Edit tour

Windows Analysis Report
etopt.exe

Overview

General Information

Sample name:	etopt.exe
Analysis ID:	1366000
MD5:	f77abc2f79780428ca514c0041c8b9e9
SHA1:	2d2bd0cfe56fbcf3c1ca78790927531b5219a5a0
SHA256:	d02718250398639963db5042756d15f138f518f1f4cea9914a685c7b7e59d325
Tags:	exeGuLoader
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Contain functionality to detect virtual machines

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

etopt.exe (PID: 964 cmdline: C:\Users\user\Desktop\etopt.exe MD5: F77ABC2F79780428CA514C0041C8B9E9)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pz.qishia.com/mm2/up/

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Windows NT\Accessories\Storage.dll

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for submitted file

Source: etopt.exe	ReversingLabs: Detection: 18%
Source: etopt.exe	Virustotal: Detection: 28%			Perma Link

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Windows NT\Accessories\Storage.dll

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_03258F44 _memset,MD5Init,MD5Update,MD5Update,MD5Final,

0_2_03258F44

Source: etopt.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: etopt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_004065CA FindFirstFileA,FindClose,	0_2_004065CA
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_004059F9 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004059F9
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_004027AF FindFirstFileA,	0_2_004027AF

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_0325D878 GetLogicalDriveStringsW,QueryDosDeviceW,__wcsnicmp,lstrcpyW,

0_2_0325D878

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001

Source: global traffic

UDP traffic: 192.168.2.6:59285 -> 38.6.193.13:8889

Source: Joe Sandbox View	IP Address: 38.6.193.13 38.6.193.13
Source: Joe Sandbox View	IP Address: 192.186.7.211 192.186.7.211
Source: Joe Sandbox View	IP Address: 192.186.7.211 192.186.7.211

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 192.186.7.211:2001Content-Length: 155Cache-Control: no-cacheData Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 192.186.7.211:2001Content-Length: 155Cache-Control: no-cacheData Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 192.186.7.211:2001Content-Length: 155Cache-Control: no-cacheData Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 192.186.7.211:2001Content-Length: 155Cache-Control: no-cacheData Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 192.186.7.211:2001Content-Length: 155Cache-Control: no-cacheData Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 192.186.7.211:2001Content-Length: 155Cache-Control: no-cacheData Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 192.186.7.211:2001Content-Length: 155Cache-Control: no-cacheData Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 192.186.7.211:2001Content-Length: 155Cache-Control: no-cacheData Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c

Source: unknown	TCP traffic detected without corresponding DNS query: 192.186.7.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.186.7.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.186.7.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.186.7.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.186.7.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.186.7.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.186.7.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.186.7.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.186.7.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.186.7.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.186.7.211
Source: unknown	UDP traffic detected without corresponding DNS query: 38.6.193.13

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_03255676 _memset,_memset,IsUserAnAdmin,socket,WSAIoctl,setsockopt,_memset,_memset,GetTickCount,_rand,sendto,recvfrom,_memset,closesocket,

0_2_03255676

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Accept: */*User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 192.186.7.211:2001Content-Length: 155Cache-Control: no-cacheData Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G|fuv|vh3Fu`"+]+Cu\&>*)3_c

Source: etopt.exe, 00000000.00000003.2569596409.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2565425091.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2567418847.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2568085841.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2564782055.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2577966051.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2568777694.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2569596409.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2502746841.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2483969615.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2564127876.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2570547466.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2571763520.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2577966051.0000000000558000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2566225406.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2478616603.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.186.7.211:2001/
Source: etopt.exe, 00000000.00000003.2569596409.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2577966051.00000000005B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.186.7.211:2001/2
Source: etopt.exe, 00000000.00000003.2565425091.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2567418847.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2568085841.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2564782055.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2568777694.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2502746841.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2483969615.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2564127876.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2566225406.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2478616603.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.186.7.211:2001/L
Source: etopt.exe, 00000000.00000003.2569596409.00000000005B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.186.7.211:2001/Q
Source: etopt.exe, 00000000.00000003.2565425091.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2577966051.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2567418847.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2568085841.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2564782055.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2568777694.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2569596409.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2502746841.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2483969615.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2564127876.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2570547466.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2571763520.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2566225406.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2478616603.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.186.7.211:2001/T
Source: etopt.exe, etopt.exe, 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2584894040.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://news.qq.com
Source: etopt.exe, uninst.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: etopt.exe, uninst.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: etopt.exe	String found in binary or memory: http://pz.hnlyzqjlb.com/mm2/up/
Source: etopt.exe, 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2584894040.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pz.hnlyzqjlb.com/mm2/up/http://pz.qishia.com/mm2/up/up2?sid=%u&d=pid=%u&mid=%u&sid=%u&x64=%u&
Source: etopt.exe	String found in binary or memory: http://pz.qishia.com/mm2/up/
Source: etopt.exe, 00000000.00000003.2484091414.0000000002702000.00000004.00000020.00020000.00000000.sdmp, ClocX.exe.0.dr	String found in binary or memory: http://www.clocx.net
Source: etopt.exe, 00000000.00000003.2126145719.0000000002703000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2577966051.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.clocx.net/
Source: etopt.exe, 00000000.00000003.2126145719.0000000002703000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2577966051.0000000000558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.clocx.net/PublisherClocX
Source: etopt.exe, 00000000.00000003.2484091414.0000000002702000.00000004.00000020.00020000.00000000.sdmp, ClocX.exe.0.dr	String found in binary or memory: http://www.clocx.net/help.php?lang=
Source: etopt.exe, 00000000.00000003.2484091414.0000000002702000.00000004.00000020.00020000.00000000.sdmp, ClocX.exe.0.dr	String found in binary or memory: http://www.clocx.net/help.php?lang=&tab=(
Source: etopt.exe, 00000000.00000003.2484091414.0000000002702000.00000004.00000020.00020000.00000000.sdmp, ClocX.exe.0.dr	String found in binary or memory: http://www.clocx.netopen
Source: etopt.exe, 00000000.00000003.2493614540.000000000270E000.00000004.00000020.00020000.00000000.sdmp, Japanese.lng.0.dr	String found in binary or memory: http://www.geocities.co.jp/SiliconValley-Sunnyvale/4137/
Source: etopt.exe	String found in binary or memory: https://apis.juhe.cn/ip/Example/query.php
Source: etopt.exe, 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2584894040.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.juhe.cn/ip/Example/query.phpclient
Source: etopt.exe	String found in binary or memory: https://apis.map.qq.com/ws/location/v1/ip?key=3BFBZ-ZKD3X-LW54A-ZT76D-E7AHO-4RBD5&output=json
Source: etopt.exe, 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2584894040.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.map.qq.com/ws/location/v1/ip?key=3BFBZ-ZKD3X-LW54A-ZT76D-E7AHO-4RBD5&output=jsonstatusr

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_004054B9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004054B9

Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_6E841450 NtQuerySystemInformation,NtQuerySystemInformation,	0_2_6E841450
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_0325FC09 NtQuerySystemInformation,NtQuerySystemInformation,	0_2_0325FC09
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_0325D9B1 OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,lstrcpyW,CloseHandle,	0_2_0325D9B1

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_03256403: __EH_prolog3_GS,RegEnumKeyExW,_memset,lstrcatW,CreateFileW,DeviceIoControl,DeviceIoControl,DeviceIoControl,FindCloseChangeNotification,

0_2_03256403

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_00403382 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403382

Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_00406953	0_2_00406953
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_6E825C02	0_2_6E825C02
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_6E824014	0_2_6E824014
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_6E823814	0_2_6E823814
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_6E8249C3	0_2_6E8249C3
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_0325B90C	0_2_0325B90C
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_0325A75F	0_2_0325A75F
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03254429	0_2_03254429
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03252484	0_2_03252484
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03277324	0_2_03277324
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_0326A36C	0_2_0326A36C
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03258B80	0_2_03258B80
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_032612E6	0_2_032612E6
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03257144	0_2_03257144
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_032759BF	0_2_032759BF
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03272000	0_2_03272000
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_0326907A	0_2_0326907A
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_032710A0	0_2_032710A0
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03275F10	0_2_03275F10
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03267EFD	0_2_03267EFD
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03272580	0_2_03272580
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03271D90	0_2_03271D90
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_032765EC	0_2_032765EC
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_0327546E	0_2_0327546E
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_10006C4A	0_2_10006C4A
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_10005A9B	0_2_10005A9B
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_1000629B	0_2_1000629B
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_10007F0F	0_2_10007F0F

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\ClocX\ClocX.exe 282397F5EFC6B5A517881350736901620649C3CF0A692423CF77B9093F933E8B

Source: C:\Users\user\Desktop\etopt.exe

Code function: String function: 0326B4E0 appears 31 times

Source: etopt.exe, 00000000.00000003.2484091414.0000000002702000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameClocX.exeD vs etopt.exe

Source: etopt.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal92.troj.evad.winEXE@1/224@0/2

Source: C:\Users\user\Desktop\etopt.exe

0_2_00403382

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_00404769 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404769

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_00402178 CoCreateInstance,MultiByteToWideChar,

0_2_00402178

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_0325AAED LoadResource,LockResource,SizeofResource,

0_2_0325AAED

Source: C:\Users\user\Desktop\etopt.exe

File created: C:\Program Files (x86)\360

Jump to behavior

Source: C:\Users\user\Desktop\etopt.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX

Jump to behavior

Source: C:\Users\user\Desktop\etopt.exe

File created: C:\Users\user\AppData\Local\Temp\nseCC.tmp

Jump to behavior

Source: etopt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\etopt.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\etopt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: etopt.exe	ReversingLabs: Detection: 18%
Source: etopt.exe	Virustotal: Detection: 28%

Source: C:\Users\user\Desktop\etopt.exe

File read: C:\Users\user\Desktop\etopt.exe

Jump to behavior

Source: C:\Users\user\Desktop\etopt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: ClocX.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\ClocX\ClocX.exe
Source: Uninstall.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\ClocX\uninst.exe

Source: C:\Users\user\Desktop\etopt.exe

File written: C:\Program Files (x86)\ClocX\Presets\Alte Standuhr.ini

Jump to behavior

Source: etopt.exe

Static file information: File size 4544252 > 1048576

Source: etopt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_6E82AEDC LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_6E82AEDC

Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_6E82BEAD push ecx; ret	0_2_6E82BEC0
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_6E828BF5 push ecx; ret	0_2_6E828C08
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_6E844205 push ecx; ret	0_2_6E844218
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_0327365D push ecx; ret	0_2_03273670
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_0326B525 push ecx; ret	0_2_0326B538
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_1000A095 push ecx; ret	0_2_1000A0A8
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_1000E9C7 push ecx; ret	0_2_1000E9DA

Source: C:\Users\user\Desktop\etopt.exe	File created: C:\Program Files (x86)\ClocX\uninst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\etopt.exe	File created: C:\Program Files (x86)\ClocX\ClocX.exe	Jump to dropped file
Source: C:\Users\user\Desktop\etopt.exe	File created: C:\Users\user\AppData\Local\Temp\nszFC.tmp\Checker.dll	Jump to dropped file
Source: C:\Users\user\Desktop\etopt.exe	File created: C:\Program Files (x86)\Windows NT\Accessories\Storage.dll	Jump to dropped file
Source: C:\Users\user\Desktop\etopt.exe	File created: C:\Users\user\AppData\Local\Temp\nszFC.tmp\Zip.dll	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\etopt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\EnhancedStorageShellEx NULL	Jump to behavior
Source: C:\Users\user\Desktop\etopt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\EnhancedStorageShellEx NULL	Jump to behavior
Source: C:\Users\user\Desktop\etopt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx NULL	Jump to behavior
Source: C:\Users\user\Desktop\etopt.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx NULL	Jump to behavior

Source: C:\Users\user\Desktop\etopt.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX	Jump to behavior
Source: C:\Users\user\Desktop\etopt.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\ClocX.lnk	Jump to behavior
Source: C:\Users\user\Desktop\etopt.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\Uninstall.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 2001

Source: C:\Users\user\Desktop\etopt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\etopt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\etopt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\etopt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\etopt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\etopt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\etopt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\etopt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\etopt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\etopt.exe

Code function: VirtualBoxParallelsVMwareHyper- VirtualBoxParallelsVMwareHyper- ParallelsVMwareHyper- ParallelsVMwareHyper-

0_2_03251A4D

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\etopt.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\etopt.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: etopt.exe, 00000000.00000002.2584894040.0000000004F60000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SNIFFERPRO.EXECHARLES.EXEIRIS.EXEHTTPDEBUGGERPRO.EXESRSNIFFER.EXEOSTINATO.EXEWPE.EXEWSOCKEXPERT_CN.EXEWSOCKEXPERT.EXESMARTSNIFF.EXEHOOKME.EXENETWORKTRAFFICVIEW.EXETCPMON.EXESMSNIFF.EXEHTTPANALYZERSTDV7.EXEHTTPANALYZERSTDV6.EXEHTTPANALYZERSTDV5.EXEHTTPANALYZERSTDV4.EXECSNAS.EXEOLLYICE.EXEOLLYDBG.EXEWINDBG.EXESOFTICE.EXEWIRESHARK.EXEFIDDLER.EXE%08X%08XROOT\WMIMSSMBIOS_RAWSMBIOSTABLESSMBIOSDATANULL STRINGVIRTUALVIRTUALPACKIDMIDSIDMAC1MAC2BOARDMANUSNPRODUCTCPUNAMECORENUMSYSMAJORMINORBUILDRELEASEX64NOTEPADVMADMINPOWERONLOCALESOFTWARE\CHROMIUMLOCINFOSTSDQUERYLOCATIONCOUNTRYPROVINCECITYISPCOUNTYLONLATCLTINFOINSTCANDENYAPPKEYDENYAPPSSUCCNEEDRESPUNINSTAPPACTIVESOFTWARE\BAIDU\BDLOGCUR_VERSIONVMTOOLSD.EXEWMACTHLP.EXEC:\XWSGCZYJBR(%XHUX%HUX%HU)

Source: C:\Users\user\Desktop\etopt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ClocX\uninst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\etopt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ClocX\ClocX.exe	Jump to dropped file
Source: C:\Users\user\Desktop\etopt.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\Accessories\Storage.dll	Jump to dropped file

Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_004065CA FindFirstFileA,FindClose,	0_2_004065CA
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_004059F9 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004059F9
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_004027AF FindFirstFileA,	0_2_004027AF

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_0325D878 GetLogicalDriveStringsW,QueryDosDeviceW,__wcsnicmp,lstrcpyW,

0_2_0325D878

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_03251A4D __EH_prolog3_GS,IsUserAnAdmin,GetSystemPowerStatus,GetUserDefaultLocaleName,CoInitialize,_memset,_memset,_memset,_memset,_memset,_memset,GetSystemInfo,

0_2_03251A4D

Source: etopt.exe	Binary or memory string: VirtualBoxParallelsVMwareHyper-
Source: etopt.exe, 00000000.00000002.2584894040.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SnifferPro.exeCharles.exeIris.exeHTTPDebuggerPro.exeSRSniffer.exeOstinato.exeWPE.exeWSockExpert_cn.exeWSockExpert.exeSmartSniff.exehookMe.exeNetworkTrafficView.exetcpmon.exesmsniff.exeHttpAnalyzerStdV7.exeHttpAnalyzerStdV6.exeHttpAnalyzerStdV5.exeHttpAnalyzerStdV4.exeCsnas.exeOllyIce.exeOllyDbg.exeWinDbg.exeSoftIce.exeWireshark.exeFiddler.exe%08X%08XROOT\WMIMSSMBios_RawSMBiosTablesSMBiosDataNull StringVirtualvirtualpackIdmidsidmac1mac2boardmanusnproductcpunamecoreNumsysmajorminorbuildreleasex64notepadvmadminpowerOnlocaleSoftware\ChromiumlocInfostsdquerylocationcountryprovincecityispcountylonlatcltInfoinstcandenyAppKeydenyAppssuccneedRespuninstappactiveSoftware\Baidu\BDLOGcur_versionvmtoolsd.exewmacthlp.exeC:\XWsgczyjbr(%XhuX%huX%hu)
Source: etopt.exe, 00000000.00000002.2584894040.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899ntdllRtlGetNtVersionNumbersNtWow64DebuggerCallKernel32GetTickCount64advapi32MD4InitMD4UpdateMD4FinalMD5InitMD5UpdateMD5FinalA_SHAInitA_SHAUpdateA_SHAFinalRtlRandomRtlRandomExRtlComputeCrc32ZwQuerySystemInformationNtQueryInformationProcessNtQueryInformationThreadNtCreateThreadExkernel32ShlWapiPathAppendWPathCanonicalizeWPathCompactPathWPathCompactPathExWPathCommonPrefixWPathFindOnPathWPathGetCharTypeWPathIsContentTypeWPathAddBackslashWPathMakePrettyWPathMatchSpecWPathMatchSpecExWPathParseIconLocationWPathQuoteSpacesWPathRelativePathToWPathRemoveArgsWPathRemoveBlanksWPathRemoveExtensionWPathRemoveFileSpecWPathRenameExtensionWPathSearchAndQualifyWPathSetDlgItemPathWPathUnquoteSpacesWPathRemoveBackslashWPathIsDirectoryWPathAddExtensionWPathIsFileSpecWPathFileExistsWPathCombineWPathFindExtensionW :%s%sSHDeleteEmptyKeyWSHDeleteKeyWSHDeleteValueWSHGetValueWSHSetValueWSHQueryValueExWSHEnumKeyExWSHEnumValueWSHQueryInfoKeyWSHOpenRegStreamWmailto:://%huhttpsWinInetInternetOpenWInternetConnectWHttpOpenRequestWInternetQueryOptionWInternetSetOptionWHttpSendRequestWHttpSendRequestExWHttpEndRequestWHttpQueryInfoWFindFirstUrlCacheEntryWFindFirstUrlCacheEntryExWFindNextUrlCacheEntryWFindNextUrlCacheEntryExWGetUrlCacheEntryInfoWDeleteUrlCacheEntryWInternetReadFileInternetCloseHandleFindCloseUrlCacheMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko/POSTIpHlpApiGetAdaptersAddressesVmwareBluetoothLoopbackGetSystemFirmwareTableROOT\CIMV2SELECT * FROM Win32_DiskDriveModelvmwareCaptionWS2_32socketbindclosesocketgetsocknamesendsendtorecvrecvfromselectgethostbynameWSAGetLastErrorWSACloseEventWSACreateEventWSAEventSelectacceptconnectgetaddrinfoWSAStartupWSACleanupWSASetEventWSAResetEventlistenWSAWaitForMultipleEventsWSAEnumNetworkEventsWSAConnectWSASendWSASendDisconnectWSARecvWSARecvDisconnectWSARecvFromWSASendTogetpeernamentohsntohlgetsockoptsetsockoptWSAIoctlGetAddrInfoExWhtonshtonlinet_addrWSASocketW%s\%uurlsReferer: http://news.qq.com
Source: etopt.exe, 00000000.00000002.2584894040.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .?AVCMacGetCallback@?1??IsRunningInVmwareByMacID@GMoonLib@@YA_NXZ@
Source: etopt.exe	Binary or memory string: vmtoolsd.exe
Source: etopt.exe	Binary or memory string: Vmware
Source: etopt.exe, 00000000.00000002.2584894040.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .?AVCZwProcessesGetCallback@?1??IsRunningInVmwareByProcessList@@YAHXZ@
Source: etopt.exe, 00000000.00000003.2565425091.0000000000591000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2478616603.0000000000591000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2566225406.0000000000591000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2568777694.0000000000591000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2565425091.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2577966051.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2567418847.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2568085841.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2564782055.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2568777694.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2483969615.0000000000591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\etopt.exe	API call chain: ExitProcess graph end node	graph_0-36779
Source: C:\Users\user\Desktop\etopt.exe	API call chain: ExitProcess graph end node	graph_0-37477
Source: C:\Users\user\Desktop\etopt.exe	API call chain: ExitProcess graph end node	graph_0-37691

Source: C:\Users\user\Desktop\etopt.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_6E8264A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_6E8264A2

Source: C:\Users\user\Desktop\etopt.exe

0_2_6E82AEDC

Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03210C67 mov eax, dword ptr fs:[00000030h]	0_2_03210C67
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03210BF7 mov eax, dword ptr fs:[00000030h]	0_2_03210BF7
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03230C67 mov eax, dword ptr fs:[00000030h]	0_2_03230C67
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03230BF7 mov eax, dword ptr fs:[00000030h]	0_2_03230BF7

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_0327807F GetProcessHeap,

0_2_0327807F

Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_6E8264A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6E8264A2
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_6E827FEC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E827FEC
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_6E842E22 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E842E22
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_6E8417C2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6E8417C2
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03264750 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_03264750
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_03262453 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_03262453
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_10008856 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_10008856
Source: C:\Users\user\Desktop\etopt.exe	Code function: 0_2_1000B2D0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_1000B2D0

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_03251000 cpuid

0_2_03251000

Source: C:\Users\user\Desktop\etopt.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\etopt.exe

Code function: 0_2_6E829A50 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_6E829A50

Source: C:\Users\user\Desktop\etopt.exe

0_2_00403382

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Windows Management Instrumentation	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 System Shutdown/Reboot	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Registry Run Keys / Startup Folder	3 Virtualization/Sandbox Evasion	LSASS Memory	421 Security Software Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	11 Non-Standard Port	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	3 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Non-Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	4 File and Directory Discovery	SSH	Keylogging	Scheduled Transfer	11 Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	125 System Information Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
etopt.exe	19%	ReversingLabs	Win32.Trojan.Generic
etopt.exe	28%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\Windows NT\Accessories\Storage.dll	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Windows NT\Accessories\Storage.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\ClocX\ClocX.exe	5%	ReversingLabs
C:\Program Files (x86)\ClocX\ClocX.exe	3%	Virustotal		Browse
C:\Program Files (x86)\ClocX\uninst.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nszFC.tmp\Checker.dll	6%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nszFC.tmp\Zip.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.clocx.net/	0%	Avira URL Cloud	safe
http://pz.hnlyzqjlb.com/mm2/up/http://pz.qishia.com/mm2/up/up2?sid=%u&d=pid=%u&mid=%u&sid=%u&x64=%u&	0%	Avira URL Cloud	safe
http://pz.qishia.com/mm2/up/	100%	Avira URL Cloud	malware
http://www.clocx.netopen	0%	Avira URL Cloud	safe
http://www.clocx.net/help.php?lang=&tab=(	0%	Avira URL Cloud	safe
http://www.clocx.net/	0%	Virustotal		Browse
http://www.clocx.net	0%	Virustotal		Browse
http://pz.hnlyzqjlb.com/mm2/up/http://pz.qishia.com/mm2/up/up2?sid=%u&d=pid=%u&mid=%u&sid=%u&x64=%u&	0%	Virustotal		Browse
http://www.clocx.net/help.php?lang=&tab=(	0%	Virustotal		Browse
http://www.geocities.co.jp/SiliconValley-Sunnyvale/4137/	0%	Virustotal		Browse
http://192.186.7.211:2001/T	0%	Avira URL Cloud	safe
http://www.clocx.net/PublisherClocX	0%	Avira URL Cloud	safe
http://192.186.7.211:2001/	0%	Avira URL Cloud	safe
http://192.186.7.211:2001/L	0%	Avira URL Cloud	safe
http://www.geocities.co.jp/SiliconValley-Sunnyvale/4137/	0%	Avira URL Cloud	safe
http://pz.hnlyzqjlb.com/mm2/up/	0%	Avira URL Cloud	safe
http://www.clocx.net	0%	Avira URL Cloud	safe
http://192.186.7.211:2001/2	0%	Avira URL Cloud	safe
http://192.186.7.211:2001/Q	0%	Avira URL Cloud	safe
http://www.clocx.net/help.php?lang=	0%	Avira URL Cloud	safe
http://www.clocx.net/help.php?lang=	0%	Virustotal		Browse
http://192.186.7.211:2001/	4%	Virustotal		Browse
http://www.clocx.net/PublisherClocX	0%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://192.186.7.211:2001/	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clocx.net/help.php?lang=&tab=(	etopt.exe, 00000000.00000003.2484091414.0000000002702000.00000004.00000020.00020000.00000000.sdmp, ClocX.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	etopt.exe, uninst.exe.0.dr	false		high
http://www.clocx.net/	etopt.exe, 00000000.00000003.2126145719.0000000002703000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2577966051.0000000000558000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pz.qishia.com/mm2/up/	etopt.exe	false	Avira URL Cloud: malware	unknown
http://www.clocx.netopen	etopt.exe, 00000000.00000003.2484091414.0000000002702000.00000004.00000020.00020000.00000000.sdmp, ClocX.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://news.qq.com	etopt.exe, etopt.exe, 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2584894040.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pz.hnlyzqjlb.com/mm2/up/http://pz.qishia.com/mm2/up/up2?sid=%u&d=pid=%u&mid=%u&sid=%u&x64=%u&	etopt.exe, 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2584894040.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.geocities.co.jp/SiliconValley-Sunnyvale/4137/	etopt.exe, 00000000.00000003.2493614540.000000000270E000.00000004.00000020.00020000.00000000.sdmp, Japanese.lng.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://apis.juhe.cn/ip/Example/query.php	etopt.exe	false		high
http://192.186.7.211:2001/T	etopt.exe, 00000000.00000003.2565425091.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2577966051.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2567418847.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2568085841.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2564782055.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2568777694.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2569596409.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2502746841.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2483969615.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2564127876.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2570547466.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2571763520.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2566225406.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2478616603.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://apis.map.qq.com/ws/location/v1/ip?key=3BFBZ-ZKD3X-LW54A-ZT76D-E7AHO-4RBD5&output=json	etopt.exe	false		high
http://www.clocx.net	etopt.exe, 00000000.00000003.2484091414.0000000002702000.00000004.00000020.00020000.00000000.sdmp, ClocX.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pz.hnlyzqjlb.com/mm2/up/	etopt.exe	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	etopt.exe, uninst.exe.0.dr	false		high
http://192.186.7.211:2001/L	etopt.exe, 00000000.00000003.2565425091.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2567418847.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2568085841.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2564782055.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2568777694.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2502746841.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2483969615.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2564127876.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2566225406.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000003.2478616603.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://apis.map.qq.com/ws/location/v1/ip?key=3BFBZ-ZKD3X-LW54A-ZT76D-E7AHO-4RBD5&output=jsonstatusr	etopt.exe, 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2584894040.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.clocx.net/PublisherClocX	etopt.exe, 00000000.00000003.2126145719.0000000002703000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2577966051.0000000000558000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://apis.juhe.cn/ip/Example/query.phpclient	etopt.exe, 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2584894040.0000000004F60000.00000004.00000020.00020000.00000000.sdmp	false		high
http://192.186.7.211:2001/Q	etopt.exe, 00000000.00000003.2569596409.00000000005B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.clocx.net/help.php?lang=	etopt.exe, 00000000.00000003.2484091414.0000000002702000.00000004.00000020.00020000.00000000.sdmp, ClocX.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://192.186.7.211:2001/2	etopt.exe, 00000000.00000003.2569596409.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, etopt.exe, 00000000.00000002.2577966051.00000000005B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
38.6.193.13	unknown	United States		174	COGENT-174US	false
192.186.7.211	unknown	United States		395776	FEDERAL-ONLINE-GROUP-LLCUS	false

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1366000
Start date and time:	2023-12-22 08:08:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	etopt.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@1/224@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 138 Number of non-executed functions: 162
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
38.6.193.13	newrock.exe	Get hash	malicious	Glupteba, SmokeLoader	Browse	pz.qishia.com/mm2/up/?sid=12018&d=d948d0e579c75619c97822d3bc12a3a4ad40f6183fc06618769543168eae512272
192.186.7.211	U1MiP25NrU.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar	Browse	192.186.7.211:2001/
	OYSVIdqcxa.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	192.186.7.211:2001/
	newrock.exe	Get hash	malicious	Glupteba, SmokeLoader	Browse	192.186.7.211:2001/
	lPUOqVqw1D.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	192.186.7.211:2001/
	Z0m3hA5H5V.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	192.186.7.211:2001/
	file.exe	Get hash	malicious	Unknown	Browse	192.186.7.211:2001/
	file.exe	Get hash	malicious	Unknown	Browse	192.186.7.211:2001/
	uIAo2iBQYd.exe	Get hash	malicious	Unknown	Browse	192.186.7.211:2001/
	BB05.exe	Get hash	malicious	Unknown	Browse	192.186.7.211:2001/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	PAY-0129.exe	Get hash	malicious	FormBook	Browse	38.47.222.245
	U1MiP25NrU.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar	Browse	38.6.193.13
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	38.174.110.161
	8GMQc4GV2x.elf	Get hash	malicious	Mirai	Browse	149.124.131.245
	CuruFoiJiK.elf	Get hash	malicious	Mirai	Browse	149.33.35.234
	https://wep.foundation/joQ3El-Q-4Gr4RAdgQ3Ewam3TQ3Er-4Gank-y5n-d58Kvo-y5	Get hash	malicious	Unknown	Browse	149.50.209.150
	https://cl.s13.exct.net/?qs=58966b71d01b46e59cb2ad5ab21882213e404d8ee1da250ec9afe95ab701241f2e4feb327c75ef2c31f5c41faa4fa8d3	Get hash	malicious	Unknown	Browse	143.244.208.184
	o7ZHiwiYIJ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	38.47.221.193
	OYSVIdqcxa.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	38.6.193.13
	newrock.exe	Get hash	malicious	Glupteba, SmokeLoader	Browse	38.6.193.13
	ZRgv8wdMtR.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	38.47.221.193
	https://protect-us.mimecast.com/s/ac3HCv2pVBF7NjDBDCQGC7A?domain=uptodate.com	Get hash	malicious	Unknown	Browse	149.50.209.150
	EmLlJ1GFqk.exe	Get hash	malicious	RedLine	Browse	38.47.221.193
	https://noblecaregivers.com/Rakuten/index.php	Get hash	malicious	Unknown	Browse	206.119.171.41
	https://khradifmadina.blob.core.windows.net/khradifmadina/url.html#cl/1981_md/1110/3113/675/29/234450	Get hash	malicious	HTMLPhisher	Browse	143.244.174.234
	448023695.png	Get hash	malicious	PikaBot	Browse	154.38.185.132
	lPUOqVqw1D.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	38.6.193.13
	Z0m3hA5H5V.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	38.6.193.13
	zEiSxvfImr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	38.47.221.193
	3yPvcmrbqS.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	38.47.221.193
FEDERAL-ONLINE-GROUP-LLCUS	U1MiP25NrU.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar	Browse	192.186.7.211
	OYSVIdqcxa.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	192.186.7.211
	newrock.exe	Get hash	malicious	Glupteba, SmokeLoader	Browse	192.186.7.211
	lPUOqVqw1D.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	192.186.7.211
	Z0m3hA5H5V.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	192.186.7.211
	file.exe	Get hash	malicious	Unknown	Browse	192.186.7.211
	kcMfqkA8kH.exe	Get hash	malicious	HTMLPhisher, Glupteba, Petite Virus, onlyLogger	Browse	192.186.7.211
	file.exe	Get hash	malicious	Unknown	Browse	192.186.7.211
	file.exe	Get hash	malicious	HTMLPhisher, Petite Virus	Browse	192.186.7.211
	file.exe	Get hash	malicious	Glupteba, Petite Virus, Socks5Systemz, Vidar	Browse	192.186.7.211
	file.exe	Get hash	malicious	Glupteba, Petite Virus, Socks5Systemz, Vidar	Browse	192.186.7.211
	file.exe	Get hash	malicious	Glupteba	Browse	192.186.7.211
	file.exe	Get hash	malicious	Glupteba, Socks5Systemz, Vidar	Browse	192.186.7.211
	uIAo2iBQYd.exe	Get hash	malicious	Unknown	Browse	192.186.7.211
	file.exe	Get hash	malicious	Glupteba, Neoreklami, Vidar	Browse	192.186.7.211
	wMl8Y23hcW.elf	Get hash	malicious	Mirai	Browse	192.250.200.20
	4NmvRDinSZ.elf	Get hash	malicious	Mirai	Browse	103.86.90.232
	BB05.exe	Get hash	malicious	Unknown	Browse	192.186.7.211
	AVpGrgzqpb.elf	Get hash	malicious	Mirai	Browse	192.250.206.211
	loligang.x86	Get hash	malicious	Mirai	Browse	116.204.177.44

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\ClocX\ClocX.exe	U1MiP25NrU.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar	Browse
	OYSVIdqcxa.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse
	2OcriJkWk6.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse
	newrock.exe	Get hash	malicious	Glupteba, SmokeLoader	Browse
	lPUOqVqw1D.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse
	OE9ZntaKqM.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse
	Z0m3hA5H5V.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	WrB1gNS1fN.exe	Get hash	malicious	HTMLPhisher, Glupteba, Petite Virus, onlyLogger	Browse
	kcMfqkA8kH.exe	Get hash	malicious	HTMLPhisher, Glupteba, Petite Virus, onlyLogger	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	HTMLPhisher, Petite Virus	Browse
	file.exe	Get hash	malicious	Glupteba, Petite Virus, Socks5Systemz, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, Petite Virus, Socks5Systemz, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba	Browse
	file.exe	Get hash	malicious	Glupteba, Socks5Systemz, Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	uIAo2iBQYd.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Glupteba, Neoreklami, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, SmokeLoader	Browse

Created / dropped Files

C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3008011, page size 1024, file counter 446, database pages 107, cookie 0x12, schema 4, UTF-16 little endian, version-valid-for 446
Category:	dropped
Size (bytes):	109568
Entropy (8bit):	4.1657339726782165
Encrypted:	false
SSDEEP:	768:Eb7b7gKrgLIx2cNt2hLnKzBFTQnQoRtn4+bszoFgQdDWe7pdDWevd53tTnY0/Ii:/IKCQnQo74Qx9pxrz9Yaf
MD5:	278EC616F43F0559564DC24DBAF77985
SHA1:	BFCFB7549DCE1F1D95CC0593CC84888D46B3C39D
SHA-256:	1D0F28FE927B577C0C02350E018AF36874EC24A91AB9331D78C3455787DFCBEA
SHA-512:	A058C66C86BA0D4FEE4CB2A1FEFA3006B3DC985A0A06D79F31AA4713EAFCE571A8FDDFC0DA8A41A20760C0F64BCA54BECC94A84C93A9FD151638BCD071F3D2BA
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .......k.................................................................-...............................z..!1...-i.n.d.e.x.N.P.1._.I.D.X._.1.N.P.1..C.R.E.A.T.E. .U.N.I.Q.U.E. .I.N.D.E.X. .N.P.1._.I.D.X._.1. .O.N. .N.P.1.(.N.D.).. ..!.....t.a.b.l.e.N.P.1.N.P.1..C.R.E.A.T.E. .T.A.B.L.E. .N.P.1.(.N.D. .s.q.l.i.t.e.3._.i.n.t.6.4.,. .N.M.D. .B.L.O.B.,. .S.H.A. .B.L.O.B.,. .T.S. .I.N.T.E.G.E.R.,. .D.T. .I.N.T.E.G.E.R.,. .F.G. .I.N.T.E.G.E.R.,. .F.D. .C.H.A.R.,. .M.W. .C.H.A.R.,. .S.C. .C.H.A.R.,. .V.R. .I.N.T.E.G.E.R.).r..!-...%i.n.d.e.x.F.L._.I.D.X._.1.F.L..C.R.E.A.T.E. .U.N.I.Q.U.E. .I.N.D.E.X. .F.L._.I.D.X._.1. .O.N. .F.L.(.F.N.)..$..!....!t.a.b.l.e.F.L.F.L..C.R.E.A.T.E. .T.A.B.L.E. .F.L.(.F.N. .s.q.l.i.t.e.3._.i.n.t.6.4.,. .A.C. .I.N.T.E.G.E.R.,. .F.G. .I.N.T.E.G.E.R.,. .V.R. .I.N.T.E.G.E.R.)..B..!....]t.a.b.l.e.V.I.V.I..C.R.E.A.T.E. .T.A.B.L.E. .V.I.(.C.V. .C.H.A.R.,. .O.V. .C.H.A.R.,. .U.V. .C.H.A.R.,. .P.V. .C.H.A.R.,. .T.V. .C.H.A.R.,. .C.T. .I.N.T.E.G.E.R.,.

C:\Program Files (x86)\ClocX\BackupAlarms.bat

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.795593782140805
Encrypted:	false
SSDEEP:	3:8hFgEYiXukHqp2YR3snjo1q5hXIWn:8h23iXzj83GU1qYW
MD5:	C8BF8F5A39C3CD41974F240DE82A0E75
SHA1:	F37B3319D1349DDBC34A3229FFE5F567E845C058
SHA-256:	CC51C20EF9133B8B13F5DDC0464679B81677413CF34A5B70785ABFEF857367B5
SHA-512:	0896EF062C1A738DFECF0C40220304C02C602169AFC7F8CBB99E8943AF6D46033441D8DA8D1237D62ABD0EDBD92F400BE0685B8CC09A9A26C91FD5554C78A0FB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	regedit /ea alarms.reg HKEY_CURRENT_USER\Software\BonSoft\ClocX\Alarms

C:\Program Files (x86)\ClocX\ClocX.exe

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2090496
Entropy (8bit):	6.160592837778405
Encrypted:	false
SSDEEP:	49152:g6vznGwXRuYl294VVamxwoWVXOSLsJelqJ1cya/caqYY3MSV2Uu:bpXRu594VVajoSXOSLielqJulc1YY3Ms
MD5:	2943A5A31664A8183E993D480B8709BC
SHA1:	E7C28C1692073CF3769B61A8B298D09497D2A635
SHA-256:	282397F5EFC6B5A517881350736901620649C3CF0A692423CF77B9093F933E8B
SHA-512:	F6DFA47D02DC9D1D874B5618C354961EA70E7C5223C27EFEB530DBCEAD610AA8255DFEEFE3A68325DB9B00AC9DF6A5519C885F91ECB82E582BBFA34364CD3518
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 3%, Browse
Joe Sandbox View:	Filename: U1MiP25NrU.exe, Detection: malicious, Browse Filename: OYSVIdqcxa.exe, Detection: malicious, Browse Filename: 2OcriJkWk6.exe, Detection: malicious, Browse Filename: newrock.exe, Detection: malicious, Browse Filename: lPUOqVqw1D.exe, Detection: malicious, Browse Filename: OE9ZntaKqM.exe, Detection: malicious, Browse Filename: Z0m3hA5H5V.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: WrB1gNS1fN.exe, Detection: malicious, Browse Filename: kcMfqkA8kH.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: uIAo2iBQYd.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..h{..h{..h{...{..h{...{..h{...{..h{..i{..h{.^.{..h{.^.{..h{.^.{D.h{.^.{..h{.^.{..h{.^.{..h{Rich..h{........................PE..L....(.P.................\..........A........p....@........................... .....+l ...@.................................T...T....................................................................i..@............p...............................text...wZ.......\.................. ..`.rdata..(....p.......`..............@..@.data............p..................@....rsrc................f..............@..@.reloc...............8..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ClocX\Lang\Afrikaans.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2284
Entropy (8bit):	5.180986000943191
Encrypted:	false
SSDEEP:	48:YcosbKhFY9+dx0nCQIjGZfZfUnteSos+go5XboJ1oqcBI9zwqbkl9oKRvpgdTv:Gnx0n2jUqeRd5XsPNZbadvmdTv
MD5:	7F8D637F9AB63DC4120C6439B19710DA
SHA1:	38460CDD6C2EBB49FA2E49C6397AAFF369697351
SHA-256:	2F7AC68D51C52C33D8186123BD0B7F8A2087EC5E5B3C5BD16FD844AA220774FB
SHA-512:	1A881116A6CAFC1291E8B71E2FAAE1F350C2459EB38C989286F33495F93A516917D5CA614B69AEB9C46CA7B208B884D12A97B6201B320A3D1A213B59CAC89F3F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	001,Kan nie die beeld laai nie!..002,Kan nie die tydgewer instel nie!..003,Algemeen..004,Voorkoms..005,Aktief..006,Fout met die byvoeging van die Alpha-Kanaal!..007,Kan nie die uurwyser laai nie!..008,Kan nie die minuutwyser laai nie!..009,Kan nie die sekondewyser laai nie!..010,vm..011,nm..012,ClocX - Wekker SINK!..013,Kan nie die agtergrond laai nie!..014, Deurskyning (Win2k/XP)..015, Prioriteit..016,Laag..017,Normaal..018,Hoog..019, Sagte tekening..020,Onaktief (vinnig)..021,Metode 1 (standaard)..022,Metode 2 (stadiger)..023, Beeldkeuses..024,Altyd bo..025,Heg aan werkskerm (Win2k/XP)..026,Deurklikbaar (Win2k/XP)..027,Onbeweeglik..028,Posisie deur werkskerm beperk..029, Standaardkeuses..030,Wys vm/nm..031,Minuutliks..032, Agtergrond..033, Begin..034,Begin met Windows..035,Begin met aanteken (gebruiker)..036,Behou vorige posisie..037,Keuses..038,OK..039,Kanselleer..040,OK..041,Nuwe .....042,Redigeer .....043,Los..044,Toets..045,Sorterr wekkers volgens tyd..046,Naam..047,Tyd..048,Datu

C:\Program Files (x86)\ClocX\Lang\Arabic.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2134
Entropy (8bit):	5.6344245676996625
Encrypted:	false
SSDEEP:	48:sf8rC2JvLPvHQbQbQ3ktvMpVf5+rwx0w5GcgAuPCnXTu:i2JPvCQbEYrelgT6XTu
MD5:	B0277FB1E01F2C417AC128A7E683B81B
SHA1:	4265377B929A15D510A6DC07E2C3986751D984C7
SHA-256:	6F8806A904F7ADED9C217C8A7FA5F38F13CE0BB5F5A21E0CCB74612C9C9B3EB5
SHA-512:	1E3C1001AA92E97932AF9C6B0A28F535A707EA2C7D01A6E333BC95E7CFF71A04A81B6F89EE8D112667C21502D7E591F1D0942C513B82D64638D664E444D590CF
Malicious:	false
Preview:	001, .. ...... ..... ........002, .. ...... ..... .......!..003,General..004,Appearance..005,Enabled..006, ... .. ..... .... .... !..007, ... .. ..... .... ...... !..008, ... .. ..... .... ....... !..009, ... .. ..... .... .......!..010, ...011, ...012, ClocX - ..... ... .......!..013, .. ...... ...... .......!..014, (2K/XP)..........015, ........016, .......017, ... .......018, .......019, .... .........020, (.... (......021, (..... 1 (.........022, (..... 2 (......023, ...... .......024, ..... .. ........025, (2K/XP)...... ... ... ........026, (2K/XP)..... ......027, ..... .......028, ..... ...... ... ........029, ......... ............030, ... ./...031,Minutely !!!..032, .......033, .....034, ... .. .........035, (... .. ..... ....... (..........036, ...... ...... .... .........037, ........038, .......039, .......040, .......041, ......042, .......043, .....044, ........045, ..... ........ ... .......046, .....047, .....048, .......049, %d. ... .. .....050, .......051, ........052

C:\Program Files (x86)\ClocX\Lang\Bosanski.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2360
Entropy (8bit):	5.340070352554395
Encrypted:	false
SSDEEP:	48:OeeySYKHbJVvLmhXm6NPL+Y4EGidNoiqiEUygVMg+a3kGjkIa2RFmk4SaTv:OeeySFbJhLm86NPL+1bwSPU50a37BVI7
MD5:	4DAD1A9BFCB103D54B06909ABB097536
SHA1:	B4D125726C841FDBE717BE04FB22843C2FDEE837
SHA-256:	79DBBB2DE47A367B70646DCCB4AF1DFCD56A9ADCD4959D82612CF6889B1D8CF7
SHA-512:	E2C8F121440D8259191C2932AF7FA5978065AA295726150C0E27B0F569686CC46009939EBAC303A97BA76507B9AB94B56587F712B4332D8620692EF11552F2BB
Malicious:	false
Preview:	001,Ne mogu da u.itam sliku..002,Ne mogu da inicijaliziram tajmer!..003,Op.ta pode.avanja..004,Izgled..005,Omogu.eno..006,Gre.ka pri dodavanju alfa kanala!..007,Ne mogu da u.itam kazaljku za sate!..008,Ne mogu da u.itam kazaljku za minute!..009,Ne mogu da u.itam kazaljku za sekunde!..010,AM..011,PM..012,ClocX - alarm ISKLJU.IVANJE!..013,Ne mogu da u.itam pozadinu!..014, Providnost (Win2k/XP) ..015, Prioritet ..016,Nizak..017,Normalan..018,Visok..019, Umek.avanje..020,Isklju.eno (fast)..021,Metoda 1 (default)..022,Metoda 2 (sporije)..023, Opcije prozora ..024,Uvijek na vrhu..025,Zaka.en za Desktop (Win2k/XP)..026,Klik kroz (Win2k/XP)..027,Nepokretan prozor..028,Ograni.i poziciju veli.inom ekrana..029, Preset opcije ..030,Prika.i AM/PM..031,Minutno..032, Pozadina ..033, Startup ..034,Pokreni sa Windows-om..035,Pokreni pri login-u (user)..036,Ne vra.aj prozor na po.etnu poziciju..037,Opcije..038,&U redu..039,&Otka.i..040,&Zatvori..041,&Novi.....042,&Izmijeni.....043,&Obri.i..044,&Test..04

C:\Program Files (x86)\ClocX\Lang\Brazilian Portuguese.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2299
Entropy (8bit):	5.287961916315013
Encrypted:	false
SSDEEP:	48:9DLSULlHyDf339z4wakpkxNOp0EIPY5drDQvXcBkK/h2nb3M:9D+ESz3NzNkzadrDQNkao
MD5:	663CA37CB27AA3B419C76F228889B08C
SHA1:	875E600FFEA6E925D35011F5A44CA5E9FECD1140
SHA-256:	CFE734403030DD1A5BDEA2F307FB3416C2DC424AF6C298A127A2CD13900BDE67
SHA-512:	EDA069DA7998919A39409A61ADF01B544FC222CAF490F985507B849A8442DCC62A3F744C026484B5E4450081815B1031A099BEB62EE75BAFC7D5A5C2682A397C
Malicious:	false
Preview:	001,Imagem n.o carregada.002,Temporizador n.o iniciado!.003,Geral.004,Apar.ncia.005,Habilitado.006,Erro no canal alfa!.007,O ponteiro das horas n.o foi carregado!.008,O ponteiro dos minutos n.o foi carregado!.009,O ponteiro dos segundos n.o foi carregado!.010,AM.011,PM.012,ClocX - ENCERRAR o alarme!.013,O fundo n.o foi carregado!.014,Transpar.ncia (Win2k/XP) .015, Prioridade .016,Baixa.017,Normal.018,Alta.019,Contorno suave .020,Desativado (r.pido).021,M.todo 1 (padr.o).022,M.todo 2 (lento).023, Op..es de janelas .024,Sempre em primeiro plano.025,Colar ao Desktop (Win2k/XP).026,Clique atrav.s (Win2k/XP).027,Fixo.028,Posi..o limitada pela tela.029,Op..es do rel.gio .030,Mostrar AM/PM.031,Minuciosamente.032,Fundo .033,Inicializa..o .034,Inicializar com o Windows.035,Inicializar com login (Usu.rio).036,N.o ajustar pos. (monitor-duplo).037,Op..es.038,&OK.039,&Cancelar.040,&Fechar.041,&Novo....042,&Editar....043,&Apagar.044,&Testar.045,Alarmes organizados por tempo.046,Nome.047,Hora.048,Dat

C:\Program Files (x86)\ClocX\Lang\Bulgarian.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2341
Entropy (8bit):	5.674982113835398
Encrypted:	false
SSDEEP:	48:Q4D1txCI+Pyna/m9PDbSRiVXwCZhYRag3YRikKYuPCnXTu:NLxWTsPDbS8GCFY81KL6XTu
MD5:	FC5EFBE2A513ACFC40B7276BA1D9E7FD
SHA1:	68879191DC99CBE8F1D0DE298AA2EA9DD2126017
SHA-256:	4DB314221B4C98E7D8E5849D7502BB2926E2A7CD4B340EA127E3351C9FE38F57
SHA-512:	B15EC36EEEA8A5B76BBF5D98F644558A0E0A0602F7F3EF391E043061F45BF37E35A7C046AAAE75C48530B5BF2A16F3CC63113782467B6506E29DD4C86437D2F8
Malicious:	false
Preview:	001,.. .... .. ...... .........!..002,.. .... .. ............ .......!..003,......004,........005,............006,...... ... ........ .. .... .....!..007,.. .... .. ...... ........ .......!..008,.. .... .. ...... ......... .......!..009,.. .... .. ...... .......... .......!..010,AM..011,PM..012,ClocX - .......... .. ........!..013,.. .... .. ...... ...!..014, ........... (Win2k/XP)..015, ...........016,.......017,..........018,.......019, ............020,............ (.....)..021,..... 1 (..........)..022,..... 2 (.....)..023, ..... .. ...........024,...... ........025,....... ... ........ (WinXP)..026,...... .... (Win2./XP)..027,.......... ..........028,........ ......... . ........029, .......... .......030,........ AM/PM..031,.... "X" ........032, .....033, ............034,......... . Windows..035,......... ... ..... .. ............036,.. ............ ...........037,.......038,&OK..039,&........040,&OK..041,&.........042,&..............043,&...........044,&..........045,........ ...

C:\Program Files (x86)\ClocX\Lang\Czech.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2317
Entropy (8bit):	5.569844746682866
Encrypted:	false
SSDEEP:	48:hInwTWyJOTni5/QS90WmUBC3MRq6mgmcvL5uJBUTLoAc9ceGK6mq6vs5:htTWyJOTi54oecg/cT0XAjY6AG
MD5:	A1A459AEBED25C19F29A65E4BA95649C
SHA1:	D9C7E65249563CC9523305E9D56F8BD6AC10B6E1
SHA-256:	A3BFBCEF85E8317089B62B98265B052949F3B11D0B404526B51AA489C14E5649
SHA-512:	E32F2A29DDD2E69F80F091BD081C6CFC5AADE9B7113FD8BA1A18E670FA8A4222238231EF97987B3240CEF205F5F57B22F3CC3B701AAE8D1BDDE8943CAA383352
Malicious:	false
Preview:	001,Nelze na..st soubor!..002,Nelze inicializovat Timer!..003,Obecn...004,Vzhled ..005,Zapnout..006,Chyba v p.ipojen. alfa kan.lu!..007,Nelze na..st hodinovou PNG ru.i.ku!..008,Nelze na..st minutovou PNG ru.i.ku!..009,Nelze na..st sekundovou PNG ru.i.ku!..010,AM..011,PM..012,ClocX - bud.k vyp.n. po..ta.!..013,Nelze na..st pozad.!..014, Pr.hlednost (Win2k/XP) ..015, Priorita ..016,N.zk...017,St.edn...018,Vysok...019, Vyhlazov.n. hran ..020,Vypnuto (rychlej..)..021,Metoda 1 (v.choz.)..022,Metoda 2 (pomalej..)..023, Nastaven. okna ..024,V.dy na vrchu..025,V.dy vespod (Win2k/XP)..026,Proklik.vac. (Win2k/XP)..027,Nep.esunuteln...028,Zak.zat posunut. mimo obraz..029, Mo.nosti pozad. ..030,Zobrazit AM/PM..031,Minutov...032, Styl ..033, Spu.t.n. ..034,Spustit p.i startu Windows..035,Spustit po p.ihl.en. u.ivatele..036,Neupravovat pozici (dual-monitor)..037,Mo.nosti..038,&OK..039,&Zru.it..040,&Zav..t..041,&Nov......042,&Zm.nit.....043,&Smazat..044,&Test..045,Bud.ky (t..d.n. podle .asu)..046,N.

C:\Program Files (x86)\ClocX\Lang\Danish.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2249
Entropy (8bit):	5.355862754705078
Encrypted:	false
SSDEEP:	48:NBTNJZ209IBMoFnjw18YvIPRg85a5QXyKUjFkkaTu:NNNJZ20GBLJw8YvEx0apUjFk5Tu
MD5:	1793FD4614D665E1B0FA41CBFE09C531
SHA1:	360CCBA52499F0B7498DC5E3E87C22F901994AB4
SHA-256:	E2C426880EAFB1B032B70678965628795C5655AB3C97A1F5404DABEC3DD1FF52
SHA-512:	AC446E3EC77A1CD037B270C3FF85E58316EC7624A47AF873BF5B9FA53A5C277EC4675A80A288678F2CB839A30071DF8EEB1BD098A848270450E9E0D7968368BF
Malicious:	false
Preview:	001,Kan ikke hente foto!..002,Kan ikke starte timer!..003,Alment..004,Udsende..005,&Aktivere..006,Fejl ved till.g af alfakanal!..007,Kan ikke loade timeviseren!..008,Kan ikke loade minutviseren!..009,Kan ikke loade sekundviseren!..010,FM..011,AM..012,ClocX - Lyd lukket..013,Kan ikke hente baggrunden!..014, Gennemsigthed (Win2k/XP) ..015, Prioritet ..016,Lav..017,Normal..018,H.j..019, Kantudj.vning ..020,&Inaktiverad (Hurtig)..021,Metode &1 (standard)..022,Metode &2 (Langsomt)..023, Alternativ for vindue ..024,Altid &.verst..025,&Fast p. Skrivbordet (Win2k/XP)..026,&Klik i gennem (Win2k/XP)..027,&Ej flytbart vindue..028,&Begr.nset position til sk.rmen..029, .vrigt ..030,Vis &PM/AM..031,hvert minut..032, Baggrund ..033, Start ..034,&Start samtidigt med Windows..035,S&tart ved login (Anvend)..036,&.ndre ikke pos. (To Sk.rme)..037,Alternativ..038,OK..039,Afbryd..040,&Luk..041,&Nyt.....042,&Redigere.....043,Ta &v.k..044,&Test..045,Alarm sorteret efter tid..046,Navn..047,Tid..048,Dato..049,%

C:\Program Files (x86)\ClocX\Lang\Deutsch.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2388
Entropy (8bit):	5.335592870780523
Encrypted:	false
SSDEEP:	48:ZfBd7wrhvl0k/Bz2XAxq9J4SCVbYaeuHQyVSXh2F0bzvxFWIEuJsZFXlVUMjL7YX:/wxJz2wxqQFb3NSFWIzUXoMzY1Z
MD5:	B4DB92C415B94A3F270B3B4A06D2A446
SHA1:	0413F4D52D6174D0C3C5E792EB2C7BE08E907D02
SHA-256:	33B1ECFA6DC605FCB6C7DBEBF1792AC93AB1F8C7C2FC98DFF10AF4C97553EE9F
SHA-512:	4274A4372006E75042BD9B87E3D8C1F7F9852757FB46459FFAB1E9F4193D3B3103CD49A281507BD76D5548DE22F9B2420568582D32C871A5B952157DAB9F946E
Malicious:	false
Preview:	001,Kann Bild nicht laden!..002,Kann Zeitgeber nicht initialisieren!..003,Allgemein..004,Aussehen..005,aktiv..006,Fehler beim hinzuf.gen des Alpha-Kanals!..007,Kann Stunden-Zeiger nicht laden!..008,Kann Minuten-Zeiger nicht laden!..009,Kann Sekunden-Zeiger nicht laden!..010,AM..011,PM..012,ClocX - Alarm HERUNTERFAHREN!..013,Kann Hintergrund nicht laden!..014, Transparenz (Win2k/XP)..015, Priorit.t..016,Niedrig..017,Normal..018,Hoch..019, Weichzeichnen..020,Deaktiviert (schnell)..021,Methode 1 (standard)..022,Methode 2 (langsamer)..023, Fenster-Optionen..024,Immer oben..025,An Desktop heften (Win2k/XP)..026,Hindurchklickbar (Win2k/XP)..027,Unbewegliches Fenster..028,Position durch Desktop begrenzen..029, Standard-Optionen..030,Zeige AM/PM..031,Min.tlich..032, Hintergrund..033, Starten..034,Mit Windows starten..035,Mit Login starten (Benutzer)..036,Fenster nicht neu positionieren..037,Optionen..038,&OK..039,&Abbrechen..040,&OK..041,&Neu.....042,&Bearbeiten.....043,&L.schen..044,&Testen..

C:\Program Files (x86)\ClocX\Lang\English.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2195
Entropy (8bit):	5.322992609048549
Encrypted:	false
SSDEEP:	48:S9910MsOKxTvsoVeOFLvxCBkin0Dqtbry4whkLA8wFfHYwgAuPRXTv:S9xkFsoXZg0DqtbG4whknwFf4wgTNTv
MD5:	E873D0C2ECD4DCCE5E89191FFDE5253A
SHA1:	04D6C989C41D8E2895B94E1D41882C3F76EF9C0E
SHA-256:	E913E546B84C80F5F2D4B4CF85D72BF1F722AABD7B9C5C97814F828966077296
SHA-512:	A3914AFA462A14721F223EB16E9903709D504C5F77094D6CFA92D07513FD1726616C925E43DCF14E81120161316751D1BDA7DDD0F82936C8A1E8B8F169DC2047
Malicious:	false
Preview:	001,Cannot load image..002,Cannot initialize timer!..003,General..004,Appearance..005,&Enabled..006,Error adding alpha channel!..007,Can't load hour hand!..008,Can't load minute hand!..009,Can't load second hand!..010,AM..011,PM..012,ClocX - alarm SHUTDOWN!..013,Could not load background!..014, &Transparency (Win2000+) ..015, Priorit&y ..016,Low..017,Normal..018,High..019, Antialiasing ..020,Disa&bled (fast)..021,Method &1 (default)..022,Method &2..023, Window options ..024,&Always on top..025,&Pin to Desktop (Win2000+)..026,Clic&k through (Win2000+)..027,&Unmovable window..028,&Limit position by screen size..029, Style options ..030,Show &AM/PM..031,Minutely..032, &Style ..033, Startup ..034,Run ClocX with &Windows (admin)..035,&Run ClocX at user logon..036,Don't ad&just pos. (dual-monitor)..037,Options..038,&OK..039,&Cancel..040,&Close..041,&New.....042,&Edit.....043,&Delete..044,&Test..045,Alarms sorted by time..046,Name..047,Time..048,Date..049,%d. day in month..050,Daily..051,Week

C:\Program Files (x86)\ClocX\Lang\Espanol.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2505
Entropy (8bit):	5.147183891313604
Encrypted:	false
SSDEEP:	48:+SPTJ2eRlB17zb6X3vbc+Texw1Kr/CaA8HvrSdU2VGgcQwha4a6/3V8vcv:+4l2eXT7PY3zc+xMyEvP2shQwUsVl
MD5:	EA82EE5D70868307FB93CA810CAE4613
SHA1:	5F41C9092E8D9FC09AC8143C1DD2994903800D86
SHA-256:	8285C04903A1F1AA4451F0AB81401B88A9FFAF720952B703C708B7363F420EAF
SHA-512:	3D8931B2E543B302C479FD356E8692780D88945FD7E69405060441C5AA77AA54830F8A4FDCBB5C7B6CED3F759800517B2C864E97A53AC31B31434D8AC27B8826
Malicious:	false
Preview:	001,No se puede cargar la imagen.002,.No se puede inicializar el temporizador!.003,General.004,Apariencia.005,Activar.006,.Error al a.adir m.scara de transparencias!.007,.No se puede cargar la aguja de las horas!.008,.No se puede cargar la aguja de los minutos!.009,.No se puede cargar la aguja de los segundos!.010,AM.011,PM.012,.ClocX - APAGADO (alarma)!.013,.No se puede cargar el fondo!.014, Transparencia (Win2k/XP) .015, Prioridad .016,Baja.017,Normal.018,Alta.019, Difuminado de contornos .020,Deshabilitado (r.pido).021,M.todo 1 (por defecto).022,M.todo 2 (lento).023, Opciones de ventana .024,Siempre en primer plano.025,Pegado al escritorio (Win2k/XP).026,Clic a trav.s (Win2k/XP).027,Ventana fija.028,Ventana limitada por la pantalla.029, Opciones Reloj .030,Visualizar AM/PM.031,Minuciosamente.032, Imagen .033, Arranque .034,Empezar con Windows.035,Empezar al login de usuario.036,No ajustar posici.n (2 monitores).037,Opciones.038,&Aceptar.039,&Cancelar.040,&Cerrar.041,&Nuevo....042,&E

C:\Program Files (x86)\ClocX\Lang\Estonian.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2362
Entropy (8bit):	5.182401934744877
Encrypted:	false
SSDEEP:	48:HrWjaA54MqKpFKlZx2MPq45Gm38OWuyHVCJ20Qv+bC/gloIGMINTu:hAaH6qH2MPqD48un4p+bUizBuTu
MD5:	84C4D2361103B662BEBF68DA906D4F40
SHA1:	0AA776C9CF78F45212F953A274C4F6C703016AB0
SHA-256:	6CF612F8E25A26A8FE2DD498DF727C4AACCEA47BD2ED871EDCCDD5C074B99167
SHA-512:	8AC021C5CB9281314474FF1DAEF3EF6C2A4262D3744837E46B02ECE9095A4C1798ACE858200AF3E40BB905E1C22BD4AABB0EBA96CA578B2155BFC50A6321E87C
Malicious:	false
Preview:	001,Ei saa pilti avada!..002,Ei saa kella avada!..003,.ldine..004,V.limus..005,Lubatud..006,Viga alfa kanali lisamisel!..007,Ei saa avada tunni osutit!..008,Ei saa avada minuti osutit!..009,Ei saa avada sekundi osutit..010,AM..011,PM..012,meeldetuletuse sulgemine!..013,Ei saa tausta lisada!..014,L.bipaistvus (Win2k/XP) ..015,Prioriteet ..016,Madal..017,Normaalne..018,K.rge..019, Silumine ..020,&Keelatud (kiire)..021,Meetod &1 (vaikimisi)..022,Meetod &2..023, Akna s.tted ..024,&Alati pealmine..025,&T..lauale(Win2k/XP)..026,&Kl.ps kuni (Win2k/XP)..027,&Liikumatu aken..028,&Ekraanil piiratud positsioon..029, Ettem..ratud valikud ..030,N.ita &AM/PM..031,Minimaalselt..032, &Taust ..033, K.ivita ..034,K.ivita koos &Windowsiga..035,&K.ivita koos logimisega (kasutajaga)..036,.ra lisa& positsiooni. (dual-monitoril)..037,Valikud..038,&OK..039,&Katkesta..040,&Sulge..041,&Uus.....042,&Redigeeri.....043,&Kustuta..044,&Testi..045,Meeldetuletused ajaliselt sorteeritud..046,Nimi..047,Aeg..048,Kuup.ev.

C:\Program Files (x86)\ClocX\Lang\French.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2372
Entropy (8bit):	5.250285063754293
Encrypted:	false
SSDEEP:	48:vJFRS8/MlfWqeawdkKPnwShTJAnMZ/ekJOFGD6l243LqicRy:RFs8UxWqeanSTJAnXkJOv7qicg
MD5:	7767FBCDA3DB9B77F1E8FEB02172AE34
SHA1:	2E7FC2B22E094061AB51FC805CF16863E601A512
SHA-256:	4FFE5D4BF560C15DB2777F0BC31652D7C733DC3CAD3B4E052B10BBD6AF65A0EC
SHA-512:	A0C0A6D155ECFBABEC6DDE343E17536C550393DD7900B9A233549A61609F0F248FE9BC94B136B1A3695D9AACB1F63E1C5A6B3ABBE20526A26FEFBE5DB433918F
Malicious:	false
Preview:	001,Ne peut charger l'image.002,Ne peut intialiser l'horloge!.003,G.n.ral.004,Apparence.005,&Disponible.006,Erreur d'ajout de canaux alpha!.007,Ne peut charger l'aiguille des heures!.008,Ne peut charger l'aiguille des minutes!.009,Ne peut charger l'aiguille des secondes!.010,AM.011,PM.012,ClocX - alarme ARRET!.013,Ne peut charger l'image de fond!.014, &Transparence (Win2k/XP) .015, P&riorit. .016,Basse.017,Normale.018,Haute.019, Anticr.nelage .020,D.sacti&v. (rapide).021,M.thode &1 (par d.faut).022,M.thode &2 (lente).023, Options de windows .024,Tou&jours au dessus.025,Fi&x.e au bureau (Win2k/XP).026,&Clic . travers (Win2k/XP).027,Fen&.tre bloqu.e.028,Position &limit.e par l'.cran.029, Options par d.fauts.030,Voir &AM/PM.031,Minutieusement.032, &Image de fond .033, D.marrage .034,D.marrer avec &Windows.035,D.marra&ge avec login (utilisateur).036,Ne pas repositi&onner (2 .crans).037,Options.038,&OK.039,Annul&er.040,&Fermer.041,&Nouveau....042,&.diter....043,&Effacer.044,&Tester.045,Alar

C:\Program Files (x86)\ClocX\Lang\Greek.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2481
Entropy (8bit):	5.748505003046585
Encrypted:	false
SSDEEP:	48:fQQV08HDWRNNxzWfwVDmC7yrdxKInE/nzjsGUM+GGAEIHVGVqYNmZ7+5a1PTu:ruNdwwVyPBxhnE/zYGh+GVpGVBei5a9C
MD5:	9CA688F0E5F418AB6D24DF39CCD336D2
SHA1:	EE45BC8EEFFAD60D1F7F54A9894137CAB160BCEA
SHA-256:	887EE063F618D73F46B7ED49C6A36AE0A117CB060A6AF0986A5E31B7270B9D92
SHA-512:	91153AE38246B27F745C6D12D74603E6B11AD2B28FFCB83E0E7E3582EA864E905631125DF7926B88A97456B5CA04A1E2AF1088D5F329946AAEDB3532417DAB3F
Malicious:	false
Preview:	001,.. ...... .. ........ . ........002,........ .. ............ . ...!..003,........004,..........005,&........006,... ...... .. ........ .. alpha channel!..007,... ...... .. ........ . ........... ..........!..008,... ...... .. ........ . ........... ............!..009,... ...... .. ........ . ........... ...................!..010,....011,....012,......... ClocX .........013,... ...... .. ........ .. backround!..014,&......... (Win2k/XP) ..015,&............ ..016,........017,..........018,.......019,Antialiasing..020,&.............. (.......)..021,&....... 1(..........)..022,&....... 2 (... ....)..023,........ ......... ..024,&..... ... ...........025,&.......... (Win2k/XP)..026,&.... ....... (Win2k/XP)..027,&.............028,&........... ... .... ........029,.............030,&..../......031,... .......032,&Backround..033,...... ..034,&...... .. .. windows..035,&...... .. password (.......)..036,.. ....... ....(..... .......)..037,..........038,&OK..039,&.........040,&..........041,&

C:\Program Files (x86)\ClocX\Lang\Hebrew.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2013
Entropy (8bit):	5.5733608573558495
Encrypted:	false
SSDEEP:	48:A+UFyubnHRyCv8TzCVoL29Vg9mAsMeoXLyh+y/5WnRzuPCnXTu:nubHpUPAoL2VgLsMeoXLT+5Wno6XTu
MD5:	E312627E571323C7805473D7C8A6B3E5
SHA1:	EB9ECA27CDEBD2984B3B4FCE6279731EC7C40EF3
SHA-256:	808986BA3FFBD5B0BEFE6C8CF4DFD5578D138B5569ADF7DC1C41D32F37542D81
SHA-512:	114B44D29C1AF4772CEFCD14213A3D3679995BD6E2C121D403CB36675A4043177D1B9128864229C451A8C8FA8032FE365E0B5139700DFA7DFC1194A718675929
Malicious:	false
Preview:	001,.. .... ..... .. ........002,!.. .... ..... .. ........003,......004,......005,......006,!..... ... ..... .... ......007,!.. .... ..... .. .... .......008,!.. .... ..... .. .... .......009,!.. .... ..... .. .... ........010,AM..011,PM..012,ClocX - !..... .......013,!.. .... ..... .. ......014, (Win2k/XP) ...... ..015, ...... ..016,.......017,.........018,.......019, ..... ..020,(...... (......021,(.... 1 (..... ......022,(.... 2 (.......023, ........ .... ..024,.... .......025,(Win2k/XP) .... ...... ........026,(Win2k/XP) ... .....027,.... .......028,.... .. ...... ... ......029, ....... ...... ..030,AM/PM .....031,... .....032, ... ..033, ..... ..034,Windows .... .. .......035,(.... .. ..... (.......036,(... ..... ..... (...-......037,..........038,&.......039,&.......040,&......041,...&.....042,...&......043,&.....044,.&.....045,...... ....... ... .....046,....047,.....048,.......049,... ..... .%d..050,......051,.......052,.......053,......054,..-......055,.... ........056,:....0

C:\Program Files (x86)\ClocX\Lang\Hungarian.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2439
Entropy (8bit):	5.524282620245631
Encrypted:	false
SSDEEP:	48:fzycwT+JHTioGFfNUGN+WBgJL8u/o9XwcrPFTN79ZDx5UyfdQy4wPzevGTjTu:OPiJzjGFfNRYJl/o9DBVTUyfm/aTu
MD5:	897DF08D2097EBAE47D45632EEF4344B
SHA1:	CE7718EDCA84272A94A19EF831604E88EE76CAF9
SHA-256:	FB73CFCC647F00CD7FB3AAD3F6FA6753AE62879BAF4D4576CD8116E1AA55BCEC
SHA-512:	DA22C98D987F45FC49E12053EC4B227E75508FCC1CA46ACE9855D95F877FD633522C62CEE305E0188BAD5538E923310FAF14FDAB94F357D90598178D586E990B
Malicious:	false
Preview:	001,K.pet nem lehet bet.lteni..002,Id.z.t.t nem lehet elind.tani!..003,.ltal.nos..004,Megjelen.t.s..005,En&ged.lyezve..006,Alpha csatorna hiba!..007,Hiba az .ramutat. bet.lt.sekor!..008,Hiba az percmutat. bet.lt.sekor!..009,Hiba az m.sodpercmutat. bet.lt.sekor!..010,DE..011,DU..012,ClocX - id.z.t. KIKAPCSOL!..013,Nem lehet a h.tteret bet.lteni!..014, .&tl.tsz.s.g (Win2k/XP) ..015, &Els.bbs.g ..016,Alacsony..017,Norm.l..018,Magas..019, .l&sim.t.s ..020,&Kikapcsolva (gyors)..021,&1 met.dus (alap.rtelmezett)..022,&2 met.dus..023, &Ablak opci.k ..024,&Mindig fel.l..025,As&ztalhoz t.zve (Win2k/XP)..026,.tklikkel.s (Win2k/&XP)..027,A&blak r.gz.t.se..028,&Poz.ci. limit.l.sa az ablakhoz..029, &El.be.ll.t.sok ..030,&DE/DU kijelz.se..031,Percenk.nt..032, &H.tt.r ..033, &Ind.t.s ..034,&Windows-al..035,Be&jelentkez.skor (felhaszn.l.)..036,Poz. ne korrig.lja (d&u.l-monitor)..037,Be.ll.t.sok..038,&OK..039,&M.gsem..040,&Bez.r..041,.&j.....042,&Szerkeszt.s.....043,&T.r.l..044,Tes&zt..045,Riaszt.sok id

C:\Program Files (x86)\ClocX\Lang\Indonesian.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2296
Entropy (8bit):	5.2130956360951375
Encrypted:	false
SSDEEP:	48:S7Ikp8cURun1XREJ7aTBHkRAfdkkDdOhcjSDEnb4rt6VwTu:SMke7RsXREJ7ckk5SGb4wVwTu
MD5:	93ACABEC2DAFEC5E819D4ADFBDD86429
SHA1:	7459019E4DB35D21E2494432860FF94BA11AB498
SHA-256:	3A615F5AFDF3592336BB992B8176A702B7CE81AABA0CC13F7192E57023A973AA
SHA-512:	FBB12F645627CB6C57F513AB1189F5FF0C954B1664D8B74B6FDD451F96C8B1A58C9B166A5483670104B2947C16E5C2BE9A49F224EB237C318E4925FC5D386986
Malicious:	false
Preview:	001,Tidak dapat memuat gambar,..002,Tidak dapat memulai waktu!..003,Umum..004,Penampilan..005,&Enabel..006,Eror memasukkan saluran alfa!..007,Tidak dapat memuat jarum jam!..008,Tidak dapat memuat jarum menit!..009,Tidak dapat memuat jarum detik!..010,AM..011,PM..012,ClocX - alarm SHUTDOWN!..013,Tidak dpt memuat latarbelakang!..014, &Transparansi (Win2k/xP)..015, P&rioritas..016,Rendah..017,Normal..018,Tinggi..019, Antialiasing ..020,Disa&bel (cepat) ..021,Metode &1 (default)..022,Metode &2..023, jendela opsi..024,Sel&alu di atas..025,Gantung di Deskto&p (Win2k/XP)..026,Bebas &klik (Win2k/XP)..027,&Jendela tetap..028,Batas posisi dg &layar..029, Opsi preset..030,Tampilkan &AM/PM..031,Dengan teliti..032, &Latarbelakang..033, Mulai ..034,Mulai bersama &Windows..035,&Mulai dengan login (pengguna)..036,Jangan a&tur pos. (dual-monitor)..037,Opsi..038,&Oke..039,Ba&tal..040,T&utup..041,Ba&ru.....042,&Edit... ..043,Ha&pus..044,&Tes..045,Urut alarm berdasarkan waktu..046,Nama..047,Waktu..048,Tan

C:\Program Files (x86)\ClocX\Lang\Italiano.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2384
Entropy (8bit):	5.1377744629293165
Encrypted:	false
SSDEEP:	48:eYCHSWlXfWhQYLnGWDvuYhAbBLG/VDR1OUZFM9S+Net8W92xxZxpvdAj/M:F0SEXf4QMpDvu8AbSVV4eFM9S+ct8Wgd
MD5:	2D6C2E8AE88C3269B639DDACFCC87775
SHA1:	43EE3F9A70A9127BBF36B7C82D19716FE0B7A316
SHA-256:	F054EEC75474FA5AF87268D06C5DC7B007ED18C5A7FCB682C8F1E681BC5CA63A
SHA-512:	75D5595B77A65F6B03E715358A80CB80E3C3BF81A02169BFEE63515251A2DEB03427B34183FD6ED27F27F705406AD2BE1CCBC4596D4178D37202174B992F550D
Malicious:	false
Preview:	001,Impossibile caricare l'immagine.002,Impossibile inizializzare il timer!.003,Generale.004,Aspetto.005,Abilitato.006,Errore con la trasparenza!.007,Impossibile caricare la lancetta delle ore!.008,Impossibile caricare la lancetta dei minuti!.009,Impossibile caricare la lancetta dei secondi!.010,AM.011,PM.012,ClocX - SPEGNIMENTO (allarmi)!.013,Impossibile caricare lo sfondo!.014, Trasparenza (Win2k/XP) .015, Priorit. .016,Bassa.017,Normale.018,Alta.019, Bordi sfumati .020,Disabilitato (veloce).021,Metodo 1 (default).022,Metodo 2 (lento).023, Opzioni Finestra .024,Sempre in primo piano.025,Attacca al Desktop (Win2k/XP).026,Clicca attraverso (Win2k/XP).027,Finestra fissa.028,Posizione limitata dallo schermo.029, Opzioni Orologio .030,Mostra AM/PM.031,Ogni minuto.032, Immagine .033, Avvio .034,Inizio automatico.035,Inizio al login utente.036,Non riposizionare la finestra.037,Opzioni.038,&OK.039,&Annulla.040,&Chiudi.041,&Nuovo....042,&Modifica....043,&Elimina.044,&Test.045,Allarmi ordinati

C:\Program Files (x86)\ClocX\Lang\Japanese.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2474
Entropy (8bit):	6.2844739666300145
Encrypted:	false
SSDEEP:	48:R1ZqJLkNJuzKizSeJjhrMVRazEBplicgrqrjYAayZyGX8LD/uPCnXTu:DZqKNJfixJjhrMjazEBqnqrjYAa8Ls25
MD5:	2E5F6A85256DA31D089291A7E2A9A762
SHA1:	70AE0BC41F4111DBE941F42CC3148B5B7839EE1C
SHA-256:	94DA919FCC7FDF0B84B6E056D7C5151E3BF481F83501E0956C4482E9C7DAB324
SHA-512:	C72C832A888236F068E46F69E5D00F6E62E07BC5C0E091293ED8CD27EAA3B22800EAEDEA2E4E9A5ED3383218B8A7CB0584DA6079D8F62A80E2CECE656E380CD8
Malicious:	false
Preview:	;ClocX 1.5 alpha 1 Language File for Japanese..;Auter : Fujita..;Url : http://www.geocities.co.jp/SiliconValley-Sunnyvale/4137/..;e-Mail : gallery_fake@msn.com....001,.........o.........002,.^.C.}.[.......................!..003,.....004,.O....005,.g.p......006,.A...t.@.`.....l.......G...[!..007,...j.....s.o.......!..008,...j.....s.o.......!..009,.b.j.....s.o.......!..010,AM..011,PM..012,ClocX - .A...[.. ....!..013,.w.i.....s.o.......!..014, .... (Win2k/XP) ..015, .D...... ..016,....017,.....018,....019, .A...`.G.C...A.X ..020,.s.\ (....)..021,...@ 1 (...)..022,...@ 2 (.x..)..023, .E.C...h.E.I.v.V.... ..024,....O..\....025,......\.. (Win2k/XP)..026,.N...b.N.......... (Win2k/XP)..027,..u.........028,.........\........029, .v...Z.b.g.... ..030,AM/PM..\........031,Minutely..032, .w.i ..033, .X.^.[.g.A.b.v..034,Windows.N......N........035,...[.U...O.I......N........036,.E.B...h.E...u.........037,.....038,OK(&O)..039,.L.....Z..(&

C:\Program Files (x86)\ClocX\Lang\Korean.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2261
Entropy (8bit):	6.240619749370674
Encrypted:	false
SSDEEP:	48:cHQXRvolvFxZrTUJN2qu/4ppruwEjOz6fF+z6hEHQXwWMooOz/RlZxY7AkCTu:EQBQhFxZrwv2NwX5kO8+jQgWMooEHZlC
MD5:	2EEFDCDA287C97061ACBDF4409AA659B
SHA1:	C1B8A1161D3EAF0836B991694931721DA3F6E8DE
SHA-256:	13D52A3C7D896B2AF05774F7C6B0E43AD4D93953F0F721C490D610FB26CA22B7
SHA-512:	1A67388402DD1228536BD53F0889FAAECE9ED4A9713E2AC1DFB84AE96F721E2EC1B9B1B3D1E2117687D5FF78175E73B88ED7CA8BBA01C537D5BD0567ED1DF27D
Malicious:	false
Preview:	001,..... ..... .. ..........002,..... ...... .. .......!..003,.....004,.....005,.....(&E)..006,....... ... ....!..007,..... ..... .. .......!..008,..... ..... .. .......!..009,..... ..... .. .......!..010,AM..011,PM..012,ClocX - ... ......!..013,..... ..... .. .......!..014,.....(&T) (Win2k/XP) ..015,......(&R)..016,......017,......018,......019,.........(..... .....)..020,...........(&B) (.......)..021,......... ...&1 (..)..022,......... ...&2..023,...... .....024,... ....(&A)..025,........ ....(&P) (Win2k/XP)..026,....... ....(&K) (Win2k/XP)..027,........ ....(&U)..028,... ........ ......(&L)..029,... ...... .....030,&AM/PM .......031,.....032,...(&B)..033,......034,....... ... .......(&W)..035,...... ... .......(&S)..036,... ........ ...(&J) (.......)..037,.....038,...(&O)..039,...(&C)..040,...(&C)..041,.......(&N)..042,....(&E)..043,....(&D)..044,....(&T)..045,....... ... .........046,.....047,.....0

C:\Program Files (x86)\ClocX\Lang\Nederlands.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2489
Entropy (8bit):	5.2427085130863915
Encrypted:	false
SSDEEP:	48:fm2ZJkrpaZ4DbqfTHD2E5tFUHzRKZmu1dE69x279IIjHim90gcqID+mTu:fm2ZJkESHq7FqRKZPZ9x279PjpOY5mTu
MD5:	C817194B9BCBD2D5323B0A6D7EF7C56A
SHA1:	810C07D0D0385C428D5D1B4BE7FC00DFF3DCE76D
SHA-256:	8DE577D96C63E9B9E2D7211BC900718F872C6EBE3979A83F46876FE768B1AA09
SHA-512:	587142CE6D2F7D2289560A94E75B20E831B6CDA1D4EEBFE1A20428FE028B8FCF2C7D72E82F16655B495BDA35C64A5E1E1E3A21DED8B300A4ED7AC23174961C75
Malicious:	false
Preview:	001,Kan afbeelding niet laden..002,Kan klok niet initialiseren!..003,Algemeen..004,Beeld..005,Inschakelen..006,Fout bij toevoegen alphakanaal!..007,Kan urenwijzer niet laden!..008,Kan minutenwijzer niet laden!..009,Kan secondenwijzer niet laden!..010,VM..011,NM..012,ClocX - Alarm UITSCHAKELEN!..013,Kan achtergrond niet laden!..014, Transparantie (Win2k/XP) ..015, Prioriteit ..016,Laag..017,Normaal..018,Hoog..019, 'Anti-aliasing' ..020,Uitgeschakeld (snel)..021,Methode 1 (normaal)..022,Methode 2 (traag)..023, Venster-eigenschappen ..024,Altijd op voorgrond..025,Plak aan bureaublad (Win2k/XP)..026,Klik door klok heen (Win2k/XP)..027,Onverplaatsbaar venster..028,Stem positie af op scherm..029, Voorgeprogrammeerde opties ..030,VM/NM weergeven..031,Elke minuut..032, Achtergrond ..033, Opstarten ..034,Opstarten met Windows..035,Opstarten bij aanmelden..036,Pos. niet wijzigen (2-schermen)..037,Opties..038,OK..039,Annuleren..040,Sluiten..041,Nieuw.....042,Bewerken.....043,Verwijderen..044,Test

C:\Program Files (x86)\ClocX\Lang\Polish.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2349
Entropy (8bit):	5.512392538157304
Encrypted:	false
SSDEEP:	48:LtjgkeiQhyCSJsZmDnami9fdB2CLLIIDj/I1zICfonRF1XOzYF9x2bL1aCFr/f:hMgCSJamrami9f3jHd2ImonhXp9x21a+
MD5:	6DAC613D6C6D0A30BEAC1B1536E051AF
SHA1:	FAF8F9EA6E95A1177B62E10CB8D9E3BC54F5F8F4
SHA-256:	C241583B8B3854991D37C399D82F71994F20EA961054FA94006815D72B713507
SHA-512:	915A39083A790864A52C8D270F307C11F43B4D4F6A712275A487318111CDDD453632EA481E6A552D147EFF786A5E679D13A9D10F26D3DD9F788C3CFD95B8F852
Malicious:	false
Preview:	001,Nie mog. wczyta. obrazu..002,Nie mog. uruchomi. stopera!..003,Og.lne..004,Wygl.d..005,W..czone..006,B..d przy dodawaniu kana.u alpha!..007,Nie mog. wczyta. wskaz.wki godzinowej!..008,Nie mog. wczyta. wskaz.wki minutowej!..009,Nie mog. wczyta. wskaz.wki sekundowej!..010,AM..011,PM..012,ClocX alarm: WY.ACZENIE KOMPUTERA!..013,Nie mog. wczyta. t.a!..014, Prze.roczysto.. (Win2k/XP) ..015, Priorytet ..016,Niski..017,Normalny..018,Wysoki..019, Antyaliasing ..020,Wy..czony (szybko)..021,Metoda 1 (domy.lnie)..022,Metoda 2 (wolno)..023, Opcje okna ..024,Zawsze na wierzchu..025,Przypnij do pulpitu (Win2k/XP)..026,Klikaj przez zegar (Win2k/XP)..027,Zablokuj pozycj...028,Ogranicz pozycj. do ekranu..029, Opcje zegara ..030,Pokazuj AM/PM..031,Minuty..032, T.o ..033, Uruchamianie ..034,Uruchom z Windows..035,Uruchom przy logowaniu..036,Nie dopasowuj pozycji (2 monitory)..037,Opcje..038,&OK..039,&Anuluj..040,&Zamknij..041,&Nowy.....042,&Edytuj.....043,&Usu...044,&Test..045,Alarmy posortowane wg cz

C:\Program Files (x86)\ClocX\Lang\Portuguese.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2229
Entropy (8bit):	5.26744165871897
Encrypted:	false
SSDEEP:	48:9DL1hlqQSf339bGvpmxNOp7DIPHCErjK4QvX2UXaUJkwwIG:9DZnqQS3NbCmz5rFQuUhJTwIG
MD5:	DCD35241BCB58CB9A495AEBBEE280E77
SHA1:	A70E368A9E2E5FD002DCA142AC7C357BB87B4AA4
SHA-256:	424BF20CECBB097F714FA9BD12B4EA6EC4902F6229FEC88C80FF0A28F6E91BCD
SHA-512:	040F222DDC205817E629FE3EA5094320607F3E5E72A5CDF28FBB70E4C9B855AA6807697FA160B4DDA18D5338972DA65CA70F122C6073861DD6ED19C8BBCC4A67
Malicious:	false
Preview:	001,Imagem n.o carregada.002,Temporizador n.o iniciado!.003,Geral.004,Apar.ncia.005,Habilitado.006,Erro no canal alfa!.007,Ponteiro das horas n.o carregado!.008,Ponteiro dos minutos n.o carregado!.009,Ponteiro dos segundos n.o carregado!.010,AM.011,PM.012,ClocX - Desligar alarme!.013,Fundo n.o carregado!.014,Transpar.ncia (Win2k/XP).015,Prioridade.016,Baixa.017,Normal.018,Alta.019,Contorno suave.020,Desativado (r.pido).021,M.todo 1 (padr.o).022,M.todo 2 (lento).023,Op..es de janelas.024,Sempre em primeiro plano.025,Colar ao Desktop (Win2k/XP).026,Clique atrav.s (Win2k/XP).027,Fixo.028,Posi..o limitada pela tela.029,Op..es do rel.gio.030,Mostrar AM/PM.031,Minuciosamente.032,Fundo.033,Arranque.034,Iniciar com o Windows.035,Iniciar com login (usu.rio).036,N.o ajustar pos. (monitor-duplo).037,Op..es.038,&OK.039,&Cancelar.040,&Fechar.041,&Novo....042,&Editar....043,&Apagar.044,&Testar.045,Alarmes ordenados por tempo.046,Nome.047,Hora.048,Data.049,%d. dia no m.s.050,Diariamente.051,Semanalme

C:\Program Files (x86)\ClocX\Lang\Romanian.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2326
Entropy (8bit):	5.18100710273134
Encrypted:	false
SSDEEP:	48:9CsmPKCGCvGCtQCVlJupQnCY+hALpZ4AjrNGycLek18fwwV3MuZsCHYQ2r:9OPKjuGEQ2JqQnCYOErNGtLekKIwV3TW
MD5:	928A5C47953AF408531CD2DC2AC8584E
SHA1:	E27A61AF8B8FE4B22B13CE948CBBD80E55A6AF76
SHA-256:	4764809159E4FD2D9F0ED0E7F6D44A388C97BDCD6C2631D152DC871E29245EBF
SHA-512:	921F8917AFF5CDF7819B19512AA81C779026B32A2E0A30C82AF925FE76D22B0206AB2F132999F40979C1F2DB23AD607B2B088B7D7365044BE41B42C7908B09EA
Malicious:	false
Preview:	001,Nu se poate .ncarca imaginea!..002,Nu se poate initializa timerul!..003,General..004,Aspect..005,Activ..006,Eroare de transparenta!..007,Nu se poate .ncarca indicatorul orar!..008,Nu se poate .ncarca minutarul!..009,Nu se poate .ncarca secundarul!..010,AM..011,PM..012,ClocX - ORA .NCHIDERII!! (programata)..013,Nu se poate .ncarca fondul!..014, Transparenta (Win2k/XP) ..015, Prioritate ..016,Joasa..017,Normala ..018,Ridicata..019,Margini catifelate..020,Inactiv (rapid)..021,Metoda 1 (implicit)..022,Metoda 2 (lent)..023,Optiuni Fereastra ..024,Permanent .n prim plan..025,Fixat pe Desktop (Win2k/XP)..026,Clic transparent (Win2k/XP)..027,Fereastra fixa..028,Pozitie limitata la ecran..029,Optiuni ceas ..030,Indicator AM/PM..031,La minut..032,Imagine ..033,Pornire ..034,Lansare automata..035,Lansare la login..036,Pozitia ferestrei fixa ..037,Optiuni..038,&OK..039,&Abandon..040,&Inchidere..041,&Nou.....042,&Modifica.....043,&Elimina..044,&Test..045,Alertari ordonate cronologic..046,Nume..

C:\Program Files (x86)\ClocX\Lang\Russian.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2413
Entropy (8bit):	5.693543780784365
Encrypted:	false
SSDEEP:	48:t8IUxeikqFAecTGM+Nygw49MLuDbV3NaG2PHZG+DcZ577UagrTu:twxTkqFAPB+LwMMLUb2GaHhcZhUzTu
MD5:	BA5647E2889A3B3DA10E3BD5BE0CE4B5
SHA1:	CBE0EF3874710A2EFC9725D1A2C2F900B828D6C0
SHA-256:	2065D94FF0EF5FE40F3521861E61AB70EC546A17CB3CC2E9B15D64BD3EB96BA1
SHA-512:	DEAC73849488BB3CC82BA1AA7B930494DD1868F7011C7B6D7541D0744BF26BF94CF2D35D5BC069A54143FFE93857EBF239FC74CF12145D6F54EDC6E1F75E6164
Malicious:	false
Preview:	// iNorbert proudly presents..// russian translate of ClocX..// iNorbert@mail.ru....001,...... ........ ...........!..002,...... ....... .......!..003,.......004,....... .....005,..........006,...... .......... .....-......!..007,...... ........ ....... .......!..008,...... ........ ........ .......!..009,...... ........ ......... .......!..010,AM..011,PM..012,ClocX - ............!..013,...... ........ ......!..014,............ (Win2k/XP) ..015,......... ..016,........017,.........018,.........019,........... ..020,......... (......)..021,...... #1 (.. .........)..022,...... #2..023,....... ......024,...... ......025,.. ....... ..... (Win2k/XP)..026,.... .......... (Win2k/XP)..027,...............028,.......... ...... ..........029,......... ............030,.......... "AM/PM"..031,...........032,...... ..033,........ ..034,........ . ..............035,.......... ... ..... .......036,.. .............. . ..........037,...........038,....039,........040,.........041,..........042,........0

C:\Program Files (x86)\ClocX\Lang\Simple_Chinese.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1886
Entropy (8bit):	6.402116213311843
Encrypted:	false
SSDEEP:	48:VlpO2ZDqLqz0Sog9VNQmdZFnU0T2fn2lYQE8cCM4vjvqB4uPCnXTu:zpO2ZDqLOP79zxnvT0nhQpJ9jva6XTu
MD5:	FA2BA4997B287CE38F2DBDDCD180D4F5
SHA1:	521B78583AE110DDA52CCACD57848B89B9589FC9
SHA-256:	6DEF2B26AD82D20590CDB14AD36A5851F6E2AF6FCA72EFC87C26FE576DDD962A
SHA-512:	C62A1192F551B6DC632315275D6E6EF5E2806DA4DFCE9AFDFBF4E06F80A6702F57CFB0222477C599814F2D577B979ED686336047848BA1816F1A6100B6667E8F
Malicious:	false
Preview:	001,.............002,.................003,......004,.....005,......006,... Alpha .........007,.............008,.............009,..............010,AM..011,PM..012,ClocX - ..........013,..............014,......Win2k/XP....015,..... ..016,....017,......018,....019,.......020,............021,............022,...............023,..........024,............025,.......Win2k/XP....026,..........Win2k/XP....027,.........028,....................029,...... ..030,... AM/PM..031,.......032,........033,.........034,.. Windows ......035,.............036,...............037,.....038,...(&O)..039,...(&C)..040,...(&C)..041,...(&N).....042,..(&E).....043,...(&D)..044,....(&T)..045,.....................046,......047,.....048,......049,....... %d.....050,.....051,.....052,.....053,.....054,.....055,.............056,.......057,...........058,.....059,........060,............061,........062,.... WAV ........063,........

C:\Program Files (x86)\ClocX\Lang\Slovak.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2406
Entropy (8bit):	5.585890762321675
Encrypted:	false
SSDEEP:	48:Y81cEWQ51kbiZyt8jJkuVB+X4lGxvSDjvna4HP/MTNOTJPcRW9ZBM:YYWQbDQW9eIlWEnJP6OGUa
MD5:	6B5809A31DE634A0EC58019350E4D50F
SHA1:	6060C89F71FFEF00DF7053D66087938DE5E2AEF5
SHA-256:	757B6322FF5894AF64AB3887BD8690838D5D59C561CB963CAE1AD8FF78117F1E
SHA-512:	45E98F361EEEA4ED4FEAEA0A699779F6E8A7FD1D9DC7360288C712159651419CEBD51B6A66BBA1327B316D37B294410D20DF6C33C71715CBE5F49717CA70F648
Malicious:	false
Preview:	001,Nemo.no na..ta. s.bor!..002,Nemo.no inicializova. Timer!..003,General..004,Appearance..005,Enabled..006,Chyba v pripojen. k alfa kan.lu!..007,Nemo.no na..ta. hodinov. PNG ru.i.ku!..008,Nemo.no na..ta. min.tov. PNG ru.i.ku!..009,Nemo.no na..ta. sekundov. PNG ru.i.ku!..010,AM..011,PM..012,ClocX - bud.k vyp.na po..ta.!..013,Nemo.no na..ta. pozadie!..014,Prieh.adnos. (Win2k/XP) ..015,Priorita..016,N.zka..017,Stredn...018,Vysok...019,Vyhladzovanie hr.n ..020,Vypnut. (r.chlej.ie)..021,Met.da 1 (v.chodzie)..022,Met.da 2 (pomal.ie)..023,Nastavenie okna ..024,V.dy na vrchu..025,V.dy na spodku (Win2k/XP)..026,Preklik.vacie (Win2k/XP)..027,Nepresunute.n...028,Zak.za. posunutie mimo obraz..029,Mo.nosti pozadia..030,Zobrazi. AM/PM..031,Minutely..032,Pozadie..033,Sp...anie..034,Spusti. pri .tarte Windows..035,Spusti. po prihl.sen. u..vate.a..036,Neupravova. poz.ciu (dual-monitor)..037,Mo.nosti..038,&OK..039,&Zru.i...040,&Zavrie...041,&Nov......042,&Zmeni......043,&Zmaza...044,&Test..045,Bud.ky (

C:\Program Files (x86)\ClocX\Lang\Slovenian.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2265
Entropy (8bit):	5.32217234304011
Encrypted:	false
SSDEEP:	48:ZWUFVFU14/Jj/aMzpW1yOrKUaA2DY5uSs8CIFNM8oy5G5GPunusGN66phovaTu:zc4J7aMY1yOrKUP2OC8vFmhykAPuuBi3
MD5:	0C0351290AD760F3CEA848F6F65B4AF3
SHA1:	C2E4A8B2426463F4E80CF9D5FE74317C55A76D3E
SHA-256:	4D7AF300B3FBBC5D8CE3DCAC871C9C6CA4EDD6785721418C90042CC5C23DEC01
SHA-512:	4428499AEB70E37F6B2F6868A2B08DA1C2A121F4E2DA741048E6125C65BF224D3FBBE6CCD8421387666B7F87D3F336452902D1E3FF164500A9213340E1665DDA
Malicious:	false
Preview:	001,Ne morem prebrati slike..002,Ne morem pognati .asovnika!..003,Splo.ne nasavitve..004,Izgled..005,Omogo.eno..006,Napaka pri nastavljanju alfa kanala!..007,Ne morem prebrati kazalca za ure!..008,Ne morem prebrati kazalca za minute!..009,Ne morem prebrati kazalca za sekunde!..010,AM..011,PM..012,ClocX - alarm IZKLJU.EVANJE!..013,Ne morem prebrati ozadja!..014, Prosojnost (Win2k/XP) ..015, Prioriteta ..016,Nizek..017,Normalen..018,Visok..019, Bla.enje..020,Izklju.eno (fast)..021,Metoda 1 (default)..022,Metoda 2 (po.asneje)..023, Opcije okna ..024,Vedno na vrhu..025,Prijet na Desktop (Win2k/XP)..026,Klik skozi (Win2k/XP)..027,Nepremi.no okno..028,Omejiti pozicijo na velikost zaslona..029, Preset opcije ..030,Prika.i AM/PM..031,Minutno..032, Ozadje ..033, Startup ..034,Za.eni z Windowsi..035,Za.eni ob prijavi..036,Ne vra.aj okna na za.etno pozicijo..037,Opcije..038,&V redu..039,&Prekli.i..040,&Zapri..041,&Novi.....042,&Popravi.....043,&Bri.i..044,&Test..045,Alarmi urejeni po .asi..046,Na

C:\Program Files (x86)\ClocX\Lang\Srpski.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2344
Entropy (8bit):	5.344770829282602
Encrypted:	false
SSDEEP:	48:Oe2ySYKHbJVvamhXm6NPLFXYmB4midNoiqiEUygVMg+a3kGjkIa2RFmk4RTu:Oe2ySFbJham86NPLFX3OmwSPU50a37Br
MD5:	1D9538A2F34F9F14C5359A802D88EEA3
SHA1:	97D508EE407E866EE43D93789EDF66A82E067AF6
SHA-256:	80E87432D776463469912BC1A0B42039FE76FC86014F236D277678ABC3F3246C
SHA-512:	230CD741CDCF2A762C6DFFB9A18772E984DF965265879BFD8400DAB2C4CE74CA70DBA5A8E2BD0B155D2D110E49B6001110E04EECFD3799A7ECEA4A402D6D217F
Malicious:	false
Preview:	001,Ne mogu da u.itam sliku..002,Ne mogu da inicijalizujem tajmer!..003,Op.ta pode.avanja..004,Izgled..005,Omogu.eno..006,Gre.ka pri dodavanju alfa kanala!..007,Ne mogu da u.itam kazaljku za sate!..008,Ne mogu da u.itam kazaljku za minute!..009,Ne mogu da u.itam kazaljku za sekunde!..010,AM..011,PM..012,ClocX - alarm ISKLJU.IVANJE!..013,Ne mogu da u.itam pozadinu!..014, Providnost (Win2k/XP) ..015, Prioritet ..016,Nizak..017,Normalan..018,Visok..019, Umek.avanje..020,Isklju.eno (fast)..021,Metoda 1 (default)..022,Metoda 2 (sporije)..023, Opcije prozora ..024,Uvek na vrhu..025,Zaka.en za Desktop (Win2k/XP)..026,Klik kroz (Win2k/XP)..027,Nepokretan prozor..028,Ograni.i poziciju veli.inom ekrana..029, Preset opcije ..030,Prika.i AM/PM..031,Minutno..032, Pozadina ..033, Startup ..034,Pokreni sa Windows-om..035,Pokreni pri login-u (user)..036,Ne vra.aj prozor na po.etnu poziciju..037,Opcije..038,&U redu..039,&Otka.i..040,&Zatvori..041,&Novi.....042,&Izmeni.....043,&Obri.i..044,&Test..045,Al

C:\Program Files (x86)\ClocX\Lang\Suomi.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2436
Entropy (8bit):	5.214434411536153
Encrypted:	false
SSDEEP:	48:jAspe44gcoLB3zjkP0FdaJnSp/K2drjNamUPTu:jAsp2gcMjk8F8ABjNLWTu
MD5:	FAA5BF602E511AD03ED8FAEEEC9D40CF
SHA1:	1748B8D296B6A6D742AD378BEFAC1622D8845A37
SHA-256:	5C131D1314BDF05B942583F5D6D1EA2D5659628FEADB42F4D3005BDB9982E470
SHA-512:	DE92EC4855C702E05BDFBF89F25C7B6177497B81142575692557ED2850339D2EC4B37C3A956A2EA8A4FCC180D5E53BD1D5604FE40980C4E02F12660919DD0B58
Malicious:	false
Preview:	001,Kuvaa ei voi ladata!..002,Ajastinta ei voi k.ynnist..!..003,Yleiset..004,Ulkoasu..005,&K.yt.ss...006,Virhe lis.tt.ess. alfakanavaa!..007,Tuntiosoitinta ei voi ladata!..008,Minuuttiosoitinta ei voi ladata!..009,Sekuntiosoitinta ei voi ladata!..010,AM..011,PM..012,ClocX - h.lytys PC SAMMUTETAAN!..013,Taustaa ei voi ladata!..014,&L.pin.kyvyys (Win2k/XP) ..015,&Prioriteetti ..016,Alhainen..017,Normaali..018,Korkea..019,Aliasesto..020,&Ei k.yt.ss. (nopea)..021,&Tapa 1 (oletus)..022,&Tapa 2..023,Ikkuna-asetukset ..024,&Aina p..llimm.isen...025,&Kiinnit. ty.p.yd.lle (Win2k/XP)..026,&L.pinapsautus (Win2k/XP)..027,&Lukitse sijainti..028,&.l. siirr. n.yt.n reunojen yli..029,Kellon asetukset ..030,N.yt. AM/PM..031,Minuuteittain..032,&Tausta..033,K.ynnistys ..034,&K.ynnist. Windowsin kanssa..035,&K.ynnist. sis..nkirjauduttaessa ..036,&.l. muuta sijaintia (kaksoisn.ytt.)..037,Asetukset..038,&OK..039,&Peruuta..040,&Sulje..041,&Uusi.....042,&Muokkaa.....043,&Poista..044,&Testaa..045,H.lytykset ai

C:\Program Files (x86)\ClocX\Lang\Svenska.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2310
Entropy (8bit):	5.374266043513612
Encrypted:	false
SSDEEP:	48:WavowZsfFXA9JUCFRQijv1BMTZKNQgXVynztV9QmqAUaxMxviysDHO5Ltg60Kg:WavowEFw9JUMRQixByZaJV0zVxqAxzyM
MD5:	692A55F3A8B0D2240679A9A8F6CD8B83
SHA1:	2E58FAAB3B35F2C36F391E677932722949B66F8D
SHA-256:	3A5F18B977B2D40B832E362D5E3DB7B5A10EAF7DDBA793B830B60CA02FC7A9B4
SHA-512:	E0B456AD42EA6C5C04ACA3ED47EE6EFCD696E7DD46F8E68B425D34CA1228EBD20747D1AF932651CFE6506D17D95D277571156689163E82D5AE7D4BA590DD5A49
Malicious:	false
Preview:	001,Kan inte h.mta bilden..002,Kan inte starta timern!..003,Allm.nt..004,Utseende..005,&Aktiverad..006,Fel vid till.gg av alfakanal!..007,Kan inte ladda timvisaren!..008,Kan inte ladda minutvisaren!..009,Kan inte ladda sekundvisaren!..010,FM..011,EM..012,ClocX - larm ST.NGER..013,Kan inte h.mta bakgrunden!..014, Genomskinlighet (Win2k/XP) ..015, Prioritet ..016,L.g..017,Normal..018,H.g..019, Kantutj.mning ..020,&Inaktiverad (snabb)..021,Metod &1 (standard)..022,Metod &2 (l.ngsam)..023, Alternativ f.r f.nster ..024,Alltid &.verst..025,&F.st p. Skrivbordet (Win2k/XP)..026,&Klicka genom (Win2k/XP)..027,&Ej flyttbart f.nster..028,&Begr.nsa position till sk.rmen..029, .vrigt ..030,Visa &FM/EM..031,Varje minut..032, Bakgrund ..033, Start ..034,&Starta samtidigt med Windows..035,S&tarta vid login (anv.ndare)..036,&.ndra inte pos. (tv. sk.rmar)..037,Alternativ..038,OK..039,Avbryt..040,&St.ng..041,&Nytt.....042,&Redigera.....043,Ta &bort..044,&Testa..045,Larm sorterade efter tid..046,Namn..047,

C:\Program Files (x86)\ClocX\Lang\Thai.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2386
Entropy (8bit):	6.112058786166187
Encrypted:	false
SSDEEP:	48:Q0QaBfLuSJH+yK99GThN/+5l1VeiOmxzgSCQLQiTpCyB7XgAuP8XTu:Q0QaBfLuSJVK99ChY1V5VbXpCyB7XgTz
MD5:	5A008D847D9846DB2EB9D84B500FC407
SHA1:	F4DBD5725559F1FDE3497959F15F8E2DB01B9A60
SHA-256:	54991D21C1EA6C3C3C54FE68DAEFF96041DF96C4AE05E13B300C8E60A8DA3DE3
SHA-512:	43D253A8C72E444F5EB5430D31EA5ADFC4EF2D309CFB8859713195E8DD34756EEF988DE443CE7C3F429A670F0D8B1011A4B886DEE4D85985EED06B78DBFE0CCD
Malicious:	false
Preview:	001,.................002,.....................!..003,........................!..004,....................!..005,.....................!..006,............................!..007,.....................!..008,.................!..009,..................!..010,AM..011,PM..012,..... X - ...........!..013,.....................!..014, ......... (Win2k/XP) ..015, ....../... ..016,.....017,......018,....019, .......... ..020,............. (......)..021,..... 1 (....)..022,..... 2 (........)..023, .......... ..024,............025,.......... (Win2k/XP)..026,........... (Win2k/XP)..027,.....................028,...............029, ............. ..030,... AM/PM..031,................ PNG .......032, ............ ..033, ............... ..034,...................035,............... (......)..036,...............(.2 ....)..037,.............038,&.....039,&......0

C:\Program Files (x86)\ClocX\Lang\Traditional_Chinese.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1902
Entropy (8bit):	6.37456130870283
Encrypted:	false
SSDEEP:	48:u8hbLlIx/SDsjUqJPgocfhc65yk8mGaEQNcbqCgjkpRqM4LkXNfua2SiuPCnXTu:u8llIx/SQ4qJPWfhc65yJAElwkAkdH6y
MD5:	1087C3F3DDD9CC72492C6CE37579D069
SHA1:	3E715A01456D0421D6C407538A69E670CC18A512
SHA-256:	0AB5DF5226313D018060B308AF3DB6C5C9CACF7A1985607C3542380268076F56
SHA-512:	34E928146D5B26E9C2F532392DB15BACCE94AB9A36C93C3D398199E667474E3571938CCF425363D35E19C2F9E928C159A5792B10392122423C699FB5FE26F8AD
Malicious:	false
Preview:	001,.L.k...J.....002,.L.k..l..p...!..003,.@....004,.~.[..005,.....006,...~.[.J alpha .W.D!..007,.L.k...J..w!..008,.L.k...J...w!..009,.L.k...J..w!..010,AM ..011,PM ..012,ClocX - ........!..013,.L.k...J.I..!..014, .z.. (Win2k/XP) ..015, .u.... ..016,.C..017,.@....018,....019, ..O.W/..... ..020,.w.... (..)..021,..k 1 (.w.]..)..022,..k 2 (.C)..023, ....(....).. ..024,......W.h.....025,.....T.u.. (Win2k/XP)..026,.........k.... (Win2k/XP)..027,...i..........028,.......i...X.....029, ....].w.. ..030,...W..(AM)/.U..(PM)..031,.C....032, .I.. ..033, ... ..034,.H Window .}........035,.H.n.J (...) ......036,...n...]......m..037,....038,.T.w(&O)..039,....(&C)..040,....(&C)..041,.s.W(&N).....042,.s..(&E).....043,.R..(&D)..044,....(&T)..045,............046,.W....047,.....048,.....049,.... %d ....050,.C....051,.C.g..052,.C....053,.C.~..054,.@....055,.....s....056,.W..:..057,..{:..058,...: ..059, ..@: ..060,............061,.....y.z:..062,.... WAV ...

C:\Program Files (x86)\ClocX\Lang\Turkce.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2241
Entropy (8bit):	5.3993674147697766
Encrypted:	false
SSDEEP:	48:vfuHDUxQ2FPl6UoFzHioqkIqKpyLm50pN+b2DFFakIss2q8WeHSwTu:vfSgxQ2FtxAzfIpyLHN+qPm2C6Tu
MD5:	AF5BF71BF65C85430F339FD263D19E60
SHA1:	5004E292E76559C176A0A2BDA06FDD75AA0788EC
SHA-256:	4298489EA4E99BB8CF68C0051312D10424E17026A82A868F9FBE16014244100D
SHA-512:	63B811EE7A5EB2E3EA667AFB23823EED3FF798F3168571215644029EA3A942935091778C20E56D55BAFF3C2A5D3A285F6B2A2ECD5385C784A0622A85E199A103
Malicious:	false
Preview:	001,Resim a..lamad...002,Zamanlay.c. ..z.mlenemedi!..003,Genel..004,G.r.n.m..005,&Etkin..006,Alfa kanal. eklenirken hata!..007,Akrep i.areti a..lamad.!..008,Yelkovan i.areti a..lamad.!..009,Saniye i.areti a..lamad.!..010,AM..011,PM..012,ClocX - alarm KAPAT!..013,Arkaplan a..lamad.!..014, &Transparanl.k (Win2k/XP)..015, &.ncelik..016,D...k..017,Normal..018,Y.ksek..019, Antialiasing ..020,Etkisiz b.rak (&h.zl.)..021,Methot &1 (varsay.lan)..022,Methot &2..023, Pencere se.enekleri..024,&Daima .stte..025,&Masa.st.ne ..nele (Win2k/XP)..026,D&o.rudan T.kla (Win2k/XP)..027,O&ynat.lamaz pencere..028,&Pozisyonu ekrandan k.s.tla..029, Haz.rl.k se.enekleri..030,&AM/PM G.ster..031,Dakikal.k..032, A&rkaplan..033, Ba.lang....034,&Windows ile Ba.lat..035,Ot&urum ile Ba.lat (kullan.c.)..036,Po&zisyonu ayarlama. (dual-monit.r)..037,Se.enekler..038,&Tamam..039,.pta&l..040,&Kapat..041,Ye&ni.....042,D.z&enle.....043,&Sil..044,&Test Et..045,Zamana g.re alarmlar..046,.sim..047,S.re..048,Tarih..049,%d. ayda g

C:\Program Files (x86)\ClocX\Lang\Ukrainian.lng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2325
Entropy (8bit):	5.813118990170243
Encrypted:	false
SSDEEP:	48:1liKJBTGlVWryPQ42xZZW8KVIFND5i394wtoPlnjp3uPAPxM:1liKnTGlVSyIzZW8KVIFtwZoq4m
MD5:	D10E2A8BCCCAF9EFF46D453E6FB127D0
SHA1:	7C7A5C843C6B8FB615CBF30DE329A1505276450C
SHA-256:	7608128E882E3A34CFC48A35DA9C2F1C77BD07B491EE4BD1D6D48BB425CB68BD
SHA-512:	E600F8345D0F17D920C01EC47EFA6AA76F1608834AC4390D0F489A24B59EDF94B7707AAA51EB9FD0D462483C465A44187EA72AFBF99747F13262862FCA0FE0BD
Malicious:	false
Preview:	001,.......... .. .............!.002,.. ........... ......... ....!.003,.......004,..........005,..........006,....... ......... .....-......!.007,.. ............. ....... ......!.008,.. ............. ........ ......!.009,.. ............. ........ ......!.010,...011,...012,ClocX - ...... ......... ....'.....!.013,.. ...... ....... .......!.014, ......... (Win2k/XP).015, ..........016,........017,...........018,........019,...........020,............ (.......).021,..... 1 (...........).022,..... 2 (........).023, .... - ...........024,... .... .......025,........ .. ...... (Win2k/XP).026,........ ... ........ (Win2k/XP).027,........ .....028,........ ...... .......029, ......... ...........030,.......... ../...031,Minutely.032, ....... ........033, ..........034,...... ..... . Windows.035,...... ... ... ............036,.. ........... .....037,..........038,&...!.039,&.......!.040,&.....!.041,&.........042,&..........043,&.........044,&.........045,........

C:\Program Files (x86)\ClocX\Presets\AJ-CityHall-500-hour.hpng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 181 x 27, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1350
Entropy (8bit):	6.69981675807187
Encrypted:	false
SSDEEP:	24:m6y1htZdWwjx82lY2T3pHEVbuYYiyJ3Vbq4G6SA9dGogWH+192AotNLFFg2u:twqNn2SATJ3X3feH2JF6
MD5:	CDBC4ABB27F64B3E4073D798D205B5B7
SHA1:	58577123B1D59FCCFB80A588D92C11F447258A23
SHA-256:	5821718C8E53A8ACD10DD52C12E451E88F3DD7CE94332E6406490DF2459823D3
SHA-512:	B6B3F5F8120DEDBC27A39DE98E5F6CFDEA6C2B11C6E5C2E960A4C16E37C8D752D4F0103D494E03FB5C2C7FA9C4BBDDD16B51D0CB8B87602FC83C5519BE98D3F5
Malicious:	false
Preview:	.PNG........IHDR...............>.....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows" xmpMM:InstanceID="xmp.iid:D3C59E439F2011E18651C5CDA301D5A0" xmpMM:DocumentID="xmp.did:D3C59E449F2011E18651C5CDA301D5A0"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:D3C59E419F2011E18651C5CDA301D5A0" stRef:documentID="xmp.did:D3C59E429F2011E18651C5CDA301D5A0"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..F.....PLTE...333fff...{{{......BBBHHH.......................???TTT'''NNN```............xxxuuuccc..............---...

C:\Program Files (x86)\ClocX\Presets\AJ-CityHall-500-minute.hpng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 230 x 5, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1115
Entropy (8bit):	6.213566468733229
Encrypted:	false
SSDEEP:	24:uLy1htZdWwjx82lY2T3pHEVqSacyJ3VcHJqlGZE+JMGzl0s2snMj:mwqNn2S8JPJ3K4l+J0dj
MD5:	8619F256A096C9E1AD177F97B799D82D
SHA1:	9EEDCB61BB671006830D76A89969CE962C4F6813
SHA-256:	6B4041B6DFD71C01E16016D5CC98A950951A1B44A3FA0CE48A7668BD4A229853
SHA-512:	2B954763605B7F082963EBCDD3213F30E0DECA1C5E3B06B720142887A18CA6FB8BCF4D429C05432F45529E33F062E10E69F39855FD9E109BBF949F79080FD813
Malicious:	false
Preview:	.PNG........IHDR.............fd`.....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows" xmpMM:InstanceID="xmp.iid:2EB4C5F39F2211E18513A81FC2AFE6F4" xmpMM:DocumentID="xmp.did:2EB4C5F49F2211E18513A81FC2AFE6F4"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2EB4C5F19F2211E18513A81FC2AFE6F4" stRef:documentID="xmp.did:2EB4C5F29F2211E18513A81FC2AFE6F4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.Ti]...TPLTE......?>>NNN......!!!tss(''......DCC.........=<<............]\\...&%%...100............c....tRNS............

C:\Program Files (x86)\ClocX\Presets\Adler.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 130 x 130, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	55630
Entropy (8bit):	7.986980389473075
Encrypted:	false
SSDEEP:	768:AvEl7OYQJBlmbnzl7WWsHp8Oi4rdq3mQYomnVb6kanEpHVjaBqUXz:xYmbzoWACO1rd7QYoeWERsz
MD5:	0429009042C10C55BAA8A1399E50439A
SHA1:	3E1290EDE1D59D407747B2549E5E377CE1EBEF2D
SHA-256:	B7CD2C45291C1912745BFBAB53D09DEB7807F5D7343BDD258A44D47B9B1BC9D8
SHA-512:	B94907B7966E2BD14FD3C918ABB8BE692007836942FB4A59882419B7F6E4FDCED1EBC012CCD3A2BA3986AA395F59251A4E094E980AAE22CD546ABA25C300F5C0
Malicious:	false
Preview:	.PNG........IHDR.....................pHYs...:...:.d.W.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F....IDATx...n.a........6..../.E..4.4.ua..iI.5.V.N.b.P.j........,B..a...O...&.....l.{.:m...nc7.......N..\|..A...`8.g.H..C...+V.......Ym089%oI...6.......Q,9...no@...L..d2a..Tj..7Hiy\..0+D.q.#..v.]&....d...=.NxS......W...ta....%1.pI<.Y......LH<.{'..V...../.7..h$soG5o.+.S.F.f. .6Z......6.]A..Q..M.q...x}..X..#g...s....F<...........#S1..S...=M..s w...G.vj.r.D2...(.6bd.%./..2.........a('.}G.0.x...........p.....m..p..IsW.Uu.K.=..\v7$..Op......~y...J.......(...V..Q!....k~e$7=.(.t..z.....{.O_.v..]....;..`..u.....v.:0..3.^5...@...p....]...n.{\i....Vm).0.U^q.....W........;.g.w...9.]<r...g.......!...#..G...........?2...h`.._...u.c...GG........R.?2..{Aa......L..b...k..........\.;$..@.....\|.N......o...`.x..u..N...}.s..on.......M..w........[.G.........6..^........W/._U...S....]..wuo.....S...M-k.tM...%.........;..fz......a!E..\|...............

C:\Program Files (x86)\ClocX\Presets\Alte Standuhr.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	946
Entropy (8bit):	4.661831809454109
Encrypted:	false
SSDEEP:	12:a4EqmYrrrcRQBjpJrprh27XFPV+J/PnXFPVG99XFPUXFqC2kpmdoH9Gs968v2ims:BEQrmu95UTOxf01kKkp5dG/8+i4352X
MD5:	1ED534D32D9C5AEC051584FD4F4A6AC0
SHA1:	69FFD3F42B20EA7F0D8ACF48A914265A2B03ED59
SHA-256:	F247ED947B0F833783B876902185821E47283039ABA7114F114EDD889CF04F45
SHA-512:	996F90AD4E516474F1632164164410BDC791A994664A6DD227AEFDBAE9556B6E86A48720F9C52BA6C1FBB896DE958F114A35ED9E6FAAB10724B971D9C6A47F85
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red)..DisableAMPM=1 ;show AM/PM indicator (default 0)..AMPMColor=0x787878.;color of AM/PM indicator....HourColor=0x1F4CA2 ;color of hour hand..HourLength=15 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=2 ;width of hour hand....MinuteColor=0x1FFAA2 ;color of minute hand..MinuteLength=30 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=1 ;width of minute hand....SecondColor=0xF7FA92 ;color of second hand..SecondLength=30 ;length of second hand..SecondLap=10 ;overlap of second hand..SecondWidth=0.7 ;width of second hand....;CenterX=68 ;center point's X (default image_width / 2)..;CenterY=66 ;center point's Y (default image_height / 2)

C:\Program Files (x86)\ClocX\Presets\Alte Standuhr.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 140 x 165, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	45581
Entropy (8bit):	7.983167078747716
Encrypted:	false
SSDEEP:	768:TnOKv1UzMqfrTun4WXmRdkWKGoHfX7Yik3gAv2zMpr6VPtJHj2M4hmH4G:TnOKNyMqfrXjkWKGoHfX7YiInhpr6VrJ
MD5:	C09624E5A94C36866D9BF05A3C07DD33
SHA1:	A98ACA5BA10EA2187BF11CC506BE2FA893AEAA79
SHA-256:	7E59083736758B2575545383BB8ED07EF79972D4ED3AB08F78B367528FAEB596
SHA-512:	00F2F02EDCD6A5BCFD9037378A58F2BA3D47CBD010A3EAB9B9A62E46535DCCD744888BBB6FF7C48FCF5EB02CAEF0634DEAA2129CE496E5CF64EE79CF0E56CF9B
Malicious:	false
Preview:	.PNG........IHDR..............c......pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F....IDATx.b...?.(......b...Q@......3.H...4.`F.I. .F..( .....H.........?....13..............32p}\.>..hR....b.).....l..~...k.LffF....33........gf...?.......$...0..../..........g.+!V...&.t........h.'.....O..7...........0..a`eab...d...d...'.o?.~...N,....,.L.LLL...^3....L....11\|......_.........KT..g...#%....^n...(.>...C.DSt..[.4@.,..=...AB(...9..6R.=....+O.hrM}.....6.........H.>.x.". p..>.I..../H.j.....`.(..d..K.........e..[.P.........K0.....}.....O..>v.Q>Qp......._...T....0pss3.e.....o..?...........O.\,l.....SP.........._`........l\....@U......g/..}.yVD..v.....5....H0i...~....`.L{.../>v{.....o>1\.v........O..Px.../........._.o..0.s.K.`...?.........P..?0..b..,....\|Ap..../...o....LGG...o ....\?..rp..2sp..."..pJ0...1w...(.^.\|p...$j.....].{0..-X..?D2:8q.H....\|..'....Y.w.....!C:...^8_.X.`.....&(..4.. 9.Aq4.#..lU...7Y%.%....V1.....C4. ..s..h4@:I...K....y..\|

C:\Program Files (x86)\ClocX\Presets\Amarillo.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 176 x 176, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	24329
Entropy (8bit):	7.9041850094582715
Encrypted:	false
SSDEEP:	384:Pj/Jv0KxBi7S2563Y7bY45Bi3cmrt05iuxtrjFrF27F0JP6BSyk:P7JVx+7cYHH5M3cS053LrjFrswPxyk
MD5:	0BC808A35C32957F3C115DE1593263AF
SHA1:	639DFF4394E4739E48B8647E24BF5CA055975482
SHA-256:	4807722EB149030D3BE8DF0D51FE0B0232CA618360D7982F637F9560A00488E2
SHA-512:	158642B2FAEBF5901781BDF56A2BE7E7E21225CC48A6AC0CEFA5A463B95466792868843A96BB975A9E0076225FA150BE66B0DDC25ED88C60BDC76B2F18E9A32A
Malicious:	false
Preview:	.PNG........IHDR................^....pHYs..u0..u0..3r.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..^.IDATx.b...?.(..C.....h.......h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!....e4.....L..........X...A.H...(...1?.s.1'..B.....@...?..{ ~....3<..O.......@.nE....M... .....Ag..>...&R. ....@......%..... ....../.W..8....@..&`....L..@.......(...H.....T.D....@\|..;.L..Gc....h.'..N&Pb..b; ..&<.\....E/...?.D..H...C@\|.........4".00.... .L.....5m2./Uq'bF...X.../.......Y.A...o.....@~.. ..Q.1.Hi._.q.u..%^..5J.(....qA.../.yy..6....7....m....E.@$.D..t.c6...Z....$S(..../..#.......U.;)a..Ms!g...........aX....}.WA.....%..u........"]Z....H<.x ..j0H....?w...~...0............CmJ.Y&.t..h.Y..}.)K..sG...O....~......A.....ms.1#.:....%7.....]O....{..a....W...B.i1..uBO.(%,....&FfV`".a....ca ..&XP........f.6..C.......o`...L......o.^.&.G.....'...XJh....Y...&.7.1...h.%``...&.H`:..r.1.-..L..,...UEE...

C:\Program Files (x86)\ClocX\Presets\Apple.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	21840
Entropy (8bit):	7.867040497269375
Encrypted:	false
SSDEEP:	384:5tGsRrRU7jBNZv2+ytf2IbDeKuY2PDuRuxm6Cilnov4fsxqZlQ:ukRANuHlzHVa0i9R7sxz
MD5:	17A826CF3E44BE13DC3D3077BCE71456
SHA1:	2B4067840DB9403BC4DFF49DD0B4CBC686830003
SHA-256:	3E693BCD12D1BEEEAE1A419286539DADCBAAA970DC39EC0E4C928431B89684F0
SHA-512:	423DA5BE9D159473FEB5A3D5718E5DCF45BEF5800CCA64C4D9A37C852A0BECE919209B328F75DAEDAD6D850B8B79A90C72D6086F92349423670C9B5CAA793679
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..T.IDATx..MJ.P....4I....UZEg...At..=8r.b.....33.:Q..(..Om^...t....f....\.h....:..w4...:TrF..).O....6...%...N....H...#.^@..FX....l......j.5.U....9.... ..9}@.6.EU..z...O.oX.......w.Q.........Z.......".....'.<.........5...K=_.$z....'.~.!.X.F.)..N.@,...oWn1..Na%;&..CN.....e.A...../.....g.~.}...........h4........d...V.A.`.s....bdbf...7.....RL..........._.??>...j..L...4.....~p...C@6.....K....,...@..Hg........=.(.0232p..\|.A........... .F...R.._u.!..6..D..y9`,.c... ...Z./0.r>.+....3..3..........l.0..... .F.....g..-Z./c.....l...7L..,P6.B`D3pq03..1..01\|......?......M..F._.HI0..@..&.....].......Ll..H...GPq..............AR..A.....?..>.c.....??>.....7P.;....M.......h4..E>.;.)..../5...K.\........,...T...NV..1!v.).....vp...;0n...~...............lP.a.`P%....&...=.....7....=..^3.....................g..be...b.....\|6p.................><y.t..R..o0....hX$.FFfh&....K.....

C:\Program Files (x86)\ClocX\Presets\Aqua.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 116 x 117 x 24, resolution 2834 x 2834 px/m, cbSize 40772, bits offset 54
Category:	dropped
Size (bytes):	40772
Entropy (8bit):	4.180879268207736
Encrypted:	false
SSDEEP:	96:TWMaS6iyEE7D4blhUraVHX/6bLtqUtC8D5zd8R2YuIHwD555D51vyRI/Bke9HAmx:TWuVy+mVWIZWYKmJ
MD5:	F80744C019A522AF5A4BDB6B9D99229D
SHA1:	FD7067AB7257FB030B05DFDECE58C7CF532160B6
SHA-256:	BE88E238CD1428C247D1D9E8504746D07A564C75D0F82173A4BBC38BF64C5E14
SHA-512:	EECD1A42F5E97F4D4EA045A64B1176AEF91B9BFE7F57D4DE19EBCBECD50B5EA4E269C62F1C82AAE155573F1676314A0366EF512687CFCEA805B18DDACF831A40
Malicious:	false
Preview:	BMD.......6...(...t...u....................................................................z`.X7.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.H%.F".S2.pT.............................................................oS.C..f@..b..........................................................................................................................................................................................j.nG.J%.fH...........................................N(..[.......................................................................................................................................................

C:\Program Files (x86)\ClocX\Presets\Aqua.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	30483
Entropy (8bit):	7.932354142916476
Encrypted:	false
SSDEEP:	768:3fQkIoTw9vw5VugTvrBRCKbhNE3uJJD1GYP71q:vQ6CIVuGTvhbLE3iYqq
MD5:	73E7B2F60F8AC6FDE449861AC5484755
SHA1:	FF314467B04E04A70C2BCAF2C5E65C1C7B5D9274
SHA-256:	81DC5E6439F08EDEA70408774E1195FB2D01BE1AAE88B0A157EB7E8BC342DDA3
SHA-512:	EA9A4C1A3F9897AC96D3A3111F6F1D5BBC32EDAE25B4D69FD47144E5FE5970823C3FCF81D45EBB950BDFFB16CFA5CE0963F220F08BBF942A0BCFCAA025A0CA64
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..v.IDATx.b...?.(... ..........D...=............bddd...@..H3A.....@....3......3..33...^.bX.l..'..b......b....faaQ.F...........-...$.L..@6.01p...131..P...?...H~..O@......_.....m`.x.....-{....a.n..4$K.>>>..N.&6v6...Fs^^^.A.Ac`...#......._..}.{.......3032C. aF&.&&Fxb.a.9...........(....>^.~......~...LIi.._.~.......>......!..,-,A.....n.......3`...9.........A.....e...?,..fb.E0...'.&pB......D...........33.L`"....\|...;{z.zO..w..80d.. ..D........uvr........:0..A....,...H.. 1P....:(.Ab....rPdB.A...L.H.I.0........@9P....4(..@h`"..L.7.....n^.z..;w..". ..m....g...Vt.s........3....?...#......e.../.? ......g.dm..?...~.K.?..@."%.P...y......XYY..X..........889.lH..1.?.f..eaa.'$.~X).2C@@......\|.r..]...\....;w.e8..`..q...(.. 1...p..I<........Vx.m,..f.a....p...j.1....8.......D..4.-.......a......\|.....0..Z.c..W...J5t}.....[..N....0........Y.!^.H..I...@.A.....A8

C:\Program Files (x86)\ClocX\Presets\AquaB.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	962
Entropy (8bit):	4.5949957780877515
Encrypted:	false
SSDEEP:	24:BEIrIA83TORXFB01rfjkpWdGm8xiF0ZJGi:BzucFKuMdGmEZJp
MD5:	1A89EDBFD22BA1D75DD1B647D14ACF19
SHA1:	E2B42F0A5751BE735F9F1C253B1054DC0A21818B
SHA-256:	69E4CBA68588981E07949CF2B90D506F7139E5DDEB0922D84ABFECB6ADA8D666
SHA-512:	CCB1472901B66F0F7E24F57F1ACE692972421871B2B039202948126A2F007155CCDB7424B9FC1E80017870F1524ECDA1AE6E452E9678413B9CF8101ACE0D6F9E
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xFFFFFF ;cut window by this color (default red)..ShowAMPM=1 ;show AM/PM indicator (default 0)..AMPMColor=0x00000000.;color of AM/PM indicator..DateColor=0....HourColor=0x00000000 ;color of hour hand..HourLength=33 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x00000000 ;color of minute hand..MinuteLength=51 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x000000FF ;color of second hand..SecondLength=55 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand....CenterX=63 ;center point's X (default image_width / 2)..CenterY=61 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\AquaB.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	30483
Entropy (8bit):	7.932354142916476
Encrypted:	false
SSDEEP:	768:3fQkIoTw9vw5VugTvrBRCKbhNE3uJJD1GYP71q:vQ6CIVuGTvhbLE3iYqq
MD5:	73E7B2F60F8AC6FDE449861AC5484755
SHA1:	FF314467B04E04A70C2BCAF2C5E65C1C7B5D9274
SHA-256:	81DC5E6439F08EDEA70408774E1195FB2D01BE1AAE88B0A157EB7E8BC342DDA3
SHA-512:	EA9A4C1A3F9897AC96D3A3111F6F1D5BBC32EDAE25B4D69FD47144E5FE5970823C3FCF81D45EBB950BDFFB16CFA5CE0963F220F08BBF942A0BCFCAA025A0CA64
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..v.IDATx.b...?.(... ..........D...=............bddd...@..H3A.....@....3......3..33...^.bX.l..'..b......b....faaQ.F...........-...$.L..@6.01p...131..P...?...H~..O@......_.....m`.x.....-{....a.n..4$K.>>>..N.&6v6...Fs^^^.A.Ac`...#......._..}.{.......3032C. aF&.&&Fxb.a.9...........(....>^.~......~...LIi.._.~.......>......!..,-,A.....n.......3`...9.........A.....e...?,..fb.E0...'.&pB......D...........33.L`"....\|...;{z.zO..w..80d.. ..D........uvr........:0..A....,...H.. 1P....:(.Ab....rPdB.A...L.H.I.0........@9P....4(..@h`"..L.7.....n^.z..;w..". ..m....g...Vt.s........3....?...#......e.../.? ......g.dm..?...~.K.?..@."%.P...y......XYY..X..........889.lH..1.?.f..eaa.'$.~X).2C@@......\|.r..]...\....;w.e8..`..q...(.. 1...p..I<........Vx.m,..f.a....p...j.1....8.......D..4.-.......a......\|.....0..Z.c..W...J5t}.....[..N....0........Y.!^.H..I...@.A.....A8

C:\Program Files (x86)\ClocX\Presets\AquaLarge.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 176 x 176, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	46620
Entropy (8bit):	7.961746017021179
Encrypted:	false
SSDEEP:	768:Mfbx5EU99lKeGQVYgofZgJTe1mY3FABwXRfrd5Z3H0Yzf5VrZmX:Mft7seG3g5e1mY3EwBR5Z3Hnj5VtmX
MD5:	FD4E0D5D5A8A964E2B25D1CFEBE5A4A6
SHA1:	CA0A5D1F4D0D7910F6677113710278C766902AB1
SHA-256:	2DEB821546723BA504DC12614B388CFBCCB785C74D7C5EC04033E66642187771
SHA-512:	8EC6DC56990120818357C0ABB7C1F95AE5E5108BC8B3D3858236E42FCB0B84CE14D1F322C298AB8B242575F00E5B9D5764570D8FA9326F8EAEB3B306A91B5AE0
Malicious:	false
Preview:	.PNG........IHDR................^....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F....IDATx.b...?.(..C.....h........q4.(.3J..?..(....h4..........R.....,.r.,.2L.L.....@9Q _.H..1....'#.#;........'.......d.....{..k .%........?......3.gH...h.....h4..%R.ajj.4e..].v...V.M..&0Q....0.#41.S..0......2F& .5x...... .........m .....~.....\|........O....8.o0...f.l...L..,,,..L.z.H.........B. ...HJ.D.I.............. q....#%n ......@.....i5..SP[Gt...@.#....v.Z.yyy.fffk&f&+ m.L..r.}d.....0q..%.. .?.....0[....?...$~&&fp...%``..'`.. .d.........l.#8A..&.S@;..."G.<xp.....Z..... ..GR.]0o........u.&.{`B.B.... .4,.2@.)...JC............Xbd.$fP.........a%6..\......R.o.@3...k..\|...?..^.......HI....8....}..999.....HLA..n.B.)..&FP.........f.r.....9..p...JX01H......Nx....D... ...'Z&hBf..L.......Q`..X2..v.w...}........p_.7..0..E<2......kh.D....Vg......i.V....y..`....1..:.c.P....PAK..BP.sQ.}....A...c...& x.3..`.b..4..O.m.....#..j.....}#..gJ..{...[.......A.

C:\Program Files (x86)\ClocX\Presets\AquaMade.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	27995
Entropy (8bit):	7.902628308729259
Encrypted:	false
SSDEEP:	768:xp4+24RPlPmseLV72TgAUjwVq16Z9Xd12XIVVL/wUjJ5Vq:jpHheh7fvjwV2m9X2O/wWJ5Vq
MD5:	9AAE18427A5BF4B00F9BA4A58AE01A05
SHA1:	4D59CE4542295D5C2E5B9A9325C6191C3AE25FE7
SHA-256:	0DC9ADDA1AC844E4A8C3D5A9033B2EE35D1AFC81988FAA155E88308AA16D9499
SHA-512:	73CF29E377DECC34A31D5824E43EDD6050BBBFCF4DE8A33AB423C15122F6D7B93B7A3F7E7FBB3B3C9E1BB1951DE834D80FA69A02931546C9A1CCEDD8328009FE
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..l.IDATx.b...?.(... .X..g....9T...E...Y.(.....bI [...I.H.310q.i..F..F..?@..@.7........H...32...T..?.?.~.:.e...,.....P..............##..##..#...0)..=.O.X....#..".8X......,.....7......]....7/...tl.......hH%.`.0....3...12.X.....Y.........)!0 %.F.........L..LL@6X.l.E ..?...................@.>...u-._I.Vv7F&f'fff;..<...E3.?.....A....`..Vb@..H..2..`.$.&x..bf&.f&X......>......?w....PH...4(..#$[2j...311{.....Y.[..#.....#.\|.8.9..V........@..............X.a...d..`......m{..;.q...i..4...4.........\|. ....7.9................G..p.....J{..V`.....(.Y@..............^:\|....V`.a........l.. ..E..E..m@.#3k(0....c..K.G.x.....~.f......@../._..........?H..M,.L..u>.X..rp.f.D,.fae.cHi...%...f..!U.0...03.fa`.&...0.7....w...b0%....;..@...qYP\|..x.......W..0V........K\|.?11.^...;.f..)...g..n.Z}[.....M.......N.u4to... .G.1t4@...a.p.J#;..L....[m.L.k..2.).....\/...R.*.t.M..>d(z.r../u

C:\Program Files (x86)\ClocX\Presets\Aqua_Apple_Clock.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 100 x 122 x 24, resolution 2834 x 2834 px/m, cbSize 36656, bits offset 54
Category:	dropped
Size (bytes):	36656
Entropy (8bit):	6.288881463678386
Encrypted:	false
SSDEEP:	384:ovrz7c5apfURSGfJJsvMOO7WOhc4tHwOormPeJ7bEnb6f1ofnpapYR+MqV0yT:AZUzVOO7WODtHwOormPPU4nhuVfT
MD5:	9AB412A79776C5575EAAC0D8CB36C294
SHA1:	B8BD1945591A00235F5C8C80076F7B54C421AE4C
SHA-256:	093E1350402900EFAEE414D0506425A690A4EABCFD77A78A1979B2E072FDB083
SHA-512:	D6BB2EA1A8AA4200B054BB7FF65BE4535D57ED7EA3531C2802A116D7FDA0EB53134170BAC32993EA1E43B08BAF879967920C4AE6DA023D625AE92219770B89B9
Malicious:	false
Preview:	BM0.......6...(...d...z...................................................................................................................\|\|\|uuuppplllkkkkkkjjjlllooouuuzzz..........................................................................................{{{vvvqqqooommmnnnooorrryyy................................................................................................................................................{{{tttoooedd_\Z\ZY[YW[YX[ZZbbbeeeeeegggjjjrrr{{{.....................................................................}}}uuupppnnnkkkiiigggeeedddeeefffeeefffjjjsss.......................................................................................................................................\|\|\|ihgjbZygV.jR.lP.kO.kO.kO.hOycOl]O`YQYXWccceeegggmmmttt~~~...................................................~~~wwwssspppiii`^\f]Wl_SwdR}fR{eP{eP~gRxbPh\Q[YV```gggkkkuuu....................................................................................................

C:\Program Files (x86)\ClocX\Presets\Bahnhofsuhr.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 129 x 129, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	30183
Entropy (8bit):	7.905187050462904
Encrypted:	false
SSDEEP:	384:iJ7Z3xRpqfyMY75H8OWTuMcSVp4yiuNtv9lPadvB5iAR63e0MHAFq/zVIe+c9NAD:OZ3ReyMgFsuMlHFP9lyF7vkqOtwrY
MD5:	194E941B01069DFD6ADAA0EAE5133FD0
SHA1:	320DD2E272DC6AB8F96C837262E2AE13330F50A7
SHA-256:	02696689D1EF5B7C77CE40C439CD6D9BE7F4ABDE14B59F52297CD113955B6947
SHA-512:	727A6C4142D8E1FF0D41D16BF704448303B1DF2DF00EEBCBB1E888C09D2C2043518EB828FAA3006A3D71ADF914EF6B1CF2EB70D5F7C4F0C2B7408DDAD6424CBA
Malicious:	false
Preview:	.PNG........IHDR...............P....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..u]IDATx.b...?.(... ..F.`....h"......2.=... ..f@....$.+.?..O..b.F......lf46...&,........P............. .X.x.gF. ..zyy.YYY....*......Kqpp.333.....i. ....4._ ............?...?~....../_.<~....C...=r..;...@....%..H.c.%...b...E....a...RuEEE.>>>]...Mnnn.`..#...D....!....FVVV........4...?0..y >010@....LLL.......(.........^.~...So...B..`.c(....4...4.a....zzz....6....H7.F.>P.... ....ap$....`...Ps...R.d.\..N......d.F..(.......q.....M.v....A..4A..bp.... ..]"@..."......,%%...t+`..r7rN.E ..r=4..l.<r..".V".h`5.....(@.$.K@0;a..@b 7....w...s......@..@...(~#....t...A...r=... ..>..T.......w...V....A.....`E:........o........>\|`...+...g...;...Y........P...Y.@3.r.......\..yyx....1...1....IIJr...6.....`%.....{......<.k..w..~...H%..T:..`.lr...(.t.I.,lM....x....q....#..X".P.W..7..I.y..s.L......"..1.(.<.!..q...X......E..E..PU..Y.Q@....\|.fD...M.......@...

C:\Program Files (x86)\ClocX\Presets\BaiWeather.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1538
Entropy (8bit):	4.912643629219799
Encrypted:	false
SSDEEP:	24:BEZrGXE5lr9BxjTJaKhVY/hTOLX01rfXkpFdGIo85bifKzo+ibQ0Wd9iBxLuQI:BkqyllTJfgt+vdGJszohQJTiBxLvI
MD5:	D4F3C4B3EE12CDDFF6A83E9AAA565B3D
SHA1:	696F89C01B34E6DDDA7035ED179A8CBB4D7043D9
SHA-256:	73DDEBF290683CE599E79003F95A804E17498ED4403D10CDC8B2092B4308A4C9
SHA-512:	72C3CDC6045DDEC39718951AF431989EC88072458605570C5630BAA9D34A2A2FA917542F8CAD785C09AA642624C086A64DF1366D2FE2E91F79BF6571D7294376
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xAC6C1C ;cut window by this color (default red).....;not used with PNG in Win2k/XP..DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=10 ;size of AM/PM font..AMPMCenterX=61..AMPMCenterY=88......DisableDate=0..DateColor=0x787878..DateFont=Arial..DateFontSize=12..DateCenterX=62..DateCenterY=45......HourColor=0xCECECE ;color of hour hand..HourLength=39 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0xCECECE ;color of minute hand..MinuteLength=56 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=3 ;width of minute hand....SecondColor=0x18c7f7 ;color of second hand..SecondLength=57 ;length of second hand..SecondLap=20 ;overlap o

C:\Program Files (x86)\ClocX\Presets\BaiWeather.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 161 x 161, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33642
Entropy (8bit):	7.9898594034987465
Encrypted:	false
SSDEEP:	768:0+BKTCFpP9wB4YZfKoAf8qzfc9XIpV8JzO64:0CNwflfA0Afc4X8JzC
MD5:	796618351AEB1C80C1FEF6579990FB9F
SHA1:	896ADF790D7FAB3E97079C4E5CB461A45B821AD3
SHA-256:	CA04C21BA94D6E432C436A26FEF81609AA40C783462624CA191DB9710FC84750
SHA-512:	21BD6661731B0481602D6A8D5985137EDA95648FF87A11187688853F899E352EEEA12CF8EC70460E2930E10E85FC84E569B5D5656FC038D8359FEC72791AC7F3
Malicious:	false
Preview:	.PNG........IHDR..............Q....+tEXtCreation Time.Thu 7 Oct 2004 18:56:56 -0600...{....tIME.......]......pHYs.................gAMA......a.....IDATx..{.eU}..k?..>f.sg.y..(.Ff..."...i@..iM.6`c.....?.?.........m5E.Tic...DE..2#`G...}...k..[..........=.s........w.u..f....................pEG\T...l&.D&.5Y.r.-v...R..JW.T...W^p.H6?......4....3[]eO3R..Z.U.1.iWV..Y....Z1.J....:.`.M.0.'..Gk;......;.?.........ZB...\|'>2Wm......q;....fK..CUX....V. ..n....A,AU.?.4"U..3s..Je...@.h...p.k.'..R..U'F..5..3u.>: .[i.};..p`b..M....._...9.....r.\u..(^W...b.eU.;.TeZ...'..4....lI&.$..&......8.C.H^.b...v.v(!.Z...JR.R:8.S.Y...%,...N".L.H..z:..X:.v(e5..$...v....V..}./n.q....~./.......o.O?.-U._.l.;.ewg..p..L.......".,.qa#a.K....".r.^.."...r).9..^....).6...b......Xr..B4.....PL..JP.%......ZJUK.8...~.n..;..............{...._V.:....O.Wf.....//..7.t.....I..@V.\|..VQ?.....)...(j..J.:..1\|.RXT.:B3L...\|5.gr...A.-?7...m.x.C.."......:.%....$l.2r.....&}g....i.C.-."q..4R

C:\Program Files (x86)\ClocX\Presets\BallClockAmber.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 104 x 103 x 24, resolution 2834 x 2834 px/m, cbSize 32192, bits offset 54
Category:	dropped
Size (bytes):	32192
Entropy (8bit):	6.83338253674313
Encrypted:	false
SSDEEP:	384:Ds2SUYkFxoF79oRKLcX/uWL8Owlk75v9h2y/rrftfLDdOKVLB0lGuRsUxlIB:g2YQXRKL8/wM1Yy/rrftjPLB0wuRsSIB
MD5:	13B2CD8AC7C2041757E7F8133F3615AC
SHA1:	421F8E88710E56BE792B4E2C5CF7B80F2DF9FB5F
SHA-256:	C07DA73ED598A9E0C3064791984360B211031CAC9B42A42EC50C1EB7E5C12B3A
SHA-512:	C53537E84E7C9560EA2BB963D696B18A968A8F94D764C46A52E6E3419F0AA8628DDC315C185D0F3799D6585F15EAD807B125BC708CD393FE4402BF0D831DE2A5
Malicious:	false
Preview:	BM.}......6...(...h...g...............................................................................................................................................................................w..o..m..j..j..l..o..w..}..........................................................................................................................................................................................................................................................................v..i..b..\..[..[..Y..W..X..W..V..V..V..V..V..W..W..Y..[..a..h..u............................................................................................................................................................................................................................................u..a..Z..Z..[..[..\..]..]..]..[..Z..Y..V..K..@p.V..W..Y..Y..[..[..[..[..Z..Y..X..X.._..s...........................................................................................................................

C:\Program Files (x86)\ClocX\Presets\BallClockAmber.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	18400
Entropy (8bit):	7.856496562747338
Encrypted:	false
SSDEEP:	384:5td1uc5PdIUsIhMmNNRTHzhTjXQKnZVwIvXTY4XhP+e/Tsjf:fdooNlNAmLXZxP+eIjf
MD5:	C0B3CD6A12D50F9CD681BBAA03015423
SHA1:	DB1EF651280D3B37A279D1F56BEA4959563BD46C
SHA-256:	A7AC46F2D7C9FEA9C99F356A18D4F3D4814DA0D93584209C69E8BE36BFD600CE
SHA-512:	BAAA73846A66D7F28C7167C8E57F2B122EBCEB772A09B01984E151292626A469126003DDF707A342E760D035C304C3371A5E3ED890E28BC66D5679071F53D45A
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..GVIDATx.b...?.(... ..F.`d....M.#....h.... .F......4..F8.. .d.##.H.3.....=..{~.....>......".s.........@.%.p E0...D.-..?.z........s8#.6...?......C-........".I..KG.AJ..A...A...A...A...A..@..?.N.J.h.....w ~..?........p..o..o.3<.......H..C.d....P.`.t.g..c.S.b..ec0`cf..F....#... P..L......?..W.Dq.._...1\....K...".=! ...........pE<..1(..3.p.08.01.../..g.W..}........~.'%P0p.)30q.0\|{r......zT.......g..a8..#......A..... ..c.@.x&...+.........`....7...~ .O.....[..~?.......p../..v...5M...{....0..O(0....._.1l...a.....`K..q..@.)....RK.].>.pN..@.3...j."........a`....AM./C.Y.......R..jo.gfx...A_.'.g`..~#. ').`.u.\2.GD6..J.@.g@{.?....8........ ..C......f..d0..fH`ca....b.tF.H..p.J2..+2.I.1.J(3p.0...3..Z%"!.o..P^R.........p..i.]M5.f.....}cX.r.............d.....W..............?.........._....g8.L...SB@.s..b...=...g..x.`......FH...h.G>..q.2.).2.i.0.jX1..j1p..10..

C:\Program Files (x86)\ClocX\Presets\BallClockAqua.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 104 x 103 x 24, resolution 2834 x 2834 px/m, cbSize 32192, bits offset 54
Category:	dropped
Size (bytes):	32192
Entropy (8bit):	6.731943420864348
Encrypted:	false
SSDEEP:	768:Hc0SD1wzFxbmt9DT8vkbZKHrI2mmLyKBRygYK0s:80w6ZiSVlbyKBbYo
MD5:	25F334F4A79DAD4448C324BC0200F02D
SHA1:	306892204CE74FC72E197788E4ED03270574E889
SHA-256:	93C5D3A982E8BD1E17579D41A833155E5BEC92FCF2063D6E14B9F7E8F6FE4613
SHA-512:	04FD745EFEC76FD83356C3F7EE7DFB6676E966FFD80EFF7C1E86784B4D0B08530052E0C8CED07BBEAFD114C410A21484E34CBBC31B84B7746E4DB8B17962AB39
Malicious:	false
Preview:	BM.}......6...(...h...g...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................x..f.....................................................................................................................................................

C:\Program Files (x86)\ClocX\Presets\BallClockAqua.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	18528
Entropy (8bit):	7.8611486566871855
Encrypted:	false
SSDEEP:	384:5DR08eJq+7lRlGCjOa1tplFiea2xb5xa3y7q28T:QXqCj/1tplkyxdxUyW3T
MD5:	31ADC20E79C6F0B4B4BD624C4960A24E
SHA1:	0DD73A3A8B5E8FEA8AAF86DF4EF8EF608EAC411D
SHA-256:	01EF0594D6B5E5E5C3C02475E1096CB9A307C40E167DD26D11BFE352C458BC08
SHA-512:	AD204A9088438012195F5AC8E1DF9FE78C3EF7416D8F9D36A5CC41998F57A47F7B3A47BAE7444EB70C7FB73726154985042F0A84BB350FDCE49CBFD83AE9B131
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..G.IDATx.b...?.(... ..F.`d....M.#....h.... .F......4..F8.. .d.##.H.3.....=..{~.....>......".s.........@.%.p E0...D.-..?.z........s8#.6...?......C-........".C..U.P..KT...W...M...E...I.....c...d.F.. ...2..3.{....c....0..\|....~.<.....H..C.d....P.`.t.g.6H.c...fb.3.F..##...#...S.@y62...L.....{....;.Dq...O.~..q....".=! ...........pE<..ZT(..(.0.r;02...= ..g._.32p..g`....'RR.......7;...?...g..G...j_......._...p.....wqD..L..q..@.1..G<.zNg.0tbd..cdb...p\...SHl..y./..2....dbx.G.(..V#.......l.......3.b....?B.....?'.............[B@.s...L..o...4...3.p....=..P".......X..>..$....d#.?.....[..&...30~{.._....../.0.J)0<.q...$.....8.q%.......m....W~:.py.&..8......pF<#.'3.M....T.#.....G.........`......A\..AN..AY..AQ..AV..A......O.)...'K...r...(.&&&.3.O1.j..mfc...?..U..6....^0....N.;.>1<~.........&........~n....OG.......`J..q..@,...g...L.6.:,.J......qb..L....de..g0..b0

C:\Program Files (x86)\ClocX\Presets\BallClockIce.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 104 x 103 x 24, resolution 2834 x 2834 px/m, cbSize 32192, bits offset 54
Category:	dropped
Size (bytes):	32192
Entropy (8bit):	5.985389961863382
Encrypted:	false
SSDEEP:	192:DZ8oIe45flGoS3iItFTeQsHyXw7Hmyak1v+1fveN3e9Iy6CGCMV6JgMuutekplCl:DFRSItFaQsHyXw6kIqD0lwhI2uy
MD5:	6C0B705BDE7D2AFE37253E45524B729C
SHA1:	46BBAA392E19944FA0DC67A867D6BAB5C5FABE8D
SHA-256:	C0E1C4843953607594FA2D32CA85BD516D6BF19FDAC0C49F6D7C71702DEC57F1
SHA-512:	BC0F736ACA104903F6AD106A2875202B64C7A112B3F055AEFBE293547F93FB784E765B94B4A0571011E722162B7C4A5EB75A2FF4AB122BAB4427D3F94F7D1266
Malicious:	false
Preview:	BM.}......6...(...h...g...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................HHH~~~...lllhhh.............................................................................................................................................................

C:\Program Files (x86)\ClocX\Presets\BallClockIce.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12805
Entropy (8bit):	7.853853054587897
Encrypted:	false
SSDEEP:	192:WSOYiiwKNMtJKMvHuOoOHZofl5rndayVeTtVUEilpFe7mfWq13L3wHR4dv3O9THx:5Y6WnjHZoflxV634FKGWW73eSdveIkz
MD5:	7341D4B09D1030D1CECEA62EDBD8DE93
SHA1:	060A6A44ED3C889908824ED64B31888EE65DCA7F
SHA-256:	89A25A2C8D5A5B26F1C3749282AE1FECC42B690219D985392336747FE1A550FB
SHA-512:	C2AC9391085B96E8CCE8A0F0C76B3817034B25B0E7D5F353A72CE92D30BCBC63D38D0844B25A82F5FA4390077FC5E3E4F0EF993FF9A8B6BC16979E618AA93F17
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..1{IDATx.b...?.(... ..F.`d....M.#....h.... .F......4..F8.. .d.##.H.3.....=..{~.....>......".s.........@.%.p E0...D.-..?.z........s8#.6...?......C-........"...KKSKJHHH...K...U...Y....]....H.......w@........}..o7.{....k...>...D.9.J.....%..HG.x...1%%%m....`d..#Z...I..'A.<..v..........&.;.Dq../...wu.....".=! ...........pE<....)....prr:....../..g..a..>}.. $,....W.6V6...}......F&F.^.^.`.a`cc..6.....=.......<>2k..8".P&..8.......#..=.kii9..u?`.[@s8........./....2p.s0.Y.....AWW.,...+../^.c.?.....<}........,...%0.....`u...k......[B@.s..b..9.%.ssru....988...!.+..1......?~0.K...7o2....s9.\|...ABB..h>8p@.lfHKMc...f.V....a$;..U.'??.....3....O.>]9y.....gDK......@........f...1...K...>@..b.tP.!G:(..................,0.......PWW.....N...g...f.....>u..CFF...s..x....A..?3.s9J"...6.....,q..K..S.N9.Lx..S...f..b.....K.3.s....l&0.....-..".TW...3HJJ2H.K0...0......7.u;....

C:\Program Files (x86)\ClocX\Presets\BallClockRed.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 104 x 103 x 24, resolution 2834 x 2834 px/m, cbSize 32192, bits offset 54
Category:	dropped
Size (bytes):	32192
Entropy (8bit):	7.056071030869739
Encrypted:	false
SSDEEP:	384:DM7J9t2ORX9hUmbPtJ4T9oF4UeMPNShuK/3mNvQTgUX:w7JPX9hFnoiF4UeMFeum04Tgq
MD5:	E26AD55938AE56FEB11B2450A5A02B0F
SHA1:	5436A23577C3F33038963C8F44D8BEE50DD5FCCF
SHA-256:	0FABBE61F9E6638B396FE35F2A02CCAB1AF7D2DE40E284318565B7983FD58408
SHA-512:	E07EF075F6833C193412F41F0F5B235E76759FDD70CC8126FBC68BC3689C369BFDE7795356D7A6EF826C70F57AA879A6FC698EDEEC41D6E234D006F647CC90AF
Malicious:	false
Preview:	BM.}......6...(...h...g...................................................................................................................................................................................y..w.~v.~v..w..z..................................................................................................................................................................................................................................................................................}y.xt.tp.tp.un.so.sm.ul.vk.vk.vk.vj.vk.rm.rm.ro.sn.so.vr.\|x.................................................................................................................................................................................................................................................us.rq.rq.tr.ts.ut.vu.vt.ws.wq.xr.wo.zn..p..sx{n.xo.wo.vp.ur.ur.ts.tr.rq.qp.pn.pn.rq.............................................................................................................................

C:\Program Files (x86)\ClocX\Presets\BallClockRed.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	18975
Entropy (8bit):	7.848170374392596
Encrypted:	false
SSDEEP:	384:56UKEwcqBzASUGvcXbSSnUWCi6WExgCY9vgHA:Av8qBzAfGvcrSSnUX3XK
MD5:	48C63E4358B3C3747F617A6B636ACD74
SHA1:	E22EB43B6E4EB4BD758BC3F8A07CFD4589A2B616
SHA-256:	80D565FDEDC4640C7F0C1086B53B0741449770899122EF1E4BD718CED53F2523
SHA-512:	942AC646B29303ED8CB73153466AB2480B48959A484E831CA3AD7FF77EB01E16ED1D2EB5150BB9AEA0B095DB3396896E91F1F1E1EE4C75A7362A731840387B85
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..I.IDATx.b...?.(... ..F.`d....M.#....h.... .F......4..F8.. .d.##.H.3.....=..{~.....>......".s.........@.%.p E0...D.-..?.z........s8#.6...?......C-........"...K..YJ..Q......#.....,...8P.....H......@.............p.+..w..?........#".p.... ..B..-..#.1..]L..I......Q......b@IA.<..v....{`.x......../.a.....WW....)....2.1.K.......W..q....,#..'#..0+...%...;#..\|...@..>.B..!.&.eu.F>.....20...V.9W..(..........x...Y.~.....2! .9@.......L.9].............=......0...a.X3.A..^.........y8.c.C.&6v.YIN.....o.......3P..L.'.............[B@.s..b..9.%.s.8t....9.....R.".[=....y....1._>..6.'.0..0r.......2.g.`0.5..3...A....~......f..&....j. ....gd..`fyf......+'..q....-!..v.@.....g.s002.s..12&.10...y.c...\|&(..........<...*...".........O^!.A>...r.....B..20.5.z........w.?_>3......C..e.,..2\|.{.....^........T......W../............9....e..z&,.....l.g.#>...k0r:..Zg`..a...a...d

C:\Program Files (x86)\ClocX\Presets\BigBen.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 254 x 254, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	52018
Entropy (8bit):	7.988592195271539
Encrypted:	false
SSDEEP:	1536:ycHNm1xLbHcKpCtCvfMw3kGMZ2Bc/p8Xp:Ftm14C30Gw2Bc/p8Xp
MD5:	20F7051C41230A7C304AE9FCC2B1672A
SHA1:	6F601C41AC367325375DF553EC8C3E2907A4A6EF
SHA-256:	69274CC505982E37F5CC1CF478775E4FE5CECE83AB1C836E924C4FBC702391CF
SHA-512:	8ABBA59074E457AD058564B37A879474E5DD7BE2C5B92C5534FC0B87E8112D7F7C0B1296056BBDD5F15F73B7E556618FCBAFEC8D059D5AC95685122EFBE0A6EE
Malicious:	false
Preview:	.PNG........IHDR................Q....tIME.........'O....pHYs..........iTS....gAMA......a.....IDATx....]gu...rz/...F..l..q.`0..@.@..Br...~o...7......@(...W....l,K.z...9..}v.k}..kb.R.l.,=.9.Sv...U...MiJS...4.)MiJS...4.\|..\.@S~1r...N...J..Je..b.ZQ...0..2l(.....o..p$.D...X...8.6..S..l........@.<.y..C.8u..,.Z.eMG.V.^...U...jQ..8.m...B.-X.N.k0. \|...1/B!..I..:..r5z..a.%..C.h..B.......9...N...;w....n..p..t+R..b.."..ZZ"H%..(".... <..L9... .K0....Tr.1?=..L......Y.J...9.."d....m...v.V.l..)...x.H.....{..;.......p..)he..d..G.`.;.X..Y.d.X\B.e...~.t=D[..`.....K.>.%.a....@..C1_E...azN.33..9C.......^.."%...-qgrz.V.eS................?;._EG".B...X.q.b..fy....;..r..../p8.\].]...[...Z....w.\|....q..A.6._6.......g.b.@..X6[(..4Y..V......G>....b..cHE.p.a.Z..N..n..E..4m..`g...9...\.6.....T.G..O..}.o..o...r.'[;..S8zp...<...)g.U...m.v.w...\|....B.R]....x.I../3.?.m..o.......uW^...;..-..._m....$\.2..T..6@n._+...f.{.&.k......^...g.........[0.1.;^.=.<.@..]....-k2..

C:\Program Files (x86)\ClocX\Presets\BlackAppleClock.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 117 x 118 x 24, resolution 2834 x 2834 px/m, cbSize 41592, bits offset 54
Category:	dropped
Size (bytes):	41592
Entropy (8bit):	6.224189134230555
Encrypted:	false
SSDEEP:	384:eXNleXJJIKo5QHHHHHHHHaHHHHHHHHHHHHh/+tMHHHHHHHHHHHHHHHHHHHHHHHHd:7XJJt0ZlN1uBaCAv1hEPWU3c
MD5:	12232B20B415DECC653B6BC5B9F0DDDD
SHA1:	E63540F2F7A39603DE5B4AA212690DBA028A2F42
SHA-256:	CDCAA8879D4B2C318F27CE0AB3048061A71E0F1050090BA53C54562D175DEB30
SHA-512:	6994257DA58D28A185DD212858EFA4D3C1CFC1CD57F1BE43C2693DDBDE2D688668C043798773CE933FBA202D74BAD0D6B90C6806A483AD6A99068CA938E0F3BD
Malicious:	false
Preview:	BMx.......6...(...u...v...........................................................................................................................................................................................{{zyywuttsrrrqqsrqqqqqqqsrquuswvuyxxzzy.......................................................................................................................................................................................................................................................................................................{{{vuuoonjjifedcaa^^][[ZYYXXWWWVVVVUWVVXWVXWV[ZX\[Z]\[a`_ddciiglkjqpputszzy.........................................................................................................................................................................................................................................................................\|\|\|ssrkkjddc_^]YXWUTSQPPNMLMKKKJJIIHHHFHFDHGEHFDHGEHGFIHGJHFKIHLKINNLQQOTTQXVUZXV]\Zba`ffemlkuut~}\|.................

C:\Program Files (x86)\ClocX\Presets\BlackAppleClock.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	24027
Entropy (8bit):	7.908755071537191
Encrypted:	false
SSDEEP:	384:5fOprdUBSqoJzEJzpXqIVCiBZ75lAIy9Q/Z8RpzjLn6itBtIOe4HY85Y+KeFz:ROprKPezA1LVCiJTZ8RpvN+OemY2YGFz
MD5:	EBFD13181F171F5E71D710A6EA9F129B
SHA1:	E435734C679F3D7360B58498416703E63B41B699
SHA-256:	B30B748AAC01BCF421013976B3BA9DF1DA074077D35773624E5B2411D7E49B52
SHA-512:	BCD11A5F1861AFF7656F9FDB9D861CAE038A3A186C0B4163011C18702E687BC6988DB5C5F54F49774F38DFB2F42ECD925AADA31A0D423A615E52BAC82A1086DB
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..]QIDATx.b...?.(... ..F.`d....M.#......Z...(.fw..&b[.J$(..A4....R..x.....7..l...7x...\f`.\|.....RJ.(..8u..1.EQ`..@....R...1..s..T.".#..C`).:...g&..z.e.>........z~.....7.....6.[h..$.;.3.....o.8...;.!...F.....,$4.vFc.7...G(.N.^-A......{w..m....TU.0........Ia....f&Z.......DRz.NK7]X../1#....G.y..2.........h...q.....7....d..R...Q.V.. ..."..M..C.....9c...~....,..H!..4....v=;.8_.DG<.&.ue..@.CQX....-<.......^..Q..B...;l...{...:.\..8.4.$..;tn.R...M.%4j..v../,.4Fl.%g..J.Y.._....q.V...`...oc.9.....S.Z.....A,.p.'.z.O....""Z.._.4...#....L..f.F./.N..^^>->^.Sv.....k..=..@.....?L.?\|.........&..pM...X.E.?Pu..w&D../0........%4...._...F!AA36VV._.~....l,,_......%p....7??../.?..hm\|o........,..........&N..\:..`.Zr....Ei..X.[.=.{.7...z....4.<@.? ....(....$.....\|bgL'...L_..z[UK!....\ 5.x..W)ey.A.....A8....DR...@........m&..{.CH#...."...].K.!8;......f../..\|k.....S..!

C:\Program Files (x86)\ClocX\Presets\BlackBallRoman.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 129 x 129, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	18261
Entropy (8bit):	7.972349901067941
Encrypted:	false
SSDEEP:	384:+RTsz18O1aVoTRG/gB3OySclWba32Z58aPY5I2YelngpOILTc/61ENvt:sm1TootG0Oy/WbqlFI0y1EBt
MD5:	732674A58E6E96725158AB71D39D1AF1
SHA1:	19E9FD5080FD624A0BA53C23BE8939166431FE55
SHA-256:	2B885590F9C5CD14ACCF5066E444EDEB4DD5A678A278401EBE60422E93EEFD18
SHA-512:	1C32055BD5ABCEC2E898D782E65DC2C31E289B874D964292974E94671173BAB2900D58CAAC1E4C58234381E680B03582E53FE1CDCCC24839D575BBC0A200691A
Malicious:	false
Preview:	.PNG........IHDR...............P....sRGB.........bKGD..............pHYs.................tIME..........U.. .IDATx..}yxT...}..$....6....-...V...~U....Oj...~V.....V\J.].l.Z.....P..M1,...Y&.Lf_..Y~.L.7..dA._.u.+...3....r?......M.6.Z[[.....].vM.w.......T..Q.i...S.$.a.....f.....f.1I..>........:4s...3f.h.2e..s.F...x..>s.9.\|....Y..... ....t:...f.0,...)..{EQd.....v......g.;..<..S..w.?._.W.^.a.3.[wZoo.a8.@.......E..,#..B.$.\|>.....r!.J.j.".L.j.BQ.D"...a(...0`..dY....'...M.`.X..f. =y.....\...3.\w..g7.G.>.c...O>.....;'...$.M..i !.$.......?......c.=.....f..Z...r.Z..d2lRu]...PU..@..`.....o.6o..;v ..BUU...Y.... ."$Ib......}..._\|...v.iM...#p\y.K........o..ba..."f....ttt.....D.........w..A..fC*....(....lA..(......@__..N'.0.........c.v....c.m....}.X,.d2.8q.kg.y.o.~..5.1.<.__?{....hH.d..n..N0n..F.W^1z{{.EQ..0.t:md.Y....8..S.I.....+.H$btww..h....4.......#......F[[....ktvv....0.............4:::.C......4:;;...n.......0.....+V.3g.4...$1....~?....O.......

C:\Program Files (x86)\ClocX\Presets\BlackClock.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 117 x 119 x 8, 1 compression, image size 6966, resolution 2898 x 2898 px/m, 256 important colors, cbSize 8044, bits offset 1078
Category:	dropped
Size (bytes):	8044
Entropy (8bit):	6.168405619029834
Encrypted:	false
SSDEEP:	192:xSaertTTPSCkul+KvKPq+guw3NVvY5WlHBHnaXO1Kuk5hVR:xeF6CLlraRw3Na56p5rk5hv
MD5:	99997471274B4A052F0BBDF11EF4D52B
SHA1:	C66163666A712ADED3981FC62F6545EE26B37FF8
SHA-256:	6EFA274E645CCE1483C678FD22DF195413037A95681788DD758C5BB99AA92418
SHA-512:	BD2B2CA3161FE9234E3BAAD6ADBA7BA15F025D6031804FBD7E80695B2B210786CBAD178DE9946A20B585D2D306D44E8089FFC83F52B7703E41E0093D555CB8BF
Malicious:	false
Preview:	BMl.......6...(...u...w...........6...R...R..................................................................................................................................................................................................................................................................................................................................................................................................................................................... ... ..."... ...$.. #.. ".. %..!&..#(..$(.!"". "$."$%.$%&. %).%%(.')+.#(..%)-.)).),.,-.--..%+0.&,0.-0.(-2.)/3..3...1.,/4.+03./01.04.-26./48.112.124.246.456.16:.468.17<.789.68:.38<.79<.59>.6;?.89:.:;<.9<>.<<=.6;@.8=B.=>@.:?D.>@B.;@E.<AE.?EI.@AB.ACE.CDD.DFG.AFI.FFH.EGJ.GGJ.AGL.EHJ.GHJ.FJK.CHM.DIM.IIJ.JJL.ILN.KLN.LNN.FLQ.HMQ.LNP.KPS.OQS.KPT.MRV.OTY.PQQ.QQT.PRT.RST.STU.TUV.QVZ.UVX.RW\.VXZ.SX\.TY].XYZ.YZ\.Y\].\]].W\`.Y]`.]^`.Y_d.Z`c.^`a.Z`d.\be._dg._di.`ab.bcd.cef.dde.`fi.dgk.fhk.ejn.hij.ikm.jlm.mnn.gkp.flp.hmq.mn

C:\Program Files (x86)\ClocX\Presets\BlueAppleClock.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	949
Entropy (8bit):	4.621169578246485
Encrypted:	false
SSDEEP:	24:BE/Drm5b7OmTORXFB01rfukpWdGm8bCi51Pgi:B2H0XCFK9MdGmQ71P3
MD5:	C01ED0B8CF60FB8904628B963D903FCD
SHA1:	80E751986DF1BD6272F172E7EC84CF7A6BD00DD9
SHA-256:	7F10E7820353E7422FA95F9523FC4A43DACEE60806B025F37FD733A7DC6598FB
SHA-512:	A818305CB3623CB4A23F35BA8E84ACBA9F46AA51EAB01791444A99D76507CB222752B3F92528F7E9282678C94D4F32E26CDCDC4671FA9A07D52713817DFC30B8
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xFFFFF5 ;cut window by this color (default red)..DisableAMPM=0 ;show AM/PM indicator (default 0)..AMPMColor=0x201010.;color of AM/PM indicator....HourColor=0x501A1A ;color of hour hand..HourLength=33 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x501A1A ;color of minute hand..MinuteLength=51 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x553FFF ;color of second hand..SecondLength=54 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand....;CenterX=60 ;center point's X (default image_width / 2)..;CenterY=60 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\BlueAppleClock.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	28114
Entropy (8bit):	7.96802714586052
Encrypted:	false
SSDEEP:	384:5sCbXvMMC03YbV0tj3tx398ZUGY22JbWwlrFijLr+ZBmef/6/xRppPy8/b7zwkxF:/fMx03Oa+KtijLr+Hf/6JJ7zhxNJn+I
MD5:	674CF0106048DFE1BA8F9AFBC3840B48
SHA1:	7CB8AF5DB17DA0A779DE76CC96F4181F741B20EC
SHA-256:	03D0B14986DD3E58B69C15979712F323713EB11CCB095D9137A29C5A169199B2
SHA-512:	5F0B396E53070F471724487AC051C92F1732341741F917F840A070B38EF925122740E1DEB24F8807219718D1F6B51FCF1D8DFD2E38DC29542E1EE5EC9A770D5D
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..mHIDATx.b...?.(... .X...8...._...U..2..)2......73......(3..33.?F&... ........?&.S/........w...,..................Q... ....".....NK.#x.Ob..r.[.Q..s....i............... ..X.Z........B+S._2.AX....z..&..J.&q......c....Z. ...#p......].....@M..4..Atv.g.r'.8!.$.......o:j$D...D...Yv.5......i...lb..D,.z...I..e...,.Bzf.b....2...X...s.d..N......$.. ...E...E.[a.)...5.P..?O.....n4...Z.Va.s/..]...m.r.cG._[...e.)..x.....~..04../.U...xm.n...".x.......w3..Tu.....`..n....\R... :=.\|...E...........K.]..HDDC.g..Sd.M....... 0....I........vE.b..0Q>.T..rg.do=.......l$}....6'........s.=J.....^c.>F..`...t...h.ku:......f..kC.dm...L.Q..#Z..0[...A....h...DP...l"..b..l...........'...C..V...3C..JH...HZU.S0..K7+..-&..Fd.x..G...?.t....>'Iv?..O......E.....$a..;.9s..E.`.....Dw...u.Yc.........>&~...p>l.;.\|2.n61..2......W..O.+...0...\.4mQ.%.88uv......G.\|.g.I.A.]

C:\Program Files (x86)\ClocX\Presets\BlueBallOnlyDots.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1410
Entropy (8bit):	4.829360623424793
Encrypted:	false
SSDEEP:	24:BEarGXz5lrUBR6TO5fq10X7kpFg4SGIo8Ji4h3NPeibQ0Wd9iBxLuQI:BhqFlQfq1I4SGJmDPBQJTiBxLvI
MD5:	5ACC6F230EF671CD047E46010FFB5782
SHA1:	552172F52383E1C286E8B4C9D373165F511FEDA0
SHA-256:	420E912411E4CAC71F88F0485AD13D9AB40E513979C8C2E820B0BA70A1C9A843
SHA-512:	85D4388F35B93B0E82E4BB5BFFB56DA0A968EAAADC43B009A46F1F7FF03DE1CDA5BCCEDA0550424A86073F7F5DF49F36698E264DA9834BEB12139FD6A0877B32
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xFFF4FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0xFFFFFF.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=12 ;size of AM/PM font....HourColor=0x00BBFF ;color of hour hand..HourLength=37 ;length of hour hand..HourLap=-7 ;overlap of hour hand..HourWidth=4 ;width of hour hand....MinuteColor=0x00BBFF ;color of minute hand..MinuteLength=55 ;length of minute hand..MinuteLap=-7 ;overlap of minute hand..MinuteWidth=3 ;width of minute hand....SecondColor=0xFFFFFF ;color of second hand..SecondLength=53 ;length of second hand..SecondLap=-49 ;overlap of second hand..SecondWidth=7 ;width of second hand.... ;CenterX=60 ;center point's X (default image_width / 2)

C:\Program Files (x86)\ClocX\Presets\BlueBallOnlyDots.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 129 x 129, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	25218
Entropy (8bit):	7.984811192664038
Encrypted:	false
SSDEEP:	768:86rfzS40W3RuiRp5F8IdXo0t0WyfrovfU+TnTC:8aG4PRlpUjWMMTC
MD5:	3DBECAC206657C42196EB6258B85F7A3
SHA1:	F496AF89CAD84D2C09EA0121BC3BD5C5690A09EC
SHA-256:	589112537079C34208B56E728B61FFFECC514D898D37E45A4039A1EBBE1E0261
SHA-512:	BA3388F7B35BA75FE93872AEE939CFD03DE554B2477B48AF61A553DEBFF5BABBEED35887FF4EA89E33AA22208AE242DDFA6EA52AAF91A486CAA49E61604FB47E
Malicious:	false
Preview:	.PNG........IHDR...............P....sRGB.........bKGD..............pHYs.................tIME....."0.4.M.. .IDATx..w.$gu..9o.........D2..0.`.8-.W......6..k..8.l/.AKt..".,.....!@....G..hF.o.TUo..Q.}....e.X.<.t..].u........yG.......r......~..7^....i.=..K>tL...m.e1......V..df..V.e...e.....V...9......!..z.I.O:.;.}..n)....s../..}_.G.x.c....>................=.P..id..7.h3...RA4..r..{.VJ..$:.....c.E..=;.g......;.`...f.....>..3...+....~.%.........n...../.......~..w?....o;.(%...^........T$.#...H?T.T.W..t..F+...Hq...~.TC.J....Hw..=......M.\|..}..ocO{...c./}.Y._.>.3.v.........,...+.>.}...g}.......p....g..{..F%mp=..F........[....w...&....cpp..}...%...3."\|.+_e.c..{71.i.E..E..J.&...E.t....{.\......w...?{.3.r...........p{..?............VQ......?@......c$.@7.......ZN=..r....@[C.V.V.+&..#.H.!..zCl..".E......w........o....H.)..u).ePTH....z.hm...........w_........e..\|......>w..Q..FQ..Kb.Iff)....w.?...Y<>e.......n..kn........e.x...B[...@...@....[Y\..0*...

C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1406
Entropy (8bit):	4.815875038770773
Encrypted:	false
SSDEEP:	24:BEarGXz5lrUBR6TO5P10X7kpFgIGIo8Jim03NPeibQ0Wd9iBxLuQI:BhqFlQP1IIGJoYPBQJTiBxLvI
MD5:	D7BC067BEB09EE29E2FF239B39DBC1FB
SHA1:	26B5B966EE8872A2CB2FD038A8D9448826E77AAB
SHA-256:	3796CF0105972A785F485135ED1429B778EC9A3549A24EAA2796035F1D84E9D8
SHA-512:	83D283768A574AEAE44D1A7506CB0C006CE1A5EC15425805D2883C8B7F499EA270F56E3673192681F31E97A4252239FFF75CCB42A3898D2259D152C379068098
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xFFF4FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0xFFFFFF.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=12 ;size of AM/PM font....HourColor=0x00BBFF ;color of hour hand..HourLength=37 ;length of hour hand..HourLap=5 ;overlap of hour hand..HourWidth=4 ;width of hour hand....MinuteColor=0x00BBFF ;color of minute hand..MinuteLength=55 ;length of minute hand..MinuteLap=7 ;overlap of minute hand..MinuteWidth=3 ;width of minute hand....SecondColor=0xFFFFFF ;color of second hand..SecondLength=58 ;length of second hand..SecondLap=9 ;overlap of second hand..SecondWidth=2 ;width of second hand.... ;CenterX=60 ;center point's X (default image_width / 2).. ;

C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 129 x 129, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	26827
Entropy (8bit):	7.983277849645144
Encrypted:	false
SSDEEP:	384:+lAnQBTH+Yw2dXkWG+Tmd3mEw1p02I4Hl8bgFvJqdxtej9NgSBlhN7Qdl/2KnGgt:hQBr+YbFDG+TCvWrDFkdxto3HYiDaK+
MD5:	AD4C8EF01B22B7220BB0691E9C392705
SHA1:	B0A6835473DB5B3AAF5699450631BFF5A4204272
SHA-256:	15DD5FA2E9718DC6386E4B4620C1C1F173CE375604FD2D3D9C961F418051BB84
SHA-512:	0176E6F72D928DE575097BBF867B5AF17A0C0C649444D95C83470DC41CEB0B3BD30B1934AF2E661DCCC3D073EE0507F378E75C5798064A313C0A7A9D0F238577
Malicious:	false
Preview:	.PNG........IHDR...............P....sRGB.........bKGD..............pHYs.................tIME.....!%..ge.. .IDATx..y.dUy..y.....s.. 3.(rQ..c.\1..F.bL.jb..u.&j. .&.q..%.... ...2t....t7..>CM{Xk..........:...P{........_.q.G>9.....}..v.m.Y.Ht.)...o..<..U>.&.>...skc...&.j..{...k...6.8o.8a..;v.....O<..-.........y.s...x.....e.+...N~..<......t.{....a{rX........0(.....t..{..C.K.&....E....'.8..o.;g.\x.%.W.z..g0...;.W..........g<...6.....]s.eW\..k~...m...I7..7.{<.......X.......AJ")1.........^{.M.r...1%...#E.?..j5...9G.f.....~....7.....'..[~.cN<.g<.........?....,.z.:...\..o\|......H.1..].v...w8.4....[Q...&.>....c..b....U<..o.7...W..;;m..1......W^.5.....i.ZC..C.....`a\|.Q<I.y..T.QJ.y.../{.s.\|.O..s....m....?}.7_.....{..<...k......-:.i.......{...S.a+[\|.....!...0.hj..<."b.$4C...YC..t..$.....w..;...6.n.;....f.........$I...:.4.L`t..+^../...W}........M....'.t.%?...s._).nN(...8yVp....[.;....l.v/.S;......{..$'.{0?..9.b.e.. -....,1D..P.>!..y.Aa..,.

C:\Program Files (x86)\ClocX\Presets\BlueBallStd.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1412
Entropy (8bit):	4.835640392621879
Encrypted:	false
SSDEEP:	24:BEarGXz5lrUBR6TO5fq1rf7kpFg4SGIo8Gio403NPeibQ0Wd9iBxLuQI:BhqFlQfqeI4SGJ/4YPBQJTiBxLvI
MD5:	BB688C71A92147A2F5F7C60E9BFD6D4D
SHA1:	802183CBAF47321F3A9144F81C36AE4D8545D158
SHA-256:	610FB3556B3E858A233766FA9AF50057D41F6DBCBB15AC998A1DE733DE2F471B
SHA-512:	5D890BB00D5433141135AE6C2EA8764830BD500185DBDDBA064744BEFC8CDA027CF82B0B3EC22F5DCA9A3B46C6B16D529D60E24664324C9646D918E89E670ED7
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xFFF4FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0xFFFFFF.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=12 ;size of AM/PM font....HourColor=0x00BBFF ;color of hour hand..HourLength=37 ;length of hour hand..HourLap=-7 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x00BBFF ;color of minute hand..MinuteLength=55 ;length of minute hand..MinuteLap=-7 ;overlap of minute hand..MinuteWidth=3 ;width of minute hand....SecondColor=0x00553FFF ;color of second hand..SecondLength=58 ;length of second hand..SecondLap=-27 ;overlap of second hand..SecondWidth=2 ;width of second hand.... ;CenterX=60 ;center point's X (default image_width /

C:\Program Files (x86)\ClocX\Presets\BlueBallStd.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 129 x 129, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	28187
Entropy (8bit):	7.986090269080051
Encrypted:	false
SSDEEP:	768:MtXV8nMgM3Da9p/tp3bH73l8vAPt9k73YpH1:wV8VMalb7l8YPtS7oH1
MD5:	52B3B390690B8CC3D7E432F7AD26069E
SHA1:	2A777EDC8D78796291722EC5AD91FD036224DAAC
SHA-256:	BCDE729100D23631E527E126AC820E00B894D5CA0E2B1D11DFE13E2DA2045FFC
SHA-512:	01F670587E3E63D6CCD55B6007F76CD1265D2DF055759CB24E6EDA958E790D556A545054591E4BF3EF92FBB54320EF7CDC6E02E4ED1271B8054CFFC2A691A44E
Malicious:	false
Preview:	.PNG........IHDR...............P....sRGB.........bKGD..............pHYs.................tIME......-..... .IDATx..w.eey......n.9s.03.. "..P.FCD....hPy....F..$...6.(...J...@..g.f...9e....c.}......_.o..>{..k.......Y#..>>.....{.a?....~......<~..~....+....H....j.vq..i..n.djC..9.._{.]q....l_~..>t.......}...~..S^>..v....I.y.s.}.......r......}..v.. ..\|l%..C?.......7...-%..L..Sq.4cl<J<._.m#[';\...E...@.@k.c.>..{.8.w<..'..............r.!?...r.]/\.s....x..G!DM......sf'...<^r..1.......N;.u..{mBr...E..z..6.E..f..(.ML..vG.G~..?...wa.\|^o....~.!?{.._..'.t....).]~.5..s.?..U...5....hr.A..0.u+v....y..>.V......9l....l.p.]..._............$.....#p"\.._.h.^<..#..-!i.".t@......%.GH.....5J.>..L.}.._z../8..'..Y+.'.~.....w_..\q..]./(\...lf..h.vg....xD..=.9.....~...p........u......L...9.A`.....a...!I2.<..+W..W....{...G..+2.zHA..C.K7.(..}h.S[2.................o....+>....u.Mw.15.1Q.tR\|V...H.......u..+B6l.D{\|+..~.{Wo"1#<...s.>..w...9...T.G.s..6...@?M.4&.I..V...L..

C:\Program Files (x86)\ClocX\Presets\BlueSphere.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 123 x 123 x 24, resolution 2834 x 2834 px/m, cbSize 45812, bits offset 54
Category:	dropped
Size (bytes):	45812
Entropy (8bit):	6.813368700176925
Encrypted:	false
SSDEEP:	768:4JNtQgkxvPaaWTDWWzXSFzhVORp+8jYCzPlT/536x4:IgPaakXoLOdP55j
MD5:	D0F718A4EC8C75AF41446108FC6DADFD
SHA1:	4267134842903E2967A93896FD48A8CF92EA2A71
SHA-256:	3B78EEF71580D0D884FC53773A304A22C9C3AC007BC1F28AE182B7B153394713
SHA-512:	83098834C891F90FDA0D463F91E15CE6D4110379C53B994668E703F687E73247162CCF862BB284006EEE4393500DC978ED0AEA5BC395141F90481D0095EBA819
Malicious:	false
Preview:	BM........6...(...{...{........................................................................................................................................................................................zzzooodddZZZRRRLLLJJJIIIGGGGGGGGGGGGGGGHHHKKKKKKNNNUUU]]]gggrrr.........................................................................................................................................................................................................................................................................................................rrr^^^MMMGGGCCCFFFKKKTTT]]]hhhsss}}}..................}}}ssshhh\\\SSSLLLEEECCCFFFPPP```uuu..............................................................................................................................................................................................................................................................................~~~aaaLLL>>>AAAMMMaaa{{{.................................................

C:\Program Files (x86)\ClocX\Presets\BlueSphere.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	25942
Entropy (8bit):	7.955440909764544
Encrypted:	false
SSDEEP:	384:5gAXluiJgvL09fKPHmTCrKnehZk/Bl/a6dPipbz2J/ivEIs8fHF30X1OuaUol9:VlIvL09fKPGl/rbjcVmX1ZaH3
MD5:	E8B800502663E1DC178C8C7F20E4910B
SHA1:	67D4438F1114F2D66DE8082C06CE873E1B0977BC
SHA-256:	FC214D8533A48A7E6ACB73EA847484B4BA9D9591196612A63A803F71DFD1E5BA
SHA-512:	FAC04010538C6CC18993E2809937BE95719F54E208D9C21AB09AB1B511D0202D613FA443E0E34E29123D6C3C54FFCCC30156BAABBE13AF258BFDD93F1AC5CE39
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..d.IDATx.b...?.(... .....444.6n..\|..a._.2..:..?..R....`........ 6._..j.}.\|..E.;w.0yyy..p.. .^.0....;..;pzDBB..9..#........ ......LL.8...?.....q.7g.....3.[....!....4.....3..{.:.................H.aaa.....$..@%.@...............`......d....@...............e.=..... .}...?.vKKK3>}..?;;;#...2...@.>..s..y...l..P....[[[QKKKY`.V.F...hW.........p.17...@.......M........o....w.....s.X...&......,)......!555.---.>!...L..........]Bq.................0w..s......0.K..@#..(.....>..S`....x.l'.x....W..~...g.~BV...........=(..@....P^^.d...Pq........pY`d...w}`.LEMMM.(...,."..y...P.@.....!%./@\|....w......./^\.6"..K-..`mm.x...A....4(..........?..V.Z.vPtt4./_.xyyuLMMm.9.HEE..(%..! ......A...Q.H......?...6..f...N..R.l.R.x....:u..}.N...-nn..@6............9(..@.......L....jU...r>{.L.............@9.....D.............`... .A4.- w@K..@....@.`......@.\[.~..#G.l.

C:\Program Files (x86)\ClocX\Presets\BlueSphere2.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	23821
Entropy (8bit):	7.947198931425243
Encrypted:	false
SSDEEP:	384:5jIsgmpetEnrsFb0gxMo2FHnRvS1VicSzk+U3Qa8FNvB7SrSDlE8LpwyTWEtJwJB:9IQpeMIMokvS1gxz83nq57YL80EtJwTr
MD5:	DAEB5B8E238848F28D9CB967DC211D2E
SHA1:	6672CACB53247FE0FDB4F68452B19A462BA2555D
SHA-256:	163836A57326CD517C89098265E5DCB0CF689C55A169E5B0B576565560951F70
SHA-512:	CEBF576DCCCA84314837AC80C3E89E68AC86E26DF51D31E3228A229D055E6EB6840842A3F1CB9D2B0A59794312A9FC3FA8B28DB6EE05A159CCEF51E46B05C85A
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..\.IDATx.b...?.(... ..F.`d...b....0a.#......6#.0........a.U.}}}.`.N.8.....Fx...0.w.!**..p.....U... ..J...A,..,.Z.."l....oM.fS..cXv.X..../.`......Cr.$.Hj.Gk..9.1..e;.`G....J)7.i.}.R.c.5...1(.9..'.R.r..{'....+.0......!...........N.._KK...I.....F..0r.xxx....D;::.988.Z..X..y... @a......_..=.?..g z.u.....<}...??..O.>}.&..""".......=...C.......).....D....I.))).s..;.T.KJJ..).....5uuu]..>..211.qh..vFd.c..?.6...,E@..7`x=..+.?..u...../...............4.K..W.^1L.<yP.0@.... ##...@YYY....G.....W.......3...6.be ..F:(....%V.~D.'1.f.&20F.......U.._.>.&....;.L..O.>}..../.5,]..)::zP.%..h.%...dP........;NLL.QGGG......(..6..@.....(...p.......+.......5 a........../^......g...q.....\.s..W."...&`..?0...@...A..@9.......a9..............,.......04.......`d0.".K..F.3@..0.. ......V....dx..A<z...e...V.g.o.~.f^uu5............4(......g........."....FFFN@9kUUU%`.."..

C:\Program Files (x86)\ClocX\Presets\Blue_sphere.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 121 x 121 x 24, resolution 2834 x 2834 px/m, cbSize 44100, bits offset 54
Category:	dropped
Size (bytes):	44100
Entropy (8bit):	6.3032945741088335
Encrypted:	false
SSDEEP:	768:5UgVAiVbt4DDDPywwDu5QQWdkMAlCy+eE8sN7qX3sUcQN:5vhMPad+loeE8rHzZN
MD5:	E7AA8136A3AB665606CF7C759A90B44D
SHA1:	8679DF46FF5F6A5AD64EF2C3942CFD3A6C0D6B6E
SHA-256:	038EDAC0FA25B8299B05657ACE4541DBF1363598D1992BA09003625751B58710
SHA-512:	BF23C2C51D744972CEFA56F6A464E84FD55BD4511DA1FC8EE336DAD7B233F8E09955A0F018B04F8F5E7AEFE60BA70CEFEC167BF68A0FB1B1ACB0FD1FC6C2027C
Malicious:	false
Preview:	BMD.......6...(...y...y....................................................................................................................................................................................................}}}xxxrrrlllkkkkkkkkklllqqqwwwzzz......................................................................................................................................................................................................................................................................................................................yyyhhhUUUJJJCCC>>>;;;:::???AAAEEEHHHKKKJJJFFFEEEAAA===<<<>>>AAAFFFRRReeewww.....................................................................................................................................................................................................................................................................................yyy]]]LLLBBB???HHHWWWgggwww................................................nnn\\\KKK@@

C:\Program Files (x86)\ClocX\Presets\BubbleClock.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	949
Entropy (8bit):	4.621730241023766
Encrypted:	false
SSDEEP:	24:BEsrm5b7OmTORXFB01rfukpWdGm8bCi51Pgi:BH0XCFK9MdGmQ71P3
MD5:	801B92A1950ED3E5A8CB847FA3AF0F23
SHA1:	50A53B61711EEB3CC200E1B11FF8408DB37ECF2A
SHA-256:	67B31CF35186FFFB4CD13AE825EAF0C71599DDAF2EED5EEC8D791701B7118B73
SHA-512:	A2DECA99EFF12867EEDC7F2CE12700F17F2A5E6F226BB614F1958A6E1CCB1307A2E2D4652C61609D55FD0FBA0518908713B823EC61FBA96E6BAF66FC5786B428
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xFFF2FF ;cut window by this color (default red)..DisableAMPM=0 ;show AM/PM indicator (default 0)..AMPMColor=0x201010.;color of AM/PM indicator....HourColor=0x501A1A ;color of hour hand..HourLength=33 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x501A1A ;color of minute hand..MinuteLength=51 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x553FFF ;color of second hand..SecondLength=54 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand....;CenterX=60 ;center point's X (default image_width / 2)..;CenterY=60 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\BubbleClock.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	26311
Entropy (8bit):	7.939197037416011
Encrypted:	false
SSDEEP:	768:xYBlu8IJvxWn5wpAdeR2CsBTw2ybm4LSUJ0sl95O:xIu8IJvxWnO+g8NyfEC95O
MD5:	94575E1B2268EBACFB4349EF05174F80
SHA1:	D7B7F21875C9FDAE5364804E3B4DA77B9D0BE128
SHA-256:	F37F0EE1842F9CEFCFFE4B291C8C247C7A4871252E551150677A86E1575C943C
SHA-512:	01E50869D088D15954E79AE3CCB4C5EDC84F292405AD79AAB4318B0ED6BE18B009D2DCCC33234FBBA88635EFB883EB8DE7E6A07ACE6202767DD231926A515D6C
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..f=IDATx.b...?.(... ..F.`d.......0.._.......V.."!3.x8....b.N..U..axj...0..ox&".LT.....e...U[..0............K.)6D.E>....`fB...)..S.j.......KD.. .)6... (_.....\.K.f..3..X..y....)...a.......l.......n.G.............f:.....6..bZ.2.5bI......xD...W..i.H>WS..........Q....N.".R..~..&.h........0.D.4T.".8..:......-.#.......)..a(....cE",..A.X.........o...R..5.....B.49.......&G.<..#p~....w...]...G..$/.,q~.or.....Y...).M.....2VA......=..,.../!.....St.:.u.b.$..>......I./....q9Z.@'.56SB.3.E$.J_.u.7k....yE.T..X7..!...P.L..J.s..G....\|a...`..".0z;....4..k..K.]+..9....A..-...F.U.4....-...0...y$..`.A\| .E.....@.E]....63.w.".l.&.......s)!....S.5@;.D.-q...t...[.NV.PW(\..#.......w$..n..\|:X...../........$..$....i..........>.mPW.....J...{>h..Ak.R.l.W.f.^.A......U....bb\|.....pp.D. PZ.w<..t.....[...S......)B..<...=S.Bl.B.Y......XDN2.......Xr...D.:.!S....

C:\Program Files (x86)\ClocX\Presets\Cappuccino.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	994
Entropy (8bit):	4.690989170901346
Encrypted:	false
SSDEEP:	12:LXe4EqmYrrrcRQBjpJrpqZ27XFPV+m1nXFPVG99XFPUXFqZ2kp0oH9Gst8ZVB2iU:LdEQrmu9rTOe01knkprdGm8ZWiWN2i
MD5:	FE5BE53D2267788942BB4D382592A376
SHA1:	A6B987CA380DE8FAE09E40A07B1460264B8A3186
SHA-256:	B0296C84A695FB91F33C65A0B7CC0DF52DE0FE610F9327CB07F43A288E7A88E5
SHA-512:	BD4E50321E012324FC0F2651135BBD11908599E7353EEECC1C017F456177DDF3D492A8A46613D11F3CAFEB6C961EC5C05A1FBDE31F8AB206C7C42B851F0D2BEB
Malicious:	false
Preview:	;Cappuccino ClocX skin by Shak @ AquaXP.com..;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red)..DisableAMPM=1 ;show AM/PM indicator (default 0)..AMPMColor=0x787878.;color of AM/PM indicator....HourColor=0x808080 ;color of hour hand..HourLength=30 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=2 ;width of hour hand....MinuteColor=0x404040 ;color of minute hand..MinuteLength=50 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x909090 ;color of second hand..SecondLength=50 ;length of second hand..SecondLap=10 ;overlap of second hand..SecondWidth=1 ;width of second hand....;CenterX=68 ;center point's X (default image_width / 2)..;CenterY=66 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\Cappuccino.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 140 x 140, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10177
Entropy (8bit):	7.873268670708565
Encrypted:	false
SSDEEP:	192:apbPCmV6zP1UjFjRWkIt68pM3dBvAgc+vlhWH65iHWRUtDOQbHy5RkcP8zY9pz:apb6TpUNRDsYFvPEHWj6cPWo
MD5:	399B9C9DC36DED079B004FAC8A2747E2
SHA1:	769A7A703E83FC62357E8B66017074C911A0616A
SHA-256:	8D47C549094F6868CDDC13042E2136318FEB819CDD3090C5804A98BEA59FC389
SHA-512:	36A8A32407755F6977CFB469A095D86D83CEF2A5FF2F0F6D65D92CF37FAE137D5900A011121E4BEBA0537D0E0A89231DE1AF6580E1D965037923CF255C782C06
Malicious:	false
Preview:	.PNG........IHDR...............A>....gAMA....7.......tEXtSoftware.Adobe ImageReadyq.e<..'SIDATx.b...?.(......b...Q@... .....q........O.?..@.....A,Ml.!..V. .X.y........X.161l.C.....0O L..3.....:qss;....011.311I#..U3'J....;....<..}.......>.<x.......H......H@.....%..6.....M..vv6.....,,.@1...AM............;.,,.'..h.W.... ..Z.A.M...I@..GkkC&...733..P...O...)f.J..._.......)........%...J..@......$a.t.T2.._..j.x..DB.0.....y.v....\|h".....D...@.=.`.n...a.. ...j.\|6t....@.........K........p.....@.5.`-M.\8.%(......9..n\..L.Bu.#...........V....(u.......`.&...O.........I(......%.....#...`\|FX...../ZML..._..3...@......e..+W.f.......?,bp%..S..'.\|jP.....>.~..OO.t.Z..w.4...h0$..R..P@m.%%.e@7..+..3.K.]...jBA..#.....8q.((....3...@.1.p..\......w.^...t..X ....0..Xd>)....E b..a6#....Y....8...cI...XXX$ml.w?xps......a...#hX!.H.....@.0.......V?.^..F. . .a....h.....D8!G6#<.Af#'..zj.%.,.B...._O.>.72......V.......H0(%..T........l..P...".0 ....>*..q.K.D..ZZ.............r..=.@..........9s..

C:\Program Files (x86)\ClocX\Presets\CarpeDiem.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1432
Entropy (8bit):	4.852570033640407
Encrypted:	false
SSDEEP:	24:BEa2rPCkjbHSCEsrTNTOe01rfLkpGdGm8Ri+gFFibQ0Wd9iBxLuQI:B4VbHHIG4dGmSgFyQJTiBxLvI
MD5:	3F95C7C4C98812F4937DE9230FEB4C12
SHA1:	6E9299AE2A062BA6914C4F824CD5B7F7F5FF995E
SHA-256:	9E07C7737174B058C6ECFA5A82B5093D8647467C5A30BE39497F95CC1CD454BA
SHA-512:	F0F4B9FAB8EE3764DAC87AFC8D6AC1AAF95BE4195CBDBBE26C792546861E37D7B6E52BE9CAB157A09257F3F69B58D5880901F12C4EBCC210CC1A1CB107997BEC
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..DisableAMPM=1 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x808080 ;color of AM/PM indicator..AMPMFont=Verdana..AMPMFontSize=10 ;size of AM/PM font..AMPMCenterX=50..AMPMCenterY=68....DisableDate=0..DateColor=0xEEEEEE..DateFont=Verdana..DateFontSize=10..DateCenterX=61..DateCenterY=75....HourColor=0x800000 ;color of hour hand..HourLength=30 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x800000 ;color of minute hand..MinuteLength=42 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x808080 ;color of second hand..SecondLength=42 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand....CenterX=59 ;center point's X (

C:\Program Files (x86)\ClocX\Presets\CarpeDiem.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 126 x 126, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	13144
Entropy (8bit):	7.876979908992175
Encrypted:	false
SSDEEP:	384:yznpBXF4w8UxPB6ce72dVBp8qKmTHbdZUH:qXaV7EVhFCH
MD5:	1A5946136A4DAB0C22FD35DCCFAF5D12
SHA1:	1C7641A17EFEE9F3FC5C907ED081BC0763D4CF0B
SHA-256:	5CFD95F49197BA7EBA4BFB2B56B904B6C619EABDE6B2B5ADCEFAC264130F1347
SHA-512:	F92502320244C2CB7AF55DE0364252B71F9061F3262BDDCCE24003F2CA0ADDDB8B7178D65F2FA501AA5C31C744EA304CBF8D6FB43CCFD9E57C1798545ACD0DD8
Malicious:	false
Preview:	.PNG........IHDR...~...~......#......pHYs.................gAMA....aLA.... cHRM..z0..............qG...S..8....K..?..2.IDATx.b...?.(.y. .XF..u...A........e....{........'...@.....F._...P.p.S..Ax...>..FI.."..$\...:U......^1.\|.<.=..c.....h.G...2#.0................`1FF.W....apd.....L.S....@9....\.(.AI...............!...J..Ha...0..lP.3.r;P... q.2H........./....$...#8.!4.,.!z.b...C...B...p.%.............'s...R.)ev.....Z9..rF.A...=....B.....t.,.....K-...o......q.:@.B;..%.[..............,.[...41......./._.......t.$..:n.w<......q...3....Kj.....}5an..QU..._...t;.g....-...a....9....Xh..u.\|"..O..l'.}=.,.........d.9..W..Os.....lxHab.j2}j........5.\|J...7....>U..U.C.#j.....N...\|.....0....3..FP.V...$}.x.~.{.....'`..s.7...>..>.{6...6$.xTP........!..O..z.C."..M.)....r.....@.............a...8Px1A+k0........6.ffb....O.-..&...j.'$....{....pA3)..X....n'03....\|.........4../........i..._H....XE.............. ._P...!.>#......t.o........h.".^...5...7#."e.G4...AHK...,@....oV.\<n@!._

C:\Program Files (x86)\ClocX\Presets\Casio.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	4.809680141752885
Encrypted:	false
SSDEEP:	24:BEQrGXz5lr9Bx6TORXFB01PRzkpWdGIo81OiDLPEGibQ0Wd9iBxLuQI:BzqFlxFKgMdGJGBLPEpQJTiBxLvI
MD5:	247DB811DD18688D6134FB3199CF5C30
SHA1:	D82D5276AC82EFF8637B71D8EEE54149D17652EC
SHA-256:	EE4BA265429C986667B2B71D21D1FA0FAFEAD643DF2568594A3214F95E0DAC4B
SHA-512:	3248B043CB83682B22DEDABD6E1E83172B9AD9B6E3B473D10DADEDE9542CBF3B95B6B67337ABFE85BF1E91E1110883505C6095EE76B8722BA8D1BA43BA39697C
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=10 ;size of AM/PM font....HourColor=000 ;color of hour hand..HourLength=33 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=5 ;width of hour hand....MinuteColor=000 ;color of minute hand..MinuteLength=51 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=3 ;width of minute hand....SecondColor=4141216 ;color of second hand..SecondLength=54 ;length of second hand..SecondLap=20 ;overlap of second hand..SecondWidth=2 ;width of second hand....CenterX=88 ;center point's X (default image_width / 2)..CenterY=105

C:\Program Files (x86)\ClocX\Presets\Casio.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 190 x 210, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	47377
Entropy (8bit):	7.991405637016689
Encrypted:	true
SSDEEP:	768:MgH34monBdcO89MlOEUp9/hXoIuFAMlalsAERfgNJJivcYIt:H0jkm0EUp9/2bFAMklIpQ
MD5:	771989CA35F956E5AF4E43DF7F9E27D5
SHA1:	E38B023D8C57225F7450B2FE0845877DE8C85F05
SHA-256:	264F1F3CA50008D5A28B30E08741663264BD30CD53005A804179BA8F6FB396FA
SHA-512:	FAB9E62E16F77C6B05EF304F696C5606F35BFCFBDCE5CF4A360F51EBEB51F0851B36D6EDC98BE077069394F336AA72C4BFF1D4F1C32F350FBB2B5556C68D7DED
Malicious:	false
Preview:	.PNG........IHDR..............Bz.....gAMA....7.......tEXtSoftware.Adobe ImageReadyq.e<....IDATx....].u&x.}9...4r$..........e...hK+iG......)..K3^.5...X.,.-Q.dY...IQL`&H. H......q.w.{n....F...u?.+.~..?.;.i6...Xx.{{8....X ....c........_x,<.............YX...?..@....._x,<.....X ....c........_x,<.....X ...G.?WX..{....y......c...u......,Y.G]]]..d2.~R<..P(D.p.".........<....o...n4.rl......?.S...w...V....)\|.^...R...].r.&''.P(....w......(.>\|.......c-...H..`......@Al.J.......{.......Z.h....R&.A.t..>...cz.>.6.x..-. T\|.D.k..g....Z........~_...a..0.....Q.r.D.\|...Fibb...z...".r9.{...kb\|.2555\(......7..$.....9.1......C.WF..M.phi"._.....8.....V.X.....;D.'.I!....C,9.L(.wtt...7.g..1...1.@.=...%...wx.O...%"q.s=....j........7....{<q/.J........O.-~34\|.X[..A:v.8.<y.....\|>?8==v...b.\9...h4....`......#..::..Y(....'.....R...R.......V5.c..B...g>...=...C.lV..0.."...Te)..C.0...+..=........B.q.``.0.~..S.>...J..z.]a.H..7.3....+.Wc.9to...}sB%...;x.u.X...'N..o....S'.1....

C:\Program Files (x86)\ClocX\Presets\Citizen.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	922
Entropy (8bit):	4.572711077292605
Encrypted:	false
SSDEEP:	24:BEurKluCXTzqr1sRHkLKOLgGLXoIdKghi0uSdUjn:B9K8VPkGUB+UT
MD5:	80C7B322338D51E96594DE91A5E3C603
SHA1:	D1E2F5689E71E04C2A90E0FE44882CAE67AB4AC1
SHA-256:	75C6DE781F983AAA2A4F2BB7315BDD1314C6C3F052435DD378AA0D1F8C0B0CCF
SHA-512:	F7B338B00963A5760261E375458B3135B7AC1E9D6DF87EA2EAC70A436629E4C0C0DF14425209593E947F851C92523E8A0E20D42E3A8E2FCBDD38486EE532C7B5
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number).[Settings].CutColor=0x0000FF ;cut window by this color (default red).ShowAMPM=0 ;show AM/PM indicator (default 0).AMPMColor=0x00000000.;color of AM/PM indicator..HourColor=0x2E3543 ;color of hour hand.HourLength=45 ;length of hour hand.HourLap=0 ;overlap of hour hand.HourWidth=5 ;width of hour hand..MinuteColor=0x2E3543 ;color of minute hand.MinuteLength=60 ;length of minute hand.MinuteLap=0 ;overlap of minute hand.MinuteWidth=3 ;width of minute hand..SecondColor=0x2E3543 ;color of second hand.SecondLength=65 ;length of second hand.SecondLap=0 ;overlap of second hand.SecondWidth=1 ;width of second hand..CenterX=100 ;center point's X (default image_width / 2).CenterY=99 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\Citizen.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 200 x 199, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	75320
Entropy (8bit):	7.9941540871981
Encrypted:	true
SSDEEP:	1536:Engr3PcDKaKs6I/Dmqji+UUK7Rt+E8VyMkHsBP8jnZ5oi:f3PNnI/Fm+UUKekMkHkP8gi
MD5:	74D7455A9E42EDBA04A1FC8E5D1CA1A4
SHA1:	9D0CD86A18ACA40AAE14018EA9FA8B37A1D929F5
SHA-256:	B2391BB989C145731214525DD323CFE4978C87DD6781FD2A23E1209A2DF7115C
SHA-512:	2D7BCF50805437EDB759480BFD17D2B6C677CDB8DACA23C71AD5F8373E30E8F81A2734B0DC0F23F01B8C3D6DC90C0054BD061BF41F2039BD52DA6B09CAD8BDBB
Malicious:	false
Preview:	.PNG........IHDR.............\..K....pHYs..u0..u0..3r.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..%.IDATx...r.0.E/..`...]...l].....x.L..J.HR...!...4.....6....J:.2M...5.SQ.%...\U..A.1.9....e.K..k.N3..i..;.i.4m.[...4.4.q...i.S......z.0..i...s.P...../K.....<..[MUo..?^...,y....P7.PS..W......E..?.........QQ;.P..U....%O.]~{.........._...2.9J.;.#.K9..:.1....q.gQ.Hn.dY.(..6...T.X.k..-D-......q.0..q...!...%?!.}\]o..9jQ........X.. . ...GQ......Pp.....'...6....r.s.._..mOo9`..`.y.8^cC........7.;....G.v.e.A ..?.hc..+$.E...^ ..n.Z)...tL;..}...n8.....6.SIY..iZ....!.....vwpn..7....._F2.Z!%..+#.r....q.\A_.>..t.B!.k...P....WBY.C.7.w...J..R!.z.....EMz}..d.4.1...}.[......T...?,m..'.{e.. ...[....qad%qr..$L..Ag...._}.^.&.z..=.....BWI...<B.,!DtI.c......o.<...v.c....z... ....0n.z...3......9..j.Q.x.z.T.{N..!C..<...d2.3.>..T..\|7-,*i.jW.d..E(..drF...\..n.<}?Ha.T...............IA....kR..^..uU(.x..'.1......o.Q...8...l. .....7....e........,...j.

C:\Program Files (x86)\ClocX\Presets\CloQ.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1134
Entropy (8bit):	4.793200953489584
Encrypted:	false
SSDEEP:	24:BEQrGXz5lrkBJSaKy4qGTOXZZ410XiOkp5awGIo8bCiqwfQi:BzqFlCSf1qVX4jnDawGJQ8wfn
MD5:	4347579972618D2220B35D400E2497DF
SHA1:	CAE1FE63BE61C08C9880C21AD31C5E0F595596A2
SHA-256:	0901474F95A0FC08BF58F2E34CD2A46F3EE2A0B50742E6AB1D70B471BB084F6C
SHA-512:	B337F9408D55F39D2F781C2941DA02593B596709E5D890BDE69991643B2F18A4CB7A2D30F421477F83899F247306DB06570DAA0326DEB348D69836AE72539433
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x404040.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=9 ;size of AM/PM font....DisableDate=0..DateColor=0x787878..DateFont=Arial..DateFontSize=12....HourColor=0xAA9696 ;color of hour hand..HourLength=20 ;length of hour hand..HourLap=2 ;overlap of hour hand..HourWidth=4 ;width of hour hand....MinuteColor=0xAA9696 ;color of minute hand..MinuteLength=30 ;length of minute hand..MinuteLap=2 ;overlap of minute hand..MinuteWidth=3 ;width of minute hand....SecondColor=0x553FFF ;color of second hand..SecondLength=32 ;length of second hand..SecondLap=2 ;overlap of second hand..SecondWidth=1 ;width of second hand....Cen

C:\Program Files (x86)\ClocX\Presets\CloQ.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 160 x 110, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12249
Entropy (8bit):	7.972601047733004
Encrypted:	false
SSDEEP:	192:xSx2nqVZzOLi+6PrSjnGhLaU5TZaMRF11U8yAgk0AaUNxTX0acFNNyZik72XdZ:Yx2mlOG+6UGhLxaM91U8ypk0BUNd3NwB
MD5:	49856033126C7EAD5EDC2B3A82504A7E
SHA1:	9FD4B61502C34A93B9C5E401AA84FE661559F575
SHA-256:	A9575B7EBACA877D5693DE98D9298317574BD6463E3EF129F8301C151698227D
SHA-512:	CF38A27ABA93210452431701BCECC53DE6259A244ACE2733F96B1D9A2BA2AAEA58B75FC5208220AB87D725ACF5D2EBEFADD9DD4FC6675E2323B6DADF71A9EE9C
Malicious:	false
Preview:	.PNG........IHDR.......n......-......bKGD..............pHYs............... .IDATx..yTU... ..Qdo..........Zy.evK.l.WETp..8.9.,5@..T...\..)h...P.+j.5..t...9..}.8......t..a-............A..y..B....'...\|....v....W.......Y.s.5.~v?.m...L.0....,...q..9......,U$.....j.n.8z.h.7.k..m....S.N.....j....N.<...FDDp...3g...Cwww...].P..;...F.h...@+....l..Z.x..r..Z..y...9s.L...133...BH.2%ICI.R.t..............`HH.=<<.woZZZj...`....l...r.l.`8....v..Y.fq.=,++.%.^2Y..p..j....2U5..UMR^.XY)S..58.,_.$...4.YRR.{.r...tuu%.R.!.F.x....;>.!.H.......(...}\|\|...I!$c.&.5ud...........LK;..4&%....Gx.......#LJ:..'N3==.99.1/.....zr.....V..={../g.....@..................wvv...W=...WVV...........xO.?.G..2##.yy.T.....).[bzz:....}{.8..s..*a...!.-.O.....chh(...(..j45.h..{.?.(ff.9.:.=..9h2$%..?.0?..B..Q........e.>}..w....S$\|.M.'.m.xXXX...1.......Z..55Wy..5.tWy.J.O...}....o......YPPDI..<.0.....9.!C.......<.....^.^.8....#G....$.Z..(.Z-../.211...{.{.^......bv..,/..zEm}...\|..v.$\|(.]8.......

C:\Program Files (x86)\ClocX\Presets\Comdex - Omega1.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1242
Entropy (8bit):	4.897976935663915
Encrypted:	false
SSDEEP:	24:BEQrGXz5lr9pk/7FoB35k6s4H6T13Z41rfLkc31CGm8bCinCd0X:BzqFlk/7Fy3u67C4ecFCGmQtCd6
MD5:	1FE0CF880A1FBD2C105E85361ECDD3F8
SHA1:	0B49F938CBCBBFB4F28FF070F85F9B01AE02470A
SHA-256:	22A6B9F1430102C28388DC50604FA010EAAE46778E1DEF800A8ACDF12B91F8C2
SHA-512:	B6FC3892CECB7AAA5CE4880B2518B01BF2796AC5BCD82A8CD4979F6A2E1592CE6E4D9215A09AF448765EEEB0BF5083CE6D4F114C728FA2A8226DF871B7C648A6
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Arial Narrow..AMPMFontSize=7 ;size of AM/PM font..AMPMCenterX=71..AMPMCenterY=173....DisableDate=0..DateColor=0x000000.; gray - 0x787878..DateFont=Arial Narrow..DateFontSize=7..DateCenterX=99..DateCenterY=157....HourColor=0x666666 ;color of hour hand - 0xAA9696..HourLength=35 ;length of hour hand..HourLap=2 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x444444 ;color of minute hand - 0xAA9696..MinuteLength=45 ;length of minute hand..MinuteLap=5 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x553FFF ;color of second hand..SecondLength=47 ;length of secon

C:\Program Files (x86)\ClocX\Presets\Comdex - Omega1.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 150 x 328, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	72778
Entropy (8bit):	7.986758581304158
Encrypted:	false
SSDEEP:	1536:IQSHf6+JZpEmnuiBXnfTb7UXhy/HShAypIe7w0+hdCsX/SOLFI6vD9ccIiUcjk3a:ne6UtVBXnrb70775khX60rvmcPjYa
MD5:	26E6D02144112F1919FCC08AC0F6CE07
SHA1:	7D3D5F287BF72C85C6B14C6F3FA8FD858367B542
SHA-256:	C5FDCEE509EC0AE18872EEA9DAEC67DBDF3C98552DB579B49FB0A88397BD8BEC
SHA-512:	3F4CF5A92673924CC7AA7D29F62C564D94824C9941E6D3A843029A94BF6250AEB0D9C1AB43000BAC4A6305019E50345F75EC10164CC291D7B3D25CCB6355E77E
Malicious:	false
Preview:	.PNG........IHDR.......H......B......pHYs.........g..R....gAMA....aLA.... cHRM..z%..............R....X..:....o.Z......IDATx....e.u...iOg...9Vf.<....@........d..E.mwKlZjw......b..pG....aw.%..-..$.l.$H.f..9.2o.w<......D".U....PWF.8w.S.......G...}>.?...._\|.......Ws..C.......kw^.........]>......O....;/y........9.\|.;.p70......................?V.}M...w...E...H..<..u...?D...X.F...[....H..P.....&.PI.......!e.Q...!.n,...1F.>`..x..n.......1.......l)M.O.{.ht;...@3E.g'O.XY...{E>...K.....c.....O..'...i...!M..m...J...^.....eU9...].....b......I....-..#.....1..]...v.K.c.....~@..[*.B.duu.__].......6..WWO...'G.....:0PB.....4u.^x.EU....\|P..L...".L.L.c/...\|....c.."H)...km\.$m...Q..M....d:-.j.\.GW._?.L...\|........:..)C].....p.h....Gq..... b..u..(}.e....?/.4E...a...6....'O.^_.....!.5M.R....\.mk..2...$.\|:..w.a:.r..}lll0..q..!.RP..@)u.m.R"...J+..0..<M.Wx...!X..M.m].....h..{}n.Y..6+..j..eC..}..._..w.^.qp.6`U@}.u.l... b...n.{n....y.L.^.I.............d..S...VF..O?..

C:\Program Files (x86)\ClocX\Presets\DSX4.BMP

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 172 x 172 x 24, image size 88752, resolution 7874 x 7874 px/m, cbSize 88806, bits offset 54
Category:	dropped
Size (bytes):	88806
Entropy (8bit):	2.418590036691463
Encrypted:	false
SSDEEP:	192:zcQE3KmYlXNZqpg7fGMGXGk+z19sLtNfcCuzE73qAWxmmXbDyio52j8USDPsA:GKTXNsC7fGMGMzKcCFqLxDDyiOPUSrsA
MD5:	858779477D2CD597F1A2B379F25F2393
SHA1:	0639E3C09E3007B2B81E07A7F1FEDD80C340F325
SHA-256:	D08BB435160F30217FF90D2586E6178A5927787A453CA2B5B9F1F45F4D548D1F
SHA-512:	8635144EA3505FC2F17DB349913759B18BEB132C6ABE7CCF2E9FB672897A577A5DBB3937A2D7964A2F212D5CB6233AA0C3DE598862A26CA8177A76BECC06858E
Malicious:	false
Preview:	BM.Z......6...(....................Z....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ClocX\Presets\DSX4.TXT

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.505459612613831
Encrypted:	false
SSDEEP:	3:FERjVM0lLLiRFQLZQ:FERjzR66Q
MD5:	CCA118DA9D40AA92B4C49EA17402E071
SHA1:	933017121E0B936B1FF2BE7E3A0BAB114540E8D7
SHA-256:	3B5AECD81B46AAA3BEDAD81DE9A9B988F80B9EBA4552957500B842E61B27570B
SHA-512:	B5575F2BA60E965A7C1E589F24B2B1B5A1D17E05A5A24199AF778461F428F251D1D83DC3BE65C95111D8C06F1981AA384F2B88005877B1A6F2F63549275A17A4
Malicious:	false
Preview:	Creator of this background (dsx4.bmp) is jonnybravo.

C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	699
Entropy (8bit):	5.1520962367864565
Encrypted:	false
SSDEEP:	12:a4EqmYrrrcR5pjpJrtOphhAlL4GOy46hp7pEH3eJvzpEH9CPpEHoNlTYQBcpwcz:BEQrm5b7OSF4G66hpOUvm0SIrJi
MD5:	9873AB1C4F582F7DBA405E18BF9EC1F5
SHA1:	2ED9BB9613EBF3B11B334F0132C3AD7C24C64E28
SHA-256:	02908C5B2E4603C69ABBD0F6DD5BE49B2AE0C68036624C3001574B8F87970C1C
SHA-512:	25F9B0B0629FEE815574FEB5738352838AF8B01FFB13634DF1735CEF394DAB551F8448EC53A18A4C01983B8784B3290BC067F5A772EB5CA8521CCB520B0AF2BE
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xff0000 ;cut window by this color (default red)..DisableAMPM=0 ;show AM/PM indicator (default 0)..AMPMColor=0x201010.;color of AM/PM indicator....DisableDate=0..DateColor=0xFF0000..DateFont=Arial Rounded MT Bold..DateFontSize=24..DateCenterX=126..DateCenterY=263....HourPNG=DarkCrystalBall\hourhand-7.png..HourPNGCenterDist=1....MinutePNG=DarkCrystalBall\minutehand-7.png..MinutePNGCenterDist=1....SecondPNG=DarkCrystalBall\secondhand-7.png..SecondPNGCenterDist=1....CenterX=129 ;center point's X (default image_width / 2)..CenterY=121 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 259 x 293, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	18381
Entropy (8bit):	7.906733896939069
Encrypted:	false
SSDEEP:	384:8XK3pDi4J8D6x2f07PdcijEepIP8n3ImeVEvXoGlQVcr:bDicTD7Pd5HIP83IxV3Glf
MD5:	7040CF8BADFFA9D06ACDD6EBDC09EE1B
SHA1:	FD1DD414926151A3CCF845225BD42283DABF666E
SHA-256:	53B13873417183ADC06FA7A02F044C4BE9AB7A34D7572D487B23DF1DC08C8292
SHA-512:	31876C0BD6B8AB89DADA1223D32D0305F1221C3C9A7D96FF9D81938499C26B1E840C47E836CADFC51192F84B465947B1B47B535DF4DBA33C413C6C6A3EA71670
Malicious:	false
Preview:	.PNG........IHDR.......%.......w.....tEXtCreation Time......().A......tIME.....3.4..#....pHYs.........B.4.....PLTE.............. .." .%!.)#"%$!,($.++%"2&$:%2(%:-)6.*90+52-;32350=82>;;;+)C2.C3.J3/P61B51K94D:5J=9C=8L63R64Z94T95[=9R<9\<:f>>q?@]@;EA;MH?OC=SB=ZI?PA=iA>rCCCEAKHEMKKKF@UD@[IBTIC[LJRMH]PFWPGYPNTSJ\SSTUSYYV\[[[DBcECjFHkKEbJEjNHdMIkGEwMQyRLiRMtUPfUPk\SdYSl^[b^[lXTx_`\|`Vi`]ccZlb[zcccfdihflkkle`se`}jbulczmkpkl{pf\|qnuri}sssvszyw\|{{{KI.QM.ZX.]Z.[`.\d.b].`^.fb.ie.hh.op.mp.sk.rl.vr.vs.\|q.{q.}{.}z.vr.jm.jv.m~.qn.ww.o..o..\|..w..}..x..}..t..u..}..z..z..\|..........................................................................................................................................................................................................................................................................................................f.......tRNS..........................................................................................................

C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall\hourhand-7.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 260 x 9, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	997
Entropy (8bit):	2.0884247801006333
Encrypted:	false
SSDEEP:	6:6v/lhPkgm0CcgCMkuldXGrr05PMnP8wE3BEdBNmoSaRRClb4Ja96mMcKhTVlljp:6v/7sCE2URmP8RBEdBNmoR04Ja9t6Tj
MD5:	DDC1CB30B5B35268F7C85E9E0F2F3039
SHA1:	41808DBE86473A57F1F327BC4740EAEFA9AFFE4F
SHA-256:	D338C477D7542D753C2E919F66C50FB53F8DFD22AE22D4E54A90DB895EF3E433
SHA-512:	C8D39CB4CB8E5A55D00E1652A0889E0FB3B75C9CFBCDBE2BC0DE95425BF9DB7E07111654E2FC3F0CA8D295B70233730D2F94DDBD83AE6F3A5CECB411D4178827
Malicious:	false
Preview:	.PNG........IHDR..............?.R....tEXtCreation Time......85>`y.....tIME.....*..S.D....pHYs.........B.4.....PLTE...i..S...a......".....P..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................E ....tRNS........S...FIDATx.c`.t........e..H.0....V`.......@`.+......8.4..X._v.-..`.v.;.....W.#....k....IEND.B`.

C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall\minutehand-7.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 260 x 9, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	994
Entropy (8bit):	2.0676937312492822
Encrypted:	false
SSDEEP:	6:6v/lhPkgm0CcgCMkuldXQPMnP8wE3BEdBNmoSaRRClY4bbGVic1xu67z3p:6v/7sCEwmP8RBEdBNmoRP4bb7H67F
MD5:	938CC637343645DC9C62B076D5136EEA
SHA1:	AA97737CE6ED4A6467565FFAE188B8065E3584DC
SHA-256:	8206494360928E9B8567FB00B05249B2E484CBFFE61297CE3AAB13C19319F657
SHA-512:	7A118C93CAC330AF2DEB065F4A19E55884C4099B9963DCE25F8244A9C5FA490E3BE75F16FBFD298E68815C1D0EC4ABB6171C965A213AE5252CD5EFC5DBFC7D60
Malicious:	false
Preview:	.PNG........IHDR..............?.R....tEXtCreation Time......85>`y.....tIME.....*.Q.#C....pHYs.........B.4.....PLTE...i..S...a......".....P..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................E ....tRNS........S...CIDATx.c`.t....d.@{..0....@`.?.t..6.....t...c@.hJ.....F......@......."..!......IEND.B`.

C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall\secondhand-7.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 258 x 5, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	966
Entropy (8bit):	1.8498608372980492
Encrypted:	false
SSDEEP:	6:6v/lhPk51llGMkuldXgknPMnP8wE4cyOP5Rt+D/6SaRRClMUspNvsOzQp:6v/7Q+EQGmP8ieRt8/6jRjUspqOza
MD5:	903639FD237D7A7AD546C610AC3E5B0C
SHA1:	E387CEC4B6524E228ADDE937FF7A73A10E4D5C7E
SHA-256:	AC322A5C1AB93B1C7C6311EBFBADEBB5FED8D4745032C024FDD4520D040C55B6
SHA-512:	48C4BD0345893432ECA0745A1DA8D9B023BA1E385C37D6157A24FC6B98EBE4A343EA8508902C4B9A3D626982E3D0AB5102C1DA363ACFF16E710FCDCC9E75F0E7
Malicious:	false
Preview:	.PNG........IHDR................n....tEXtCreation Time......85>`y.....tIME.....+.\.NM....pHYs.........B.4.....PLTE...i..SSS..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f....tRNS........S...'IDATx.c`..a.................h*`.tA@.... .W4U.Y....IEND.B`.

C:\Program Files (x86)\ClocX\Presets\Earth2.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 99 x 98, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	23596
Entropy (8bit):	7.977189008715547
Encrypted:	false
SSDEEP:	384:fG3wnDvFur/1BzxGeMzVDrTYk4cOLS28OG55+cqkem85Y2YErO5nEOmYKyhMAiw1:xnpu5DczdY1cOHmed9y5H7JUGf
MD5:	3D11A2F8562DD07A4D1C0BCCAD601535
SHA1:	0F123DE33890FD36A1E11A7B8E4F15CA68BDADCC
SHA-256:	1A93F6ED5578452B808BDADF9A19C889D262C2264C98A204AEC82CFD35EDA4A7
SHA-512:	C8856EB5482EBEB1D4F27256DED07995EA4822B759622FA9BAE5474DB6660D746C03AAC48708D8A3A90D2204E38553310BD21FF07AD841664AFA7DF3F6E6511F
Malicious:	false
Preview:	.PNG........IHDR...c...b.....Dgm0....bKGD..............pHYs............... .IDATx...gP....y.o.cc{"f;bcg&z......[.T.[..T^%.J^...L.@ZH..iH...x...a$..B..C. [.J.}.mz..3.=.3.c^."2"........s...........g...<...O>.7k.....M.}._.......<......p.j kk.X^>.......[22?#^.+.....w......#...0..y.8....S..O8>y...B.w/....y3...c\.............G8.~3...ay....VW..x1....X].`y...]...o.=g....................a<x...z0kk.XY....a.\8........9?..cq.o...........?r.>g.?cv....O..k.P^.....<x...A....>...++...~...1v...t. .....'..........>.v.. .........$-.7..\|LY.g44\|....r..f..k~..V.'\|....?.Fh.O8y.0O.Dp.n.{C..j.......!b.O......K.c.F...bSc..Iu.awgas..?$...N.!..#.d...^.2YD.2...{b...T.......m.....9.....?...!...\U.-..}.........?O.Dp.v....lA..~LR....?..DF..T!.....).[XE~i=E.M.W..l......z.'..m.j..._..[..[Lzv.iY>..E...avxH2(...&6.wX....h;MM.0?...........44~G`.G..._.I..0.;w.[&'......Q\.............+...Q..dd..]TMIu+.M=..Q..Cy].%...S^.Ay]......1..m..LeC..u...SR......z..Ud.......#5=.d...,.Q..dd....

C:\Program Files (x86)\ClocX\Presets\GroenneKugler.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	4.906092571887757
Encrypted:	false
SSDEEP:	24:BE0rGXE5lr9BP5MoaKLuaPTO2u1DHkp8wdGj8xi85sjibtYQTd9iBY2jabOtWuc:BTqylRMofiiNdGjWCUtjTTiBY2Gb+Tc
MD5:	6299257E666FF7E94C35E5C06CF2C369
SHA1:	283C54F59495A84734889776ED6F47ED5AB6A98E
SHA-256:	DBE467C95B421C4E0B99BF65A99FEDA9DD8C86687FF10889D3C1DFA6DBEF3E3B
SHA-512:	942802E9022565303ED072DDE09CDC564870DF7FADCEA4156DF47ABA9F38D99E5E73972BEC64CFC68427B492862BBB5CADE78F41D80274DFAC0C684AFE708113
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xFF00FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP..DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=14 ;size of AM/PM font..AMPMCenterX=61..AMPMCenterY=122......DisableDate=0..DateColor=0x00FF00..DateFont=Arial..DateFontSize=30..DateCenterX=1000..DateCenterY=25......HourColor=0x0000FF ;color of hour hand..HourLength=160 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=10 ;width of hour hand....MinuteColor=0x0000FF ;color of minute hand..MinuteLength=210 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=10 ;width of minute hand....SecondColor=0x00FF00 ;color of second hand..SecondLength=250 ;length of second hand..SecondLap=10 ;ove

C:\Program Files (x86)\ClocX\Presets\GroenneKugler.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 1600 x 900, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	17954
Entropy (8bit):	7.7331748694752225
Encrypted:	false
SSDEEP:	384:mp5XLNVMnsvqqyUuXWEDgdYpUN8y5t0awON+:m3LEXDWEO600sN+
MD5:	B32A0C1C5D6FFEDD2AF545F0C774CF67
SHA1:	A16B334B7B7A19B2F04842C2D586A7D14E78385B
SHA-256:	858D8FF1F4F91C37D2034D3E39FD1B7B9222F63199A92F133766D0C8D03AFF41
SHA-512:	F6365D1353D59B160CCF3719B7CA519A3D5039EC027AFECAFF3BFE5E4F4E9B1303789883B82BA54209C5218E4A99E5CAF32BCFAE6B75D9765178F5778E4D4036
Malicious:	false
Preview:	.PNG........IHDR...@................tIME..............pHYs.........B.4.....PLTE......."..$..)..,..0..6..:..=..A..E..H..M..O..P..R..U..W..X..Z..\..^..`..b..d..f..g..i..l..n..q..s..v..z..}..~............................... .. ..!.."..#..$..$..&..'..(..)..)..+..,..,..-......../..1..4..8..9..;..<..=..@..E..G..H..I..M..N. P."Q.$R.&V.)T.(Z./[.1].3^.6`.7b.9e.=f.>g.Ai.Ck.El.Fn.Ho.Ko.Iq.Mr.Ns.Pv.Rw.Sw.Ux.Vz.X{.Z}.\~.]..`..b..d..e..g..i..l..m..n..o..o..q..p..s..u..v..x..{..{..\|..~.....................................................................................................................................................................................................................................................................7......tRNS...........................................................................................................................................

C:\Program Files (x86)\ClocX\Presets\GuldKugler.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	4.906092571887757
Encrypted:	false
SSDEEP:	24:BE0rGXE5lr9BP5MoaKLuaPTO2u1DHkp8wdGj8xi85sjibtYQTd9iBY2jabOtWuc:BTqylRMofiiNdGjWCUtjTTiBY2Gb+Tc
MD5:	6299257E666FF7E94C35E5C06CF2C369
SHA1:	283C54F59495A84734889776ED6F47ED5AB6A98E
SHA-256:	DBE467C95B421C4E0B99BF65A99FEDA9DD8C86687FF10889D3C1DFA6DBEF3E3B
SHA-512:	942802E9022565303ED072DDE09CDC564870DF7FADCEA4156DF47ABA9F38D99E5E73972BEC64CFC68427B492862BBB5CADE78F41D80274DFAC0C684AFE708113
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xFF00FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP..DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=14 ;size of AM/PM font..AMPMCenterX=61..AMPMCenterY=122......DisableDate=0..DateColor=0x00FF00..DateFont=Arial..DateFontSize=30..DateCenterX=1000..DateCenterY=25......HourColor=0x0000FF ;color of hour hand..HourLength=160 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=10 ;width of hour hand....MinuteColor=0x0000FF ;color of minute hand..MinuteLength=210 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=10 ;width of minute hand....SecondColor=0x00FF00 ;color of second hand..SecondLength=250 ;length of second hand..SecondLap=10 ;ove

C:\Program Files (x86)\ClocX\Presets\GuldKugler.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 1600 x 900, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	18084
Entropy (8bit):	7.75211321666826
Encrypted:	false
SSDEEP:	384:dMfoGG4iyzLXP0ZCh1zDXZ8L5cevao4+JSIrJUjTTSs6O2M:MoGGTuXsZw1DXZ8LlSZsr6TRHL
MD5:	FE01D57C5DCEE76563AB98CC0C8191CA
SHA1:	61E51410FE6E6E09D8437A80746C2640A31E30B4
SHA-256:	9814CBDBE2037432E1ACD08483A1D09592B7286B10ABED744E7F27E9E53249D6
SHA-512:	55EB4FA8786980D764A006358990BEE376A6AA828EF649BCD5EFB37B40120C45C04E549DAE28010B4D6CDF6997A75887AF6FE06401EB2EFC0798ADDE4B50E34D
Malicious:	false
Preview:	.PNG........IHDR...@................tIME.....7..&......pHYs.........B.4.....PLTE7,.;0.>2.@4.E7.F8.H:.K<.N?.QA.SC.TD.VE.XG.YH.[I.\J.^L.aN.cP.dQ.fR.iT.jU.lW.nX.q[.r\ t] u^!w`!ya!zb"\|d".f#.g$.i$.j$.l%.m&.o&.p'.q'.s'.t(.u(.v).x).y.z.\|*.~+..,..,..-..-..-......../../..0..0..0..1..1..2..2..3..3..4..4..5..5.6.6.7.7.8.:.<.?.@.B.C.E.G.H.M.N.P.R.U.V.X.Y.[.].^.a.c.d.f.h.k.l.n.o.q.s.t.v..w..y..z..\|..~.................................................................................................................................................................................................................................................................................................................................................................. m#....tRNS...........................................................................................................................................

C:\Program Files (x86)\ClocX\Presets\Holzuhr.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 160 x 153, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76563
Entropy (8bit):	7.981093231474991
Encrypted:	false
SSDEEP:	1536:a0YzZWfFT+/3XsqBkWMkizXqi1J4Py2huSyPYLY4l6ov4L9RI251yP:aLWt+/3XsY/yzaKJ4Mx4lhS9RDK
MD5:	3A3667D7B67B89C0EA9061711B3C6C6C
SHA1:	D4EF1011E817D469C6079C066104FA12CD03D669
SHA-256:	28FD079455D8B533C4B3B4B217DA82E9097F199EDB3435D9D787B5E42CA342FC
SHA-512:	39FF76E279C8A641CABDC71891D26B31C56ED0F80F68AEDF0273E22C454F36339117316E9AA776CFAD7CAF9A5664406A77C4B3AFCA44C456950EF1DE127A7C65
Malicious:	false
Preview:	.PNG........IHDR...............1H....pHYs...:...:.d.W.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F...IDATx....O.....6.uX.L.....T.P.#u.!(.......i.)......i.J1W3.e..Z....w...}.....}Jy.....J9.T9..e..(.D.\|.,..H8w...'DFp-...Q......(...K.P.J..P.-..,..E\|..X.c)..K....P.!.L.....W..8.[Q.M.5.B...5.m...Lj5r..t..YX.U.4i.S..)..)..U...i-..U...Cwu.CM%.;.w.!.kd.]..e..T..V..f!h..h1.....&....g.....jA.[Y.hf.....6^x.y;.b.....!..A...0v.}a.....K!..cl{......?b'0..\.?.+.o>...<.6..o...z..k...F..<...a.SC....2.eor..S.b...r8?.....Q.....<\|..`[.......W^...N6.l...Ys...m.i.....U"4.....YY.0..e.Iw..N.>K....Ck9..2B.j.o.2Rn`.D..c.f>n}........2d.+..E...W...Q%.+..M..3SF]N....W....0@.?I.P.n...J]Kj^..Fi..&..D.....@.". ^..7...ts3..U+/.R?Y..m.MO.....l.l...$.&%97(..D..E.......+..]E...Xp.K.].H.LA.5$)I.KOB...Z*..a6.UR.)..[".9....S]$BS.M.4.UA:..<...hU....5.a.S`./.Q_A.@W....r:.dXT2!..^WN.Z....k.R...r...x^...hU1lP3gk$...[G..B.c...MO.g......%..e..X..5...>3q_.k..D.}...z..

C:\Program Files (x86)\ClocX\Presets\Holzwanduhr.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 128 x 130 x 24, resolution 2834 x 2834 px/m, cbSize 49976, bits offset 54
Category:	dropped
Size (bytes):	49976
Entropy (8bit):	7.092155868494483
Encrypted:	false
SSDEEP:	768:ab87dRTe9524Xb8CR1ShryVMZAFoNYoEnT2Z2++7ClagdgXfgc7InbO:aIcEyVMZAedS2ZJqClwfgc0bO
MD5:	E119CD24C7FD2C54B082E7B27F5E11E4
SHA1:	A78344B1A624CF58B2B6051F9864C966C78375BB
SHA-256:	7AA8F3DECB9E9B660682CAC31A0A77F92F9F47FA55DE60FC259132FD4246135F
SHA-512:	E68052BD60E2973930A59029D4E39491FB277AE27C3649288FA99CD9375F3C70E317DCBF5E0824E4F4D5E50157B6F3FB3294C07CCE0B5BABB7C6CC98A0F5A3B2
Malicious:	false
Preview:	BM8.......6...(......................................."................... ..$..$..%..% .'..("., .+..)..'..)..)..(".% +!.'..% .'..'..(..(..'..'..'..&..#..%..%.."..#..'..+..-..,../..0..1!"5 3..6#!>'%B&$A&%A''C&%A&$@&&A%'B."=."=&(C((?&$7'%8.!6"'=..6..5!!5! 1..-! 0&'8..3.$7 $6.$3. 0. /!#2. ...!"0""/ .+ .+# ,!...&..$..%..&..%..&(#-(#-.)4/5-)4/+6,6('1##, .( .)"!,#", ".%"-%!,!.(..'#!)&#- .+ .-! , . .)".(%.($.'(.,#-.&0/'0-%.1,/OKM............#..$.$#.$$!$$ #$."#."#."".#".%".&#.'#.(#.) .& .%.."!.$".%..$.."..$..$.."..#..#..%..'..'..%..%..'..(....+..,..+........+..,..0 .3!.4$"7'%;'%;&%:(';'';%';&(<&'<&';&';'(8$&6"#6."5."4.!4!!6##7##6$$7"#8"$9#$8%$7%$6%$6##4""1!!1! 0..+..+..,..,.., ...(..%.."..!..#..(#!++(3+'2)&1((2)'2)(2''2!$."#-"".!!-! . ..!!/# 0#!.#"."#..!+..(..'..(..&..&..&!.%#.&$.&$.&,$.62:?<AB@F56:49=.........$..(."&.&%.'&#%&""&!"'"%'!%& &$.&$.'$.($.'#.(".'".& .# .$".& .&..% .'!.)..(....+...!./!./$#5%%6''7((8():*:():('8&&6%$5##4""3##3! 3..2..1..2..3..3..2..0..0..0../.....-.

C:\Program Files (x86)\ClocX\Presets\IvyLace.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1542
Entropy (8bit):	4.878600306111023
Encrypted:	false
SSDEEP:	24:BEZrGXE5lrABRhB0aKEszdeTOs010BJGkpUdGIo8dip4UGibQ0Wd9i8xLnQI:BkqylUhB0fXjAf6dGJP4AQJTi8xLQI
MD5:	3D708D8F639F76D859E665EF694A62EF
SHA1:	0B1CC310F0033F40D0893BB5A13E6B69E6F2987F
SHA-256:	7BD5BAAF5212EEFAD806866581EEC7CEF31BCA8D1FDB1189F246F3CE6BF0CBFE
SHA-512:	47998441D8C308402C30857C0493C75EC0E5F7CE122A724426DCD35E126EB492F84C0740F663AA41CC33DA80008A5442B93F78CB6A99BA0ECB0DF0471F3F12C2
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xAC6C1C ;cut window by this color (default red).....;not used with PNG in Win2k/XP..DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x000000.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=12 ;size of AM/PM font..AMPMCenterX=92..AMPMCenterY=112......DisableDate=0..DateColor=0x000000..DateFont=Arial..DateFontSize=10..DateCenterX=90..DateCenterY=76......HourColor=0x011AFD ;color of hour hand..HourLength=29 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=4 ;width of hour hand....MinuteColor=0x011AFD ;color of minute hand..MinuteLength=40 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=3 ;width of minute hand....SecondColor=0x000000 ;color of second hand..SecondLength=47 ;length of second hand..SecondLap=0 ;overlap o

C:\Program Files (x86)\ClocX\Presets\IvyLace.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 193 x 322, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	88214
Entropy (8bit):	7.99675772005271
Encrypted:	true
SSDEEP:	1536:tEYNBJ0JbTvglRPMu2FUqo5pnf6fAXk+C35bv7ty64zIW8X3j0R8zIoAJ:tTNBqPIliu2+rfAr+C35bvZypbY3YSB0
MD5:	DF9960BD75494BE3C8AA6953BC4B869C
SHA1:	1B8E3720D85A3583443ECA58E2827F0BA5E75B0C
SHA-256:	8A265F137F9BD4C9BA7BCA815DE1088E1F95C093A25901350B7CD0B4B14FDE78
SHA-512:	8B939210B7A77616C06E50296B21A3501570748DB2BEFCD6FD05615FB5EFE0CE397B76C9D459C858FB328FF90FC6639CFB9A1B8D782E4925AF1568D3188265FA
Malicious:	false
Preview:	.PNG........IHDR.......B.....H..^....tIME.....$8L.......pHYs.........n.u>....gAMA......a...X%IDATx..}...U...9wO.y`.9.$QI...5..3. Q...k._.uu..fE.P....00.L....}.snU.4,*....}..u...t..'.S....vr;...Nn'......vr;...Nn'........O_...M.7~.&......N...oG.v.:...9...UGL.G..$@~.v..............6455a..;...............9B....;L&..n7...`...t:...%.....1.4BP..m......'.q..I....cBo.c..5...={.`..$.a......F..Q..B.......D...`0.P[. ..#..A....l1.q#..f.....h.=:u...x$.>... G..IP..v......._>...7...k.HD@G...tZ.sg...H....Euu5L....l..$........././Z1........>x.[...r.>..CUhhh@ee%..:D... .....g~~..u.&..p..x`0z.A.t.$ . P6M..y....3f..\|...&)t..=..:t..;.G..9..3....I...e....f.....$.b..p8..\|<.[RR.z..^.za......oFu.....&.....[.....PUU.f._..d.Ik.{w......@..M;.I@.$.......k.....{.n...-.Fbb.i.........UsR..u.....>....=Z.#;;..:..5k...__H.j.".b.-.....u...`"?@..(........MsG....k..L.^..../.....J...z.WQ.$...1`..<......0 Nn..6M.Y.Zh.n..ZQT.G.....0.tR;...3g...O.1..P..h...Fg.]i..'.#....

C:\Program Files (x86)\ClocX\Presets\Jagua3rClock.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 113 x 113 x 24, resolution 2834 x 2834 px/m, cbSize 38476, bits offset 54
Category:	dropped
Size (bytes):	38476
Entropy (8bit):	5.853923355401225
Encrypted:	false
SSDEEP:	768:y4ktG2kfqzqNul4stj9IkOA/z7kOBSi3TyA+mjg/lhqt4mI6p:ex9xSO44
MD5:	0511D5EDD48E385FE14E0E0A5AD3843C
SHA1:	C742845EC023E86FE7B1CE77733FD5111C286027
SHA-256:	9B5CDA4BCF5F1DE67D41E96FDE3DA74A7355B31C8C30A9867079E5B515774C05
SHA-512:	A8635F77EBDA4E739A922ABFF623B5D4B82F43F5F1358A8E9749FD41B53F855877EFB37B04C1A979E70BE92E85016912D1481D227E4ECE23E2D3FE9A6C7DBB1D
Malicious:	false
Preview:	BML.......6...(...q...q...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................~~~}}}\|\|\|}}}................................................................................................................................................................................................................................................................................................................~~~xxxtttqqqnnnooonnnooopppqqqtttwwwwwwzzz}}}}}}~~~...................................................................................

C:\Program Files (x86)\ClocX\Presets\Jaguar.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 119 x 120 x 24, resolution 2834 x 2834 px/m, cbSize 43256, bits offset 54
Category:	dropped
Size (bytes):	43256
Entropy (8bit):	4.430342366223317
Encrypted:	false
SSDEEP:	384:kZz8J05teDCm3J1MREBqXFlKbBfqJ+/VAImPWFOQ:cOZHkuqVlKBd0CR
MD5:	41C592514DFA1093A831102815AAD068
SHA1:	20474FCEAD8EDA8247270B171FC0CCD6B1EDBAEC
SHA-256:	86652BF37435C6E524E5DC73056F9A22F08ACFB8E427372E51D4C18FED4F2053
SHA-512:	CD715B96F7F895F5546E2EA80EF9E54643FEB75ACDBE723F6F4246032DEBB7487D338B548FD71041BF4416548AEDCDFA7AED7977EBE245752525130702899DF8
Malicious:	false
Preview:	BM........6...(...w...x.....................................................................................................................................................................................\|\|\|vvvrrrnnnkkkeee`___^^_^^_^^_^^_^^_^^dcckkknnnqqquuuzzz................................................................................................................................................................................................................................................................................................}}}tttlll]\\PNM.d..[..<_.:Q.(7..#........4 Qp)k.A..=..:..6..3..0../..!q.OLI][Zkkkrrrzzz........................................................................................................................................................................................................................................................................wwwlllWUT.5P.Cb.Wy.Su.;^.4W.?[*G\.-9..!..........#:/\{B..F..>..;..8..:..0{.,u.!k..h.#o..i..a."`.TPOj

C:\Program Files (x86)\ClocX\Presets\Jaguar2.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	27059
Entropy (8bit):	7.870527552757156
Encrypted:	false
SSDEEP:	384:5hLqpEkpEyxcmTzRgctHZTjeZz0V0LFLXxnQISR+ApHwsXRcyXnEWjsExibdCaVO:vuSIEBajH4hBQtJpHwsXT0zpdCao
MD5:	A12A30AD1D5DF1AA37A800872F645267
SHA1:	6B2235DFFB9C8AC6A3D86E852A00D46D623F6843
SHA-256:	FDE433ABA0FDE6691638D7AF029EF95561980183697595097D23BEED55263BC8
SHA-512:	927E205DE83C8A795C2F4C87060386DA15A36B2F3F72EF621AC7BA9A641B1B72F4ADCE839B8C9619901B626C44B0C930C7C3DB475F881EBDF43AAB445F718D8A
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..i)IDATx.b...?.(... ..F.`d....M.#....h.... .F......4..F8.....0..@...DO.D.1j.3...2~..........6".....8\....Y..y..$......DD.....E.x9$D.....89..X..Y~...............7.>_.}...7?.......~....(.....@ZZ..H..i..x..).(.J..rK2......OEVf.Y.N.^..^.n.vf.N6&fv&f.&6...........?.?F..??......./...xv...{...y..............<z......<.=...@.......""!%....,.E......y.T..9T5E....23..................X.q.....I&.H..e`.........../..g.p.!../...........N.."\|..dDx.K.r^...~....g...x..wC5....J..j.R..z.......?.\|1.......<l....y.TD....x..0.3(';.3.70.y..1.3..=..?....+......tFfF.f6F.F`2`d.....?.._.n.z.p..-.+w.3<....;.....$.......2.....~i...Y.._......G.<................!....}ZTZ.?. ..j.....'.hf.E"..".l&.J.....O.x...r.......AO..z..:B....../... BUdTM.M.B.($..c..E...A..8..g.Ga..q.bI.,..+.#<...$!'...z8...7D.G.4P...5.P..f....5NBq.uv..b.....h<.2.R^H.K.b.O.......i.......Xi.&.8..+.HL,....

C:\Program Files (x86)\ClocX\Presets\Jaguar2Clock.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 112 x 113 x 24, resolution 2834 x 2834 px/m, cbSize 38024, bits offset 54
Category:	dropped
Size (bytes):	38024
Entropy (8bit):	4.444331785396521
Encrypted:	false
SSDEEP:	384:mhipaBfLvA0hW8KqcE/iq4UREimrRPwavK:KipG/W8Jc7q4Uaif
MD5:	1FB082E898C2DCF91F26D998690B30A5
SHA1:	87A4DC0D6F778717BB9AF2E2F2B7853CD1CEA6F9
SHA-256:	7E1947AA387E9E85B3E8D83EB850DD26C47C301B4A7F9CCBC098D0C902996F92
SHA-512:	FD929B122F39E74C79F3CD61CBAFA865618B2FA4FDED1700A096FA4DA18AAE9408BCDE9631104E855545BB63CA44254A2B22ACC19C4F8721CFF00FF8F521A59D
Malicious:	false
Preview:	BM........6...(...p...q...........................................................................................................................................................................................~..\|\|~yyzyy{xxzwxzyyzz\|{~.~.........................................................................................................................................................................................................................................................................................................w}.ntzejo[_cUX[RTVQQSRRTRRUPPTPQSRVUVZXbffosu{...................................................................................................................................................................................................................................................................................z..v~.s{.ox.fpyXbjIRY=EJ4:>157.241340030/3016.250767??IRU[cjks}u~.{..............................................................................

C:\Program Files (x86)\ClocX\Presets\JaguarClock.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	23118
Entropy (8bit):	7.947051271511001
Encrypted:	false
SSDEEP:	384:5Ahl3Fn0P77pTlP0pz5R1RPHwYNUSEAI9wiF/6fXwgQScBeWyW64Z0Y1HKlwJALt:e7WBTpkTvrzEAI9wdvXzgZtEGGL40v0U
MD5:	C257F6DCF2A842219E24F43BD47F09EE
SHA1:	999662C17D219CC7A6675A3EF0868104D13479B2
SHA-256:	D9C00401BF038C437165B16271C0594FA63F0C26355B348EBF126CB322DD8BF2
SHA-512:	B08EDA45A957706E47959DB5C429FDA68E9E1073FEF50251D0D344FA7A12C3142B9234F79FA079C95B0A4DE7818D9E78179EB5A6E49A8A6FDBE8D775CE6F3BF1
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..Y.IDATx.b...?.(... ..F.`d....M.#....h.... .F......4..F8.....0..@...$....0KII1...0111...2qqq....../_..111.gee5......8...$%%.....899.uuu...(###.../.....q.....i. f....P....~add.....@....._........7..._.1....K..Hb........g.........J...i.#[...C...E....r\|@.d.H?...@.h......?...=..&..@\|.XJ.x..+gg.....C....!............<...:.\)..."''g...J..R.bNX..#.n...H....1@..\......+++.....C.}..w.U.9 >........MMM........8.........%.N..B........h......x..=N&A..Z.A...@j..."...:$.[A"B...Z.-.....a.L.czb.)....o..Nw....{.?...@...."...n....9...-....mllL.......,..C..a....A...............?~..l.1...p=....H...60.={.....dpssc...C..`4H.(..0.....v..<.,......ooop.n...X=....@.&.@#...3..........K___.X................D...C...3\.v...@..JKK.xxx..a...w.../fx..-...*.+W..^.............341@.......@...`"=....@.....s'#.......e.E<+.......#0...[..:V..p....A...dX.5.`40.......

C:\Program Files (x86)\ClocX\Presets\Kirchenuhr.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 142 x 143, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	27150
Entropy (8bit):	7.965413194830163
Encrypted:	false
SSDEEP:	384:WHpNa5lfTIYOR0MEvwGYHyEmHH497tvTDo8s7mTHX3cTLmkZR37B4jc23wXDpXGM:6OXgyE1hXod7mjcTLmQ74c2gXVXGwgns
MD5:	4AF2EC664E52978F64F505D6C2AB29B3
SHA1:	288C0683413F7E7AD06A868C4DA687C073D3A208
SHA-256:	D1D9C71B77F881609E96467DF3FADE83D734030101943064D201201EBE3EBBBB
SHA-512:	87CE065E304EA617FC2953212E74786D146315EBBCAE9456B353296613999EB82E24201AB52157C41A40AD1045FBAFD584002EBC3375265AD6DD5ADBFCFE8A3F
Malicious:	false
Preview:	.PNG........IHDR.............,......pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..i.IDATx.b...?.(......b...Q@... .. @.JJJ.0..`......}..?.......8..%%I...N!...%._K.#....'4.....%.8,A....(..p....ME.....,.%".......9........C....g.......=(........:.....0..$.....G.......p.p....p ...@..m......@r..N.`....RQ..G5.Ep.&.8...4N..p.DIJ..2.%..yI...py...eG..o}..y=......V.GKKILQ....A.J.....bV..H}...(.q..N.%...(.LX...\|...$TLSS.a...NZ....g..<...To...X...0.....41.K.P..N\.....N............R.. ....{>LJ$..b..%...G..$.g...+...;v.Rz.........>0.5%@%.(.9.8...\x0@..$.'...F:(...{....h......X...'..H.P....@.....E.D..I....9.....h.....ne....>\|.qw(Wk...-C$.A .n.h..4z..i5z.Lj.I....z.(;..y.*.SjH.) ...5....df.l. b..........3=...w.M.x..B........J3rN....... ...I..H.N6..H.5.^:?...t.....W.1....l....%.;.J.....c$)...DP..E4......T;?..u.X.pr..9..&.H."+`..JL.t.j.............$8A........P..w...'p...A.v.sH...w.8.r..@s8A. ..&0...V.X.c.q.I....J+..HK..G7..@........b?.%Hb.s`

C:\Program Files (x86)\ClocX\Presets\LongClock.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 122 x 104 x 24, resolution 2834 x 2834 px/m, cbSize 38328, bits offset 54
Category:	dropped
Size (bytes):	38328
Entropy (8bit):	6.400177731055891
Encrypted:	false
SSDEEP:	768:+SY8aR+Fh1mCcbLhN5PJsmU9exbK1UUWkOuRuaUivtgc:6V2zmCcbzPsmZhK5bRuitx
MD5:	224D809351EAC5981A93D5F78F325A14
SHA1:	A28AF5DF1908B2527E827931849D7891F6B2E508
SHA-256:	0A74FC0FFA8DFF0D8A080C3306CA98707BE271E02458879EA533CCA5BF43C3D8
SHA-512:	05741BB2F5C06A94D07106E86AFD5817F9380D6EC52D5570B41A659AC3BEDF1C1241FA67FFAF868E9B128532B334EFA682947CCB5DB412F0F23F8F6805E04C95
Malicious:	false
Preview:	BM........6...(...z...h..............................................................................................................................................................................................{{{xxxuuusssqqqpppnnnnnnnnnnnnpppqqqsssuuuxxx{{{..............................................................................................................................................................................................................................................................................................................xxxsssojgof_qc\scZye[}g[.j].k^.p_.p^.r_.s_.s_.r_.p^.p^.l[.j[~hZxeYscYoc[ne_ojgsssxxx.............................................................................................................................................................................................................................................................................}}}uuuqkgrf^ueX{fV.fT.q^.ra.sc.ue.vh.wk.ym.zk.}m.}n.xi.wh.\|m.wh.te.}n.wh.vg.uf.te.rc

C:\Program Files (x86)\ClocX\Presets\MClkhrHand.hpng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 82 x 29, 8-bit/color RGB, interlaced
Category:	dropped
Size (bytes):	4342
Entropy (8bit):	7.941835201767031
Encrypted:	false
SSDEEP:	96:E6/uudQD0HcoVjwpVP8mJtJRIyi1vjnwMC1DyaebT1arybARHyAgWp:EYdd7VjwpBnnIyWvjnp4+a+T1arQAdyY
MD5:	1807D18C930D5B762C02DFA33439D019
SHA1:	7F542E821A9C6F7AF1A1B7120C4FFF8DC29E6FBD
SHA-256:	D951BB6D6D6FF4D0B15E3B9C803BB51C8EB10CE976517A7DC97F8636C7E24EEC
SHA-512:	D2D005DD7AB77D40C402883FDC3B49930844E1704028417ACD544DF6EC85290928D38AAA7964F5B7E083AA7F88BF71A65BF83B59F505BC5306F0663FED60E9D8
Malicious:	false
Preview:	.PNG........IHDR...R..........G......tRNS.........;....pHYs..........&.?....tEXtComment.........IDATx..X.wTe...{..}..TB..@.VEd... . .@..E..b.e...BH !!dOH.....P.....i....s...........I%............"?Yg....F..D....`.s......j..~.br!D.A.).i......xF0..}.j...`....f.2 r.m.3;..NJL.P;c.3b.X<....dj...{...pa.4.g..'4.;lR. ....0..H.M......_....}<9S.k.T...F......$.B(.F.'.?S.... ...q..M.*(`h.&-c..@w.r../4K._.....~2..[.tU.CF..f.....6]6.1...jn../....}.}...)x..bN...I6..8..f.1...?.../v...1...O...FCQ.l.z.\..y...G.^.{"....d(.O........]q....W<....-.&..UNRD..8Qe.Loh..MP).L..AA>.........L........].U-Y.........A. v.M.,....y..b].Gs.r.....0....k."...xX(k..#....a.o,~tj.....^.+....-T.8@...N.]../i...Hg.z9.B...:?p.....~.;X3..FA.`....L..8....N....r..$2..y......2.V. .R}.......iu$..........."...ND.....kf..k....}...o<..J%R.H<....[V.!.KDf.V.%.q....A..Q.o.l......`c....ei...h..O..2.?.2.<K....tI.d.I4.nTL..)..H.Q2i.&....d7.+..q......Q.I..K/.......R..[7Q.....u.ggc(.n.bV-.y.......F..nf

C:\Program Files (x86)\ClocX\Presets\MClkminHand.hpng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 99 x 29, 8-bit/color RGB, interlaced
Category:	dropped
Size (bytes):	4186
Entropy (8bit):	7.931723634103746
Encrypted:	false
SSDEEP:	96:6fLdlazsuvgUltX4xgm/HZe0lPHtSPwZLoc:6fHarvgUSgmA0N847
MD5:	7293D9082295616A46631E18065E8723
SHA1:	B67481A1D09E19D91FC4BAD975A2490545660570
SHA-256:	667A8F4C9F37BADFFBDD7708919BD6133A4F0C9B4599B3382A0B8478B17203AE
SHA-512:	8805516F149E8094E1A0BF0A406E9AFE643FF10D5A2119592FC1138296B4BD488C030AD83B0915489A0BB8DDA7C01B074B724AEA8CA665FE16122C72AC26DA26
Malicious:	false
Preview:	.PNG........IHDR...c.........Fvu.....tRNS.........;....pHYs..........&.?....tEXtComment.........IDATx..Y.{.E........'.dX.(...(.]T......AH@.bX>.A...H 3..%.$3....I.~~?....t.'.\...x..S.&S]}..9.y..`=@.v.q.[?...O.._-.@... .V.....o..DfG&,.\|}cS....:68..p...x.A.b........d..}.e.}.}...F.......n.s.~=X.....iC"..a....y.i._\.oc...5.S.....%.0D&...\>..!.<0)...0..s..?7x6.(c...LRt............a...x]......#...2'..0..h?.\|...)"..]g.b...N.c9.^;...fF3.Q./..ju.......4..+2.2...r....p.e.X.p..3n.{....ug;.{.........2G..<Y `...._.2..{].~U......Y.l...AZ.. C..I7.~..........(. 0.&.".J........C."@..8.1N\C.,.G..7..7.=.nw/YV.F..jM....k^..Y.}.q.......o8...;....S=.........-4>&.h......p.f0.C....O.~../.X...;.#. G.=L@..&..%.G..w......'.(...Fe.H...n...}.^............W...\R....k.e.."=HC.d.P.A.v.x..7.U+./.K.w..R.+V.9.;Dvuh.9^.N.. M.a.(....m@...O.......cv(..h^..i..Y.z........v,a..v......?c.D<.Hdb...c}.:.]......b........4..Z4r..Hf..<.X.<A$.f....4....C.6A.a........^.U......W..4QWUCS....D

C:\Program Files (x86)\ClocX\Presets\Metalluhr.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	15980
Entropy (8bit):	7.977328361379866
Encrypted:	false
SSDEEP:	384:/Uyi6ZuPdB7WF2ZylcQ25aSjZk9yeXi+FAvblFmLo0h6aGZRKdhVHeAnlF:/+6ZulBISIlyYKzmLD4aGDKrEAnj
MD5:	B7D40312C4D52BE2DCDF3B26E28C4225
SHA1:	694A2A386BC5AE7627EB643C16141C826862BA5A
SHA-256:	1E2467EA0BC4A8DC323A6B61F82165A6A52AF8D12245B7B7441FF7C8E4D40ECD
SHA-512:	E3629BAF278481FD9207AB2BE95D692E9A42ADB0E376FB6625653ADB98694934513F75910DCE21E42A7C364B3B69713BA7DC7D4418658D74520F3CA92C8B7B54
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs...:...:.d.W... .IDATx..YP.{z.g9I.r..d;..."5SS..R..\$.A......W6Eq9.(......s@..........( ...4....<.P{.L.j.f..O_<.........{.....G....pY..p....C.....8.p....C.....8.p....C.....8.p....C.....8.p....C.....8..}...~>1.(.....7<...7...3...=...9........'..mg....oZ.j_5..x..VS.:...-.].@.e...............>.....j...U..3.....g.....xT.E.F..^._QO^..n.>.F.=.d...^D....%.s..e..SH..Ci......../f..X\.\|.j...z..!.........<w.ex..et..1.h.2/.96O..<}3....].o.....C.V.M..m..ct...q.z.x.:..w<.o.......HHN.X.E"..%.d.i7...Z;.......XWW.fz~.yz.qj.....:F.w..?.4[&{....]ax....2C...M..92IK..M.c....7...!.:.y.9HC. /Z..n...\|.CUm...jH/. 9.6..n..m.q.W.sw........89=...].OZ........}......../[.&.Z.gs....[..tL..;......f...e.sV..9.z...o..A.%.j(.......e......+.>h..Q=%O^q..5./.p...J........<x.L..z.2.9..Hx...$.....n..>......w.>..VVV?...<.>0^..wl.M...{.B....s.YV...26.L..8/..)...;.O.]......xFA.s..._...Gu.=.....<zA.............<ml.yS..M]<~....m<y.N..n.7.P..O..8.#....S.1..

C:\Program Files (x86)\ClocX\Presets\MickeyClock.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	678
Entropy (8bit):	4.917267489832909
Encrypted:	false
SSDEEP:	12:a4EqmYLrrcR5pjpJrtOp0BP5oHy4yjQp2i0dO92HOFLlTYQBSwcz:BEQrm5b7Ouh5obykcix4OFFLi
MD5:	11E9EFE0037DA4F0FE989AB84830BA3D
SHA1:	CA50EC23FCCE716D006A4BF0BCB12D24B337154B
SHA-256:	D0DF0CE0E36DE4ECC1D6B132CCCBA792033D86CB8BB5C93C8BD9998BB705C56F
SHA-512:	2BE02B5476830EFB44F4FEC00FCF4095608BB3AA9C98FCAEEE2D90404B2FDC7ABE6742E21C9EDA56F63F57A66EBC0566391986A1E069DC5DD34532BBFE3BF97E
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x00ff00 ;cut window by this color (default red)..DisableAMPM=0 ;show AM/PM indicator (default 0)..AMPMColor=0x201010.;color of AM/PM indicator....HourPNG=MClkhrHand.hpng..HourPNGCenterDist=33....MinutePNG=MClkminHand.hpng..MinutePNGCenterDist=43........SecondColor=0x555555 ;color of second hand..SecondLength=100 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=2 ;width of second hand......CenterX=122 ;center point's X (default image_width / 2)..CenterY=123 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\MickeyClock.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 246 x 247, 8-bit/color RGB, interlaced
Category:	dropped
Size (bytes):	99813
Entropy (8bit):	7.9960328241893714
Encrypted:	true
SSDEEP:	1536:assTzTBUqQ3hK+9T/7NSOM0t5U7mn89Rby4MDS2NK3J9TvU68z/sa6xlcEyEPvTd:a3tUqKNSOMCDKbW+gU/xPvY1TRSa0
MD5:	268519BA3D99BB1A48FC6A044EB1984C
SHA1:	D5DBF25990D0D4B7254C31690569B76C7C6A95C0
SHA-256:	72645CB08A9D89EE34896521DFF7CDD0AC79536C72296949D393A483D37B2CDC
SHA-512:	D4D9AA8E54BF2A9D55E4C69A728F7D535ACAA576782E6A37F2E2198768F06A6A31536E04C488F3795E8C38AB8EC4003BE26094A1DE89BB76BAC382A91603A4CD
Malicious:	false
Preview:	.PNG........IHDR..............+......tRNS.........;....pHYs..........&.?....tEXtComment....... .IDATx....TU.>>$Q.8.s........0.y....b........k$...Tr........o.0..:.g.].....<..3.=..S.....i_k.....!...Y[w.Z....U...w6j....5....u]x..b.Kx..'k.CV.y./.z6...f.u<...b....4m..!l....\|..l.%F..[.8B.?...6.......YcG...q..#..F.M.......(....=t..\|.......&.d.V..A3.>..../X..u..j..u..^!.".).:Z7s..n.>c....[W..[.q.C.dY3H.....sdY......wn[w....^..H..^[S.7!..<...1l....]...........[.i.'...B>.?8..'.se#mY..'..l...-...+.8......q.l.X..b..G,....v..\|* ...l......J./..{..e9v......^..*D.<.......#.!d...A.....YK>.5...u1g.... .=<...n!..Y.Z.SV..k.b.M..pg....?)..BVz .W........!n..j..1_...p.......2q.NQ6.P)/...,W....^.>;.+...K..`!....l.^=.........:S.=c.4K...........&<.1....g...]k......%Fd,R.K..U.W..4.4. J....W.FlV.!1f..]G.A.l:\|D`@Or./H#.w..grK..\.X..-....yYY.V.R....PM.^.I1\|....^.2f...\..Z.9...$..)..%.....Kw.u.4mba.c.K..-....{.r...R.TgB.\.cA/=\....+.i.B..U.V.g...'...;..N.....

C:\Program Files (x86)\ClocX\Presets\MickeyMouse.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	680
Entropy (8bit):	4.892030328377304
Encrypted:	false
SSDEEP:	12:a4EqmYLrrcR5pjpJrtOp0KPvE0BHy5W2iWO92GbblTYQJbwcz:BEQrm5b7Ou0v/ONifpVJci
MD5:	A32B0A69A50AAAF0199500937B815EA7
SHA1:	F6E6D47D60107184DEEAB69A0B3BA0A7352063AB
SHA-256:	B39F51A64048FE26B41831D4DBB612965B967D9AA0F01D579038F67728508B8B
SHA-512:	FC35567C00F18BD886B42A4D0D447D99C7999696E22ABF657D929417B5EFB1F64B805F8144080473AF4E74577FAECCB9559F35808AB68F4D41CA0FB9C444A389
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x00ff00 ;cut window by this color (default red)..DisableAMPM=0 ;show AM/PM indicator (default 0)..AMPMColor=0x201010.;color of AM/PM indicator....HourPNG=MMousehrHand.hpng..HourPNGCenterDist=15....MinutePNG=MMouseminHand.hpng..MinutePNGCenterDist=21........SecondColor=0x444444 ;color of second hand..SecondLength=52 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand......CenterX=62 ;center point's X (default image_width / 2)..CenterY=61 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\MickeyMouse.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 123 x 124, 8-bit/color RGB, interlaced
Category:	dropped
Size (bytes):	28133
Entropy (8bit):	7.9887437039825295
Encrypted:	false
SSDEEP:	768:xXTnuvx75M3cPMaaI5SG58+a3/zRHC8nDawy6AXe68Dp:IvJ5kGeI5qPzRwhXe6E
MD5:	138B8FBF86D45154F336D82B65F64318
SHA1:	7EF479F3143CE1981D5B7586C770A5BEFE2F4C39
SHA-256:	43E465AE6CB6BD2CE7D58ED2082AC8598437B40B77B6ADE04B89C39EC1E82001
SHA-512:	DACA16170627397B20D7FEA20E52743FE9395FB8AF894EBB5AA6505C27979BDA1E6DD44A31695E436A165EE79CD2222F7483A24FE8AB9DF7AD8A3D4F9BB9F7F7
Malicious:	false
Preview:	.PNG........IHDR...{...\|.......h.....tRNS.........;....pHYs..........&.?....tEXtComment....... .IDATx..}.xTU.w(v..Iv7.....i"...P@,`Gz.JG.. Ho.-...N..m{.........+....o...q.w.93..7...^99....k.6..._.....^..q.fQ.3....7..f.[/...\Z.G....>.0d.y...Y.5..:.[..)....x.S.K..8^.P)ht.....g.x.b .g.g].....(p.^..k..L"\|7...t.~O{....\.o..........y...&..${.7..N,..^....x..G.KDef].s#.F!P...3K......e...M..u.._.>=!L.R.jW/..o.N8S..E..'.O.....Ha....u.......b.t...u@..,.{0........&.."..d>.$.....k.QY@.U.'.+.L.Y.7..m...D.....s.p.....x..f!......wr.{-.&.....;f@....D~...k`V........V\|..g..x".Q...pM..~....4..F.M.n]8.....u6._5{.A... .RF.M......S.s[.p....V.......E....L.E..qi.ve....,.G..q.k........."riX*a.5,WZ.W.qi.].F1....z...^..........o..6}.......!.;.x.d.?...r6...... 8s.'X;........Z..Pym.O....y...,..D...k..9..D:h.SW.o...g....d...=fq.S..Gs.A....p..[..,J......^....5..j../.=.0...k..".......D.en..n.....?d.9.-.8}tB.=......En.D-.G...>..g....+...[...8.-.x..7m.[...{.nYxQ...k

C:\Program Files (x86)\ClocX\Presets\MilkClock.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 117 x 119 x 24, resolution 2834 x 2834 px/m, cbSize 41944, bits offset 54
Category:	dropped
Size (bytes):	41944
Entropy (8bit):	4.502988081517253
Encrypted:	false
SSDEEP:	384:48oCgzHI3a+orRHK546WiWERXIyX9mNobpDbWvwpOwxggScDYe9bahZ6biQP7l4d:nvarRqN9pkW2QP7+4j4tWldZU
MD5:	C429424DACB9E99C03E1C9AA0A43EDAC
SHA1:	8B46C8CEA93BB189D7BB658C2CB919C9BB5E73EC
SHA-256:	7759C1C207EACEA3C0D807F973AFEE0431763194CF965AF6D8A12B51E08269F0
SHA-512:	1EE9C13C2466AC1443E5CD0749B59071BDA105E61CC48558358EB7AC14700C7D0A3EB1804D11226C923CAF720813191F24EC4BE0E1494A07EFB230B0A4C15F8A
Malicious:	false
Preview:	BM.......6...(...u...w.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ClocX\Presets\MilkClock.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	21359
Entropy (8bit):	7.901413955608492
Encrypted:	false
SSDEEP:	384:5vztSCNV9xlvtlOzk3VB0/V+aWs9AGCexm2gRLfInmwzGCmTi5cUuYR00QQK1E50:TNV9vVlOu/0/7ZAGCexmdRLgmwzOikYm
MD5:	47F1370D7FF57B3FBB2279BEDB6B8AAB
SHA1:	4918369DB575B65C1FC5429E4BDFB56B1318EF71
SHA-256:	06A1292FF82C497E9238734AEF77C2F953371D5910A3AF93289F6C2820508428
SHA-512:	519CA59DB91E11C247E585511194D436401BE409EE65CBAC2C6B6EA9DA5AFCB80BA400B1CC98EBB24B4DFECECB679807BE2798B4CC2D3245B02C3B9667B75C65
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..R.IDATx.b...?.(... .X....^...J.....LLL.06.D.S...........;... .7ep.0.BQ@m...)....p...1m.B..>.......Zk4o....B...;....0gb....)[NxK.1.. (.r...T...1Z.U...%.5e.. .CQ[.a`....V.`...1.x..../.^.[..\|.dz(.R..:c.<...b....G..C....Pb.....K.5S/....foG.:FG.\.,.B..R..{a ........a.. .F...2..x..x.)c.V.U..;D?.@...]F...{.C...L)....u....D..3#.U..2...<...P..8iP..........m.wf}dn.\kM..7....X.7......}...$..+E8.........2.....R...0.6.T.n...?z. XZ."\......P .......@..40..r......d5P.Xx.........kc.1......,...VWk...k.\|`P.._..$j...qI..Dy(T.L.s.<.4..<.g.....].@p...{l..~._.0[E)..0t...).......z..5...........`......... ...0.sN....9..ZT..k.=.."\|.M..vS........jZ....O..o.f.+..s.1..I.S....2.,.9..t.\|r. ".E)..U..%....0.D..hK.7.z....\o..\t.P.".....#t..$,.g....Zr...N.X.{.....Vuc...z.;. ........,[`.^&Q...I]..H..O[x.d.iXxF..S......Q*...<...B........a\|Ln..O.u.dk.i...........O.

C:\Program Files (x86)\ClocX\Presets\Naranja.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 176 x 176, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	25596
Entropy (8bit):	7.895086709174528
Encrypted:	false
SSDEEP:	384:izRtQkbn+VtynIsPHlUGcCv5OcTfDs/YipSwz+H0lco7iHTA6ve+O4AypF21w:uLQkbn5Pn5OcavTzZlc1H06mn4LIw
MD5:	6E26841542A025BB86B2BEA057B57704
SHA1:	CE1A326FB113AC7B0F5A5850F6EFAAF35637C6ED
SHA-256:	FEB312B60BCF8CB4A74F95639CCA0FC8C0AD71567EBD3A980D868671E5A0C105
SHA-512:	C0F4E46D6952DBA10CCCF6337C701AA75EEE8AB4A48A30C66190561AB6ED040EEC282CD79B20B4833101C3B702EA715243092B47DB80707015A8E880A7C8E33D
Malicious:	false
Preview:	.PNG........IHDR................^....pHYs..u0..u0..3r.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..crIDATx.b...?.(..C.....h.......h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!....e4....."L....@."..102..i) ..bQ ..b~ ..bN f.j.....+.....@..._..3...O..# .....n..7.FC.8..@...q.&s.}`"..2u.X..5.X..xT..-..... ...W....N..8....@..&`....L..@.......#....Jl..i;......w...........O.M."..j..v..g...p'LF.R..R.-^....G..! >Xw.......4".00.... .Lc.@..3.a&VFF...{.`M..b{..n..&..#-....[v+..A..Z..4...{..y...60tkY.\..+..p..0.\.a.I.LqK:X2=......7...B.@fKd......b.$/ I..d.0..d..F..W.a.w=..........E...u.ij...N+.:.8......_.O..JE.....)..}..&ZP. .. .. .3.bi.2..-..;.......<.?..f....&ZA.fp..&j.f0Mr...wP".../........./.3\|z.................?......y#...H..&...9~..h.&``...&.P 3.....-Jz.r........OL.AXA.AX^.A....d.X.9....)H?8..*....n...7...>>.....m....0.......0............'.}@...[.L.o.c<...K.....L..@f..;.J..@...d.V.......

C:\Program Files (x86)\ClocX\Presets\Negro.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1406
Entropy (8bit):	4.794122875050788
Encrypted:	false
SSDEEP:	24:BEGrGXz5lrUBRyTOLX01rfPkp+dGm8JiX33NPeibQ0Wd9iBxLuQI:B1qFlQmiEdGmxtPBQJTiBxLvI
MD5:	8F3B521E705B5627F46E7B0013FF6C32
SHA1:	022116186DBDE488C76A3576313B6A85E8D867E2
SHA-256:	BC8D35BFB7F76801FC490B94CCC9F7EE56ED46FFBAEC4C6A2863360A11905685
SHA-512:	CF042E18EC79DEF94ADEFAE65AD05F7E74F980BDF94D84DBF57CA07C03266CB5F2513578DF1F4BB86233A309A52988C872C7A75994C004AF2C1958586E276537
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xFFFFF0 ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0xFFFFFF.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=12 ;size of AM/PM font....HourColor=0xFFFFFF ;color of hour hand..HourLength=39 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0xFFFFFF ;color of minute hand..MinuteLength=59 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0xFFFFFF ;color of second hand..SecondLength=63 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand.... ;CenterX=60 ;center point's X (default image_width / 2).. ;

C:\Program Files (x86)\ClocX\Presets\Negro.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 176 x 176, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	15904
Entropy (8bit):	7.882124962892923
Encrypted:	false
SSDEEP:	384:+WRaK+pYK+RSwp359dz+GWW0DlS3dSX45sEHI44bkOvVYD:+saKO+Qwb9d/0DstSI5sA9D
MD5:	B2ED7E8FD0CCF0E6B45B3C47CEFA3742
SHA1:	0BC335E49A4E210A677181D3867CA1342C269B10
SHA-256:	AEA2E2C6F689C1DB7CAEC63BB7D6A1863F4A564560B0C90D145C76B9F3A2D8E3
SHA-512:	21FC75602C9C4E31D4A5BBBACFAE3A99F7E6CE8BD8BF73548142198F2BF32A0E5B3F131D19CD0C6755602A53C472E7347AC311A4F36E83EE1FF73E02BC7978B5
Malicious:	false
Preview:	.PNG........IHDR................^....pHYs..u0..u0..3r.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..=.IDATx.b...?.(..C.....h.......h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!....O.(..P.E...FTD.....B.6Z.<..R..2p.).&...GD......=:..Q.D..i..q....+f8XL0Xpy....... ....8.-(s.....k.......:4..A.(+. .6.%.?.....hA..&....[@\|.....g`b.3.+.. .F.0"..."..k.........+#%VF:9.?R...........@..........@.....L.l.j...m.........:.#....S@\|..O..#...k..!@.....L......m...$<....O... .......H.K...=.. ....B...(9.6{.m.:)... $...........c.<......3....%..Rz...<.p..Z.c...Rb.&p.!..c..........Z+J).9#.....X... .te{.8n.pa..{.....g...a.......,..&^=b..D.... ''.....AXAA..h...@f..6##i.cP...)....8.{........?..w....'61."..4...57.f......@.6.C..%.G....+...`..%FP.)##.......*UA. u..U...e.P......G..n...._..a%4.w....@........@...C...@....@,.+..JNP..%R}}}0...d...AI....T....../^D....f.;;;..?..W.^...PM.s..y.J..]..q...p.

C:\Program Files (x86)\ClocX\Presets\Neon.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1464
Entropy (8bit):	4.842480420404331
Encrypted:	false
SSDEEP:	24:BEQrGXz5lrUNdaKy4jTORXFBA1rfLkppSPGm8eGiEw33NPeibQ0Wd9iBxLuQI:BzqFlCdf1YFuGHSPGmjtPBQJTiBxLvI
MD5:	F9DA34467004F63FA227A92A987A53A5
SHA1:	910197CEC498DC6B075C50952441666D12940D5D
SHA-256:	2A4CF56FCF8001F8D6DBAA7229CC8BB52A638058746F76F8D170BAE6FC3FAAB4
SHA-512:	B4F3B866672B429D548A10EBBB56B02A0C740A22E6407BA43C437EA7ADFEE0A649F82D7E8EA195D4B1CAA37954EA65FDE9338C89F7681660C2BAF70AC5F030A2
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0xFFFFFF.;color of AM/PM indicator..AMPMFont=Arial..AMPMFontSize=12 ;size of AM/PM font....DisableDate=0..DateColor=000000..DateFont=Arial..DateFontSize=12....HourColor=0x800000 ;color of hour hand..HourLength=33 ;length of hour hand..HourLap=4 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x800000 ;color of minute hand..MinuteLength=48 ;length of minute hand..MinuteLap=6 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x434379 ;color of second hand..SecondLength=54 ;length of second hand..SecondLap=8 ;overlap of second hand..SecondWidth=1 ;width of second hand.... ;CenterX=60

C:\Program Files (x86)\ClocX\Presets\Neon.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 180 x 180, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	43626
Entropy (8bit):	7.986276133657454
Encrypted:	false
SSDEEP:	768:DuF0MfMQQxIK70B7sJozsmZcWbgQK5d3/6cwivjm2A6SB9Cw0ZHYec5rLQoGd6dt:qSMfMQQKKIUoYG9bgQs1yc9V69rvecpR
MD5:	87304CFA94B7A6C97C5FAD0E1D03AAEB
SHA1:	1D42F855358B308F5BA790A3E7CB4EAF2161DD0E
SHA-256:	DF2A006BDC8FC9FC01ABABA6D223099540AFE6C21D5A2AECBDF7C4C07F4FF133
SHA-512:	2E62EDF1C1D44CF0037C8580E3BB219638F1E5FAC83FD95C21EE29C75E406C135A4E6E9882FC033F4E237FAC999D901C6AAA33CE55E94D70383EDDDAF56891D5
Malicious:	false
Preview:	.PNG........IHDR.............=..2....pHYs.................gAMA....aLA.... cHRM..z0..............s;...S..<.....A.......IDATx.b...?.(........h.......h4A..a...h4A..a...h4A..a...._-+..@p..."=..8x.....}.CS......N EJ..ua...dGD..}.Z.b.]..y. .(.C.k..}?.".K..-......B.v...6...;.A@.........#C'..a......i..8.$Ib..>...r}...b...<.0....8..F.x.3...,....eYRQ.TU..iJy.S.d...i._.x. .. ..@...1.....H+....0....E.....@......................I...?..0.L.......QBB..P.{ ........II.K@..>}....../P.....@..&h,..Z........8...R...J...9~......O..<.. .....k..<.......0..&fP.F$`P....uX@l&66V...V.`./.....5tuu.........O.>=.f../_..~..3w..=.....@.......... ..g.s..SD..#d.......A..kA....s...C........>.A...b..=...p....VL)I.Q....v.:.x...\A..@.Z......F.........h..`...[.{`G.s.....d..!..~s.e..W...M.P=.@...v......@%,(.~....x.../.....h.../Hs..?.[...`.!..$.......98.Q....$...`....l...:3...g....D.O....p.%h.0....%n..>......=...;.lk_.y...P8.$....2H....h....N.j.....:A-..e...P.. ~.a\|.)A.Wv.{......{.}.m...

C:\Program Files (x86)\ClocX\Presets\NewDefault.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 119 x 120 x 24, resolution 2834 x 2834 px/m, cbSize 43256, bits offset 54
Category:	dropped
Size (bytes):	43256
Entropy (8bit):	3.318321141805908
Encrypted:	false
SSDEEP:	384:kZSPu+ghYOPL1gvlqKQJ1YTWsUtpN4GbVkAl7y07L+T9s8:cSPpgevGrC8DbCYyzZt
MD5:	816FD13D82B4DD490414E053349FA722
SHA1:	EA89DED1A0DF180277660E50ABEE02405609C830
SHA-256:	6B612912B7A557D81789C0D3EDB1FBB00B9ACD1D9F7B4BD1E689E163AA2E8182
SHA-512:	1D174F3FD8438C2FB4A59316B78962780DA217F2AAFAD2ACEF4933D5E93D6305AA2FE2E0D70BEDC6D3CCEAF248ED22F42415EBB05C8EAFED229D2337C5A3EB1C
Malicious:	false
Preview:	BM........6...(...w...x.....................................................................................................................................................................................\|\|\|vvvrrrnnnkkkeee`___^^_^^_^^_^^_^^_^^dcckkknnnqqquuuzzz................................................................................................................................................................................................................................................................................................}}}tttlll]\\PNMHA>>4/=0(?+ B,.G+.J+.J,.Q..]5.S1.L+.L,.N,.F-.C..@1'A5.I?;OLI][Zkkkrrrzzz........................................................................................................................................................................................................................................................................wwwlllWUTHA>=1*;).J,.[2.i;.}D".M).W,.]1.g5.h5.h6.k7.p:.l8.i7.j6.j7.d4.]0.T,.N(xE"j;.X1.J/.B2(EA9TPOj

C:\Program Files (x86)\ClocX\Presets\Nvidia.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 180 x 180, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51325
Entropy (8bit):	7.970726173309494
Encrypted:	false
SSDEEP:	1536:1UgYGQi4Wwa/oNQNl7rZm18uE9UgRt3Nx:IagNql7rZi8ueUgRt3Nx
MD5:	76A66CC455FE13CC78642306B6B0FFC5
SHA1:	EC2239DC12A29F2E779CF8E7D5C7D0D11E72F050
SHA-256:	CB30C8527BD4938FB783E767294C729DA016FE0FEA5FF77537648A7C93EA6F07
SHA-512:	7BECF5AA337146328464BEB4BB929430783D22721C2CCEC33484C8F7F6F7185C4712CFC00C56DC6779288C0B6FD7B1B3AD7298328C9875455B6FE214CC931769
Malicious:	false
Preview:	.PNG........IHDR.............=..2....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F....IDATx.b...?.(........h.......h4A..a...h4A..a...h4A..a...h4A..a...h4A..a...h4A..a...h4A..a....f..m.Q.>..4...b'!5........ ......V..T#).4..6.B..e.}..]...7Mww..l.y..qDY.`.C.&0fB.tT....B.i...,;C..h..u.!$C4....R..N....B.....0`.Ft].$..6:O3.0&..n>......T.C.Eak...eE..x...}.4M.w.>b...~.O.uD..u]/}._.`.^.0....ft+c.......c.1q._...W......sA........y..k!yU..q......c.9...S........YD...B..4P...W.4..x..G.X,.............4P...e.n.Q.?.\.HC!....t..lA..f....s{Y..n...l.G...}...q.~3.[....iL.. `B..L".L.....de...&&!`b......e, ..f.f&`n..........A..@f!......@....o`B.......0.......F...>}.\|......0..Tw........4..h,a...4......?.A.....Q..................T.JYVV.p.....?..j!P..?....%V.Z......A%-(S00.B.........._...T.....{...?....u...o.....P....~..t/a5.(``.. .....%%30q.rrq.qqr).......!...!0.......B...(...:....._(.....1..vM.....j ..n/P..#D............l.j..,/.l..............C......

C:\Program Files (x86)\ClocX\Presets\Nvidia2.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 180 x 180, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	38663
Entropy (8bit):	7.939352265060175
Encrypted:	false
SSDEEP:	768:YIygzjK57ldtn9T5V8/P6aUDIe2YpbZIflcVnhyEKUfa6:YIyl5719TQ/SEYpCchyRUfa6
MD5:	3F7A7F9AC3ACB81A6EF1566C8ABDEA93
SHA1:	63A3AA6DC8709BEE66BC947CA44246457D18A146
SHA-256:	C2A189D25B3591E3F12E2DA6D4D7D05B2C04588A15A0803FE1E66EB7BC460956
SHA-512:	912AC4B7D0EB25B9058A5D3D3360D0C5AB967D28417ED6E7651C979B1410229470CFAE2CA35F47F85DDD9791E9860902D3DD5C7287D3C45B08A43FCAF91BEDE0
Malicious:	false
Preview:	.PNG........IHDR.............=..2....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F...}IDATx.b...?.(........h.......h4A..a...h4A..a...h4A..a...h4A..a...h4A..a...h4A..a...h4A..a...h4A..a...h4A..a...h4A..a...h4A..a...pj-...1.,..W R."U........_h.......cG... k.....[......./C)y.....kj...-5MC...84.3.}/8.5..g.M.....;.s9..Q..0`?Q.d........\...{T.%.8_.T.h..<.........]...x..("c?.N.s.,.h.&...1.p.....1..w..a..3..8?Zk..qY..)M...H+G.8.0...+.z_....5k.....4}........f..UQ..u`-Y...u).c..w]-......t.......t.Pu.`....\|...u..S..2.^........1w}....y6R...Om..../..=...M.H......jq&..v......A.. .EM\t....h..;@ko D.P..7..P.0..8..t..MmL....&.?b......f...O.6.R.H..K{.a.:.I\.P....7.SE..s:c.Rm.f.}....7r.>..Z./..[......K.......L.... ...7^VV....?......%.../.T..i@...A%..$............./. ./B...d........4.Xr.!H.........,.8...`.%...........i~......\|.*..T..../...C..?..............-.+.a ...H...5X.e.%x....!...&..N.-.>2...m.wu?D.RN'N.,....!.k..G8b..[.....".s._...

C:\Program Files (x86)\ClocX\Presets\ORIGINAL.INI

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	947
Entropy (8bit):	4.654346901304024
Encrypted:	false
SSDEEP:	24:BE8rm5b9VTORXFBP1rfjkpWCGm8Oi5Zri:BT0AFNuMCGmIZO
MD5:	3FF821F0959312F31CD380D311B2E690
SHA1:	A0153085828FF32D7020D35330E37336191F5C69
SHA-256:	54EFA1317F80DAE7326E9FFF03D5AA7BEEFED3B1F10EB5CC2E2349EF3E362BAA
SHA-512:	CDE3BD6F5C22EE5ACE89083F9586F0DFE0371137EEE884CD7D92E600FCE652F7A80AF306A56D28E273C42619F172525C9FF17A9C9C897B2E3CA97E18A060EF39
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x000000 ;cut window by this color (default red)..DisableAMPM=0 ;show AM/PM indicator (default 0)..AMPMColor=0x787878.;color of AM/PM indicator....HourColor=0x00595959 ;color of hour hand..HourLength=33 ;length of hour hand..HourLap=5 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x00000000 ;color of minute hand..MinuteLength=51 ;length of minute hand..MinuteLap=5 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x00553FFF ;color of second hand..SecondLength=54 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand....CenterX=63 ;center point's X (default image_width / 2)..CenterY=62 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\Octopye2.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1497
Entropy (8bit):	4.856187163129489
Encrypted:	false
SSDEEP:	24:BEGrGXz5lrANhjaKhVuTOLX01rfPkp+dGm8JiX1PgibQ0Wd9iBxLuQI:B1qFlWhjfiiEdGmx1PXQJTiBxLvI
MD5:	85653ABA4507AB8F7AA3B19C5B04694B
SHA1:	EA5411F08D9E1E2242D8527E0A18A2DC9C1A5327
SHA-256:	698A1A399E48FD084FE2453458CEA1F87FE6A66CACC18BAE34C5C2AA4DFB60E0
SHA-512:	63D05A6540E7186562B9BAFCE9FA572456DD9B37EE2F8E2040F7377A35AA64EFBD95F97761D8AA39D4AE6CDC46AA73DBF222C20BDB3E8DCF3719EE276C2E3EC3
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xFFFFF0 ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x000000.;color of AM/PM indicator..AMPMFont=Arial..AMPMFontSize=12 ;size of AM/PM font..AMPMCenterY=128....DisableDate=0..DateColor=0x000000..DateFont=Arial..DateFontSize=12..DateCenterY=45....HourColor=0xFFFFFF ;color of hour hand..HourLength=39 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0xFFFFFF ;color of minute hand..MinuteLength=59 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0xFFFFFF ;color of second hand..SecondLength=63 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;wid

C:\Program Files (x86)\ClocX\Presets\Octopye2.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 176 x 176, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	24962
Entropy (8bit):	7.967086316786837
Encrypted:	false
SSDEEP:	384:PXE05mYZsf551uyWvNZ+ZM696UTYvUiRqYud3OKaLBlkBnsUA0Z6jX/wB:f35ZZk9uDvNEKdUTYvUmMiUMjYB
MD5:	E6B20AA4B1D6B2A0C678D9194D042BE9
SHA1:	106CEBA43CD660D22367D54D40F82D000FDFC706
SHA-256:	B653C83CCB4B6026BC10FCC2E110BB7C37869B95722187D576D6710810F4CA88
SHA-512:	6188A3DF83CD935F62F424793D483CF27F7F135E7BECB54F1412C6D18985A437370AB5F1FFE21B3B53B5BD9486944014155B72EAB0B9AF01709DC4C4869F2C2F
Malicious:	false
Preview:	.PNG........IHDR................^....pHYs..u0..u0..3r....OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Program Files (x86)\ClocX\Presets\Omega.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	921
Entropy (8bit):	4.541130302091602
Encrypted:	false
SSDEEP:	24:BEurZuC/Tzer1SfPkLKpSLgGLTIZKgNi0uGUnn:B9kb+SkG/pAUn
MD5:	039055D6E6EC2F827F2144D2690BA58E
SHA1:	F8AEC1F29548CD3C825AEF43BFC6FFF9BE8B91E7
SHA-256:	F375DFE125D10A47F758F7DCC26A0E0B69798516E8872A0127DB465EA2F30F84
SHA-512:	1C8B3A5A6875E64DF6355203640F5D6FDC9DFC9AB91BEFFB17DAAF6B4CABEB48A23AC5A7E29883AA9F8DB0FDC42CD3EB0BEE17003A71798391ABB665BA451ECB
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number).[Settings].CutColor=0x0000FF ;cut window by this color (default red).ShowAMPM=1 ;show AM/PM indicator (default 0).AMPMColor=0x00000000.;color of AM/PM indicator..HourColor=0xFFFFFF ;color of hour hand.HourLength=30 ;length of hour hand.HourLap=0 ;overlap of hour hand.HourWidth=3 ;width of hour hand..MinuteColor=0xFFFFFF ;color of minute hand.MinuteLength=48 ;length of minute hand.MinuteLap=0 ;overlap of minute hand.MinuteWidth=2 ;width of minute hand..SecondColor=0xFFFFFF ;color of second hand.SecondLength=50 ;length of second hand.SecondLap=0 ;overlap of second hand.SecondWidth=1 ;width of second hand..CenterX=85 ;center point's X (default image_width / 2).CenterY=95 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\Omega.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 170 x 191, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68718
Entropy (8bit):	7.985388047540227
Encrypted:	false
SSDEEP:	1536:pJAQ0eiN162qhdH6wOnlskiRG5xFQlYbQFvUbxARNq:pJR0eiNnjlnlsjRMxFQkgdNq
MD5:	90B33F49BA0866F011D67E640CCA98B0
SHA1:	35DFDA4F68CBEB266587D307343FA4BF2EA7DC96
SHA-256:	6C422277C9BC23912CA6AEF5A32F141FF1A7AD06711C52005FD8BEAE7C0655E3
SHA-512:	AA900BF4A830203857BE1F059F547BCCA69992F822405B3719987B3DD499429DCDC178B5949B2FBB979E519407304C94F03BAA5672F0C4F6016DE8E84B0ACFA0
Malicious:	false
Preview:	.PNG........IHDR.............nmG.....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......

C:\Program Files (x86)\ClocX\Presets\Original.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	18873
Entropy (8bit):	7.982586670751772
Encrypted:	false
SSDEEP:	384:f6sWIpV7vdV85P6H1LNCaP3TzMVAr/bR5fy/GPr5Kzd99qjEHwyxZ6rlgSS1Gh+n:nWyV7L2P6Vx3TzMVAr/NBy+z5Kh7wEHb
MD5:	E22608FECBA37804ABADE6A53491D5F5
SHA1:	DC6332D7E549A5D0E784125DCED56B029EF0F902
SHA-256:	8633DD0386ACB524E19DECB2546525086C13723EEACA26DAF16A91507A142C97
SHA-512:	540DCC88962AAAAC5010985FD875424E6D73ED4DD167EA039FFA8A37FFA392AA709A6E459113A52C41E9669AA06325ADC117A22FD32163FF7E36B8D21D132CCE
Malicious:	false
Preview:	.PNG........IHDR..............>a.....gAMA....B.O.....pHYs................$tEXtSoftware.QuickTime 6.0.1 (Mac OS X).x.FA....tIME.....1.Y8.... .IDATx..Z.tTU..j_S..J*..^.......EA...8.m..G.....OO.m.g<.8m..v. ...i..@..H.$..!{.JjM-o.J%..,..g.?...{.............?m..z.7..>G..qf.&.&.m..........N....>.EZ...p.G.....8..Ql6.#...,.\FQN...._.............l.ko.;..qS.E.........H\|^"........5)~l...8.......I.D..\|.6A.......W(......TI.`.T~........B.....f..,.....a3.l...#.&....~..hwS].@k.....v..q..h$..$..1!~,...9.8...x~.........X.tZ54a....\|x.1.xF..0..`.6.h...b.iw.E..d1.6.......9...!..lr.N...8..5...A.^........U.:N..M....[.!.W%h..d.....k.t6i...R.&.....is.eq.Z.$.B..v.......hij..n.vu.j.........B.....&.q....k.;..'..!.V'(..\.... .B....EX.....".@D.-..q...'..Z.>.Y5p....i`/....oh2.....f#......!.s.H..N?o....IiQ.'i..@o/.p...kN........1.. ..Q....A./.L&.R.....O....{&... .....b..\|....1....o`.#.qt.``....l..Jm$.......H.....#h<....'.^...Q..r......01.0.....6.D....U..M.CZv,dr..;.....~Y...f

C:\Program Files (x86)\ClocX\Presets\Uhr.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1428
Entropy (8bit):	4.759908504120321
Encrypted:	false
SSDEEP:	24:BEur7X5lruueRJoR1gTzIU1sRDkLKWoL/GL4wIdKgQi0VAP10mViWd9iiOMEKG:B97JleJoEFYjGteVPGCTiiOR
MD5:	4D1C32BDBCFE4874AE33DEDBBC870574
SHA1:	A84ADDA368CE3649402EF9AFDE820CB28C549016
SHA-256:	CDA8F9357983BB8070A26E8F8E4163BE6EE41EE516F670A6F60FCD593EFB3A6A
SHA-512:	C4A26C2719803FF73F36D105FE9F25E48041813664D70C21F51515FD45CF7CB826279C39B1B1BA55BCB77E2459FA4975B8BAA65309DA86351138658B0CDD4D30
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number).[Settings].CutColor=0x0000FF ;cut window by this color (default red)....;not used with PNG in Win2k/XP..DisableAMPM=0 ;force AM/PM indicator disabled (default 0).AMPMColor=0x0000FF.;color of AM/PM indicator.AMPMFont=Arial.AMPMFontSize=24 ;size of AM/PM font..DisableDate=0.DateColor=0x0000FF.DateFont=Arial.DateFontSize=24..HourColor=0x000000 ;color of hour hand.HourLength=50 ;length of hour hand.HourLap=9 ;overlap of hour hand.HourWidth=5 ;width of hour hand..MinuteColor=0x000000 ;color of minute hand.MinuteLength=70 ;length of minute hand.MinuteLap=9 ;overlap of minute hand.MinuteWidth=4 ;width of minute hand..SecondColor=0x000000 ;color of second hand.SecondLength=0 ;length of second hand.SecondLap=0 ;overlap of second hand.SecondWidth=0 ;width of second hand.. ;CenterX=60 ;center point's X

C:\Program Files (x86)\ClocX\Presets\Uhr.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 200 x 200, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2371
Entropy (8bit):	7.867510860779406
Encrypted:	false
SSDEEP:	48:u3LCLjFmREUcOLr9MoQw5QGojHtHLCZdp37ri1luua27zP8V75m9qz:ufjL5MoQfGkNH2Zdp3i1lujGg
MD5:	3D8E36965E80F589E391048B6E451828
SHA1:	24ADCDAAB515189F8B7E354A414FC9A96458E609
SHA-256:	28E430D0655EC2F1372272AB4DE2A7BCE4D3D068A6C4ED3C1D4FA38C7C5EB9F2
SHA-512:	DCDD3F5F5813C0BFDC7EA1356E68CFA6490D4D57B4D8D58B8B49DA00267ADE78C8CEB4A588E79CFEEA510D5C4E4411631CBD6AD6AED9A3D06AED0EF2E6517D0B
Malicious:	false
Preview:	.PNG........IHDR...............^....tEXtCreation Time.Di 9 Mrz 2004 11:03:25 +0100L.);....tIME....../........pHYs..........iTS....gAMA......a.....PLTE..................................................................................................................................................................................................tRNS.@..f....IDATx..V.8...%E!.....P(!....-....C-I.G.d.3c....$..u.-V...MG.....Z.S{s.g.\|......O.6.Z_A.!..)...~Q..... ..ej...Q.....Q..i...w.Q.8.....[..".8. 5J.. ...52... ....`.x.G...8 B./\|\|9/j.. ZN...W...Y.J.1G....,.....h Bt.....M..f..j..X>V....f2_N.u...hT-.7p@..(......k.....Z....`%..^..x..!.2.D.q.<...U....O.9..[T.R.us.P....2.El..4W....wL.f{A..HnU..8.].......H.U..8.A..!..I....#5..eG......x...K..b.xS8.&...z..8Gx.5.m...*..XN3...q\.\...QF.,.r.u...]$e@.#W.L...=G.A...$.....)ZY..?Vh......U../.!......L)@....]_.>............r'~..Rz.(..%..G<...>].9...b..p!....9^aF. ..........\8...#..V..d.&.$.D...c...b..bF..9/.

C:\Program Files (x86)\ClocX\Presets\UniversalAccess.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	28087
Entropy (8bit):	7.896392022586553
Encrypted:	false
SSDEEP:	768:OEJ3pClk2uBpQvaJU13kpxmAKL53BT//5UfMOYAIy:OEJ3ckjBpzmAmJD4Nb
MD5:	506F6336897626BD9835E476684E6ADD
SHA1:	3C61FE92E21ACA5079397899D3F28E8658EE92C5
SHA-256:	099E2D25A3BCBBA998B4CED1D927C975267F129BCA18865C41DBBC111428B6A7
SHA-512:	D1C33B485D2809A754F7D90B8C6C123D68300F590CE526DDA5E53062B076D9EC1FC718924B66E81E810D8ABCA4B596513665068B916CEC4487B0318386D0FA29
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..m-IDATx.b...?.(... ..F.`d....M.#....h.... .F......4..F8..@z..4....Mj.......W.i..........Z.}.q....x.BH...dv!....w..g.....\F3...a...V...d.R/BXQ..J[...Z..0..!.$...+....n..2.2.....4v..c...e.U0..z..J.79..........O..u..{....Q..."]....J...i..fdU[..........b_...x,.3......cn...\......~.>....Q... ..h!......~.....M!....8..?.Xr.]3;......tL.Uj]...G..mU.:.. ..Y. C["...BU...$........!(d.G</...0Odfy.b#..)........x.X...R......n,l,:.l."L,,...............E<...R.......&.R....M.@.,b.9..H+...._.]..s...>..7.9y.P.a..g@]....P.L...2..........l.......b..........,f......:.G0.R....H..........J F0....D/...)...........g.L.........u`....P.....@=w ......4....h...L.L..I...N...L.,..l.....(........"....I...Q...rH...5.(U0..K..`...(.....7+.........~..y....K..@K..S. .t.. .A....".....Y8..Y....9X....nX11".VFp+.................?Fx.......Wa.......>....2".....m...6...U..;.A......n...O.`bp..

C:\Program Files (x86)\ClocX\Presets\UniversalAccessClock.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 117 x 119 x 24, resolution 2834 x 2834 px/m, cbSize 41944, bits offset 54
Category:	dropped
Size (bytes):	41944
Entropy (8bit):	6.884203334546955
Encrypted:	false
SSDEEP:	768:7qhT45p/v7mUzQgC3oi76ieOCycgyC20TgDsu+Xy9Ct3PaxFf6Hc:m1o/v7mSQgC3l6ieOCycgyD0TgDQWFS8
MD5:	BC84D78607167F8C38B8B4CF7C33A54A
SHA1:	11D9589ACCBD208A0385EBA8104B4045727A7B1A
SHA-256:	29B49A701AC81741ABF8E42F569AC57FF587E91C55D4E361E97D49EE3E5AFA43
SHA-512:	10320B32859CF9FE3129C9C7C72066F877835A3952E2ED18F30B4766193DE4AE0F1347884CDA598220198EEB6BFF11592BCAABFCCF5F97989A5A48805C1D0C53
Malicious:	false
Preview:	BM.......6...(...u...w................................................................................................................................................................~~~{{{wwwtttttttttsssrrrsssrrrqqqqqqqqqqqqpppppppppqqqqqqqqqrrrrrrsssrrrttttttttttttwww{{{~~~.......................................................................................................................................................................................................................................................}}}yyytttpppqqqqqqppppppppplllhgghcciaah]]gXXgTSeNMeKJeEEeDDeEEfKJeMLfRQiYYi]]i``jddiggkkkooopppqqqqqqqqqqqqtttyyy}}}..........................................................................................................................................................................................................................................................~~~yttthgmSRlB@n86q/+v)$y$.~................................{#.x($s/+n52m@=lNLsdcysr}{{.......................

C:\Program Files (x86)\ClocX\Presets\Unreal.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 200 x 150, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	47143
Entropy (8bit):	7.975093314101227
Encrypted:	false
SSDEEP:	768:iEIQli4ubch7Y6jAj+lFOf68cc3NWQReu8jmJaa4/ImyJi7RGF9kepuOOdY74G:mX4Ge7JE7f6/ONWQp8jmJa9/IfJmEclw
MD5:	D483FFB9842A8F0A99F70376253FD45F
SHA1:	351350ABC3974B4ED94CB8ADC11EF057BE9F71D1
SHA-256:	6CEE1DFDA69C5D1D301919AFE55B02954DBA639AE118EBC446E32F41359BA005
SHA-512:	0777E6817E8E1AE1A68098E6F32550227A815739CB44970F64A6976ADB583E1FD30720D5F14D53DFF6C607347C4B72CDE8604F934B887AC0891D3FD6624354E3
Malicious:	false
Preview:	.PNG........IHDR.....................pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F....IDATx.b...?.(....;.. .. ....7...\..D...W.{4.Y.W^`..Wp.../..=.t...9.n..(..W...V........A..D.j..u....`.b..1/.N!M..@_.y.L....e..o.]z.v...9........Z.....)F..=.#.Zvq.*zl.>n.>...q........'w.)..5/.j....z..)....<CUP.c.B..3W......H)v.{nF.F.....~5.9.).-..^..%.z;.R...'\|.....q..w..!.....7v.... ?..e....`...2@......._.?....??t........o.>}..././FF.P.... ..._0..8A...0s.....I...../.;.......Zp..~.#H.....P.-.....Bq.`.bfb....d`1.....``.....o^FP.......b`.f..}F..P..,.Y.X!...A5.....aP)...i........`....&.xf..o.,,...........%..O......u.@..f..3.8cH.."?........_..............k.P..e..feeg...f..{...j.&`...Rc0...d.6.......&...y@6.....o.Z`..........O..."..Y.~.0f..XWX..@k..@.i4.(..../...a...uPI.2K..f]...st.L.........1...a..w...N...}FT.7...qE...............Pd...$.d.p\N...P...I..l..\ .......X.......GY..I+N..e.W.:..........@.[.o...c-7..0...~..#gV`..`56`..`......ixn%....)

C:\Program Files (x86)\ClocX\Presets\Verde.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 176 x 176, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	24372
Entropy (8bit):	7.8992689181996605
Encrypted:	false
SSDEEP:	384:wKtpFYgTIAbgpMWf7/uBGdxNE8OWzMQs8gwYG0F8LsI2u4QV14dAlsoRp4OhX9VX:7n3z2jYw4WzPs8gX7COFOl3
MD5:	6695A6E6D1A860BEF4E6B14DD3A40B22
SHA1:	184D69E9C87FB39AB70A03E7834A416465F7C46D
SHA-256:	F4FAD2F41ABB996D7F8F149082EE0AC56E9960748FBB587E50A93432504790B0
SHA-512:	6F5717A39741A7C36AAFFA6996C1C795EA120E0E1C8B0612EE61B929AC00710DD4C6D33869BCF86568E26AAAF94742FE867A7EB334EED8A07E0712375284638C
Malicious:	false
Preview:	.PNG........IHDR................^....pHYs..u0..u0..3r.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..^.IDATx.b...?.(..C.....h.......h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!....e4.H.......@,... ....X..E.X.......9.....7....@......k ~.....3<....>........&......z`..V..H..L. ..b. V...w...._..+..}.../...v..@...5.j.....i..@l..#.P......=......w...........O.LQ...j..v@l.....#.]..... >.....e.O..............p.bg ..L...^F....+...{.x7.........%...a .^.j.,._q......;.\.X..(8.0.....d.b.j..&q..z......W`.....q,B..Zc.V....B.FP.D..3.....O..j..+...SZdE..}.f4..F..q.)ta...v.G...g.D$$r2.....O..D.j....?.3.I.HB.D.... '".(&. ',.dK0(.H..-.0.2C.)....#.%2(....$....J.....g...../.......$f...3AC..P....?......a....W.H..q.0a:.'Z....L}.LL.RSFH.ACZ.ACR.ACJ..`9.9..@...i.d.L..u.(A......g.7........ex..9.......w......H.......f8.3@.....L..1.H ....g..hAM.P.. ./../....L."\|.(...F...B<\|....B......B...)..

C:\Program Files (x86)\ClocX\Presets\Violeta.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 176 x 176, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	24933
Entropy (8bit):	7.90650308950336
Encrypted:	false
SSDEEP:	768:NLPppFgWbMSDrW/a/e/mbWfMpB3MXKlKQ:NDLASDr+myiVMLQ
MD5:	03B13207E96453A1724E2C86844D6F03
SHA1:	60EBE3929D936A6DF44E80AE9DB5E061CA41D555
SHA-256:	73DAFE6E6FE8C0CA6F689A899CD704AE26B7D35F494A7FDCAB895C774AFAF17B
SHA-512:	809910F6371D592821CA10F186CBC91F6F3855B36A03EFFEAB15F721F292AFC86674C2597741839C0AB704D6FC96049520463D4C0B90F3B8EF24C9D91C2E39DE
Malicious:	false
Preview:	.PNG........IHDR................^....pHYs..u0..u0..3r.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..`.IDATx.b...?.(..C.....h.......h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!...h4...!....e4....R~.....@,..2@,..b@,..@.......9.....7..g`...H....@..._..3 ~....>..=.l...&......z`..V.H.....k.....V..D2....w.27..5 .......hl`...4..Q..&..&I3 m..F.0b. ..GP..4.y.H..&......4..00...+.=.i..6..@ ..U.\R..e?..#@\|..;.L.Fr....L..D.l.0...........J...&aFr.'.eX...E....@....\|c..%@.r...A ..#.qE.X1ZXy..`(<..........'.\|........%....J..j.[.V.....t..:...q0. ...B.PPQ.`&.....]...p.........~.[.....U.....YZ .d......!...._..ls.L..}2.O..h.'``..5........&XF...J.l.l...".Rr...@Z\Z.ARV..O......@.....D..P........D.....././..bx....go..<x..f...'41.GM....F o#.^.L...s....M...+..B..*.H;.K...L.L.L.R..ALR.AAU.A^E..A............J\|..3FF..@..........S..w.0......7........%.}@.. .......x...a........"....H...M..h.....8%e..T...T....Td

C:\Program Files (x86)\ClocX\Presets\VioletteKugler.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	4.906092571887757
Encrypted:	false
SSDEEP:	24:BE0rGXE5lr9BP5MoaKLuaPTO2u1DHkp8wdGj8xi85sjibtYQTd9iBY2jabOtWuc:BTqylRMofiiNdGjWCUtjTTiBY2Gb+Tc
MD5:	6299257E666FF7E94C35E5C06CF2C369
SHA1:	283C54F59495A84734889776ED6F47ED5AB6A98E
SHA-256:	DBE467C95B421C4E0B99BF65A99FEDA9DD8C86687FF10889D3C1DFA6DBEF3E3B
SHA-512:	942802E9022565303ED072DDE09CDC564870DF7FADCEA4156DF47ABA9F38D99E5E73972BEC64CFC68427B492862BBB5CADE78F41D80274DFAC0C684AFE708113
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xFF00FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP..DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=14 ;size of AM/PM font..AMPMCenterX=61..AMPMCenterY=122......DisableDate=0..DateColor=0x00FF00..DateFont=Arial..DateFontSize=30..DateCenterX=1000..DateCenterY=25......HourColor=0x0000FF ;color of hour hand..HourLength=160 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=10 ;width of hour hand....MinuteColor=0x0000FF ;color of minute hand..MinuteLength=210 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=10 ;width of minute hand....SecondColor=0x00FF00 ;color of second hand..SecondLength=250 ;length of second hand..SecondLap=10 ;ove

C:\Program Files (x86)\ClocX\Presets\VioletteKugler.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 1600 x 900, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	18058
Entropy (8bit):	7.755795810552902
Encrypted:	false
SSDEEP:	384:uysVnL98NSU2tOrwmR154tM8Bc88TqnlJpd:uySXUaO9R4fBc86qhd
MD5:	579BD68B443B5AE75F83B7E55DCB66C1
SHA1:	447CEAAFECA2F9C59C5C5FE9E15EC1EFABDD173D
SHA-256:	5F8639EC82C166074EC913ED4B953C9CC91363B597A2A103CFDE56B4E4ED3FBB
SHA-512:	48872345D9FC0B9DBBCA498DC0C0BF8E5CBEF6D08F046EDEEDAC91C24416AAFFBDC43E113196B7A41F25D5552CC198B3F1CF5FED5771CB478C9CE39FEA4403D5
Malicious:	false
Preview:	.PNG........IHDR...@................tIME......:.t.O....pHYs.........B.4.....PLTE).=,.B..E0.G3.L4.N6.P7.R8.S:.W<.Z>.\?.^@.`B.cD.eE.gF.hG.jH.lJ.nL.qM.sN.uO.vP.xR.zS.\|T.}U..V..X..Y..Z..[..\..^..`..a..b..c..d..f..h..i..j..k..l..n..o..p..q..r..t..u..v..w..x..z..\|..}..~................................. . . . .."..$..&..).+.-...0.2.4.9.;.<.>.B.C.E.G.H.J.L.P.S.U.W.X.Z.\.^.a.c.e.f.h.h.j.l.m.o.q.q.s.v.t.v.x..z..{..}...................................................................................................................................................................................................................................................................................................................................k......tRNS...........................................................................................................................................

C:\Program Files (x86)\ClocX\Presets\Wall Clock medium-sec.hpng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 72 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	323
Entropy (8bit):	6.973816325694284
Encrypted:	false
SSDEEP:	6:6v/lhP++2xlv3zF1QOOtWbUgdyNxhnYpXLxDaRPYXuoBUSvux2nrkFp:6v/72rzF1wtWb9cxx0VGYXuoBUGlnwr
MD5:	B5ACF30D1585FAB9DA09CDA5D6A4FEE2
SHA1:	98FA6BFA72F2C9241AABB36EF6E36F5B9723E666
SHA-256:	616E149F162DBDEAE89BC3FEB6271BCB5300FAE10000F55DC56B0E399B60A055
SHA-512:	A74BF2DD5B37F76111AF6DE4AD754CBE04441DCEEDC8472510F89EC8997C9C7EA19C3C86226EC5E3C868384DA0396FCBFD687430441D4792159509BD12CDFC20
Malicious:	false
Preview:	.PNG........IHDR...H...........Z6....pHYs..........o.d....IDATx..]..0.E......Ud......Q?2Z..A.Co"....4.!....X...=JHR.lD.!..KA...!.!+.[R......+.M...QU..)%y..\|g....A.y..4...Gr..9B..l.W..{fo.JA.k7.O....wK.n...../.PM.....4...-.9.....b....?+...<0.L.[.Z.%3.H.q\%.Q.......4...w/....3s..8....O..........n.....IEND.B`.

C:\Program Files (x86)\ClocX\Presets\Wall Clock medium.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 158 x 157 x 24, image size 74732, resolution 3780 x 3780 px/m, cbSize 74786, bits offset 54
Category:	dropped
Size (bytes):	74786
Entropy (8bit):	6.085881051700042
Encrypted:	false
SSDEEP:	768:hHhvyP75gct7nK+cQ/d7yJZFDU+nfVOjKx2mW6ENRObp+A6iAk9x1:phKP7ndKcd7u/tOjKx2hNcAH+9x1
MD5:	A87FB416D0D925EC81816E43B4E6205D
SHA1:	7355F2E82AA5D9B11C706C4275F86986C26A421F
SHA-256:	8C923EEC22B59E971EF0D1A0FFF6C8F2D7B42C8577BE7430CF3E1E4F0024F3B7
SHA-512:	DB905387E6F802486AC225F7762E4F8F21FF78756D27B7C9B662771496B94EE0BB30CA1F7DAE3E38852B443639E3D08D17E091FC1442A874F5C3DA77B46F64A6
Malicious:	false
Preview:	BM"$......6...(....................#................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................@K@K2IV3HS2DK0@G/?E/>D-;A)4;%.4")0.%&.$%.$'.&*.%+.)...............................................................................................................................................................................................................

C:\Program Files (x86)\ClocX\Presets\Wall Clock medium.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1493
Entropy (8bit):	4.861749071075584
Encrypted:	false
SSDEEP:	24:BEQrGXz5lrx7Bxi3aKSmgTONMI10XDkpfoIG/w8b4ia33NPeibQ0Wd9iBxLJCb:BzqFlyfWI9KIGoQOtPBQJTiBxLG
MD5:	757BA281994BD6E525EA724A8B9E30DF
SHA1:	B3FEDAB89B7DC05765AF004177EC25E784715CF6
SHA-256:	191A3FCD80972FDCBE2D2C69C9FA0E3A414B25CA38F9239588F6923F25269B7E
SHA-512:	33195194B59F0C85135AFFB1A518813257CFCD78F4DCB6CC6AE7546EAF3402A53E935430BBE8699695AC7123F88883CAD423BD061B2F64CB09F7D37AD8AEE8A1
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x232323.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=10 ;size of AM/PM font....DisableDate=0..DateColor=0x232323..DateFont=Arial..DateFontSize=11....HourColor=0x000000 ;color of hour hand..HourLength=42 ;length of hour hand..HourLap=7 ;overlap of hour hand..HourWidth=4 ;width of hour hand....MinuteColor=0x000000 ;color of minute hand..MinuteLength=57 ;length of minute hand..MinuteLap=7 ;overlap of minute hand..MinuteWidth=4 ;width of minute hand....SecondColor=0x553F99 ;color of second hand..SecondLength=63 ;length of second hand..SecondLap=10 ;overlap of second hand..SecondWidth=1 ;width of second hand....

C:\Program Files (x86)\ClocX\Presets\White_Apple_Clock.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 101 x 122 x 24, resolution 2834 x 2834 px/m, cbSize 37144, bits offset 54
Category:	dropped
Size (bytes):	37144
Entropy (8bit):	5.323192077358441
Encrypted:	false
SSDEEP:	192:3G+xNKrzZ4gb85tG/llgjmJahf7TyTWU8DgEdtN8xytFmnmU9OHGTV/zMmZilkL0:3JNK543hjTyTWU4gEdz8Icnf9PFs3D8e
MD5:	FBD9CA6CBBC07C9F7B16577E2BA8ABB0
SHA1:	4F9A98C739E9D209F77AD99396A8A4B77C0CFE69
SHA-256:	AB8D75A5B7230938E834DA4ECB043256DFE5466A30E59B2787BD08EAC14DE50B
SHA-512:	FE2371EB44023BEF023CB68E63AF745A3593E15FCC6DBC882090F62532E617C886924EB9AE04ABFC5C47785354217ED382E8DCCCBAFDBC6BF1DE11F0895BAFE8
Malicious:	false
Preview:	BM........6...(...e...z......................................................................................................................{{{sssooommmlllllllllpppuuu{{{.............................................................................................\|\|\|vvvsssqqqppppppsssxxx.......................................................................................................................................................yyysssmmmiiifffdddccccccdddeeedddeeejjjpppyyy........................................................................\|\|\|tttooommmjjjkkkhhhffffffgggfffdddhhhnnnxxx........................................................................................................................................\|\|\|sssqqqvvv..................\|\|\|uuuoooddd```bbbcccjjjrrrzzz......................................................\|\|\|tttppplllhhhkkkpppssszzzzzzyyyyyyzzztttkkk```bbbfffooo}}}.........................................................................................

C:\Program Files (x86)\ClocX\Presets\White_Apple_Clock.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12531
Entropy (8bit):	7.8267819411607915
Encrypted:	false
SSDEEP:	192:WSb0V3Zxh1e7NN+aOZbEOMqy7wF6wYpk58VxjbqFS1VqmxVQLSopM7C2HUv5oxzR:5AVzferOZbbpUC15KoSPxgM7CMW5oDO4
MD5:	18B08FAD1BD9BD1098FC3772888D36F2
SHA1:	B7A44F8BE157ED798B1A1B9CB2D56E5761A2B481
SHA-256:	72E437C91CDCA423FCC9F7AFC91DFBA616157BC2AB344590BAAE62B75089F19A
SHA-512:	3B520D891E037507FDE5EAC7D53CEDCFB0404377987B065901681DA2630EAD9E6E54E115A4D042A7D95EF3E789C1A84AE29F72A2A77D25E84932DACA75053F01
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..0iIDATx....Fp....3e...).gsJI.\.{9.k1.....+.b`.).y.....gy..O=.u]x..8...<a..$I.,.(.}...,.Q..4M.a.<.m.<.CY.H....C.E.4..e!.....8.w....N.eY.......0.+..5M...X..m.b...B0..CQ.TU.UU..1\..l....p.Gt].....'uQ..o....@,...$.J.....%.. ...0.....R..... 9..n`....mh8....`..@..&...(r.%.0.Tr......L......}c..._.~..cgg..L .......@...........@..U;@....f, .),,......">\|....h./#...1.....l@..Z...L~.....@\q/......3......j... ..v.....X.(........?.-....h...bfee5.6..edd.E;....G<(.A.......p...T...~. .i.>....@...O....$99..`.......r...xNNN....p".......7o>.z)@...~..................r"77.D`.!G>.=..hP..".....p..Zr.}...;`"...\@...n...4.....4.....FQ....A..``..e..tl.W....:..^........_^.x..........+..@C>.....g.q..CKK....N.9..(........r....X.."...@.......4P.......\|.....w.@#.?R...l.@....%.(.@..j...i..`.NX^^>OLLL...C..a....$.+u`.........X........ .....H...E.h...Q.v.@.6(.>~....M2

C:\Program Files (x86)\ClocX\Presets\WidestoneStudios.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	982
Entropy (8bit):	4.7035599187649675
Encrypted:	false
SSDEEP:	12:a4EqmYvrrijpJTpb27XFPVGRXFdnXFPVJ99XFPhNhXFqA2kBIok9Gst81M2qYKcy:BEErI1MTwFBP1rfEk5CGm8Z5kNOi
MD5:	0B235DC651E778ACE561CE903E1BCBAE
SHA1:	56AAD578090CBC90B8F760019FC0339175988E21
SHA-256:	AA2D6050B1B0211D43AD6BC919E239B42C9A361FCFC07995F470F3FF3557DD75
SHA-512:	8047B11BA23C3DF7B31C316BBAD5EACAD11972B6C61AADE18C1CE31F2BD553C567066B5823827064E378C7D0F9AB18A5801305CFA84920C80256713D7C288BA0
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xC5BE47.;0000FF ;cut window by this color (default red)..ShowAMPM=1 ;show AM/PM indicator (default 0)..AMPMColor=0xAA5F55.;color of AM/PM indicator....HourColor=0xC5BE47.;AA5F55 ;color of hour hand..HourLenght=33 ;length of hour hand..HourLap=5 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0xC5BE47.;AA5F55 ;color of minute hand..MinuteLenght=47 ;length of minute hand..MinuteLap=5 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0xC5BE47.;E8F08E ;color of second hand..SecondLenght=54 ;length of second hand..SecondLap=10 ;overlap of second hand..SecondWidth=1 ;width of second hand....CenterX=80 ;center point's X (default image_width / 2)..CenterY=52 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\WidestoneStudios.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 144 x 104, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	13391
Entropy (8bit):	7.865143077553108
Encrypted:	false
SSDEEP:	192:/SD4RQg9vDQfUzRKk44poiF6QoqHK8fdhP1eUBuvuHyQT1BFni6XNPH/xGkvjm:qDN2vWk44GdQoshNeUsxgDni8PHZGAjm
MD5:	EBFFA2AD6F19E5418BB2F65E3B4CF5D4
SHA1:	87C70FBB8C6A0F4C83D67320931D23C4A498197E
SHA-256:	DC92936E7F1B197A209BED51B50C2C274564E22EBDB6889880B58D11DF993834
SHA-512:	1403E27E73AC6420AEB9B9218679A7378585BE165C94A0AAC0EE791B7128D9396F57F441FCB18EB243A5ED9923184B2C5FFA296AF4C90A3E8551143EB94FEFEE
Malicious:	false
Preview:	.PNG........IHDR.......h.......y.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..3.IDATx.bd```b.....A..d..@.0.F.....#........4..F... .......K..-..9.. fh.S..!...)!!'8..f .&....?..@..Z.1...N.....M<.....#.."..].!'$h..O..Q04.@.....MP.%.0......c.bB.L..#%%.(......O.a$!a...N.G.!..dd.....8..@.d.8."...A..........q..IID..$..8..NX..DN.b.c..5$.^.2b..D....<.....JT...2H.5..D.&.&.'1...p..H...X..?.m.a......v.-K.\..=.0#.aKL..JBBB...........C....?h..H...(f..}....eff.....x...GH...M...V.. ..)..O%..K.....3....p}<<<.lll...L,`.L..@...H...GND06:..@......w......N.<y...+q..D..@..l/z.a.H..`&`..ecgwfae5......<.@..z..%.l.\.A......3.G..2.K2.e...~~.c...=...\|.r.....q$(..pH.R...8..1..6..........Y&ffG`d....0.@..R"..h..=.....^duO.=b...#........4...P.*...J.?..\.r..a,............8@..r.AO4.H...M.......5..(la..J(...K(XJ.h...J. ........^@....`.c......bd...G.o_...q..2....j..L...7..1...A.............M... ......$.V$..cs...2..&.cD.........aDm. .......fx........x.

C:\Program Files (x86)\ClocX\Presets\Wonderglobe2.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 95 x 95, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	20649
Entropy (8bit):	7.9768824867321575
Encrypted:	false
SSDEEP:	384:USxy+3/jChO3XBcz2dlqj4SH1kp+6tqmBbBrf0EunL3a2OtT89UvEPa4DRnlO8za:vx//jJ3Xazmg4SVbgzBran7J8TFj4DtY
MD5:	6C8F406A6AA5DBFC6DD07E10842867DB
SHA1:	B2E7FA8AAE533ED129F3A5BA1733A89A5CA42105
SHA-256:	5C2FAA546C5860E69F39C7BCF97D67F473F3301EE19460B9769934A946FEF390
SHA-512:	E0C98580FE0F8520E617CA1D539537C46E7E34DAA52F2FC987AB484BB97038739F16B7C53C5A519F74B9EF887E3E23E23B563170CDB5AB5679925D1F61E1D3DA
Malicious:	false
Preview:	.PNG........IHDR..._..._......L......bKGD..............pHYs............... .IDATx..Yl..y.7.m..H..H..A[.(.R.-.....KR....(Q.B..G.D...j!%J..S..K.(...Fc..<....@..5..I...8.......C..u.6N...o..s.w.....S...B<+.x.......B./\|....+....f...3..\|A...B..R......#...!D.R..I)....B...U.P4I).^..%!...]....h..H)..R~YJ.!.<.B..B.B~KJ.m).B...w...{...B.y(.....R.z(.....{B.w....B\\.vm_.1(..S!...j~Z......Y!...R.Z.~.V..U(K~.,)..........`z..;.hpd.jl.z59kg..d..dj......Y.G&0.....sU......gJu.{R.....o.!"B..!....#.\|..I..J)..$......!..Rq)..Ju.{.5..6.LW.#....Y^.`c../..."....G.....!v.A.. ;;~.};lnn...eu..k..s...9..G.u~XV].cEI.B(.#.\|I.P...%.x.W.._.B...rJ.w.%e.R^....g.j...g.`(Blw..~.L&K..#...dI.3.Ri..u.63..u..0.H.X,F4.%....~D.o...eu...."3.........k..W...@.T.R.U(.eR...4.......3B.J+.o.........H,N2.....B.@.X.X<...B.@.P.. ......+....!"...H.H$B4.%....DX\Zd}.M..'........dm.....6....):...kl.@SZ.#.B..!....q.?..`EOK).PUs..6w.}0mw].....,..!.l.\.G.P......rvv..78:*...#......q/.......m.p....\|

C:\Program Files (x86)\ClocX\Presets\alarme.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1475
Entropy (8bit):	4.853612525961072
Encrypted:	false
SSDEEP:	24:BEQrGXz5lr9BxoaKy4rTORXFB01rfDkpWdGm8diF0PfXvibQ0Wd9iBxLuQI:BzqFluf1QFKOMdGmUPfwQJTiBxLvI
MD5:	D821262416FC40D087348659DEC1C6E4
SHA1:	05E9FD31BA6667274CC8B94466446AE492D41A3C
SHA-256:	FEBEBCCFF26778BA1204CB6D58A7E889D44ADBED33BC0FEFAA3E32CEF632FE3B
SHA-512:	278482031BE63DA8B81FA5529ACB5E3735E2ADAF6E5CA3D3398E838BAF80EA04FAC7747C1848FDE578958A50A05F0B1C7487815FF7D4F4F7C65EEBC1EBEABD03
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=10 ;size of AM/PM font....DisableDate=0..DateColor=0x787878..DateFont=Arial..DateFontSize=12....HourColor=0x000000 ;color of hour hand..HourLength=33 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x000000 ;color of minute hand..MinuteLength=51 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x000000 ;color of second hand..SecondLength=55 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand.... C

C:\Program Files (x86)\ClocX\Presets\alarme.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 218 x 273, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	96516
Entropy (8bit):	7.919324419762643
Encrypted:	false
SSDEEP:	1536:OrUAxUUOq+08PZwDmJr9EfkFF8mYIDMvGZKfCg+kRTdIeKr86G0Ktu3O2UQ2s:P4wZwDsr9Efkv1xwGIfj+kR0r8LJQZ
MD5:	1138A4BE4BB0FA2728E3D6DFE1C6B2E4
SHA1:	1001A4D64D36486FAD7E5ACDDD4F458829FC435D
SHA-256:	7DA15B7C64292B1FE73983085A174669892A93D3CF344A613EBEE8C33687898A
SHA-512:	1251CF147BB1FCFF466F4C2C2A78F8DAD1275BA3B2DA5E9BB7543E10B10A07E7E8361416C1A1BDE4B7A03281E6904766F0D7A0EC99DF1BA8708D2818D7C722E6
Malicious:	false
Preview:	.PNG........IHDR.............jB......gAMA....\|.Q.... cHRM..z%..............u0...`..:....o......x.IDATx.b...?..0222..w.?...:.#..;'k._LLL..jB.......f):8}.2..w..k7o..:c..555.QQQ.II..@_..... 9...r.......@8-.Z.k...[.L. ...0 6.b1 .b..Ej.....\|....6.bf\....N._.z...1..E............dF.1.65.....c'O.....d.6...c...8....b5l.......%= z..5/..B..o.b...............w_...)A)..&.....x.....Y...?...?o......#......Pi.d.....R..l.-=.Aq....?-3..Xd..k'..7.>..S .1.......W6X?(.>}...PZ..->......@...O........>2\|..........ATJ........>f`...a..6@-_......d....../....O?.... /+.....@.]0...........i..&..........0..sf.g....Y.\|E..H...X3...._.......H....c...c.z..$VVVP.Y..@`.F....ax{u.........4;7'...s:....}..... -.. ....'..E....^...q..)._...p.2..0f.....}..Td...v...k.....P...'..{......`"...@Y.K@N.AO_{..2..F...J.......+...J...B..GO...y.6.<......./...3.c@........J,...S......d...@..xJCC.....n....{.8\|.6..of.iQ>./.Y.2.=y....a..]M......;MH..........J&@<. .X..6(5}...(...[`.-.).6k.C...[v]b.v.

C:\Program Files (x86)\ClocX\Presets\apple.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1472
Entropy (8bit):	4.872769610377242
Encrypted:	false
SSDEEP:	24:BE8rGXz5lr9BxoaKy4YPTOI01rfwPkpGdGm8bCi1iYdeibQ0Wd9iBxLuQI:BTqFluf19j4dGmQDiYdBQJTiBxLvI
MD5:	38F4322D84E0E6A5BD58BBE888061AC7
SHA1:	4DB5C23A6298D62914714E7B92E11EF4CB41AC35
SHA-256:	FFE096724F22FDD9CFB9C9622CE51F965648D9EE7C2C5537B39F5C1313A6391F
SHA-512:	1F9278D5A21F71680E024B195D02E9E14D229712C0CA88719FDAA5BF03861B70DD65E12CCEA4E46455B31673F8C6B9F6A9BC6100CB4C9728A7039FDC713FBF2F
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x000000 ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=10 ;size of AM/PM font....DisableDate=0..DateColor=0x787878..DateFont=Arial..DateFontSize=12....HourColor=0x9A4F45 ;color of hour hand..HourLength=25 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x9A4F45 ;color of minute hand..MinuteLength=42 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x553FFF ;color of second hand..SecondLength=44 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand....Ce

C:\Program Files (x86)\ClocX\Presets\aqua-clock1.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 107 x 114 x 24, resolution 2834 x 2834 px/m, cbSize 36992, bits offset 54
Category:	dropped
Size (bytes):	36992
Entropy (8bit):	5.610490122908846
Encrypted:	false
SSDEEP:	192:CBccMWRLppppppW111111MhOCZX0/oYkjkX/dOMQz6ruH2qraRsEtNRY0ZE7DFF8:CBvcQX0/lOvf8BNvw1lKXlJ
MD5:	56F18FD2EC130B2714C9BFEEF92ED37A
SHA1:	0BFCBBC051BA9323D9A8B5F0D7DDF77C75A21985
SHA-256:	9E5A84DA02E5BB837B575B899F4FF55F5A0095C412C4433A2CFC922208CAFA66
SHA-512:	897F923C68A601667A7AE09F1802F41F6F0E663D74F80887A8EB4ACE9AE1942DF26C368BDD0814285170B7A5B940E9A3774AAA7D90DFF426A5016260DB445BDA
Malicious:	false
Preview:	BM........6...(...k...r..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................xh.\|g..m..j..l..q..t..s..t..t..t..t..t..u..t..t..t..t..t..t..t..t..u..u..u..u..u..u..u..u..u..t..u..q..k..b.w_.lZvja.............................................................

C:\Program Files (x86)\ClocX\Presets\aqua-clock2.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 112 x 113 x 24, resolution 2834 x 2834 px/m, cbSize 38024, bits offset 54
Category:	dropped
Size (bytes):	38024
Entropy (8bit):	3.804159517586175
Encrypted:	false
SSDEEP:	96:mEPBcUiVCRGqKcOnrmGDVNdKh9B+QRGB9Ov7OPcmn:mEP00xRGhQG
MD5:	FAD209473000F30FB8AC132E5ADDBB94
SHA1:	5886423659F1DE4D705BA68583C3B36D9A3857F4
SHA-256:	8F8E24924515FF1CC157405FD35A2DFA60E49558A4E11CAE4406D88C75202BD5
SHA-512:	78DF2A704FDF25EE45621005349CF2893E14A9BC909404606CCE44126FCBE1D4EF6B2C70951B18049D3AFD8526E12A5BBDB25B44EB4E80EA90438CE1E352536B
Malicious:	false
Preview:	BM........6...(...p...q.................................q..q..w..o..m..l..q..q..q..q..q..r..r..q..q..p..p..p..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..q..q..q..q..q..q..q..q..q..q..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..r..q..k.zd..q..q..q..q..q..q.............................................................................................................................................................................................................................q..q.....................................................................................................................................................................................

C:\Program Files (x86)\ClocX\Presets\aquamade.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	949
Entropy (8bit):	4.571347043037757
Encrypted:	false
SSDEEP:	24:BEQrIADTORXFB01rfjkpWdGm8xiF0ZJGi:BzCFKuMdGmEZJp
MD5:	96FD9CCA4BBB46E48F65EC26E3AA1F3D
SHA1:	AEA8888332BF8635A1FFDBEAED9E8A632A21423C
SHA-256:	D56E5151C7EB06AD35A0364BAA8D95DDB11700754889C5498DFA6AF2CA945888
SHA-512:	F4C10EB0AFDC7E54B8DBE0C02ED2C6C22A9B6912A683536796B1FBFF0BA1BF19DCA969375002C13331666A0266DD42E38BAB628D047AF4B1C1A490786E0C3B47
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red)..ShowAMPM=1 ;show AM/PM indicator (default 0)..AMPMColor=0x00000000.;color of AM/PM indicator....HourColor=0x00000000 ;color of hour hand..HourLength=33 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x00000000 ;color of minute hand..MinuteLength=51 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x000000FF ;color of second hand..SecondLength=55 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand....CenterX=63 ;center point's X (default image_width / 2)..CenterY=61 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\bahnhofsuhr.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1540
Entropy (8bit):	4.909224216363058
Encrypted:	false
SSDEEP:	24:BE8rGXE5lr9BxjTJaKhVY/qTORXFB01rfwkpWdGm8bCi51PgibQ0Wd9iBxLuQI:BTqyllTJfgLFK3MdGmQ71PXQJTiBxLvI
MD5:	BA768117B0EE7DCC4D22D0CF34F17177
SHA1:	048DF18F592EB751DC8094BA82BC77A9EC7E1316
SHA-256:	2B6EED6932C65F8AC44E36D62C4BBED226DB938ACB6AB43134E756F5F85DE943
SHA-512:	9A22B6F9A1ED5807C0C9B7E6974E0717C54F255A7E26F03097D3AC92A9A4EE1FD8C02F7707302E3078BE29176554DE32D9514ED849963B8A1AECCC3126137F71
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x000000 ;cut window by this color (default red).....;not used with PNG in Win2k/XP..DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=10 ;size of AM/PM font..AMPMCenterX=61..AMPMCenterY=88......DisableDate=0..DateColor=0x787878..DateFont=Arial..DateFontSize=12..DateCenterX=62..DateCenterY=45......HourColor=0xAA5F55 ;color of hour hand..HourLength=33 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0xAA5F55 ;color of minute hand..MinuteLength=51 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x553FFF ;color of second hand..SecondLength=54 ;length of second hand..SecondLap=0 ;overlap o

C:\Program Files (x86)\ClocX\Presets\black and steel.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	4.92543323823258
Encrypted:	false
SSDEEP:	24:BE0rGXE5lr9BP5WaKDihTOh01kPkpFgdGm8RiTm7ib/v7Wd9iBI5auQI:BTqylRWfkbIdGm5msCTiBtvI
MD5:	885F743529845BDC1B4C9766FDA77D0A
SHA1:	478E113115B3958E77076D0F1E2F7CFBCEE00FCF
SHA-256:	56FB2FC2890BAFB2324D7168D211B1DDC91AF4C869EEB5613F15B2073757C83C
SHA-512:	553A98A1D2C039C053C048E391BC81E5E84509EFB7EB84E38B194C167BD2FCCFBE93263E92CBE505624433B4EBCB042B4A76749420448D2ED818C7500A2C7B12
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xFF00FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP..DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=14 ;size of AM/PM font..AMPMCenterX=61..AMPMCenterY=122......DisableDate=1..DateColor=0xFFFFFF..DateFont=Arial..DateFontSize=16..DateCenterX=75..DateCenterY=100......HourColor=0xFFFFFF ;color of hour hand..HourLength=35 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=2 ;width of hour hand....MinuteColor=0xFFFFFF ;color of minute hand..MinuteLength=55 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x0000FF ;color of second hand..SecondLength=60 ;length of second hand..SecondLap=10 ;overlap

C:\Program Files (x86)\ClocX\Presets\black and steel.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 150 x 145, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	8101
Entropy (8bit):	7.944900564128968
Encrypted:	false
SSDEEP:	192:E6s2mM8JBwjL+2Cze54iq+LMpWZizMVHGzRmz8Lu7vDpri15n:ZSMswf+te3q+o8szRmz8gvE3
MD5:	747303365A184814658774165BD7C883
SHA1:	93BB4D77704884F2DA950F68ACA59F1E60AE9D98
SHA-256:	9876CBE95D2BCA6E45F20BE2C75B4425DC434FF5E56DF4F7DB1985F679BF4056
SHA-512:	2612754DA59CFA739BAF3E1AD61DBD052D00E16F4DA7FDD94679585BC82CEDFF64A6C5B77C28E0D0414093FA0F09D30D0B40185D8AC191262673AD93929527D5
Malicious:	false
Preview:	.PNG........IHDR...............h....tIME.....$:O.K.....pHYs.........B.4.....PLTE.............. .#( .. .!!".#"$&$('(&#)-($&(&*(('+)--,1/0.-160.300.21454978559;86;886::=)/@-3D15B06I59B5:J:5A<7H=<B<<I3>Q<@==AG<CR@??A>EEE=BAEEDJGHDFHLHELIIEKJMLKROPNMPURLLQMWVQMQQTTSZWXVVY\XT][YSZZ\AOdMUcTNaURaWThU\eQ\mZUc\Ui][b]Zi^[q_`]]afXduiYNa\Wb\ie^qcc\teXbbeecjgieejkhgghelklbjimkgtmpilprphhrk{qrjrrtusztxtuyzxwwxt}y{rzz\|\l.mj.es.um.{u.~z.}.v}..\|...nX.~~.y..\|......\|..............................................................................................................................................................................................................................................................................................................................................................................................U....{tRNS..................................................................................................................................IDATx..

C:\Program Files (x86)\ClocX\Presets\cowboy2.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1392
Entropy (8bit):	4.808211118758739
Encrypted:	false
SSDEEP:	24:BEQrGXz5lr9Bx6TOr01Ezkp8dGIo8bCiDadKibQ0Wd9iBxLuQI:BzqFlYBSdGJQlA9QJTiBxLvI
MD5:	7B78A925BCBF93FF614A1C4FE7E84673
SHA1:	6DBD5F227E72363B4301DE8C7923442466714CD3
SHA-256:	E791213655F1CB3E5B5A08B01411E48D9EBE480166742A77F120B2964BE2D7AD
SHA-512:	7B051908EE1D78229847008A5217607EB492E174A9C56CC46A5B93360AABEA43693F61F2BD9E993A39328E7D42CCA64C5B32E12F28CA7A9F9A4E61823A56470D
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=10 ;size of AM/PM font....HourColor=000 ;color of hour hand..HourLength=40 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=6 ;width of hour hand....MinuteColor=000 ;color of minute hand..MinuteLength=62 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=3 ;width of minute hand....SecondColor=0x553FFF ;color of second hand..SecondLength=54 ;length of second hand..SecondLap=20 ;overlap of second hand..SecondWidth=2 ;width of second hand....CenterX=100 ;center point's X (default image_width / 2)..CenterY=100

C:\Program Files (x86)\ClocX\Presets\cowboy2.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 200 x 201, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	44974
Entropy (8bit):	7.993740849593251
Encrypted:	true
SSDEEP:	768:/tfJ+gfGQkB4WLWrl6K/OYI4U0SyJIWu2erDzyHJaYJFJICsYjqAwInHEVnVw:egf/04QWAK9IN0Lq2eqaYJFOCOAwIHgq
MD5:	C41A10919D89B2E79D9602B5644BADB3
SHA1:	F83673308724DB3238FF799D30F8478C86CDD577
SHA-256:	45C550427466A8588B8B9C7EDA3AA685C38CAD1E6DCB6DE43860B214B3C3FC76
SHA-512:	AC2150D30FD8FB3FD87F338896715F02E1B4D0D1DCBEAD3C4B4F22B8BEE438C1D271CDBF01374F7721D8EE675B8839A150FDD3DD4F777393A7E9D854FDF799EF
Malicious:	false
Preview:	.PNG........IHDR.............f.};...,tEXtCreation Time.Sat 22 Sep 2007 01:46:32 -08001..~....tIME.....5%\..L....pHYs...........~.....gAMA......a.....IDATx..\{.]E..u..}....B"..%Dp....$$!...A.Ek%.[......B....Z.....,..@,....PR.A.. "D.7.H..BB...=.t..u.>...L.C2..7u.G.>}.._..>..:BGhT....:.;m.....y...v.z._.P.d..})......[..._..%.../.q..z....~..2.....2\......(U..w..SJ..!...B.%.(5....+..OBh/.?.l.j..st.9..=.Z......x..\|.....p.#.y...t.._X.XJ.....B\...=1.....6.p{:;.u]...6:1@.w..-I.myp..;'...':.....,..9{.....K...%...}.....o....W.5...$..s..6....otF....[..w...ly..&..'3..H.ZS..Dx...j....;/..;:.C........H....L...^.......-.$...._.~.^h........~.\|...f........Y...F.....F...M....@..s..;...8EM......N...MC.vM.`L"z_.d%...T>&.X+.w&I.Y..V-.M3.e().a1E..(y..\..\..@..=.6.S.....e....A.....e.v.!....8uX..J.m...wS.<L.w..q..o^58.c5Q.>..z.../..k....aN`.)/.....=+..k....fRH0.z.~Iv...Y<..N.A.../...[..%........b..bL....=q..."X4A.~.=.I..i`&.i.."Uv.T..;..?.lPx.... .:.[..o.i.,~s..^6.{....!..fB[V..[cP3

C:\Program Files (x86)\ClocX\Presets\default.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 121 x 121 x 24, resolution 2795 x 2795 px/m, cbSize 44100, bits offset 54
Category:	dropped
Size (bytes):	44100
Entropy (8bit):	3.83871121046637
Encrypted:	false
SSDEEP:	384:bTjuQGkjL9f2ulV12XTVv2ENp8JAoa1137h7ANbUx2:njXqukjk/Jc376NX
MD5:	15EAA774AC3848A3B4DDA0E66F5E9287
SHA1:	A3DF74FD4EBE8A46D301E27E295082CC4EBA3C39
SHA-256:	C9243878C5B9B666681D16DF368EB1532A5605701A25AA6121F3D5CFC7189C8E
SHA-512:	B78CB65E51590388EBC748EB260E3836DF30377A1F7A8207C0DB05FD0A3E2B8F4B4FEBD25C5640B803497079E07E11F5E1A2C74B1771ADCBCEA9ED2A188E84B2
Malicious:	false
Preview:	BMD.......6...(...y...y................................l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l...l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..iD.cA.\;{S4pL.fF(`C$]B#[@!Z@![A![B#\C#[A"Z@!\@"`C$fF(oL.zS3.Y9.dB.iD.l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l...l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..l..fC.X1.M$kA.^8.t...;..E".M*.T(.^2.\(.Y%.k0.d).v1.p+.u..p).k#.g..d .^..S..L.y7.y7.t:

C:\Program Files (x86)\ClocX\Presets\default.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1540
Entropy (8bit):	4.911895982050817
Encrypted:	false
SSDEEP:	24:BEZrGXE5lr9BxjTJaKhVY/qTORXFB01rfwkpWdGm8bCi51PgibQ0Wd9iBxLuQI:BkqyllTJfgLFK3MdGmQ71PXQJTiBxLvI
MD5:	D90F48DF60ACDE7569BEDC4C4B5C7AC3
SHA1:	75229A0AD9D810D292B746D9B2FA04514C509D72
SHA-256:	E444253E619E3599AB17BD1927911B8F0362254EF469886EDB53A6FAE9C580CE
SHA-512:	644CA33C38A1D7F26276FF029423BC2BB68B8E21F06AF877562DED4BBCBD3A59E368CFB5BDC10E2ACAAC0C5B7E427DA306FD4B0A44C7E03ADFD276342E7AEFD0
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xAC6C1C ;cut window by this color (default red).....;not used with PNG in Win2k/XP..DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=10 ;size of AM/PM font..AMPMCenterX=61..AMPMCenterY=88......DisableDate=0..DateColor=0x787878..DateFont=Arial..DateFontSize=12..DateCenterX=62..DateCenterY=45......HourColor=0xAA5F55 ;color of hour hand..HourLength=33 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0xAA5F55 ;color of minute hand..MinuteLength=51 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x553FFF ;color of second hand..SecondLength=54 ;length of second hand..SecondLap=0 ;overlap o

C:\Program Files (x86)\ClocX\Presets\domeclock\domehour.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 40 x 14, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	2290
Entropy (8bit):	7.700327487136672
Encrypted:	false
SSDEEP:	48:LLDh2CM+hIEWlV2mEGE9cx7g+SNpWmefyAZZJDrS:LB2oe5lVEYx7hSNCf7Zfe
MD5:	2B3AB55EE12A47F5A20F8CFA2D46724B
SHA1:	1FB28F49EC9D8F2B7E90EEF82CFA48C5B7BD8687
SHA-256:	40A519F829558E1BD12C88F891125420079D40FF3C10B5940724F8D27D69D4B3
SHA-512:	777B53C0912C99A4EFE0B7D91BBB8D24CE4D74BAEC12DB92905976E4635BF23FC69126309D2BDA7579328170B963B0B8A6D66AE5F84C68BB8823F4AC9D79C878
Malicious:	false
Preview:	.PNG........IHDR...(..........n.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o.......}IDATx.b8t......>........s.+...b.....0a..{...imm9..... ..:...........^!Q...[.1....I...u.....ny9I....4......7.........9;../.?........_.s..SSQ...3...)............``^.........vvu......................7.......?g...?.%e...f...'..HHJ3........g......Vx........Sg/2.y.~.}..\!@..ps.2X...).)....t........../?.Y....U.VVV\|.. .I9i.K7o0dee3...2...........hlh..../.._.1...0l.2<z..!........._...=e8{....L...e...N.\.bm.K}.'Oc........ ..W.....Q.......P...POK....,KNV.&&#...........,++,....!....232H...........f...t..!.............a...99.L...lll...+....L..6........N..1.1......h....=...[VVV.w.>\|.......Q............................................pqo]........................??A.................^..=w........edaae...?.##.....D223_..G\|...8v..=......@L..<K.=w..{..........iww.{..>.z...?//.W.t!*%).63;.....?w...j@K1....Q...................r...rNLH....{................\|}~........(...........i...

C:\Program Files (x86)\ClocX\Presets\domeclock\domemin.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 60 x 9, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	2317
Entropy (8bit):	7.655538415930818
Encrypted:	false
SSDEEP:	48:3Od6w3EFNTi5xexqAPIzGS/S1eRl65PlgmpXnoBjuuSTq:3OdrUr+DqcieqempXnOvSTq
MD5:	71E6CF4FCE7A3C0088267F1A71ED8630
SHA1:	94B3755BF1077F8C52FFA7450DF6094F1C72E939
SHA-256:	EB308EFA319EA51E367092AAE0BD118081C0340B6ACAD03C1D55E431E33469D9
SHA-512:	C0D7A288D8425B3D4B22E9F48FD47F22095A631C41F6F67E0F364FDD41AC3029325B9133987C8CFD59B7816FAE02D4ADD0A6E16E923B422BAF175A062D025912
Malicious:	false
Preview:	.PNG........IHDR...<..........L......gAMA....\|.Q.... cHRM..z%..............u0...`..:....o........IDATx.b.s..#.3....3.z..AT\.AOO.!00....3....!............,-+.........1/.................?@E...............qqq.......YQQ.....BA!...B..V.6..b.........=....+.6}....@DM....:....48<.....BDK.....>?D.KLQ.STY.:;=.vwy......1/......eii.....""........e...y.......:.9.......FFF....c..Tg...=....;>F.hfb{....11/.........kmm....%".c....+.....11............=...._^b}........jjk....j....................888...................y...........................-...............................W\|~}....b`^.........???'zzz.....1221...N........}}}.,,,...........y....................... ...............{...'................tsy.EEC..&.......=....................HHD................................?}.d..z....?\|`.6}._[;'....0...MIYAm..7......)].n..Z.:..oa`bffPVRbpttfpssc......W..+V2<z.....[ggg.WWW.........@...ED...V.........sf.v.\|..:......o...YUFZ..............=y....{.....7.0..8.\.pA.......9.Y..&.w...........

C:\Program Files (x86)\ClocX\Presets\dragon.bk

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1477
Entropy (8bit):	4.874701427171613
Encrypted:	false
SSDEEP:	24:BEQrGXz5lr9BxoaKy4XTORXFB01rfLkpWdGm8di9MiXGibQ0Wd9iBxLuQI:BzqFluf18FKeMdGmfMiXpQJTiBxLvI
MD5:	187F4E9C78AC647EF5C632C9910211F3
SHA1:	C0BC244E495B267B294237EBB158689CFE7787A8
SHA-256:	C4E752988EA9D30089DB49CDA515FE5B4F460DB402879CBA941D27F271FDE0CB
SHA-512:	01E221AEBAD7AEA7067B4D2BFBB06D829FEB158DE0DCE336BA641DB578F8248A8FDDE2C49FB75D3E79440643091FD39A7185E1F041136BC203ACDBE3E06BCE1C
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=10 ;size of AM/PM font....DisableDate=0..DateColor=0x787878..DateFont=Arial..DateFontSize=12....HourColor=0x666666 ;color of hour hand..HourLength=33 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x444444 ;color of minute hand..MinuteLength=51 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x000000 ;color of second hand..SecondLength=50 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=.4 ;width of second hand....

C:\Program Files (x86)\ClocX\Presets\dsaqua.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 129 x 129 x 16, resolution 2834 x 2834 px/m, cbSize 33596, bits offset 54
Category:	dropped
Size (bytes):	33596
Entropy (8bit):	5.943688620603497
Encrypted:	false
SSDEEP:	384:WF3WK3fGUUUUUUUUUUUUUUUUDUUUUU63EZJTL/o70pn0cCzW7dmb90:k3WK30UZpL/o70UzWkK
MD5:	4D99C681A6F8DF6BD48A49B3162B0DBB
SHA1:	123E39E10426BFEC2A050B963ECEC4FC379EAD97
SHA-256:	48DB744D53E5D7EB33715CF57215B6D556BFF12A0A21158B37215EF67CE96787
SHA-512:	FD5A0F937401FBC850FD67AAEC9274244A796AC81FD1E25A7BE753F7382FFA32D1E7B72A7EBF6EBC87C75BECBA1001195BE93C6361CFE58D35910D9393154AE8
Malicious:	false
Preview:	BM<.......6...(........................................\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|...................................\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|...\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.......................................................\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|...\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|...................%k-.91F.R.Z.gZkZkZk9g.^.VRJ.=.1)%...................\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|...\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|.\|..............J).9.RZk.s.w.{.{.......................{.{.{.s{o.Z.Bk-. ........

C:\Program Files (x86)\ClocX\Presets\earth.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1406
Entropy (8bit):	4.79578084741415
Encrypted:	false
SSDEEP:	24:BEQrGXz5lrUBRSTOLX01rfPkp+dGm8JiX33NPeibQ0Wd9iBxLuQI:BzqFlQGiEdGmxtPBQJTiBxLvI
MD5:	D4C8BC1C07C0077783E15664BADF33E3
SHA1:	EF27B3AE33D84581098C96384784282E090AFAC1
SHA-256:	051468A847913306CF9FB5DCBF17BDDAB5AC36689DCBA6DA0374DBBB5383B6C0
SHA-512:	5F7C44CE2FBB1E4FA332436CAFDE4085A91CC55DFDC404143A586B3777AA168783F6D82396C57C443102CE9606E044845E5680209FF8234D78CCEC9E5FF4632A
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0xFFFFFF.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=12 ;size of AM/PM font....HourColor=0xfffFFF ;color of hour hand..HourLength=39 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0xFFFFFF ;color of minute hand..MinuteLength=59 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0xFFFFFF ;color of second hand..SecondLength=63 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand.... ;CenterX=60 ;center point's X (default image_width / 2).. ;

C:\Program Files (x86)\ClocX\Presets\earth.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 186 x 186, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	57316
Entropy (8bit):	7.983908983566808
Encrypted:	false
SSDEEP:	1536:iJ+ytG7+qh+bLgR52aFR/mizDX/xwE4pr9:C+ytG7J2LY52C7X5wn9
MD5:	4AAFF353A088E9B576D7439092B1DCF5
SHA1:	CA044A1E5967D3CD2F9BB9F836B9866CD4CEC0EF
SHA-256:	08ECBB835A9061D88A2B4E8955194F7A924A951D68C9C94F587A3E2AD6E6D707
SHA-512:	5397BF8F38B2A6C3990B8545E49B37B6EB29B14115E51CBAB9C6221E0BB5E55FBA41A031D19A214165201908C6B0683CB4308B73C60BD3D3832A33B2AD8B4D2E
Malicious:	false
Preview:	.PNG........IHDR...............W.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F...ZIDATx...w...U....z..r...'g%..B.$@.L...0.........\l.56...BY(....c..9...U{...Mk..].%.:.l...xG...U.U{.....g>K.cxs..../.....f....\o......f....\o......f....\o......f....\..e.#.....?.. .R.lb.qQF`..a<tl..C.Q.K..@$=....0h..AH....R`....#%.4..G..KJ.0h...8...c..,..(..U.Zb...1....B..XBb....Z. ,[.].P~&.A.H...@$..)@#d..hm4..Z..1..E...v...X..t.qh!.Z.D.H+.P.".A........h)1.XZ 0..J(.4.c....1Fb4Ha.....)1.....B..1.-......%... .Dh.f.u........R#......}s....e.h0d.aT.....).l..s@.gT....e'.L"a.I.v..8BJiY...........c.tL.E..wT..Sa...[)d..BB.W..W......`\|...zs.....q.1....wG...G<..o...O......b..atd.B6.P.......E....$.I<...T-#....ILd0Zc..r.$......J.R..eeu..j.J.........^5:x.c.b.e.....f..%..A.1..}....-.......a.}.........LM..L%.l..c359.....N.'.....s....c.....0.##$].N.K.Q..L.E...hVW.I$..H$QH...z.Wn,e....K...^...:.FZ..D..,.d..4......[.\o....6.1z....0v.g;....#{wn.}.9...[.

C:\Program Files (x86)\ClocX\Presets\earth2.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1471
Entropy (8bit):	4.872104151320744
Encrypted:	false
SSDEEP:	24:BEQrGXz5lr9BxoaKy4dTOK01rfhkpGdGm8bCi1833NPeibQ0Wd9iBxLuQI:BzqFluf1EY4dGmQD8tPBQJTiBxLvI
MD5:	F38314A74205C38938A37A67492D55F9
SHA1:	A66F27AF7D0C055BA04F2D8DE77FAA9C798D5E52
SHA-256:	EF1AFF8D42C199FAD7E1569DC34ED48F9A68B6CB15675040B6154C69164E7EAA
SHA-512:	ACADACF57D9597EEB8A83A349C6E565D1A1881EF7EBD5F0822495367A92F87AE62CC1FA07364DD756D2ECE2328DA3C3E0FE254C1B402FE3C6E83AB02DEEFF0CC
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=10 ;size of AM/PM font....DisableDate=0..DateColor=0x787878..DateFont=Arial..DateFontSize=12....HourColor=0x33CCCC ;color of hour hand..HourLength=27 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x33CCCC ;color of minute hand..MinuteLength=42 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x553FFF ;color of second hand..SecondLength=44 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand.... ;Cente

C:\Program Files (x86)\ClocX\Presets\greenmarble\marblehour.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 114 x 19, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	3839
Entropy (8bit):	7.883046313078185
Encrypted:	false
SSDEEP:	96:WBxILSDd4G24IscGnu+Pk3Tt6Z3Xw0A9dqXWO:WzkSDd6GnuHTEZ3g0soD
MD5:	BD2ECAFE288B72EE504AC1A40130F02A
SHA1:	58586107F3A6CD4885C0A7801921122370E60372
SHA-256:	08F9B95562E2D5179E821797CB9158234436ECED344C6257EA60FA1DDDFA4654
SHA-512:	28A2FE295E11C03D891C94768308A2122396B587CE847D2180C07CE8729304AB0EBF257FEED7078402B1F93FF06C55DC5D2FE665046B03278E62EF2657529CAB
Malicious:	false
Preview:	.PNG........IHDR...r.........;ri.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o........IDATx.b...?.)XY]..D...3...=....%1$.5?A.........A&.............................l.............l... .....@..E.o.1..~...Z.....c....9.................9..y.x.\|y.F.."p..T.......S..t.t.U....[...'N\..'-.-._?~pprs.]>y..!o......>'.?._.Y~.\<q.'HP.B.....NQA.Q...a...^6.&;.}.h........?......O........:...k....I...>.......=u.+.n.F.. .(.Qr.@.......T..e...t..p.3.6f...7....WN^.M.B..b.../,&..............}..Y....M..a.s&.Wo.....c.........y...p.s1.............\|c`dfa.be........]xy..M. .. ....+.\|x....._@.z&.....1...\|\|.&.....o.......?L.N\>`lk....g....IJ...xr......WO.:....pC3.V .....DRY..k.+ad.l. ..J4.......o.<..s.f..:.=u._...XY.....I.....Q.\...+?5...o...6................G....0....ELH.@OC~?+?.'..7...../.\|.............6....%.........'O;o_...$.i.W...........</.A...........3R..J.........w.^.\|..Y.7o..\|.......7..&.....f.QP..$.t.I...Q/...D.......I...qU.%F....7z...}....!).~.....s.6.`....

C:\Program Files (x86)\ClocX\Presets\greenmarble\marblemin.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 117 x 14, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	4804
Entropy (8bit):	7.872761167878164
Encrypted:	false
SSDEEP:	96:ytePcbs8T/pKuzqSpOOTD6IZ8mE10A1bHb3GDfxkwfK:x6TT3uAxfZ8n7bHb32U
MD5:	E4F18584A1443E393889D6B0725E69B6
SHA1:	943A2815F066D5C44777EEF80D0978FFA84A696F
SHA-256:	35C6E7D3B9BF347B696EEE60A2196F10355C07F132D4AC9BE48191BD876335EF
SHA-512:	36E26F70C4699AF2F71502FCB36B564A9A2B69021FAA5A8973AFBEFE0B3305F9A9D2574D88DDD775E336433F972CAF58536ADD934BE7395A9EA0A7C41FDF2208
Malicious:	false
Preview:	.PNG........IHDR...u.........f.c(....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o.......OIDATx.b...?..'.G?G......=....3>5.;FI ....Q8./>5......&').....%(.............%........."...d... ..=....Tl^.....S&............./!.$.................>FA............F..y....08/M.....#"........\K<............4...........`........................................!%#..$$............a...............ec=u.F~..g._...GR...?.....u............_.n....]. ...^Bf,I.M...u....>K@j...N.......4#("";..........\.............)&........t...................................M +2............N.........u..... ...... ...................%$............"...........7.....&!&.....................................&"7........DMA......./.?&.F.....^54.wS0..........h.....H../;..../.......;K.A..gg...c....v..DD%....B.....!6.-..+......W..<.u.T.8....a...F\.....T....$6N....b.<]...,.&f-.M......].+...@8.1O...Y.E..2Iyp.'d....z. .I0....l..nV..2..9{........x4..ia>..K..r.@:.W.gGU.......yO....W.....Mw0..tw{......}.'..e.S1...q

C:\Program Files (x86)\ClocX\Presets\hallow.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	925
Entropy (8bit):	4.541321371524183
Encrypted:	false
SSDEEP:	24:BEurZuC/Tzbr1nPkLKhaLgGLXoIZKgVi0uzUrn:B9pqnkGUnNU7
MD5:	91E71226494DF487E040FAD190D8D199
SHA1:	B5647C7914884589F55E759A2A140B75CB6BF53F
SHA-256:	4664041204AC6D66DF612C225C7457CCE4CC16619D38ACAA24FB770564B99D07
SHA-512:	4DB2C9ED8BFC1209ABB92B93D59E1B34309228B6DF6C8E82EBD8AEEA6B7CED16956A0DFC74F2CF1EDE48E204552703A5E888A9CBFB668086BE468CD6351143A9
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number).[Settings].CutColor=0x0000FF ;cut window by this color (default red).ShowAMPM=1 ;show AM/PM indicator (default 0).AMPMColor=0x00000000.;color of AM/PM indicator..HourColor=0xFFFFFF ;color of hour hand.HourLength=75 ;length of hour hand.HourLap=0 ;overlap of hour hand.HourWidth=6 ;width of hour hand..MinuteColor=0xFFFFFF ;color of minute hand.MinuteLength=150 ;length of minute hand.MinuteLap=0 ;overlap of minute hand.MinuteWidth=3 ;width of minute hand..SecondColor=0xFFFFFF ;color of second hand.SecondLength=140 ;length of second hand.SecondLap=0 ;overlap of second hand.SecondWidth=1 ;width of second hand..CenterX=200 ;center point's X (default image_width / 2).CenterY=200 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\hallow.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 400 x 400, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	87695
Entropy (8bit):	7.995775848325961
Encrypted:	true
SSDEEP:	1536:2gdcj1dn9NCguYm6249KZqmzkHcX3qNswTBP/o3wdvdGQwPQSXpTfTWpQdZFT:jcfDyLs9Kkm3oVTBP/hVdO/ll9
MD5:	FA8384D8DA635F35BF502976A6DC7F43
SHA1:	4CAD60130366D35DC1EA05099BAFE6DEA0E566A1
SHA-256:	AF0BC4CF79640A01CF9E991D3F73993FF47D7D148F214AF36B6143C269EF1BC3
SHA-512:	65264E3881E216F3077E724C7130E8D3F5E15F1C318D8A9ADE211D480D6F485B20B5EC0D70ADBF94453498CF2BA319BC1E5CFB25E81DB3F6C78B983294E28127
Malicious:	false
Preview:	.PNG........IHDR...............6....+tEXtCreation Time.Mon 8 Oct 2007 20:07:43 -0800........tIME.........L.....pHYs.........B.4.....gAMA......a...U.IDATx....%Uy...^.....g...A.....(..Q.8.C..8(!'rt..........!....OX#. .(...".c...Q.....0.=Ko.......[5].L.{...z......r..V...{.... .. .. .. ...i..3 ..CU.N...H%...j..T..'..).B...P..K!.HA..J..D.H.."..F!lD(.....#.NXlD0.....#.LXhD0...ua.B%.7"..G.0/HA.....x#~@..D...b..dMC....h..).....Z...t.nJ.......l.;C.G._kA....(.....Y.z..RP.+....r.._.uE.To..m.L....vV.nm..:.v.......V[P.g3m..ck.......R.6..{....z....+.c\D..A.@.Ni..]..._G..?P.}P.wA=IAY?....1..........u.R.z..H....x...Ahb.v@.n......p.....Q\|>[.x.p_WS.n...."T...@.['T_..9....I...,....zc.T..:.J@..:.?...y..Q....n..)J.#($7xB......Eo.... 40a;.E5.i.K.Dy....m.V.........N#......:U<F......(L.../.q..\|.(/.......[^_g}.. .1'l'.hf..3t.G.....1J....x:....w{....]+&:z=..C.e.c.x.F.....@m..w.../e.r..=N{..GB}...#......!F..0.......Z).k.^....<#..+O..........A...q9 .^T1S..<.*.ld.].G..^GqI..n"f. D...Dd..]

C:\Program Files (x86)\ClocX\Presets\hallow2.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	925
Entropy (8bit):	4.563557273584791
Encrypted:	false
SSDEEP:	24:BEurZuC5CTzbr1nvlVkLKhaLgGLXoIZKgVi0uzUrn:B9Dyn+nkGUnNU7
MD5:	448E7CA51FF946140E484E2B8685E9C5
SHA1:	DA9FD561CDD1783F0B9A43A842F5B301D13B0BCB
SHA-256:	BAECE35CC80C8ABCFA11089AA019FBEEF1878A0E989C3B49C2734F621CBECC67
SHA-512:	04E23B9632F3A4634BE8107C97956304F9BD528BADFB00F6D69574625037D9150ECDEBCA3F8D820A6D5BF53AD7E9DEBC58A5D4EA225C00DBDBB66D8FE8006688
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number).[Settings].CutColor=0x0000FF ;cut window by this color (default red).ShowAMPM=1 ;show AM/PM indicator (default 0).AMPMColor=0x00000000.;color of AM/PM indicator..HourColor=0x553FFF ;color of hour hand.HourLength=75 ;length of hour hand.HourLap=0 ;overlap of hour hand.HourWidth=6 ;width of hour hand..MinuteColor=0x18c7f7 ;color of minute hand.MinuteLength=150 ;length of minute hand.MinuteLap=0 ;overlap of minute hand.MinuteWidth=3 ;width of minute hand..SecondColor=0xFFFFFF ;color of second hand.SecondLength=140 ;length of second hand.SecondLap=0 ;overlap of second hand.SecondWidth=1 ;width of second hand..CenterX=200 ;center point's X (default image_width / 2).CenterY=200 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\hallow2.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 400 x 400, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	87695
Entropy (8bit):	7.995775848325961
Encrypted:	true
SSDEEP:	1536:2gdcj1dn9NCguYm6249KZqmzkHcX3qNswTBP/o3wdvdGQwPQSXpTfTWpQdZFT:jcfDyLs9Kkm3oVTBP/hVdO/ll9
MD5:	FA8384D8DA635F35BF502976A6DC7F43
SHA1:	4CAD60130366D35DC1EA05099BAFE6DEA0E566A1
SHA-256:	AF0BC4CF79640A01CF9E991D3F73993FF47D7D148F214AF36B6143C269EF1BC3
SHA-512:	65264E3881E216F3077E724C7130E8D3F5E15F1C318D8A9ADE211D480D6F485B20B5EC0D70ADBF94453498CF2BA319BC1E5CFB25E81DB3F6C78B983294E28127
Malicious:	false
Preview:	.PNG........IHDR...............6....+tEXtCreation Time.Mon 8 Oct 2007 20:07:43 -0800........tIME.........L.....pHYs.........B.4.....gAMA......a...U.IDATx....%Uy...^.....g...A.....(..Q.8.C..8(!'rt..........!....OX#. .(...".c...Q.....0.=Ko.......[5].L.{...z......r..V...{.... .. .. .. ...i..3 ..CU.N...H%...j..T..'..).B...P..K!.HA..J..D.H.."..F!lD(.....#.NXlD0.....#.LXhD0...ua.B%.7"..G.0/HA.....x#~@..D...b..dMC....h..).....Z...t.nJ.......l.;C.G._kA....(.....Y.z..RP.+....r.._.uE.To..m.L....vV.nm..:.v.......V[P.g3m..ck.......R.6..{....z....+.c\D..A.@.Ni..]..._G..?P.}P.wA=IAY?....1..........u.R.z..H....x...Ahb.v@.n......p.....Q\|>[.x.p_WS.n...."T...@.['T_..9....I...,....zc.T..:.J@..:.?...y..Q....n..)J.#($7xB......Eo.... 40a;.E5.i.K.Dy....m.V.........N#......:U<F......(L.../.q..\|.(/.......[^_g}.. .1'l'.hf..3t.G.....1J....x:....w{....]+&:z=..C.e.c.x.F.....@m..w.../e.r..=N{..GB}...#......!F..0.......Z).k.^....<#..+O..........A...q9 .^T1S..<.*.ld.].G..^GqI..n"f. D...Dd..]

C:\Program Files (x86)\ClocX\Presets\iSink.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 110 x 110 x 24, resolution 2834 x 2834 px/m, cbSize 36576, bits offset 54
Category:	dropped
Size (bytes):	36576
Entropy (8bit):	6.648959837326361
Encrypted:	false
SSDEEP:	768:1MVcHjhp9uXNffJo8wYUxkM7z7M0L6lfjnjZMRi:vDsMCXMg
MD5:	A7067FA4CEA0838FFF9ED1C329C02A10
SHA1:	CD35E731C2C95C5589C7F612A4438719018422F6
SHA-256:	953AF43628EE6880A3D574DD0A167F58E7CFA4124F66A82BDC9554F177E229BB
SHA-512:	67E3E329B4B9B1DCE2FBE07A3CB9E95538A34ED6E72D640A9548687827FD237DC7E1CD6D27126B729094E754C13CD836E4901779F3BB0715BC77049E12B6B082
Malicious:	false
Preview:	BM........6...(...n...n...............................................................................................................................................................................}}}rrrjjjeee^^^YYYYYYYYYZZZ```ggglllttt......................................................................................................................................................................................................................................................................................kkkZZZIIIBBB>>>>>>@@@CCCJJJOOOTTT[[[YYYTTTQQQLLLGGGCCC@@@@@@AAALLL[[[nnn........................................................................................................................................................................................................................................................mmmQQQ???AAAHHHZZZttt....................................................rrrXXXGGG>>>===VVVsss.....................................................................

C:\Program Files (x86)\ClocX\Presets\iSink.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	16300
Entropy (8bit):	7.877169129816173
Encrypted:	false
SSDEEP:	384:5LaVln1o68AttjFEJ5w0t/4aCOr7fl5gehzqURT5u6ECv:+O69/g5nlQOr7fl55RT5uJCv
MD5:	B932F8103EDDBD166081D7E308135926
SHA1:	92F0FF8B1B5B14F0E034CD91F27160E813874D9C
SHA-256:	9C9D29270D4AD054D858D04D10300A5705B074298F77DE67DC93EB4C2C41FB19
SHA-512:	7C302F0EC5B1F283CA251A57A6CDF199374D8A5C63D2240A0D00E6F83B429EF11DEF9E974CBDC2EC0681D2754B30B3BBDD27BBC571D45F19D55CE4E6DE993DB5
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..?"IDATx.b...?.(... ..F.`d....M.#....h.... .F......4..F8.....0..@..&.....h4..p.....U........-.u...L.,...f3Y.]1...Z,..#.\|..A..b.....=..{.m{..9.}g...6x....O.a..\..y.....EY..$...#,..(......Y..R...!."..;..a.l.F]...y..^M.`.w...rM.H..t......1..u]'?.@......B.0d..yFY....q..ma.&...$IBQ.H......x..WU........?50.t:.._3.....BU.......=.. ...h..8.._.H..J...-...../.?@.Bp...{w .Z..3.Z....#...'U.&.3. .\|P3..~P?.dc...l..h.q.....j...^.4...0b....p.... .TrL.6.k......pww..;w......++..P....C1.(.A.....H.._@.:...[`.y.L.O.={.477.....'nn.O.?..(""... .n......P......F.YC.....P..\\\......5k@...`1.u.V1..Dkk......??...T.b1R.9.\...L`.b`cc........6n..*....%....[w...n.X...o....../0a....d.....PI...4$..0'2.".X..?p...G..1UWWK..].E...GEEY...f@.R.t...P..T._.~.\......APD..z..G.2...1.{..\.........J...m....@......x\|.9.....k.^=x.....D...&.s..... .tP.d..x`..;..<.A..,f.;::,...].9....9.X...

C:\Program Files (x86)\ClocX\Presets\iToolsClock.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 109 x 114 x 24, resolution 2834 x 2834 px/m, cbSize 37448, bits offset 54
Category:	dropped
Size (bytes):	37448
Entropy (8bit):	6.9477013815160555
Encrypted:	false
SSDEEP:	768:ZeYZtcSt3USJzxy5s8aGBYSrJS33M2NKd7iiARW/nhRn3cBz:X5vFas8naSrmc2NaPWW/v+
MD5:	2331BDBA9C0F6FA92572223E3CB1D2B7
SHA1:	9D855A8D1C1ECFE40D00B27AD40DFBED6AD253D1
SHA-256:	FB39E188154A042D73D47CEADA791C364F3CECA5C6787AAAB05096836CABF7B6
SHA-512:	AEC2E4578CA8564CC3A4B3E50F63D2795F314C452E594F7C610F3E1DE41F4CCF5632630AE0E3427C635F8A79935742DEFFDD8776FA77499714679D30CB1D00F3
Malicious:	false
Preview:	BMH.......6...(...m...r.............................................................................................................................................................~~~}}}zzzxxxwwwwwwvvvtttttttttrrrrrrrrrrrrrrrrrrssstttuuuuuuvvvwwwxxxzzzzzz}}}~~~..................................................................................................................................................................................................................................~~~zzzuuuttttttqqqpppmmmjjjjjjgggfffeeeeeeeeecccbbbbbb`````````aaaaaabbbbbbccceeeeeeeeeggghhhjjjkkkmmmoooqqqrrruuuwww{{{~~~.................................................................................................................................................................................................{{{wwwsssnnnnnnjjjgggeeedddaaa___^^^ZZZZZZYYYVVVUUUUUUTTTRRRRRRRRROOOOOOOOOPPPQQQRRRRRRRRRTTTUUUUUUXXXYYYZZZ[[[^^^```cccccceeegggjjjlllqqqtttxxx~~~..................................................

C:\Program Files (x86)\ClocX\Presets\iToolsClock.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	29744
Entropy (8bit):	7.962145343211094
Encrypted:	false
SSDEEP:	768:33epqn5/atVJHkAeHzV2TGjjCIUoqZttx7tP0nmdB9T:3f5e9kAIVbohowj
MD5:	0239C87AD1E60A548109255C1CDDF634
SHA1:	03D224D459FC666A00E8468E656698E7B6D15447
SHA-256:	BA64E4A42FD5847B80B20CD0980ED7A4508BEA01E88C0C6BFA0158860C8323AD
SHA-512:	6A233A1538671C25C11D08ABF8C51A277F62B45007F0174A55FBC0D09766E7BC5A5DA752A3D5AF52C060BF1F45FE568E866D4BDA679996581898E42559BF5433
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..s.IDATx.b...?.(... ..F.`d....M.#....h.... .F......(-.... .V.<`..!...p....[.F..p.......&..Tf..r.g3..F........c'..Wx.....q.....q....Qj.Tv........Y..-u...k".h.......zX........T......R5.44.9'.uN..f0.0W......>...W....X..7U]..\|..d...Ze....=..h..s1Hi..#yf8..2.....2mxv..J..}G...y.C.D......9/.yf..C.r>Sru..z .........[.n. .A .MgW \I<......x.~..'...f.F....4M..6..... jA.H..7.......YD.".K.DZ....[...H.....N.&..V.fA;.0P.K.a.'`#]3...<...h.'.P.3q..P...:..1.......?.......f.......b.&.fp..hff&`.ef`.d..0....l......<?.Y... ......XY.l....03s<gaa.....:.4..LG..Y.)......34.@.j...A ...fqaY0....x.........vFZ..!.a.]....L.....oF....sy..L;..}...!^.N........T.2..)g..+.Jq^..... 3.b..?i....,......`.a.w._v.i.zW...6..@..../c4.X.G..9.6...@m.. ..A......>..Hb.{..+n.}..+.w.8D. ...lo.W.zU......R...(.9c.(%......D.o..A!.29......M8C.......MWa.=x.G...$..b...\|...w.I.B`.{ .b. ....f8.C...

C:\Program Files (x86)\ClocX\Presets\iToolsClock2.bmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PC bitmap, Windows 3.x format, 112 x 112 x 24, resolution 2834 x 2834 px/m, cbSize 37688, bits offset 54
Category:	dropped
Size (bytes):	37688
Entropy (8bit):	5.867000345344529
Encrypted:	false
SSDEEP:	768:/88JTLJqN2AzWf7NhGQYqLhswFrfs6YmUicXZ66gNrHTWOjV:/8g8sAzWf7N4NEtZfgXz06MHTJ5
MD5:	4599B6D452F4FEF6BBB533A2E12CAB3B
SHA1:	9E53546F69F1832C33FAA52CB59154B131991132
SHA-256:	45F75B2EB209AA69FCD83D5945A6EC408DBAA6B63F2EE11440DA2E86153A0ED3
SHA-512:	5F15273223654DAD2204C3188A3551C8BEE188B4B0C895CA8603CC2D0E9322D3615A44D2E18576B9574F7B8222A2826F4D0E8F69CCA6FBB1D4C9F9236C41988A
Malicious:	false
Preview:	BM8.......6...(...p...p...........................................................................................................................................................................}..gu.Sg.?\.4Y.2^.@j.Na.L[.F[.FY.BZ.=W.7X.2Z.4f.@t.T..j..~..........................................................................................................................................................................................................................................................................gl.FW.0Y.<d.Oc.Oh.Ti.Uk.Xm.[y.iz.jl.[h.Wf.Uj.Xh.Vf.Tj.Xi.Wi.Uk.Vs.`k.V^.@X.0l.H..h..................................................................................................................................................................................................................................................\|u.QY.0[.Aa.Lf.Ql.Yn.[s.`u.cu.ct.bt.bx.h..{..ur.cm.^k.\n.^o._u.dv.du.ex.fz.h..uz.hn.[n.[k.Vg.Q_.FZ.2v.T.......................................................

C:\Program Files (x86)\ClocX\Presets\iToolsClock2.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	24673
Entropy (8bit):	7.8660373232637575
Encrypted:	false
SSDEEP:	768:xKNFVXxc1+jwftQAyOZ1piMTk07EHwvaa8aktocco:UN7DcJTtTk0g6aa8aVY
MD5:	A0FAB9D64776D909D03745CA21568DD7
SHA1:	75A12DFCC4BB1F1160B534409D9F723AD569AB7F
SHA-256:	6165135988469CF85A4352F5D4FCE2643B8F4C42B367C1D7025CA3B02FCE2FCC
SHA-512:	9CCA132390919646F85034F285C008B261C5ACCCB535224A49872779F1883A3872670CD4293E1FE6DF328FB498879887244C6AD0B7AD200508EF3D4C0957EFEC
Malicious:	false
Preview:	.PNG........IHDR..............>a.....pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F.._.IDATx.b...?.(... ..F.`d....M.#....h.... .F......4..F8.....0..@...GOq......W...?....6...&.....[...o.....1....../..(.p.00...a.`..$......5#..C.6......3_ddg......V...8...8+.%.}.........Y.{.Y....&.F.$3..%s6 ....@....hA`..df`..bV..w.....a`x.L.....0\|..1/..f...L..'..8.1....v..P.;...........?f..........k..~.#......H..F.<0.Y ..$.Y.X.899..D.........8....1\|`..p...[.._~c`x....@3...?.D..(..?8.0.3.+..e............C.0..PW.).BQ.=J~.....H..&......A+h....4........d..f_ZE.7..{.}.. ...._.:J.0.)._........@..<&..`...6..1.U.~....4..\.8....^j....Jy.9...XD..#.......,.t.......c.F.u..........@......A..\|..s...._L...n.....0.....<8..y.L8..T..Z.........F...<....>.~.p..m...U.....>0~d`.....'..0....A...A1\...P.......c...%.............j....%....L.......a...g.f..........4h..X.....?.yV...SU................N..]9.c..`...3%.S...L@..s..`../. p......?..1,(..`... .,...4..

C:\Program Files (x86)\ClocX\Presets\klokje.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	645
Entropy (8bit):	4.8956136766595355
Encrypted:	false
SSDEEP:	12:a4Eqmz2rrp5pjpuDtOpCRWWh37L4a2Kg1nea90KU9LlTYQUywcG:BEurF5buxOQW8L4ZKg1eY019FUZn
MD5:	6EAFC943CFB82EF659063B558EC46A69
SHA1:	957BC898591918CB6115EC956B736A21F218E3CF
SHA-256:	7D4CF4C12CAA29802E666F1264AB9C6E273DDBB33E1B53228926B5A8C73763F2
SHA-512:	515318860D6D4904BBC323D3FAED4882A105168A1CBDD0D2BD649D8213EAB89D505D8E6CA84E5659CED5879CAE54C4F572ED7596206C8CC054D7C580BB306DA6
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number).[Settings].CutColor=0xff0000 ;cut window by this color (default red).DisableAMPM=0 ;show AM/PM indicator (default 0).AMPMColor=0x201010.;color of AM/PM indicator..HourPNG=klokjehour.hpng.HourPNGCenterDist=13..MinutePNG=klokjemin.hpng.MinutePNGCenterDist=22....SecondColor=0x000000 ;color of second hand.SecondLength=44 ;length of second hand.SecondLap=0 ;overlap of second hand.SecondWidth=0.6 ;width of second hand..CenterX=71 ;center point's X (default image_width / 2).CenterY=79 ;center point's Y (default image_height / 2)..

C:\Program Files (x86)\ClocX\Presets\klokje.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 142 x 158, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	48325
Entropy (8bit):	7.9918505031475355
Encrypted:	true
SSDEEP:	768:pY9E5Eg1OKxlfjEfgzYBLUkFhtzNKgHrOtGHUzNUGIKkV0QnA75GONU836Y:oyEgX21/tKgHpH4NUGGVA8OLqY
MD5:	8E926836D4B639E64589C7A01CB2DBB8
SHA1:	E38F0941462D65192223F15C80096155BE1C97BC
SHA-256:	B42601106DB4FF9063C0C294A8B1F2A6A2748529D4A9C2815DEE331CB94F0437
SHA-512:	6C448249ED96BC717F0C188C379C4F902DB7F826A0B162B5B5E06A8CA6443C307F155D488BACB70A3F301E772234CA2B4BD48E0B37D85087C637B270CA44ED06
Malicious:	false
Preview:	.PNG........IHDR.............kI......pHYs.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F...;IDATx.\|PAN.A.....Yb...x ..W..g..E.A..;.3]...J....4__....PI.ty...#i.4....B2..J...R.c9......n...B4..Na..?RGk..0..`%.3.<........q6f.A..'l...w.#...lO..$.....N0.....b@..$..U.....+#:[..nj).c..SS...G....]..."+uV.).B.+.&v5...r.(%.......5.....C.BJx.dHf3N.R.VkQ.f..Y..?..'...a....i4..?...?k.la3.....:e?RW.sc..66....L.2..f....ey.....x$.iS!.....\..M@.D.`.6.....=.........V@+...._..=+.;.j....T..C,4M.".DR..)?..blBb....q...`.s.s......r.\|{}.Z?.......t,.}....96.O....x..........F.5.qE...Q..5..........v..a j'N+U\|...k\QE....7Y.p...f&Vh(.?P.8.@(C._.&.....?..\._...Y.4...,{..~u...S...O.;.u..w......k..l..[.6..+v..tF..[(......yN.i.N.F>.0kQ.dw.............X.=.....~}}.g..NmE.m.....H.'F.1..-].xAWo.._'..b.>.W"M9FcV.d..(.....r.A...h.~.......?...R.&....D...bk..t..rV....^..6YR...D...\|....e.]...q.#..1..6..*...8..W.j..$.t.At.Vz/......3G.....v%..i.....{...TGI...

C:\Program Files (x86)\ClocX\Presets\klokjehour.hpng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 34 x 8, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	1276
Entropy (8bit):	7.204792043876142
Encrypted:	false
SSDEEP:	24:Vq0kBWKRD/SdTcFMjulNQIXRI/XlvSF+2hAJO0Q28cFkoVHqelN:Vq0Op6dTcm6KuIfE9hAA0Q2NFhL7
MD5:	3CE465C5A6FA15ED85F3D78B5D9A669A
SHA1:	D9EB7392ECFB586CC6BA793F44E3EBC6C68D15C6
SHA-256:	C61F93D21895B392CA21395735D01D4514E279EF4BA7A34CC20DECD1B818ECBC
SHA-512:	EA0536484F718A2A919148ACCD6FC906643A8706F413D7DCC53C416C4916EDFF3A9EBF8756F264898947A35824844CFE12F783EF4E060AF7A84D2504E5ACB5DE
Malicious:	false
Preview:	.PNG........IHDR..."..........w......gAMA....\|.Q.... cHRM..z%..............u0...`..:....o........IDATx.b^.v......vV.>............i.J._...Ky.8....1$,...3L....r033....).....?..Y:..........g"..../_.1..........o&9....8....!...................................Z..E......._......................................................}..........E...............:.......{...................i...2.......r..................E....JFK............................................1...........................-.m.4.<...u................PPQ{...+?..........'...r.... .T....E....ddc...,....fjr........................2..............................E....@FD.B;;....b!%$....................+...L...q !$.......................q..u.S...r.5..I.gd......#`lD...,......?..... #-....G.a~...O.3......?l,L.L..graa.R.z...?..D...q..........dd~...?.f6V............8H@...@.)Y..~\|.,.Z....w.._^2p.3.W7w....7....`...RL.,,@.#.GVV6..~^....?.oN...?....;.&....~.1......_..ll.............+..Y`...t.3(~~.... ....v............

C:\Program Files (x86)\ClocX\Presets\klokjemin.hpng

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 50 x 9, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	1896
Entropy (8bit):	7.566424556834186
Encrypted:	false
SSDEEP:	48:+UBnMSY1NiJ7G+lYXQd1GCkVrTzjI2yvf:+UVvbYXc1k1zW
MD5:	9D6062887C1AC43745755AF0DECB59CF
SHA1:	03F8C2912DA77D162468D97B29583446DE040CDD
SHA-256:	1F6F37ADB95BC0E517F8AA261C2EA545368CE5A3893C869DF24F84B2E051109B
SHA-512:	F927E9B556D89717AE7E150CF765436B52AC6F5E8C3E495C341EB0AA4A72AE243819F380BD6A0FE902B41FB4BEF99143354B766766BA5A322072AC2726E72B42
Malicious:	false
Preview:	.PNG........IHDR...2...........OI....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o........IDATx.b.t.&.';+..#..,-,.6m............@....g.bV ..bF ..1.... ..K.J7y...].\|.A._....7........R....P..==.`]...5....FLQ.=83....{.............................................!+&4l.....32..{.h.r.S.S...~3p..1<y............1....uqw....@.......................*...................66..D....k.(f.q.&.. 6.U+....e...........p........MRQA...~$%$....++-.66/.............=@>............SQQo........................#" ...e...........p....wmrG.!.....G............../.[Zc.....fhl9........804.......................................q....;w.X....$..g...^.x....'...].&. fe.......\.................o.c..Pg........xyy.....<...X......e...............\...........4.......................>...4.......L...............................................zB.....qr.x.....?F...0..dg`gc...Lo@.....S.h..FV..7...r..20.._..10.>...1202.....'aQA.._..UWW....e................................596.)(%.....;6C................N.

C:\Program Files (x86)\ClocX\Presets\longhorn.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1472
Entropy (8bit):	4.873829154814499
Encrypted:	false
SSDEEP:	24:BEQrGXz5lr9BxoaKy4ATORXFB01rfwkpZdGm8bCi+ZQibQ0Wd9iBxLuQI:BzqFluf11FK3fdGmQEZHQJTiBxLvI
MD5:	46C0294FE18ADF12E512CC5CEB02FF8A
SHA1:	7A3D6DCC3452649FB56A22991CD46B2575A8B6FD
SHA-256:	8CFE40FCB3B948BCEB7969332B8F4A1E5955472C98D5B947C0D3AF72F05A82E6
SHA-512:	CDBBFDC50C9EE314E46C607BB5AB1FA11639E07D142CA36A1F993D069322353F22510318A4D5919BFD1749C5B8E350B1E8A31700FDD0C96444C7F288F08A96CF
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=10 ;size of AM/PM font....DisableDate=0..DateColor=0x787878..DateFont=Arial..DateFontSize=12....HourColor=0xAA5F55 ;color of hour hand..HourLength=33 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0xAA5F55 ;color of minute hand..MinuteLength=41 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x553FFF ;color of second hand..SecondLength=42 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand....Ce

C:\Program Files (x86)\ClocX\Presets\longhorn.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 126 x 108, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	11115
Entropy (8bit):	7.945943612326477
Encrypted:	false
SSDEEP:	192:BSbxSBebSHnFYdZNEJnPM6Tk2jdQ5yKappg76uyqLi318HhC2e:BSbx64+n2do1PpgqdQ5PapYBL4SCz
MD5:	3768C9DE0BA6520395EF84D7F56C02BF
SHA1:	31A5FB80E4F7DC3BFC2B8BF016EF722BAF2CF2F7
SHA-256:	2F8C5FD250D6F896C96C44984AA11C1B924696DBFD11270D624B68B0B255D521
SHA-512:	34BDB2BCB4DD4A3E19CF49E5427EBB38F4645B4285EDE9555AD1A534C32ADDD6DEBBEA71655A2A87E9B4834FB06E6268ED706EA4519991EDFEF7D332E3F0EBAB
Malicious:	false
Preview:	.PNG........IHDR...~...l......=......pHYs...........~... .IDATx..w.\..y6..g....;3...2.6....c.a...,0AXd.....N.....:...9!........~.O.{.V..3....[.n.p~_:......A._...........K...3.....r....x....Hx.....{.....4.r.o`..o....^.....S......._l..?...........<V]]..D..x\|ww..._._..../..=..O.<..E.x=^.........\|..?y..?.-y.}.\|.-.a.u......Bkhh...'.-m.m...b.......=...b...}<...w/E.[g...>UWW..X,......................p......}...(.p.o .lZ.+W..A...'.d.m.npp..2..B..5..?S......+..x.......e..ik..8....wG..6SzG.ZKJ.cg....J.2.dgf.Y^XX.~.....W..4.w<]YY..*CWW......c..{....\|....E.....lr...?..z......E.e...>....XC.yB.+...rU....t@+..T...h...".......9{..OC.Pp..(...>3....}....u.;.r.d#....v..T7.}W9.$/''wuqi.T.pu.....;g...?....?..x....W%..7 ..q.......O.......g..t...........g...........l.....r..!.!W!.........-..[P.}7.....w.7....ZnA....P......9.C.@. mT..S........E\|...0.....H$.0=.....C..............i..W.U.............g.u/_......1......B..\+...:...z......[w...

C:\Program Files (x86)\ClocX\Presets\mars.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 250 x 250, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	48014
Entropy (8bit):	7.986851682633987
Encrypted:	false
SSDEEP:	768:iNAFMfapVRMLrN41wNbVDgrnTjBebwTXR2B6tYhfU3XlGfKWFDJrtw+dceO06ANw:iNAF5VUEEbirTdmwTgBLhfUFGl5dG0na
MD5:	ABE2E3676135DC72C21F6AC4D55D5C8C
SHA1:	43073CC174592A80D8E2D7AD23BFA2164B92774F
SHA-256:	EF28D4EF8CAB0CEEFD7B60FE2C2ECDE52DECFEA74B041C452046DDDD4852CBA8
SHA-512:	6F7953B3655F08FFFD73AA779BAC4E49ECDDAB36323F4ED8C2CE32EA38365A074FF4F4F02FB240BAE62690D002C944ED8E17E2189425E387CECE970392A098B2
Malicious:	false
Preview:	.PNG........IHDR...............Z=....pHYs...t...t..f.x....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F....IDATx...i...v....y.Z{...._.J.e..cc.....&.).`...pR.SE......Ec.C....+4......P\|IH..eDY.u.k]].{....z..#...Z..e.....S>.......^{.9....#...<.........\.K._..sy..~y......<..R...\.K._..sy..~y......<..R...\...\..s)..sy.../..<.B.<...\...\..s)..sy.../..<.B.<..R...\.K._..sy..~y......<..R...\.K._..sy..~y......<.B.<...\...\..s)..sy.../..<.B.<...\...\..s)..sy.../..<......+..o..;...\|.mD:O....y.;;j........+.....).....5./P.S'.r{{K....'O.q..}J..5.v@.N.pX.&\.[......3...;.J.'D...a..wy..........-\....5.....{w./~.K.m.....;..y..<...y.?.u....n..2Os..........=.F..t..~l}..wv.?c..f..>.w_}.o...gO....ly.../?x..7.....\|......*"....'.JUz7..C......?@T..........g..w........e...Z...5w..x.....7..T..`..n`...`q.i3.7O..)h.(u....,Z........\|...._.......;f..!"/.._Y....k....f...f..'?..oOZ.n.:...Z..-.D.fj.B.g.yBDq3..~.....p`..n.k....}9...zo?....w./...w

C:\Program Files (x86)\ClocX\Presets\negro2.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1406
Entropy (8bit):	4.79578084741415
Encrypted:	false
SSDEEP:	24:BEQrGXz5lrUBRSTOLX01rfPkp+dGm8JiX33NPeibQ0Wd9iBxLuQI:BzqFlQGiEdGmxtPBQJTiBxLvI
MD5:	D4C8BC1C07C0077783E15664BADF33E3
SHA1:	EF27B3AE33D84581098C96384784282E090AFAC1
SHA-256:	051468A847913306CF9FB5DCBF17BDDAB5AC36689DCBA6DA0374DBBB5383B6C0
SHA-512:	5F7C44CE2FBB1E4FA332436CAFDE4085A91CC55DFDC404143A586B3777AA168783F6D82396C57C443102CE9606E044845E5680209FF8234D78CCEC9E5FF4632A
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0xFFFFFF.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=12 ;size of AM/PM font....HourColor=0xfffFFF ;color of hour hand..HourLength=39 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0xFFFFFF ;color of minute hand..MinuteLength=59 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0xFFFFFF ;color of second hand..SecondLength=63 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand.... ;CenterX=60 ;center point's X (default image_width / 2).. ;

C:\Program Files (x86)\ClocX\Presets\negro2.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10079
Entropy (8bit):	7.847117851925215
Encrypted:	false
SSDEEP:	192:prca/zZV69AIpL/JUxeRyqyrujNobJMFS3ZkjOsFsBgBEEziuS0roY:pgUHUplZar3ASJkbFikMUoY
MD5:	F0F3D8BCA45643B990FB0E2924BD4AA9
SHA1:	6A60789BB15D0CEE548691A379C95F9BFBEE7B21
SHA-256:	FFCAF7B027D1C6E00F06437F1E4864417BDC4F2428125140118A73C6A6449B28
SHA-512:	0881677F642CA9C0135859B1B16B614D952E36C62A100C421E3ADF4DF6CA0D87802C3B58F5FE8F6256F5D9782041290B0F7A50C7BB1219382B0F0BFB66270AF7
Malicious:	false
Preview:	.PNG........IHDR.............<.q.....pHYs..u0..u0..3r.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o._.F..&.IDATx.b...?.(.......4...... .F..(......5.h...h4a......b.....II.$ %.../_.~..........br@,..@...hZA=..@..._..#&&.........?......><..\|.H.S..b.i.B`"J.........d.d[...hl.3FF...vZ@@.+........p...a.....\|.......y....(d...7....`B..((..X:>\|.........4,....x8._.o...FZ8PHt.;.50......,.>.\|.r.P........ .DO..U@FD..H..<.g...&...:".._Dr....'....c).....{.?.....h.!.....s.g\.....ZV.....@.7.Bk.DC.ZQJ...)%...s.+m2.f!.3.x..-v.4........7.O.>...N..jkk3...1(((..1...1pqqa...cb..."........r#.}...c.....<x.p..-..W...u....*..Am..C)^..h.&,`....,..?.f........3......T...(..>`m,. '...n<.c8.....,`..KVpi.Jd..]bx..!>-.....3./`)8$J1...r.....m'.`.S...$++.`dd...@%...O.]..B..\.....x.....3....~....@..s...?~..-.l....b..{....!..@...>\|....G!z..T.YXX0...2hjj2....=.Vb.+.........._...^..U..>}..nw.[B....~d.~.:.....N.8.K.3...~.?...a.......X}........ru...`ee.`ll.....H.% l.IK.........~....0.1}.

C:\Program Files (x86)\ClocX\Presets\roman2\roman2hour.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 70 x 17, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	2769
Entropy (8bit):	7.792620734470326
Encrypted:	false
SSDEEP:	48:WkrslCkP6Xi1YjEY8Dy1H05LdkKCMmXlpnXqz5yymUwKROk6D58GrQFfddu0:VrkCG1OEY8Dy1SiKxmVpXM5rJk/5vrQ1
MD5:	C0086565894CB169BCC489833502B612
SHA1:	B188D83FFD2BB7418E96678AEBF3F0FFD68C581D
SHA-256:	1DE95BC6957AFB9B2906C37235C62A9B6CCF09B1C7A3580DBF18CC2877FA08E3
SHA-512:	91ADF17A2AA41CB4CD78E1C1C9754DB9058B66412BB0389608ED20FA906A26800C0ABEAFF3EFF1E0EE3137D3B2D486FE72C49D354CBE83107B8959C1C18AA8E8
Malicious:	false
Preview:	.PNG........IHDR...F............]....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o.......\IDATx.b...?Cd.o%..a++kVd>@......_.x......N.&..F6.ffF.{'k.vf.............. .dca.?.....@`.b..?}.H..?V......X........UIQ..@..e.@...K.....Rl.n.?<.?...@....?..vuHE... ..a.N].8s...v,?Y..%%g.[...k!".s......k.lt5...6-7/...+`8??...9..b.....b.../..Vt8V.s...&M.a1.5....@.....l...r....._........._.l......e...'..7;.....L.@`dee...K.....~A!...b....b...?............K. ...J.. .............''0..f....[.x.fb.q......P...9...._.~a.....}..^R...@.].'...}..i,.JJ.a.^..?........../........c`gg........o......XX.ev.~.....o.`z..u......?0...\|................!!}.................._.0.......s...4."...#.;~....73.3..C..9..?S930...q.dcc>.........X.y.~.....wrwKs./0.2=}....._..s...7xt..&....._.>.k.<.... x4....`.e.F......o...1....]....,._.1...g`b....a.tR.. .......af.....i...}E.!........a..u.... H.......7....3.............1...B\X.-...M..._.\.......x...Vn........CxB.......3g......`>..b{z8...y..

C:\Program Files (x86)\ClocX\Presets\roman2\roman2minute.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 100 x 18, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	3321
Entropy (8bit):	7.851054365624773
Encrypted:	false
SSDEEP:	48:7Sn/kwui7s9kX+QG5XH9Ek8bRs7aQqGPUEButE468UBLeYLpTHfvijH7j1:7S8s7s9klG5NKCaLqbAtEP8sLTLprvO
MD5:	FEAAEA47FFCDD97BBAB8CB95594EF1C8
SHA1:	0E82A0462942C551F465CEE6ADCC5A50BAD64337
SHA-256:	0B0692E09562B1C694938126D1E9EA74FA90A57C0D9471C2E0A23CFE7CE5A48E
SHA-512:	9EC4183039ACF07801D9C77BF245F25C42A4A21736906C7E54DBF67A218FD76524D1A36A526C05964871B0C6255B4F9595B69903B619045AA6E32F23A4398150
Malicious:	false
Preview:	.PNG........IHDR...d..........K.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o........IDATx.b...?..y.Z@4.. .X\|...o^.J....?+3..#._..?.3.sp1..........?..~.``e.f.J1...#H'.. .H...@,A.a.?.~....t....,..._..``dbf`.fg`........v6^./_.3......@..........KV//..nn..]...2...g.sg,..VRr.[.{...aU.U.B. .X.={...?..../.y1....?.vw...U...Q....0........U.<..@`../^..o.>.R....@..NN..........t.o@...3.Dn......+......%...pH.6..@.....$h.,.@i.lZ9..{..Q.....z...&WJ.c....z... H....n.W.J..:4.Y..T.Fp>..N...w.f.R.v...'....\..........j....\u..U&.;;;. 1>.. .....g.".@..-.{.OWG.ff...L,..?..ep.q.^.P.E.Ki...0P.,..q....... 'o.....MH2...%.^...U...,x......+...yz..h\|...%...tVq...\|.XSB....n....pF.....>..A..@..`q..&\a...Lel..v..$...?.%aQ.^[!4..2..E.D..0......\*.L....'...!...<........Z.(%...u.T.j.^...@,......../....u............y...@...Y.!..o.\|............}...;.....j.....>..r............/]<.v...........={vq.........'..Y...........M@....gO^...c-k.....'.uk.i.].....oxX.........DZ$.Z...

C:\Program Files (x86)\ClocX\Presets\roman\romanhour.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 80 x 10, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	2837
Entropy (8bit):	7.765437921106241
Encrypted:	false
SSDEEP:	48:rmzGRbMWjvJsO1a/S+2OVag8MQBAYQ7f0wcGrdQiAn7y0Jyd2suRYhZB:r+GtMWm7/aOqBAYQRrSiA7/Jy8NRM
MD5:	D51150B7FA07035717F4007284A73C6E
SHA1:	62825D81670244A1652FEF4573F6B21FD3E61CAF
SHA-256:	96E532EB349DEB34228EBE3321E0727C3638A0A4F80E7700760C08A436B13DDB
SHA-512:	4C6485A35DC02BFAE6F1E2B18B6B49BB35FD1ABEE7FFE070AD0AB50F834AC44BFBB5062EA47DB701B0ACFEE8BB900E23F014966BFF8AB59D9D58BCCE6835B9F6
Malicious:	false
Preview:	.PNG........IHDR...P.........T......gAMA....\|.Q.... cHRM..z%..............u0...`..:....o........IDATx.b...?.......?....g..M.2g..............)..............\|.....@;:.##%.@JB............l...f..?.....1~...?'7/..........._.,....V...'Fq6....e...f...........=ZZ.nLl.....n.+.#.`..?.~.a.........../.?&.?....s.?....x..e...@...3.........n^..%.SB..........?.....dd.........?##./...^../!.....w.77..B...,Y"...7......d..........@p..Y.m].=w....7#...+.+#;'..?.X...........E>.............l.....a....+$$...... .....`...p........t.&.#=M.K..T...2.....g...7....TS?1a........1.0.a..........e ....SI....3....H....4.......?.l.\.3.Ob..*f........@.}...........x....^.Z.........T..........O.>0.......9kja.mnlR...+...'...?3HII1..e....#@.a8..Lx.%s&-...../~^.o\l...............l.?....ch..... ...........p.y...._~.........9.V.Hfdf.../.`.0...........?...A......a...Mf.V......w..K.....2...V..._.....3..d.&....X...2.d........P../.._fF`v.......O.1.h[3.S2.33..O.TW...L. ....^....W\v...... ..,...........

C:\Program Files (x86)\ClocX\Presets\roman\romanminute.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 100 x 9, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	3158
Entropy (8bit):	7.824208485673109
Encrypted:	false
SSDEEP:	48:3AzX0UHGEFpLWR5XgeqLFOYhxzRnwMdsrnYPcds1oIFFTth5bNMuv5qWBR3hxk:wrdGEFlKJg7LFXx9nwMdeldsa6Ff57E
MD5:	A86418DBE12535F31E5E73B3DC7BAF2A
SHA1:	F080EA7232635292A8BFC14F7139C2DF009CD70C
SHA-256:	711B797C47B4D076E3FEA8FF4049DA416FDAF36550DF6B913A2399AF6AC5C8AA
SHA-512:	C3464D5A3EAEBA5DC85EF43039304EF7C4FC83B2472840ED0E3F102F7C92FC59E9BD4A3AC95970D490CC2E57480FA619BD580BE850E91F7B34890969B46F0B5E
Malicious:	false
Preview:	.PNG........IHDR...d............F....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o........IDATx.b...?......2........?...&&&.k.....`..v............. .X....~}.........?..............;...o>2...2.-........b.....of6f&.?..........q.].]]]....kv..)aIi.m..2......d.....F6.....ab..i.......f.......O...y.l.......ba.d.......:%..^fbdg`dbb............... ...h.....b.....Yx....~2.221...1......O........s...........d..~...wv....2..............4..L..?.w..a...(F.e@....d.db.#...,x..6A>. . ...... .X....,.......'..#...3'.....g`......0.a....-...O..?~0...1..........o....ObPTT.,"".... .X.62....9.l.l........&...@................%.(.........Z{z...._...d.4i..CG.\}}..x........@..<...R...8.5.......~...._....}........3.jY1.\|...'.A.`......_.C3...?.....1.(x.)............8\|......8.......~2xyy.....}x.......!....._....1.....r..&+).e..o....@x...`........ .X.....^...Q.........x....7/...........<.c=N`.f.+))..j...._k..z.>.......K.,epqua.f0.'9...:.._.~1...3\.z.a.......p..u.777nVn.u.~.d..

C:\Program Files (x86)\ClocX\Presets\romanblack\romanblackhour.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 55 x 8, 8-bit gray+alpha, interlaced
Category:	dropped
Size (bytes):	853
Entropy (8bit):	7.357114506944816
Encrypted:	false
SSDEEP:	24:VqpER+AftkhOqlEWJYK+HGhF4oXzpCkZix64h:ApEUJYe5JY4hF40FZZG
MD5:	042882177AAB65A2B945B6BCD293C7DA
SHA1:	5C7588DCE0DC34CC5DC4D4BEF84EC738DFEE6860
SHA-256:	35A3E61E917A23F068D2E4B3C2E7503B1C2BCA5D610F4A106BF686BAE441670C
SHA-512:	4EE1E7AEF13492FBDBAFCB6EA82DB94590AF16C60CA03B7DDFC7956DB3D2C92448F0C1A44FE9D653F59BE650FA7FD7C0B24FE7F0FAD7C692F1B26627D11007C9
Malicious:	false
Preview:	.PNG........IHDR...7............#....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o........IDATx.b\|. .p.a3...Z....!.Z.C?.9....@..@.....2...6...o.0}d....$..@..1M.<...:.N0<c.g...........$A....1.......5.$...!.."....7.k5.....&..............3.c0`........pT.D.n....`......+..k..Oh.fx...`..p..;.F..b8..s=..$C+.:C..^...\@.Z...&s.8.M.o.2..sQ......gF....~n`...../._v..'.^.+.0..]......... ..z..R....}b..........>.\|..%....i.5..."....7..l[~Ob.d.b.b.f8b.._..#..n.b.....J..Pl.. .....!.f...}..?C;0^..B.z.V3.g......a&.K....o.~...!.....s...;.........}`.T..... F.w.....f....../......a......O.?..x.<...7...W..3.l~...?o...3..........&.........~k\|......<....@.....2.....20dt.._.g.?..b.........../.?../...<.Sy.._.g...,....f.c`f.a.b..&.] K.......lc.. .. ?.E..y..L7...M..$0..........9.......o.).8..'0..C....../`...T........@...(.&1.......IEND.B`.

C:\Program Files (x86)\ClocX\Presets\romanblack\romanblackmin.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 55 x 7, 8-bit gray+alpha, interlaced
Category:	dropped
Size (bytes):	889
Entropy (8bit):	7.327700722895101
Encrypted:	false
SSDEEP:	24:rwlFZSCKBRDl7IBTwBrFKc+yFZZQrrDy8Bnz:rwYCcp7pr0cDFZmrr+8dz
MD5:	5B9B2F8241E1842B9921A1ACC940E78F
SHA1:	C8A28F4DEC48C4B63FE5E59AA7D9AF11FA709D85
SHA-256:	278C33465B3DA6829078264B5FB59293D261A97756B3781A2DA45AE93BC5A5B0
SHA-512:	FEE9D82BE6E74D1031BA6978E4279F7FE68510A263C2E419670759F47C7B8591385EB9EB77441BFE0D13B7A89F5C00BF6DF586B11ED1E46371986094E6D1FFCF
Malicious:	false
Preview:	.PNG........IHDR...7.........q.-.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o........IDATx.bx.....a..d........!..v.4..@.\...........j..b!...........&......H........4C/.e........0,V<.`.0....J...bd...O..C.G..v..W-(.e....G.......9.....ur.....(.!.............1......<v.=.@.+.6.:.:.............;...W....60...K3.2...........2k8.....J.X...4.bb........q+..g..'.33.1(1..a....>....7.{...u{.1.....P.....<. .@..x.`d.}.^...7.$~.......o..~......JW..........c..........7...........t..................."...i....M..................e.}...U....:@......t.E..u..M_Shg...a...PF..t..>...b.+.......p0.....Q..8B@...!'P....@Y...<P.../.....?..zk~sp.N.\\r.?........$..B..Z..N..~.)...........[&........L@..........g.IQ....&....y....0H..}..........'.o..<.x~..ae.w. ...X..z..1*un]1.3................_...@........7`R...........X.\|....6{.gl.?.I.7.G.@...T%...>`.13.........e.9bCNe....IEND.B`.

C:\Program Files (x86)\ClocX\Presets\romanold\romanoldhour.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 100 x 13, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	2908
Entropy (8bit):	7.740448337420142
Encrypted:	false
SSDEEP:	48:rmLJNMjy7tneNT+ND/whTKkxtYhremTYJCnJwcosFFnmOqdhJe5HLHxZznVnShi6:i3MjmeNTejuTKkxt+reqJwcFFhmTJYLS
MD5:	D57F357BD6EC6CB8E6B4113934C93219
SHA1:	D1C3760AD06626D717096D565DAA5DD279404AAA
SHA-256:	D8DDD4E4F5FCEACB7487CDC71DDC3E611987B1BACCF7110797E2F33726023DFA
SHA-512:	B98597FA630695033D409232BF2CA38BF49854F1A322D07CF1C4EFAFF8B1C5557F25EC8854F7241970AB1D50A1877B61566128A4D31619CE9C45683A084CE4F9
Malicious:	false
Preview:	.PNG........IHDR...d.........(..P....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o........IDATx.b........./.2.......,Y....k...3l......(. ..b.............-Y:a..F._ZV...3g."##14.....I........./. ........_.}c8p..._.P4...#.?..0...M..........@.(+...`bee..........yKRF....!....e.{...Y.vM...2.MM\..<.,#'._^Q..P..ys...3TUU...b.;..........L......}\|..1..O...\..0y.....'1....'O...2e..o.....'.0.........,.. .'O.0...\|<\|..........+.2\|....S .v....f...'...^.r%.'.,.. F...Y...@a.w.^...r...X. .WLL......#h....X.......>...72hkk3..........p...bafff.....@......'O..g..NN./_.\.R...?....P..HII1.....o..[.....pZ.........y.....V.j.E (..L.......0.....0..S.G`.............h."..?.....b..L.J.....G..%.$..-).E...@.......L .._01.!..}e..v.......S*(..{........0?0..... ..#.8.a..>..........30?..F......... 60...y..f...P..c... 1.Z..P...,.aj@...........(e..................k...._........Sz...y...,.Y..i.i.K.K.......+...?..F .9.....(W.........]9u..0..A...L...S...s.......?P........o.....w.

C:\Program Files (x86)\ClocX\Presets\romanold\romanoldmin.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 100 x 14, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	3709
Entropy (8bit):	7.8282860017277915
Encrypted:	false
SSDEEP:	48:897lfu06j8qtm8LF+2XKtC69+K06bqFoNUrtzi4pTGM+QjA3yn7o2/cre49YKq7B:6G0NmpXKcmqFkEte4pTGz3y7oNrhWB
MD5:	BEA6A1B4CC75E0A5D69C3E4EE40387C5
SHA1:	0A74C9554D2A88075D5F79C9CB308CC96FC22173
SHA-256:	AB47A5ADF204BC4CD1C14A7050FC6B1DC0DFA8C791EBCABC8111FDB003C45C17
SHA-512:	7A056097B6474538223A2D622F8FAE7095F2F1CEEAD789AF7683C47D9A72EA750A5E1C55FD107CD63DF50C30B832348E6DFF1896C16B03462152993F946447AD
Malicious:	false
Preview:	.PNG........IHDR...d.................gAMA....\|.Q.... cHRM..z%..............u0...`..:....o........IDATx..5........hji.LLL.........222.FFF.............SRS.....eee...5....~~~.........................111....m===....J..........1....}}}.....676.NON.#&&.....{\|{.......................QZF.?#.#.......0......~.../_...~..6._.....t.?...e.......i~~~................'............&&&lFFF.@@@............#\|\|\|.CEE+..........kjk.+**.........ooo..p@.F....E...w2..P.<.A.......j......R$oN].!..o.~.j...i:..+3.5..9`q.QJ..J)..x..Z.R.......1F>..p.....#.w...6.Yr......N...&2.u............ex..9.....\..V3y.4...........M...>\|.[.w.^.8..............:.y.u..../_.Pabb..{...nnk....22=...c`fff..L..`.....k../...^addd......{{{.rss....QZZ.?.0.A..r.0\|................t../.I......9.>}.t..I?.....X[[/........(88...........0~...e.M:^>.W..../^......O..G....#... W...........q.J. ...a.-`q...8.<(.A..r<@.1..ttt........6....jO.+v.....k..K..n...L.`.......E..R.....&.066f....'.........P..G..455...ex.....l.....e.E..^

C:\Program Files (x86)\ClocX\Presets\weemsplath.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1540
Entropy (8bit):	4.894560877458028
Encrypted:	false
SSDEEP:	24:BEZrGXE5lrABRhB0aKEszm1ETOs010Bi1ckpUdGIo8OiruPgibQ0Wd9iBxLuQI:BkqylUhB0fwL5n6dGJSuPXQJTiBxLvI
MD5:	1BA352511DC3D718D12F1FC7F9CB4290
SHA1:	52BAE52E80AC073BEA2F0431B956775B8A01D95E
SHA-256:	A613E004BA3A8616EAB72F42EF36B7425B40365A61AF112CE1CF0D79E871075B
SHA-512:	31CEBA1CAAC3845C43482450E61D71CD27F399A563971637283D260C9EDDE3E6C8829663E1F15975FFCF476F5AFEA8A37E7F1F71D551DD7EDA4F661718323B2C
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0xAC6C1C ;cut window by this color (default red).....;not used with PNG in Win2k/XP..DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x000000.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=12 ;size of AM/PM font..AMPMCenterX=92..AMPMCenterY=112......DisableDate=0..DateColor=0x000000..DateFont=Arial..DateFontSize=10..DateCenterX=90..DateCenterY=76......HourColor=0x0E1B2B ;color of hour hand..HourLength=29 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=4 ;width of hour hand....MinuteColor=0x0E1B2B ;color of minute hand..MinuteLength=40 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=3 ;width of minute hand....SecondColor=0x3540BC ;color of second hand..SecondLength=45 ;length of second hand..SecondLap=0 ;overlap o

C:\Program Files (x86)\ClocX\Presets\weemsplath.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 228 x 228, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	66278
Entropy (8bit):	7.99259953440328
Encrypted:	true
SSDEEP:	1536:h6id/CGLVRKm+KOx487IQdf8WCLAl/QMJlW3cyb+C4q:hDxCG2ps0u9ArWkG
MD5:	E4309650933F9B7F4F7BBCD07161047C
SHA1:	0C4CBE0F0D28B3BA2C2AED2C555B5B284B86BFA4
SHA-256:	B379E31A40387B9B80C7D7196B15E77921ECF612FF3B3DE114DA67E7F6D99612
SHA-512:	E47DBDEC05705FC4E789E8678F8C11985049DFBE8C4F99E38EDB47BBE3B11AF6A853D139AC687DBEFA348AA97CCD1F56BF60D65749C44A55BEC98379E90E6A25
Malicious:	false
Preview:	.PNG........IHDR..............W......tIME.....'..(.....pHYs..........iTS....gAMA......a....uIDATx..w.d.}.x_.\.g..DLN....A&.. H0. ...(..+.+..u.-[.cW..sV.M:..+R.%Q..@. . .09..........~.j0.I.k..D.8......~....,..<...X..cy,..<...X..cy,..<...X..cy,..<...X..cy,..<...X..cy,..<...X..cy,..<...X..cy,..<...X..cy,..<...x.O`y...G...%.G<..........!...-.[.....M?.....-..\|.....g..O}.o.@.].W..b....i..k.@.3......"....4.c,X..'..g..>;.\|.........?yj............2@....n. ............W.V.3.....m...}..,...0....i8..S....`d.F....X1(c0Z\|.a.>{Q...[..V.o..f"Uu.......8q.._>w..A...t..o.X..n\|.....w......W..5b..j..GB.nD^.\|.H..A..m..D...[-..E.0....i......b..r..}4...?.y.1 .0....Z.j.....iWa..+......p...'..._h...87v..G....z....G4...w;......GF..G.fcM..h..G..GM?......5..e..F@...0........~..4....$...w#..cP.$O..m.....~.I+.o......N....6."".F.LDF...q....V..z.p.r.a..S.....^....s.....f............28...2 .n..o>.a7a:...~..i.m.}...7.j.....DCVd..I..h..-.>l.RlD!5..l2..)..(....J...S.

C:\Program Files (x86)\ClocX\Presets\wonderglobe2.ini

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1471
Entropy (8bit):	4.866891600699003
Encrypted:	false
SSDEEP:	24:BEQrGXz5lr9Bx/aKy4dTOK01rfhkpGdGm8bCi1833NPeibQ0Wd9iBxLuQI:BzqFlpf1EY4dGmQD8tPBQJTiBxLvI
MD5:	DD1979CDDBE6614EA4FCE3617D2D8FCE
SHA1:	D5235ACE6190A103E02E52E1055CCDE04AF9C39B
SHA-256:	E6C0F7FC7F440FDCF18D90A84FC6EA75B487867E60C27DA3BD0A89C44ADD041C
SHA-512:	F64E7D03D0A41A79CEEF2CBDCA99D748A5F793FD8B8150AEF924B52AEA70731795DCF47C771ABB88C088F99DD99316AD05E962CBB917376428518F11A71A83A4
Malicious:	false
Preview:	;all colors are in BGR format (hexadecimal or number)..[Settings]..CutColor=0x0000FF ;cut window by this color (default red).....;not used with PNG in Win2k/XP....DisableAMPM=0 ;force AM/PM indicator disabled (default 0)..AMPMColor=0x787878.;color of AM/PM indicator..AMPMFont=Times New Roman..AMPMFontSize=10 ;size of AM/PM font....DisableDate=0..DateColor=0xFFFFFF..DateFont=Arial..DateFontSize=12....HourColor=0x33CCCC ;color of hour hand..HourLength=27 ;length of hour hand..HourLap=0 ;overlap of hour hand..HourWidth=3 ;width of hour hand....MinuteColor=0x33CCCC ;color of minute hand..MinuteLength=42 ;length of minute hand..MinuteLap=0 ;overlap of minute hand..MinuteWidth=2 ;width of minute hand....SecondColor=0x553FFF ;color of second hand..SecondLength=44 ;length of second hand..SecondLap=0 ;overlap of second hand..SecondWidth=1 ;width of second hand.... ;Cente

C:\Program Files (x86)\ClocX\Presets\woodone\woodhour.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 40 x 14, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	2290
Entropy (8bit):	7.700327487136672
Encrypted:	false
SSDEEP:	48:LLDh2CM+hIEWlV2mEGE9cx7g+SNpWmefyAZZJDrS:LB2oe5lVEYx7hSNCf7Zfe
MD5:	2B3AB55EE12A47F5A20F8CFA2D46724B
SHA1:	1FB28F49EC9D8F2B7E90EEF82CFA48C5B7BD8687
SHA-256:	40A519F829558E1BD12C88F891125420079D40FF3C10B5940724F8D27D69D4B3
SHA-512:	777B53C0912C99A4EFE0B7D91BBB8D24CE4D74BAEC12DB92905976E4635BF23FC69126309D2BDA7579328170B963B0B8A6D66AE5F84C68BB8823F4AC9D79C878
Malicious:	false
Preview:	.PNG........IHDR...(..........n.....gAMA....\|.Q.... cHRM..z%..............u0...`..:....o.......}IDATx.b8t......>........s.+...b.....0a..{...imm9..... ..:...........^!Q...[.1....I...u.....ny9I....4......7.........9;../.?........_.s..SSQ...3...)............``^.........vvu......................7.......?g...?.%e...f...'..HHJ3........g......Vx........Sg/2.y.~.}..\!@..ps.2X...).)....t........../?.Y....U.VVV\|.. .I9i.K7o0dee3...2...........hlh..../.._.1...0l.2<z..!........._...=e8{....L...e...N.\.bm.K}.'Oc........ ..W.....Q.......P...POK....,KNV.&&#...........,++,....!....232H...........f...t..!.............a...99.L...lll...+....L..6........N..1.1......h....=...[VVV.w.>\|.......Q............................................pqo]........................??A.................^..=w........edaae...?.##.....D223_..G\|...8v..=......@L..<K.=w..{..........iww.{..>.z...?//.W.t!*%).63;.....?w...j@K1....Q...................r...rNLH....{................\|}~........(...........i...

C:\Program Files (x86)\ClocX\Presets\woodone\woodmin.png

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PNG image data, 60 x 9, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	2317
Entropy (8bit):	7.655538415930818
Encrypted:	false
SSDEEP:	48:3Od6w3EFNTi5xexqAPIzGS/S1eRl65PlgmpXnoBjuuSTq:3OdrUr+DqcieqempXnOvSTq
MD5:	71E6CF4FCE7A3C0088267F1A71ED8630
SHA1:	94B3755BF1077F8C52FFA7450DF6094F1C72E939
SHA-256:	EB308EFA319EA51E367092AAE0BD118081C0340B6ACAD03C1D55E431E33469D9
SHA-512:	C0D7A288D8425B3D4B22E9F48FD47F22095A631C41F6F67E0F364FDD41AC3029325B9133987C8CFD59B7816FAE02D4ADD0A6E16E923B422BAF175A062D025912
Malicious:	false
Preview:	.PNG........IHDR...<..........L......gAMA....\|.Q.... cHRM..z%..............u0...`..:....o........IDATx.b.s..#.3....3.z..AT\.AOO.!00....3....!............,-+.........1/.................?@E...............qqq.......YQQ.....BA!...B..V.6..b.........=....+.6}....@DM....:....48<.....BDK.....>?D.KLQ.STY.:;=.vwy......1/......eii.....""........e...y.......:.9.......FFF....c..Tg...=....;>F.hfb{....11/.........kmm....%".c....+.....11............=...._^b}........jjk....j....................888...................y...........................-...............................W\|~}....b`^.........???'zzz.....1221...N........}}}.,,,...........y....................... ...............{...'................tsy.EEC..&.......=....................HHD................................?}.d..z....?\|`.6}._[;'....0...MIYAm..7......)].n..Z.:..oa`bffPVRbpttfpssc......W..+V2<z.....[ggg.WWW.........@...ED...V.........sf.v.\|..:......o...YUFZ..............=y....{.....7.0..8.\.pA.......9.Y..&.w...........

C:\Program Files (x86)\ClocX\Sounds\alert.mp3

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	RIFF (little-endian) data, WAVE audio, MPEG Layer 3, mono 8000 Hz
Category:	dropped
Size (bytes):	10858
Entropy (8bit):	7.814865066990573
Encrypted:	false
SSDEEP:	192:0OQIOBHC22Ddnc+uCpmoHrXAUyZyYLTPr6L3zCY+dEE2apqgTMUiirzT3wa:0VJU2Sdn6CcyAKY/e7zCYmEE2e/iif7r
MD5:	74053F5E4BF6420F04AE67A74BD025EB
SHA1:	EADBDFA25C6F7C14D7EE06D557AB8449B9551334
SHA-256:	45950471E4FAF639815B99C48BD87C140610DCB587C0A9AF1F941D63A7500D78
SHA-512:	B5754571FFCF47240084272D0DF068AC1830D870A940379DB993214682D04777845C8DFC637B6119161D9600E8574EB77F5749472C69F07A815FA47CF20F600D
Malicious:	false
Preview:	RIFFb..WAVEfmt ....U...@.......................q.data0....(...B..YF..`....<..D....,..@...@.i...B,.lb.A....I..&..!(U.D....W}.......@.8.......b...!Wx.0Bw8..A.8....Bw4........"".8.C.)....Q@.@......._...(..#....P ...-.mf.......`...\|..S..0.D..`/.'....)....I.=..4..X...j.cq.1..=....%......C.'...N....\|.$W8.tY.......'2\.3`..l.a...$..z?.........(..!....P..G................}....3.a..T...~.~@a.6T.1...Sw...I.Nz..s.....z..d.......s.....0.c.p..5......:.4..3..(B.d..V.=.dZY..8q.M...ja...(....................b`.LM.9P\|4@..07.....a....R....E...A,......%.SJJtdd,X.,...6+&..U.#.../..{[......._..z.R.j`,.....(.s..............J..(...B...X.....Yh.-.'...Mi#s$...#.....'..=Z.hp;.dB#.s.3K......RX..iT.......9.E.T:z%u."FT,....2.5O.w+s)..xt.....m..s+.&.Q...,T.++....H...(.!.:..@.!.".P..a.rAc..........,..1h.S3...i.....?Q..o..M..eidNF.y.w. q..\|....4n,bq_.R_.q...`..;.=.).....`..z..w....M.E....&9....;..2...(./....$S.T..`.L....R....{#4.o...C;.....:....%.D~......C.........?.R..m

C:\Program Files (x86)\ClocX\Sounds\beep-ClockChime.wav

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 7418 Hz
Category:	dropped
Size (bytes):	4022
Entropy (8bit):	5.677177270084845
Encrypted:	false
SSDEEP:	96:mzWFPsX5MewbZxnvkQRti2glLf0KpyhF7YdBF2eKAtFjP:ma+MewzkKglLf0Kpzy47
MD5:	FEDC74E595F352049284195DE8E75F09
SHA1:	8CF9D3E2D8152D843122358E10F43A66935EA5AD
SHA-256:	1F4A7272783E4A28B0BB7A73CF832F75D0D1358A99555A1F84C9CECD52D2A227
SHA-512:	0E78BC04BC8C56AA886F0E02BE30B34B4B6EC2415801CF1DF0EB5A2A4465D71120AB71C88B778A429B4CFD55E2F06279DAD8B513B5F41E6061F9F8055F717C59
Malicious:	false
Preview:	RIFF....WAVEfmt ....................data....G.j.hqG..Yn;..[e=t..FM...V....m&.....q.../gy\|.MYwy.pXvg.bvL..s.>..p.)e.\|.IX...V7.\|..D.q..Cya..Vw\..htYd.v.dO...z7....2....Ag...Ya}t.w[wb..bvJ..s.F....;e...MP...e>....C.y..Fng..Xg^..yp^h..w_M...q:....8\|...D\...aS...yRnn..YkX..hnO..}yGm...XY...eC....Dv...Mjy.._\d..ye_p..nbY...mJ....Iv...L[...dO\|..}Pm...^dh..ne\...mRp...[^...gP...\|Jn...V^...kVm..._bz..k_j...eY...nSn...X[...jSz...Uh...bYz..wYh...a^v..p\e...eYz..tYg...dY...vSt...Va...hXw..\|Yh...dbk..te^...qYt...^_...gO...}Lq...Xe...g[m..\|bgt..mha..zpR...\|Ps...U[...hR....Mv\|..Xkk..jnd..ys^j..\|dU...qI....Fv...Rh...b\\|..._vm..aq[..nvM..y.Rq...YV...qO....I.\|..Oqm..^pj..pnde..ynR..}zF....Fz...Rj..._X.w.}X.h..Yz^..h}R..q.Yp.}.aU...yL....C.}..Jvt..^ttz.nkmb..vwR..w.I....Fw...Ug.\|.dU.v..U.h..U.b..b.Y..p.am.y.eR...yG....D....Jsy..^p\|w.qkyd..p}U..p.M..w.Jt.\|.\g.}.hS.w..U.m..V.j..a\|a\|.m}eh.w.jU...\|M....J....Rs...em.w.tgyg..jzY..m.U..w.Ut.}.dh...mV.\|..X.v..[}p..bvgy.q\|mk.}\|n[....U....S....[p...kj.y.vawm..j

C:\Program Files (x86)\ClocX\Sounds\clockbell.mp3

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	MPEG ADTS, layer III, v2.5, 32 kbps, 11.025 kHz, Monaural
Category:	dropped
Size (bytes):	12746
Entropy (8bit):	7.867655419483201
Encrypted:	false
SSDEEP:	192:iUmkPm5hJwn66NNF7I/b+aMcErEsgneaOaGZHReTKNlEvLkzu6462qvpS34Ocgt+:iHGmfCxqi/cErInATx5mLYu6AOOcfr
MD5:	F29BE0977BEF501F9CC2EB3473A7EC03
SHA1:	FA32D1AE499B0726E98266EEF416F288C5E43C8D
SHA-256:	11F4A5755D5ABFC2E6470C1DF2CB67983CCCAD1F5AF8C16E8A0B47321A862FCD
SHA-512:	8AB63C7FC1151F12625624092948F763BA22215D9DC0263D372FDEEFC70E14D1A9992D10D655D7778DCA936BE50842780FE7807D30605FEA295CC30FD58767EB
Malicious:	false
Preview:	..@..........Info.......<..1.............""&&..337;;@@DHHLLQUUYY]bbffjnnssw{{......................................................:LAME3.96 .7.....4... $..".. ..1..3P4.........................................@..+..D.X...F),r.n_0...x..Y..:...19..t..A..k.`.S.. ....n.@8..CH...G.....S....Ha.5......qL.QM"..b8..eq.N.....bY.{\|.y.?...q,.....B..d.}..!..g3.$bY.%.wT..f4.......r.. ............} .......@ ......i...B..0r.._......p....\V..G...g]. Xv.....'.eQ..h....8.......(.L..]........\|...(.Mc7.D...#...-.<Pv}.us6..H. 6.9.y.k..n.w.........k......5...p.~S.......v_...............$......?.=_I/...%...Y..w&.$.N....K......B..1s.....HH..E...&.@........."...tdI.+P.~...F..(Y..z.,R.aA0..s...32>u. L..r..>.H..d.1"..$..]....`.....{<.5..&%.......ti..S-Tl.Ff..AN.i...M...$.PZ).4'L.7:t.jO3e..d......(...N....;......Z......9...B..0.r.......Q..aFP.I.fU!@y.*.nH&z...@Z.....L.......N..w.[4..&+...-.6P../...nj.....Jb.T.a..;........D.%..~...>f.+ p..~..?K..?.vI....QOu.K...ZS1.\|}@....,...jY

C:\Program Files (x86)\ClocX\Sounds\ring.wav

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 11025 Hz
Category:	dropped
Size (bytes):	10026
Entropy (8bit):	6.186386196222228
Encrypted:	false
SSDEEP:	192:AHTBu49v6XhLYxXnIt6cFg9RdpVBFx3HYIQ04PpQlAZfu17QfW/Dtsy:0T19yRLYdnIt9+hpVBX3M00QlOGQfGDt
MD5:	5549AF0CBB0CC2F1AB1A1DD52AC3531E
SHA1:	22E51923C9365EDB643B68AFBC8C44D0DA25112A
SHA-256:	F32A30899D104EF03CDBDA1D433015982CE34EA1D58481C1E437D56C92D2F5C6
SHA-512:	870F6A04AF68BD68A8922972399FF5609D06CDD92B3D785E05B71BA60929B6D0CD380FC5C5365DEE26F69D9C84D85C34A57EA51C8D41D96A06FEFCB044B4AAE3
Malicious:	false
Preview:	RIFF"'..WAVEfmt .........+...+......data.&..{0e....vS<zz..jtnP....u.u..Vu.x...lGzq...j>v...z.M].o..l....[.bz...zAex....RD.t..}.fs.k.vk.v..Wke....a<ua....X\ok..t._p.s.s..{.{S._....e\e]....X[zy....].~d.fx...uigK....gSji....Ryvf....v.x}.Q....yZk\....`u\Z...~]~y..Xxsl..xyUsv..z.g>....{.g}.`.._....`sb....s/p}....UW.f..f.vs.k.jy....Cso....`Do[...`Pqt...._.._.uy...gIsL...fG[`....M_.`....u.ya.I....v.k[.x..lduup....Kq.u...ie.[s....o..nXu..~.HRet...[LaZ....uazy..z....elqy...}UdS{....Zbn....tn.pu.~....ZiUi....\UU....sZvf....}..f.ki....i\Sz....VjX{...olk`..u.~..xq[s....\iUl....qjQ.....q}s.}..}..izde....sj=u....e`Z{~..j.{b.zk....xnQp....`ngs...}s.[..o....x.Z`....adSf....byRv....y.o.lf....so`j....nyZk....up[..v.zy.pxns.}..l.Q_....~kM.....y.k....z..n.ki.....xGv.v..kxLl...x.uU.uk...~t.X{.p..v}Vu.....uV......sk.o..g..z.uvq..z..Gz.....of.p..f.xb.z.yt.s..\{.t...q[~`..y.xX~...y.bz.l..g....b{Wy....Wnn....]b.j..v.q.}l.ak.u..gtf....n_.b....n..z..~.o..{.k..z..b.[}...}{b=....nvuu....f.n_.s....g.{i......zf.

C:\Program Files (x86)\ClocX\Sounds\ring2.mp3

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	MPEG ADTS, layer III, v2.5, 32 kbps, 11.025 kHz, Monaural
Category:	dropped
Size (bytes):	6686
Entropy (8bit):	7.823729077076571
Encrypted:	false
SSDEEP:	192:gFG+4dGvjjICGxrvRRIOHmEaS4VwpZo0TuoMa:gFG5QfIxxrpRIOGBS4Vw4auda
MD5:	FFE63755C41C834CAA3D4967D099108C
SHA1:	B3C86A2FBA4123DC1A107328B810C64A12280936
SHA-256:	F6F4AD8F998096B329677BCE8CC1DB37B6923C5DE6761328DD5C3EF6A49CE892
SHA-512:	A60C988C41B0642D9BEC0D6E3230C1B18A26E0558D7E0864902B48C09E447114E1CB5ECF7625B9512D0094E300676B5AD73BC10ACDFFD32DBBE425FCD584AF25
Malicious:	false
Preview:	..@..........Info......................!!!))))111999BBBJJJJRRRZZZccckkkssss{{{......................................................:LAME3.96 .7......... $..".. .....N..........................................@...Y..`..0.C^.....R.....z.sJ#.Z}s...N!{...x.+.<..D..n..n.\........<.v3....J.AAAAC...C%..w...\..^...w.^..X8P.qqs..\....\..r........<.....[........./i.A.S.../{.....!.7..t3 <4].pD..-k.Zg..\.....X.8..B..0.Y..x....$30t.....7.N0.V.2iC1xf......&.S..6e<....j:Mr^S....r..;m..$+D. ...a..K<.c.m..$.R...RPN...(..$..R;@......i...SP.u.e[.I.+.&..-......NO7.......Dd....(....$-.-.l-...[..yL?.}.........-..>Z.?e..B..1$]..OH.i.+$5i....2....J.....S@...$.nS.09%.. ..j.Q.s.%.m.a&.....&..Ia.r..)..=np......g..=.7.....n....G.A.L.]zp..1Zb%.#.@...[M....P..l..r..w.f8...U.@M..5.E.h.I.&J.B.....M....P..>.._.g...".fm.3..B../.v...`...6....9.3.I..4.....1..s...].e......*..dtrh..UF..Y.^]..]..n.:...z5.h..y{..[2<...t.B.\|....r.f....].2.1...\."v.9.A.{.(.04...E....\|...I.......)2.

C:\Program Files (x86)\ClocX\Sounds\siren.mp3

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	MPEG ADTS, layer III, v2.5, 24 kbps, 8 kHz, Monaural
Category:	dropped
Size (bytes):	8208
Entropy (8bit):	7.8522466183279285
Encrypted:	false
SSDEEP:	192:5bcKdv2kGc5TguhA4i+Xguk4bAhwZbA7HThwkK0N5KIzA9j04cn:5B2Y5Tguh/guAwZbAr191IJcn
MD5:	59966D556E3973DAB3FA5B70683C3729
SHA1:	9E6A68D02C46F86C17B310A87FD9B6C1C3FC1B12
SHA-256:	CE8B62E4D4F14D50861EB57F67107556984F06C85F6EB3A6208DD2E42B027452
SHA-512:	27280A5FB62D3D8E0B6FDEBAD8941E783F13D850B848FF485A2B65A41CE7607384039CE8970B7D0F55EF268416CCDAEEF0332E9275E90167F29376EB51131D01
Malicious:	false
Preview:	..8..........Info.......%.. ............""")))00777>>>EEELLSSSYYY``gggnnnuu\|\|\|......................................................:LAME3.96 .(.....8....$.."..... ......................................................8..-s.!F`.A...d.L.......y0.:&.F.M6....#?..F..gkk..R........9....4..X.5..f~..b.l.g^.Jj.u..7..)I.....4....Q}.......,.s......9.^..Z..";.......`.gN6....,.u.)I.&fff.33I..w....?.....=.`0.......`0......rX..8..1..._...b....T...kV._..2.{.$h.q".U5.AM2...P.......@....-V...[6Y8..........D. .,.~.o...-...X..$.>.X*..../.9.Y......+.@k.. .\|..1...Uo......6...{0.$...".@X.z....\D._B.'qJ."...o.._g.....J......^.kp`.Q.l.Z....<$..8..3.R.E.x..-..h..zMXNU._o..c...t..b..x,..:uB\^..W."6mzoX..%!...:.z.6~.X.1h..~.E....6k...r.4.Z...$....um..#=.+#..W..G.u.....k...:...3^....y;...\..N..Y...j.5......?..HW.~.4.o....k.e.Mo~.jX..Rp..L.dYG....p.%..8..1tJ.....S2...8..;.A..8..........R..+.$@..A.....$.6..>.....I......h....<d\|]?.d(.Kti.5...V....P:...F.A:........t..t.X

C:\Program Files (x86)\ClocX\Sounds\trumpet.mp3

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	MPEG ADTS, layer III, v2.5, 24 kbps, 8 kHz, Monaural
Category:	dropped
Size (bytes):	18360
Entropy (8bit):	7.907116897949521
Encrypted:	false
SSDEEP:	384:O4aEJEp87W0A3vAADh+9gZCh4UzWEuZ8l9E9Zsjjh3m5:O4Hh7WL37z6zWEueb3Q
MD5:	A8543F9F3BCA2D1D1E610A2255644CA9
SHA1:	A94B4154825BB1EEE6704FAD78AFC4ECE10BBCCE
SHA-256:	04B44BD2F0D96D81475F9E5D18C20AA70B37C77F1F60570FF448DA25A9C78754
SHA-512:	AC700D10B8102898961BCB574A84FA88238C749F8941E16A0B58C9E3AC6E39488DA1D515B1393A4232470AE9ECF14AD43AB74BC91606EC3013211C577276B09E
Malicious:	false
Preview:	..8..........Info.......T..G.............!!$'-00369<@@CFILORRUX[^aadgjmppsvy\|......................................................:LAME3.96 .(.....Z....$..".....G......................................................8..,..d!F@...2... @..#..."#.. @..3.DG{.&...@..Jqqs..D..1%....ww..w...2.P......... ..7......"%\|......{............&.....p...."""......."'%.`.....(e.....""#....4..=.....7.....1........`@h4......pp.........74....8..3.Z._.h.y$]o..(..hb`d9......&.=.F.....R..x..1......2.@U.Y..X......!...7......&....FP....H..o.\|.!s..V....Q2.\|..A.......8... ;......).F.....p.d........L.. @P...c...Y.(..h.)..s...@.w.D9RQ.V..U.U>...".Y<.......8..3........L.....u.....^$.e....... (..K{.....:H.J.$g..Z.$...2.........j[QY.....$L.H.{(.z.JY.P.1wY..... ;..(.1.. d 0..j`....dU..%U".<.%.......Q<....d..D.q!..`>7S......tT...I)#g../..F.Dd).U,......ac..o.Oa.-U.....8..2.^.5.x....nf..K......<.e..}.d/..1`.1).[..{g{.I..!VUVk.u.R&.c..=7.........'......g:.q....\|.{j.h.....-+I...HQ../.J....Q

C:\Program Files (x86)\ClocX\uninst.exe

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	53876
Entropy (8bit):	5.750302372670251
Encrypted:	false
SSDEEP:	768:EGn4o4BL/akfpI1nu0LXGS8BPfeyWMZtuHvwbtOuIYdPc+92TUXr6fJkdn:D4hwgonu0fJytuPwbdNc+9aUXr6fJon
MD5:	3387961372FE91C2CC69B53180CBFEE4
SHA1:	EDE6FB0D2319536EFCA218D461425D2ADDFFD88E
SHA-256:	DAD57975BE6833C50D32EE77212ADDF11A80195D82365ADE6042234E492BD845
SHA-512:	F6551803B90934A5555587BC81B4758B21FC8BAD1653F298846E2195C797932893D761249F9CF527E95809FFC0BFD785872F0B42F56E8ADC64BDB06C63F09C5C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..F..F..F.....F..G.w.F.....F..v..F...@..F.Rich.F.........PE..L...a.d.................d...........3............@..........................0............@.................................0............L...........................................................................................................text...jb.......d.................. ..`.rdata..4............h..............@..@.data...8............\|..............@....ndata.......P...........................rsrc....L.......N..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\Accessories\Storage.dll

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15460352
Entropy (8bit):	7.999687614251037
Encrypted:	true
SSDEEP:	393216:ktW7Z8DPnGxHGqJMsiQfMuYn6BMmeAxPNOtkMb:qHnG4nmB6kmyM
MD5:	3458A748A9E64402510F140B5CC5CE61
SHA1:	13B4A24B2FF052A59461826498AFEE699E40C261
SHA-256:	3030DCBACC4D14ABFFD201088E7628F5EB127E0949A6ED102EE5E75E6BE05109
SHA-512:	49DE5C8ECA376FF0B7F1C238D9465FFC2176B992F02BFB2002AFDDC24B00F197618DEF6FA8652A0D2E08FB06B43038AAB99E61873BEC2A254FD0EDBB01B14B29
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........jw...$...$...$.S.$...$.S.$...$.S.$...$...$...$...$...$...$...$...$...$.S.$...$.S.$...$.S.$...$Rich...$................PE..d....W.e.........." .....b...................................................@............@.........................................P...e.......<............................ ..x....................................................................................text....`.......b.................. ..`.rdata...8.......:...f..............@..@.data....9.......(..................@....pdata..............................@..@.rsrc...............................@..@.reloc..<.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz14B.tmp

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	data
Category:	dropped
Size (bytes):	717308
Entropy (8bit):	7.999713741633748
Encrypted:	true
SSDEEP:	12288:3Fn9hes2d4A3q+dLUeF/BppGX4BGAHY1vkylkW044wFlfP:1Ws64AaiLUeF/YX4BGBv9lkW0HONP
MD5:	0C42DBAB7F16FF55877DCAB817476A7A
SHA1:	BBAC8051DF8C4D571D7CEEAAB6C3674EED602436
SHA-256:	55072C33F4900EF1A1CBB57FAAF71D4D36FE2EE34F769BCC55090F48EC21638D
SHA-512:	21E98FA899E92ECF85B5913060ED4BF44C70D88DA91BF5E4F7041BF1EB3A5541C9C19E660F0D281DE9976AACF728731F77F55DA5BB611BEBB47EF63330620BD1
Malicious:	false
Preview:	...e...,7<.z......a...,7<.(W........,6<.(..e.`P.@.[.,7..(E.....N.<.\RYbE2....Q...3H1H.y.Uj.jM.)=6(...j"8..k...E.D.X...z..C.l.;.d%.j....2......Qf.,^?6~.CL.......Z....i..[.g..S..R..H..2}\!k..v...`.n...B....'.E..F].lc.......Gf.NWt...6D..mz....`..{c...e.....z..[.U...@.......l...$.Z.3..>..z..x..3A.!......kg.s..L.....J...q..EQ./..S.N.....:s...K\.!..0.-.H...-u..zX..C1....e.l.h..&.<.e..U!.K.._.....tXi.....W.Q.a....wi.P.h..g..,.C...<.AJ.^.G.,....x..[....,..4.......]......[...+S\|r.T.i../.'...G}0A...f^....v...4o......T.^..6...@/...).jH..H..~`....=.:Q.Q.S.q.....{W.4....x.<+....zR..Z.\%...U1rH..G!......?..'vr".5....K"2..%9...;....z..o+d..h{.;...n.>W?..l.F..;.Lp......R.D..............Wc..t.........nX.D.)gC...:..0..\|..7..b.y.M.......C...\k6N.\.b(&.t.4..X.a..!.%..x.S......b.....L.<F.f...`.C]..?..2.1..)<.......5g@m....\|...^Etl_.....a...#Wi~tOC}H...ZST.Y......9\.&H+An.jsu.4...e.]S.W.....`y...k5'<..1...(._..p.. .....O.......}y8......Oc............B..

C:\Users\user\AppData\Local\Temp\nszFC.tmp\Checker.dll

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	42496
Entropy (8bit):	5.874068067847773
Encrypted:	false
SSDEEP:	768:ENZoBQfjXtKahyIXlQWBh/GxHxn2hEDVyx1jZvC9FN:ENZwApK0XlLYd9oY9L
MD5:	8DCC038CE15A235EA9E22FC9663E4C40
SHA1:	CC702C128E3035D42220BD504D6C061967D3726F
SHA-256:	64B23AA5CA4E2E516FAE3D2480957D6F1065C91CAA930E0FFAC2BDA1CADEA76A
SHA-512:	BF81FEE736E02680B2D5CD23DD360430B9BD97AD1F75AE9485E82B548F61B83A092C5E17A4D537A06ECE6384003AEB9B7B9E7EAC4A7FFB2B371160570BCE6B81
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 6%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.dI6...6...6...-...(...-...8...-...r...?..3...6...}...-...4...-...7...-...7...Rich6...........PE..L.....e...........!.....T...N...............p............................................@.........................0...c...D...<...................................................................P...@............p...............................text....S.......T.................. ..`.rdata...+...p...,...X..............@..@.data...\|...........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nszFC.tmp\Zip.dll

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	6.189898793447208
Encrypted:	false
SSDEEP:	768:0qzEOfLo2T0pHES42P2wsSrSlAKL0RvTZTEeo9L1Po0OQuiSKcKysNU3her9dohe:0hQspHrXK5eKO5KysyxAd4CDR
MD5:	0F459C2BD249A8B1F4B1B598D8E5299D
SHA1:	CA47103107CD686D002CB1C3F362EFC5750BFEB4
SHA-256:	ACD3D2B809C320BB8B93385212BAC23536BD6894E8E2638A5E85468CCD54FB3B
SHA-512:	1A7E6E48EE9D966A59082F2AD3B6405D8BBDC1A45F54DEC1DE9FD1A16B34BB0DC422683ECFFD5DFB484DB3C5C42CAEA410D49DEBEAE50BA3979520834212AFE0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5...T...T...T..C.E..T....C..T....w.T....v..T...,N..T...T..T....r..T....F..T....@..T..Rich.T..........PE..L.....e...........!.........n.......o.......................................p.......H....@.........................P...W.......P....@.......................P..........................................@...............$............................text...I........................... ..`.rdata...I.......J..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\ClocX.lnk

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Jan 14 14:48:34 2013, mtime=Fri Dec 22 06:10:06 2023, atime=Mon Jan 14 14:48:34 2013, length=2090496, window=hide
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	4.556220216060472
Encrypted:	false
SSDEEP:	24:8mEwmES0dOEa87hAx1Mdjuggdj0UU83qygm:8mHZS0dOH8Wx1Mdkd1Myg
MD5:	EFFF79EA48655DD8E05796FC1608AD9C
SHA1:	473B1EE0352298C68A3658F92553C500BBCA2E79
SHA-256:	AA0A7A01815120F3505E0D0C7DEEB687C93192E2C48216ECA6B7BAAEED516982
SHA-512:	4404FF3B2C6CC0AFB04FFA72E6DB83EC530D340A3D2E5A97479D8CDF1B3F9D737D6FC33B5BD2141FC1E99E277EC91426A3293ECD5066FA0B7FEA0C4C4C4FC563
Malicious:	false
Preview:	L..................F.... ......n...W...4.....n...........................s....P.O. .:i.....+00.../C:\.....................1......WC9..PROGRA~2.........O.I.WC9....................V......B%.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....P.1......WH9..ClocX.<......WC9.WH9..........................y..C.l.o.c.X.....\.2......B.~ .ClocX.exe.D.......B.~.WD9..............................C.l.o.c.X...e.x.e.......U...............-.......T............P.3.....C:\Program Files (x86)\ClocX\ClocX.exe..>.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.l.o.c.X.\.C.l.o.c.X...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.l.o.c.X.........*................@Z\|...K.J.........`.......X.......138727...........hT..CrF.f4... .....Jc...-...-$..hT..CrF.f4... .....Jc...-...-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\Uninstall.lnk

Download File

Process:	C:\Users\user\Desktop\etopt.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	810
Entropy (8bit):	3.3551272351293973
Encrypted:	false
SSDEEP:	12:8wl0k0a/ledp8CUJcpK4ZbdpYmp50y0bdpYmp5uQ/CNUvH4t2YZ/elFlSJm:8oudO7p4ldjKygdjrOUFqy
MD5:	A2D126A133064F13607C676B3F637191
SHA1:	43FA26D22C1FB11DC817854CD581A924CA7C28BC
SHA-256:	CDFE300702CF0F14AB4B716036FF8E352584CEAAE53F02DD5214366143F0EDDD
SHA-512:	B24A6C5CCCBAA348C736EEF0108DBE823DD769E838417EE3A3773EECD9B299A65400C922AF1DD2BBF58D867F7F4171FA30A842CC450DE40AB9DCED53DA7174E9
Malicious:	false
Preview:	L..................F........................................................Y....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".P.1...........ClocX.<............................................C.l.o.c.X.....`.2...........uninst.exe..F............................................u.n.i.n.s.t...e.x.e.......?.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.l.o.c.X.\.u.n.i.n.s.t...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.l.o.c.X.........*................@Z\|...K.J.....................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.996381968139493
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	etopt.exe
File size:	4'544'252 bytes
MD5:	f77abc2f79780428ca514c0041c8b9e9
SHA1:	2d2bd0cfe56fbcf3c1ca78790927531b5219a5a0
SHA256:	d02718250398639963db5042756d15f138f518f1f4cea9914a685c7b7e59d325
SHA512:	b6067652eb8c6778825ecbdd2252115f08167f121a41efaa894facbe71b45d9fc732cb62d1bec843d922e402cca76ffa1523607dba1acec6a806e40bf18002cf
SSDEEP:	49152:v47OO75f2R6Hjz40wOUNvzsaSSq7tceaMget9WD5W5VN+JCuyz9p7kuc7ioYRpuQ:afAEHbwOGz5ytu/scOoYOQ/n/aiACCdM
TLSH:	A82633423B34EFB7CA198A720C7652CC5757AD7132608979EA783F5C7AF57934002A2B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.w.F......F...v...F...@...F.Rich..F.........PE..L...a..d.................d...........3............@

File Icon


Icon Hash:	3b69e8ececcc7917

Static PE Info

General

Entrypoint:	0x403382
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC61 [Sun Jul 2 02:09:37 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	671f2a1f8aee14d336bab98fea93d734

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000224h
push esi
push edi
xor edi, edi
push 00008001h
mov dword ptr [ebp-14h], edi
mov dword ptr [ebp-0Ch], 0040A188h
mov dword ptr [ebp-08h], edi
mov byte ptr [ebp-04h], 00000020h
call dword ptr [0040809Ch]
mov esi, dword ptr [004080A0h]
lea eax, dword ptr [ebp-000000C4h]
push eax
mov dword ptr [ebp-000000B0h], edi
mov dword ptr [ebp-30h], edi
mov dword ptr [ebp-2Ch], edi
mov dword ptr [ebp-000000C4h], 0000009Ch
call esi
test eax, eax
jne 00007FF87CDDCEF1h
lea eax, dword ptr [ebp-000000C4h]
mov dword ptr [ebp-000000C4h], 00000094h
push eax
call esi
cmp dword ptr [ebp-000000B4h], 02h
jne 00007FF87CDDCEDCh
movsx cx, byte ptr [ebp-000000A3h]
mov al, byte ptr [ebp-000000B0h]
sub ecx, 30h
sub al, 53h
mov byte ptr [ebp-2Ah], 00000004h
neg al
sbb eax, eax
not eax
and eax, ecx
mov word ptr [ebp-30h], ax
cmp dword ptr [ebp-000000B4h], 02h
jnc 00007FF87CDDCED4h
and byte ptr [ebp-2Ah], 00000000h
cmp byte ptr [ebp-000000AFh], 00000041h
jl 00007FF87CDDCEC3h
movsx ax, byte ptr [ebp-000000AFh]
sub eax, 40h
mov word ptr [ebp-30h], ax
jmp 00007FF87CDDCEB6h
mov word ptr [ebp-30h], di
cmp dword ptr [ebp-000000C0h], 0Ah
jnc 00007FF87CDDCEBAh
and word ptr [ebp+00000000h], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8430	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2e000	0x4cf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x294	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x626a	0x6400	False	0.6602734375	data	6.386688478752414	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1234	0x1400	False	0.4265625	data	5.032486821165516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1a438	0x400	False	0.6455078125	data	5.254428296532156	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x9000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2e000	0x4cf8	0x4e00	False	0.36107772435897434	data	3.936533031250799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2e1c0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	English	United States	0.3463037316957959
RT_DIALOG	0x323e8	0x10c	data	English	United States	0.5111940298507462
RT_DIALOG	0x324f8	0x1ee	data	English	United States	0.3866396761133603
RT_DIALOG	0x326e8	0xe4	data	English	United States	0.6359649122807017
RT_DIALOG	0x327d0	0xda	data	English	United States	0.6467889908256881
RT_GROUP_ICON	0x328b0	0x14	data	English	United States	1.1
RT_MANIFEST	0x328c8	0x42e	XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators	English	United States	0.5130841121495328

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegOpenKeyExA, RegCreateKeyExA
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteExA
ole32.dll	OleUninitialize, OleInitialize, IIDFromString, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcA, GetMessagePos, CheckDlgButton, LoadCursorA, SetCursor, GetSysColor, SetWindowPos, GetWindowLongA, IsWindowEnabled, SetClassLongA, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetDlgItemTextA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, MessageBoxIndirectA, CharPrevA, PeekMessageA, GetClassInfoA, DispatchMessageA, TrackPopupMenu
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor
KERNEL32.dll	CreateFileA, GetTempFileNameA, ReadFile, RemoveDirectoryA, CreateProcessA, CreateDirectoryA, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceA, lstrcpynA, SetErrorMode, GetVersionExA, lstrlenA, GetCommandLineA, GetTempPathA, GetWindowsDirectoryA, WriteFile, ExitProcess, CopyFileA, GetCurrentProcess, GetModuleFileNameA, GetFileSize, GetTickCount, Sleep, SetFileAttributesA, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv, lstrcpyA, MoveFileExA, lstrcatA, WideCharToMultiByte, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 22, 2023 08:09:33.609935045 CET	49708	2001	192.168.2.6	192.186.7.211
Dec 22, 2023 08:09:33.950232983 CET	2001	49708	192.186.7.211	192.168.2.6
Dec 22, 2023 08:09:33.950429916 CET	49708	2001	192.168.2.6	192.186.7.211
Dec 22, 2023 08:09:33.951098919 CET	49708	2001	192.168.2.6	192.186.7.211
Dec 22, 2023 08:09:34.638495922 CET	49708	2001	192.168.2.6	192.186.7.211
Dec 22, 2023 08:09:35.654184103 CET	49708	2001	192.168.2.6	192.186.7.211
Dec 22, 2023 08:09:37.669758081 CET	49708	2001	192.168.2.6	192.186.7.211
Dec 22, 2023 08:09:41.701069117 CET	49708	2001	192.168.2.6	192.186.7.211
Dec 22, 2023 08:09:45.732276917 CET	49708	2001	192.168.2.6	192.186.7.211
Dec 22, 2023 08:09:49.763505936 CET	49708	2001	192.168.2.6	192.186.7.211
Dec 22, 2023 08:09:57.810576916 CET	49708	2001	192.168.2.6	192.186.7.211
Dec 22, 2023 08:10:06.034271002 CET	49708	2001	192.168.2.6	192.186.7.211

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 22, 2023 08:09:33.056185007 CET	59285	8889	192.168.2.6	38.6.193.13

HTTP Request Dependency Graph

192.186.7.211:2001

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49708	192.186.7.211	2001	964	C:\Users\user\Desktop\etopt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 08:09:33.951098919 CET	341	OUT	POST / HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 192.186.7.211:2001 Content-Length: 155 Cache-Control: no-cache Data Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Dec 22, 2023 08:09:34.638495922 CET	341	OUT	POST / HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 192.186.7.211:2001 Content-Length: 155 Cache-Control: no-cache Data Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Dec 22, 2023 08:09:35.654184103 CET	341	OUT	POST / HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 192.186.7.211:2001 Content-Length: 155 Cache-Control: no-cache Data Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Dec 22, 2023 08:09:37.669758081 CET	341	OUT	POST / HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 192.186.7.211:2001 Content-Length: 155 Cache-Control: no-cache Data Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Dec 22, 2023 08:09:41.701069117 CET	341	OUT	POST / HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 192.186.7.211:2001 Content-Length: 155 Cache-Control: no-cache Data Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Dec 22, 2023 08:09:45.732276917 CET	341	OUT	POST / HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 192.186.7.211:2001 Content-Length: 155 Cache-Control: no-cache Data Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Dec 22, 2023 08:09:49.763505936 CET	341	OUT	POST / HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 192.186.7.211:2001 Content-Length: 155 Cache-Control: no-cache Data Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c
Dec 22, 2023 08:09:57.810576916 CET	341	OUT	POST / HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 192.186.7.211:2001 Content-Length: 155 Cache-Control: no-cache Data Raw: ac c0 92 48 da ae aa a8 21 aa 60 12 e9 7f 0a 7e 44 e0 04 26 88 f9 31 da 74 c7 94 f9 4d e8 c9 9e e4 6e 5b 91 aa e0 c0 34 5a c0 c7 4f a4 a6 55 4a 11 b7 86 01 98 02 04 66 43 5f 26 b8 4b 24 d6 e8 bb a1 90 d0 1d 10 05 5a 77 d9 ba 59 b8 ae 18 95 85 dc 99 99 16 f9 a8 c0 f8 89 c5 54 bd ab 33 b8 a5 ee 23 47 7c 66 75 76 7c cf 0a 76 68 e2 00 e1 33 99 d9 fe 46 1a d3 cc 75 1e 60 b0 22 2b 9e e3 00 da 8a 5d 2b b8 01 43 75 5c b5 ce 26 3e 2a 02 29 1a 17 33 ec 1a be 5f 63 a2 b7 Data Ascii: H!`~D&1tMn[4ZOUJfC_&K$ZwYT3#G\|fuv\|vh3Fu`"+]+Cu\&>*)3_c

Target ID:	0
Start time:	08:09:30
Start date:	22/12/2023
Path:	C:\Users\user\Desktop\etopt.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\etopt.exe
Imagebase:	0x400000
File size:	4'544'252 bytes
MD5 hash:	F77ABC2F79780428CA514C0041C8B9E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	24.4%
Signature Coverage:	11.2%
Total number of Nodes:	1432
Total number of Limit Nodes:	63

Executed Functions

Function 00403382 Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 430
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008001), ref: 004033A5
GetVersionExA.KERNEL32(?), ref: 004033CE
GetVersionExA.KERNEL32(0000009C), ref: 004033E5
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034AE
#17.COMCTL32(?,00000008,0000000A,0000000C), ref: 004034EB
OleInitialize.OLE32(00000000), ref: 004034F2
SHGetFileInfoA.SHELL32(0041F8E0,00000000,?,00000160,00000000,?,00000008,0000000A,0000000C), ref: 00403510
GetCommandLineA.KERNEL32(00423B20,NSIS Error,?,00000008,0000000A,0000000C), ref: 00403525
CharNextA.USER32(00000000,"C:\Users\user\Desktop\etopt.exe",00000020,"C:\Users\user\Desktop\etopt.exe",00000000,?,00000008,0000000A,0000000C), ref: 0040355F
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000008,0000000A,0000000C), ref: 00403658
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C), ref: 00403669
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 00403675
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 00403689
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 00403691
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 004036A2
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C), ref: 004036AA
DeleteFileA.KERNEL32(2052,?,00000008,0000000A,0000000C), ref: 004036BE
ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C), ref: 00403764
OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C), ref: 00403769
ExitProcess.KERNEL32 ref: 0040378A
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe",00000000,?,?,00000008,0000000A,0000000C), ref: 00403799
wsprintfA.USER32 ref: 004037F0
GetFileAttributesA.KERNEL32(00426400,C:\Users\user\AppData\Local\Temp\,00426400,?,0000000C), ref: 00403822
DeleteFileA.KERNEL32(00426400), ref: 0040382E
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00426400,?,0000000C), ref: 0040385A
CopyFileA.KERNEL32(C:\Users\user\Desktop\etopt.exe,00426400,00000001), ref: 00403870
CloseHandle.KERNEL32(00000000,00426800,00426800,?,00426400,00000000), ref: 004038C3
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C), ref: 004038E0
OpenProcessToken.ADVAPI32(00000000), ref: 004038E7
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038FB
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0040391A
ExitWindowsEx.USER32(00000002,80040002), ref: 0040393F
ExitProcess.KERNEL32 ref: 00403960

Strings

C:\Program Files (x86)\ClocX, xrefs: 00403747
Error launching installer, xrefs: 00403722
C:\Program Files (x86)\ClocX, xrefs: 0040363D, 0040373C, 004037AD, 004037BB
C:\Users\user\AppData\Local\Temp\, xrefs: 0040364D, 00403652, 00403668, 00403674, 00403683, 00403690, 0040369C, 004036A4, 00403795, 0040380E, 0040383A, 00403859, 00403862
TEMP, xrefs: 0040369D
", xrefs: 00403582
\Temp, xrefs: 0040366F
NSIS Error, xrefs: 00403516
Low, xrefs: 0040368B
SeShutdownPrivilege, xrefs: 004038F5
UXTHEME, xrefs: 004034A2, 004034A7, 004034AD
`K$v, xrefs: 00403696
"C:\Users\user\Desktop\etopt.exe", xrefs: 0040352B, 00403531, 004036E0
2052, xrefs: 004036B9
~nsu%X.tmp, xrefs: 004037E8
C:\Users\user\Desktop\etopt.exe, xrefs: 0040386B
C:\Users\user\Desktop, xrefs: 004037B6
A, xrefs: 00403420
TMP, xrefs: 004036A5

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: FileProcess$Exit$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuewsprintf
String ID: "$"C:\Users\user\Desktop\etopt.exe"$2052$A$C:\Program Files (x86)\ClocX$C:\Program Files (x86)\ClocX$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\etopt.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`K$v$~nsu%X.tmp
API String ID: 3308099279-2935804019
Opcode ID: 8526bd4f64cbd6d7e2360942e5c26261406047a02fdac2a725c9770b35ae634f
Instruction ID: 55e4fc7ee2c2d402e406559c2feba9f147c8ed20eaacbdbb1b3bd4205d426901
Opcode Fuzzy Hash: 8526bd4f64cbd6d7e2360942e5c26261406047a02fdac2a725c9770b35ae634f
Instruction Fuzzy Hash: 35F104B0A00254AADB21AF759D59B6F7EB8AF41306F0440BFF541B61D2CB7C4A45CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 0325A75F Relevance: 35.1, APIs: 4, Strings: 16, Instructions: 136
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyW.KERNEL32(?,00000066), ref: 0325A842
lstrcatW.KERNEL32(?), ref: 0325A856
lstrcatW.KERNEL32(?,0327D71C), ref: 0325A864
lstrcatW.KERNEL32(?,00000066), ref: 0325A87E

Strings

5f)f, xrefs: 0325A793
*f5f, xrefs: 0325A7D8
UfTf, xrefs: 0325A817
f, xrefs: 0325A938
f2f, xrefs: 0325A79D
:f%f, xrefs: 0325A7B5
:f%f, xrefs: 0325A7D1
4f#f, xrefs: 0325A7AE
1f'f, xrefs: 0325A7A7
ff, xrefs: 0325A81E
f, xrefs: 0325A92B
f, xrefs: 0325A868
ff, xrefs: 0325A8F9
f, xrefs: 0325A826
/f"f, xrefs: 0325A7DF
:fff, xrefs: 0325A7E6

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: lstrcat$lstrcpy
String ID: f2f$*f5f$/f"f$1f'f$4f#f$5f)f$:f%f$:f%f$:fff$UfTf$f$f$f$f$ff$ff
API String ID: 2482611188-4250252908
Opcode ID: 493d858be447d23012901c32a188a8d2204167b2948692bbdbfc9e188449d1a0
Instruction ID: b9c02d3e36873535efba903212a2f4c346027f39f6807d0960bc59f233a812c7
Opcode Fuzzy Hash: 493d858be447d23012901c32a188a8d2204167b2948692bbdbfc9e188449d1a0
Instruction Fuzzy Hash: 78512BB1C2026D9ACB11DFA6DC8A7DEBBB9BF44304F2185A9D415FB140DB748A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03252484 Relevance: 30.3, APIs: 3, Strings: 14, Instructions: 520
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0325248E

Part of subcall function 0325FFDD: RegQueryValueExW.KERNEL32(80000001,?,00000000,?,?,?,?,0325E423,?,000000A8,?,00001000), ref: 0325FFF4

IsUserAnAdmin.SHELL32 ref: 03252ADC
GetUserDefaultLocaleName.KERNEL32(?,00000055,?,?,?,?,?,?,?,?,00000230,03254058,?), ref: 03252B2F

Strings

board, xrefs: 03252711
mac1, xrefs: 03252657
name, xrefs: 03252902
locInfos, xrefs: 032524EA, 032524EF, 03252527
notepad, xrefs: 03252A71
, xrefs: 03252500
coreNum, xrefs: 032529BA
mac2, xrefs: 032526B4
cpu, xrefs: 032528AF
Software\Chromium, xrefs: 032524B6
sys, xrefs: 03252A11
product, xrefs: 03252835
manu, xrefs: 03252779
, xrefs: 0325288C

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: User$AdminDefaultH_prolog3_LocaleNameQueryValue
String ID: $ $Software\Chromium$board$coreNum$cpu$locInfos$mac1$mac2$manu$name$notepad$product$sys
API String ID: 2533250906-73309243
Opcode ID: 792d81664daaf78b0256192d1721171c86c3cf60ec4b2b1f95fc15482cae6fb8
Instruction ID: 0ae2568a2cda51a7deb1b22034a482fcf24d48e8489964f6cc6654bf1f8a9e2f
Opcode Fuzzy Hash: 792d81664daaf78b0256192d1721171c86c3cf60ec4b2b1f95fc15482cae6fb8
Instruction Fuzzy Hash: 83128035D2035ACBDB21CA68C8847E5B7B4AF15310F0949E9EC48AB291E7709FC5CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03251A4D Relevance: 30.1, APIs: 12, Strings: 5, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 03251A57
IsUserAnAdmin.SHELL32 ref: 03251A72
GetSystemPowerStatus.KERNEL32(?), ref: 03251A93
GetUserDefaultLocaleName.KERNEL32(?,00000055), ref: 03251AC8
CoInitialize.OLE32(00000000), ref: 03251B40
_memset.LIBCMT ref: 03251C20
_memset.LIBCMT ref: 03251C35
_memset.LIBCMT ref: 03251C4D
_memset.LIBCMT ref: 03251C62
_memset.LIBCMT ref: 03251D1C
_memset.LIBCMT ref: 03251D31
GetSystemInfo.KERNEL32(?), ref: 03251D98

Strings

VirtualBoxParallelsVMwareHyper-, xrefs: 03251BCF, 03251BD2
Hyper-, xrefs: 03251BF7, 03251BFA
ECF4BB2D2496, xrefs: 03251E1E
V, xrefs: 03251BBD
en-CH, xrefs: 03251AD5, 03251AE9

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memset$SystemUser$AdminDefaultH_prolog3_InfoInitializeLocaleNamePowerStatus
String ID: ECF4BB2D2496$Hyper-$V$VirtualBoxParallelsVMwareHyper-$en-CH
API String ID: 3245460758-3394250673
Opcode ID: c6ea2e86d8cd4ab6c474a9df35c5e9da5a73517eb322565b69a92528bc8ea70f
Instruction ID: bdaf789095c89edd05b0bb1964621d3f24cddcc779ae9433660db8f7b8e914dc
Opcode Fuzzy Hash: c6ea2e86d8cd4ab6c474a9df35c5e9da5a73517eb322565b69a92528bc8ea70f
Instruction Fuzzy Hash: 50C10271D213599FDF21EB689C44BEE7BB8AF05200F0884E9E948EB241E6709BD4CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03255676 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 301
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 03255716
_memset.LIBCMT ref: 032557B6
socket.WS2_32(00000002,00000002,00000011), ref: 03255816
WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 0325584E
setsockopt.WS2_32 ref: 0325586E
_memset.LIBCMT ref: 0325590D
_memset.LIBCMT ref: 03255923
GetTickCount.KERNEL32 ref: 0325592B
_rand.LIBCMT ref: 03255938
sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 032559C9
closesocket.WS2_32(?), ref: 03255A83

Part of subcall function 032534F9: __EH_prolog3_GS.LIBCMT ref: 03253503
Part of subcall function 032534F9: _free.LIBCMT ref: 032536AD

recvfrom.WS2_32(?,?,00001000,00000000,?,?), ref: 03255A2A
_memset.LIBCMT ref: 03255A43

Part of subcall function 03253AF5: _memmove.LIBCMT ref: 03253BE3

Strings

ust, xrefs: 03255732

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memset$CountH_prolog3_IoctlTick_free_memmove_randclosesocketrecvfromsendtosetsockoptsocket
String ID: ust
API String ID: 4250770336-4261539001
Opcode ID: ca096747bfcec6e17b68ff669838d4e092b72187c16a7e9268727ae3f01a8999
Instruction ID: aa53505578d35138d5c624ec8c88925689cb87c524e165f24d0d73585febd15d
Opcode Fuzzy Hash: ca096747bfcec6e17b68ff669838d4e092b72187c16a7e9268727ae3f01a8999
Instruction Fuzzy Hash: CDB1AF76528385EFD731DF64D885BEBB7E8EF84710F10492EFA89C6180D7709A848B52

Uniqueness

Uniqueness Score: -1.00%

Function 03256403 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 163registryfilestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0325640D
RegEnumKeyExW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?), ref: 032564B2
_memset.LIBCMT ref: 03256580
lstrcatW.KERNEL32(?,?), ref: 03256596
CreateFileW.KERNEL32(00000080,80000000,00000005,00000000,00000003,00000080,00000000), ref: 032565B3
DeviceIoControl.KERNEL32 ref: 032565F3
DeviceIoControl.KERNEL32(00000000,00170002,01010101,00000004,00000000,00000004,00000006,00000000), ref: 03256630
FindCloseChangeNotification.KERNEL32(00000000), ref: 03256652

Part of subcall function 032601BE: RegCloseKey.KERNEL32(?,032600AC,?,?,?,?,0325E3E8,80000001), ref: 032601C7

Strings

Description, xrefs: 0325653D
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\, xrefs: 0325642F
ServiceName, xrefs: 03256508
\\.\, xrefs: 03256564

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: CloseControlDevice$ChangeCreateEnumFileFindH_prolog3_Notification_memsetlstrcat
String ID: Description$SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\$ServiceName$\\.\
API String ID: 1363033351-23445281
Opcode ID: e661f16306c17edff1259c3512a5302824ba04cd97a9a808dde6153eea5b15de
Instruction ID: c9712089e05d05896aa2daa5b318388dd29384bef2b3e2cfd71510417d39de63
Opcode Fuzzy Hash: e661f16306c17edff1259c3512a5302824ba04cd97a9a808dde6153eea5b15de
Instruction Fuzzy Hash: 3A61E87592122D9ADB60DB658C44BEEB7F8FB04700F4481DAAA88F6140DBB45FC9CF91

Uniqueness

Uniqueness Score: -1.00%

Function 004059F9 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe"), ref: 00405A22
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nszFC.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nszFC.tmp\*.*,?,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe"), ref: 00405A6A
lstrcatA.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nszFC.tmp\*.*,?,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe"), ref: 00405A8B
lstrlenA.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nszFC.tmp\*.*,?,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe"), ref: 00405A91
FindFirstFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nszFC.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nszFC.tmp\*.*,?,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe"), ref: 00405AA2
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B4F
FindClose.KERNEL32(00000000), ref: 00405B60

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A06
\*.*, xrefs: 00405A64
C:\Users\user\AppData\Local\Temp\nszFC.tmp\*.*, xrefs: 00405A52, 00405A58, 00405A69, 00405A9F
"C:\Users\user\Desktop\etopt.exe", xrefs: 00405A02

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\etopt.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nszFC.tmp\*.*$\*.*
API String ID: 2035342205-3719508362
Opcode ID: f1679ef5f70ff734a25cf438f2dc45318474c1ecb1e9537d56531407141502a6
Instruction ID: 8b47a8f6ea4bba66e188adec423be54ea364c3fb32899d4c3b7c75557b86054b
Opcode Fuzzy Hash: f1679ef5f70ff734a25cf438f2dc45318474c1ecb1e9537d56531407141502a6
Instruction Fuzzy Hash: 2E51BD30A00A08AADB32AB618C89BAFBB78DF42754F14417BF851711D1D77C6982DE6D

Uniqueness

Uniqueness Score: -1.00%

Function 03258F44 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03258F87
MD5Init.NTDLL(?), ref: 03258F96
MD5Update.NTDLL(?,?,00000006), ref: 03258FD9
MD5Update.NTDLL(?,?,0000000A), ref: 03259001
MD5Final.NTDLL(?), ref: 0325900E

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Update$FinalInit_memset
String ID:
API String ID: 1485544455-0
Opcode ID: 7ca5e0659e45120a95ad790cc69c706f737ff0427545886a67fe41f7d188fc47
Instruction ID: 2ed77c8993ac09f2916b39bf3db3fc22831858a508c6ba450143da9a8b2692a5
Opcode Fuzzy Hash: 7ca5e0659e45120a95ad790cc69c706f737ff0427545886a67fe41f7d188fc47
Instruction Fuzzy Hash: 19214D72A11328AFCB51DFA49C44BDEB7B9BF05600F4444A5E949E7140DBB0ABC98B92

Uniqueness

Uniqueness Score: -1.00%

Function 004065CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(76233410,00422170,C:\,00405CFA,C:\,C:\,00000000,C:\,C:\,76233410,?,C:\Users\user\AppData\Local\Temp\,00405A19,?,76233410,C:\Users\user\AppData\Local\Temp\), ref: 004065D5
FindClose.KERNEL32(00000000), ref: 004065E1

Strings

C:\, xrefs: 004065CA
p!B, xrefs: 004065CB

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\$p!B
API String ID: 2295610775-3747730429
Opcode ID: dfc65eb41cf3005a49c9d827d0c2ee39ba4b2e7e25b251809efb7f1ef4f3a872
Instruction ID: 571d3566173f3a0c3a6662c099361f9e61a7ea6c8b97466599858ca3fee4a6a8
Opcode Fuzzy Hash: dfc65eb41cf3005a49c9d827d0c2ee39ba4b2e7e25b251809efb7f1ef4f3a872
Instruction Fuzzy Hash: 61D012315051207BC64517387F0C85B7A599F553317518B37F5A6F11E4C774CC7286AD

Uniqueness

Uniqueness Score: -1.00%

Function 0325B90C Relevance: 6.2, APIs: 4, Instructions: 249COMMON

Download Yara Rule

APIs

Part of subcall function 03258F44: _memset.LIBCMT ref: 03258F87
Part of subcall function 03258F44: MD5Init.NTDLL(?), ref: 03258F96
Part of subcall function 03258F44: MD5Update.NTDLL(?,?,00000006), ref: 03258FD9
Part of subcall function 03258F44: MD5Update.NTDLL(?,?,0000000A), ref: 03259001
Part of subcall function 03258F44: MD5Final.NTDLL(?), ref: 0325900E

StringFromGUID2.OLE32(00000000,?,00000030), ref: 0325B9DF
StringFromGUID2.OLE32(00000000,?,00000030), ref: 0325BA60
StringFromGUID2.OLE32(00000000,?,00000030), ref: 0325BAE1
StringFromGUID2.OLE32(00000000,?,00000030), ref: 0325BB62

Part of subcall function 03259031: _memset.LIBCMT ref: 03259127
Part of subcall function 03259031: lstrcpyW.KERNEL32(?,00000066), ref: 03259147
Part of subcall function 03259031: lstrcatW.KERNEL32(?,\Hash Me), ref: 03259159

Part of subcall function 032591EF: __EH_prolog3_GS.LIBCMT ref: 032591F9
Part of subcall function 032591EF: _memset.LIBCMT ref: 032592BD
Part of subcall function 032591EF: lstrcpyW.KERNEL32(?,00000066), ref: 032592DD

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: FromString$_memset$Updatelstrcpy$FinalH_prolog3_Initlstrcat
String ID:
API String ID: 3297509778-0
Opcode ID: 17479895914e0268c9d7a3d0849fd453f624f7fb89b5bbde9fa042dfe6f06cc7
Instruction ID: f674d09d1575fa948d004d37b2ba7ba0982fb1eea8ce17f4b515aba5a02242e1
Opcode Fuzzy Hash: 17479895914e0268c9d7a3d0849fd453f624f7fb89b5bbde9fa042dfe6f06cc7
Instruction Fuzzy Hash: 968151369283019FD315DF14C840A6BB7E9FFC6360F048929FD959B290DBB1DA85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00402178 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408410,?,00000001,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FD
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AF

Strings

C:\Program Files (x86)\ClocX, xrefs: 0040223D

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Program Files (x86)\ClocX
API String ID: 123533781-1769362010
Opcode ID: da902d845a1421ded2e6c550e5cea7f873e3ed2db129ab86100bf07b0efffe22
Instruction ID: 2fe5fc16e6b6be7fc7f88b265aa9a7785dcdb36a32ed2e5250f6cd26eae34bc3
Opcode Fuzzy Hash: da902d845a1421ded2e6c550e5cea7f873e3ed2db129ab86100bf07b0efffe22
Instruction Fuzzy Hash: 56510471A00208AFDF10DFE4CA88A9D7BB6FF48314F2045BAF515EB2D1DA799981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00406953 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebca5ee2aa803abf18fab165939b450168c81bb7f4099dac6006ecaeabefa435
Instruction ID: 73b5d7de695770a1eccf5d28c9ade52004db7c8ce7441b8e3f4a7746e151c29c
Opcode Fuzzy Hash: ebca5ee2aa803abf18fab165939b450168c81bb7f4099dac6006ecaeabefa435
Instruction Fuzzy Hash: A0F18871D04229CBDF28CFA9C8846ADBBB0FF44305F25816ED456BB281C7786A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 03254429 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32(?,?,00000030), ref: 032544C5
StringFromGUID2.OLE32(?,?,00000030), ref: 03254549
StringFromGUID2.OLE32(?,?,00000030), ref: 032545A4

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: FromString
String ID:
API String ID: 1694596556-0
Opcode ID: c11b6c36d5a92cac5094a68f4cf667051e9e267e97fb1b5a74b167f884455375
Instruction ID: 61ad8a19277de240bfe6df7bbbf811d06f511860c8417fe6c20a4cf0db71be20
Opcode Fuzzy Hash: c11b6c36d5a92cac5094a68f4cf667051e9e267e97fb1b5a74b167f884455375
Instruction Fuzzy Hash: A9618E766283069FC714EF2AD880A5FF7E9BF85250F04882EFD91CB140DB70D6858B92

Uniqueness

Uniqueness Score: -1.00%

Function 6E841450 Relevance: 3.1, APIs: 2, Instructions: 60nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00000000,00000000), ref: 6E841480
NtQuerySystemInformation.NTDLL(00000005,00000000,-00001000,00000000), ref: 6E8414A2

Part of subcall function 6E8413D5: GetModuleHandleA.KERNEL32(ntdll,00000000,6E84146A,00000000,?,?,?,6E8416AB,?,00000000,?,00000000), ref: 6E8413E4
Part of subcall function 6E8413D5: GetProcAddress.KERNEL32(00000000,ZwQuerySystemInformation), ref: 6E8413FD
Part of subcall function 6E8413D5: GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 6E84140A
Part of subcall function 6E8413D5: GetProcAddress.KERNEL32(00000000,NtQueryInformationThread), ref: 6E841417
Part of subcall function 6E8413D5: GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 6E841424

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: AddressProc$InformationQuerySystem$HandleModule
String ID:
API String ID: 2199140883-0
Opcode ID: d71d2728d19d98121142060027a2376b4eea7e46cd1cc6d3fb8e0bbbde473ce2
Instruction ID: 95fbe7d25596dec9f917122fa8959413a80fefa637c2657dcb714b3d172ba6b3
Opcode Fuzzy Hash: d71d2728d19d98121142060027a2376b4eea7e46cd1cc6d3fb8e0bbbde473ce2
Instruction Fuzzy Hash: 2F11867190021EFFEB409FE5C984A9E7BBDEF05355F20047EE50496184E7705A54CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0325FC09 Relevance: 3.1, APIs: 2, Instructions: 60nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00000000,?), ref: 0325FC39
NtQuerySystemInformation.NTDLL(00000005,00000000,?,?), ref: 0325FC5B

Part of subcall function 0325FB8E: GetModuleHandleW.KERNEL32(ntdll,?,0325D9F5,?,?), ref: 0325FB9D
Part of subcall function 0325FB8E: GetProcAddress.KERNEL32(00000000,ZwQuerySystemInformation), ref: 0325FBB6
Part of subcall function 0325FB8E: GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 0325FBC3
Part of subcall function 0325FB8E: GetProcAddress.KERNEL32(00000000,NtQueryInformationThread), ref: 0325FBD0
Part of subcall function 0325FB8E: GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 0325FBDD

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressProc$InformationQuerySystem$HandleModule
String ID:
API String ID: 2199140883-0
Opcode ID: 0a409204e879b09a437b067fec55b919a4ab06b525a43a9bf0382bc62e20d9fc
Instruction ID: 2606ce45b91059057bc36709285974c33ebc33a7298c592823af818acb249d08
Opcode Fuzzy Hash: 0a409204e879b09a437b067fec55b919a4ab06b525a43a9bf0382bc62e20d9fc
Instruction Fuzzy Hash: 6F119A72911206FBDB20DF94D984AAEB7ACEF087A6B284479FD4096140E7709AC0DA60

Uniqueness

Uniqueness Score: -1.00%

Function 03210070 Relevance: 56.3, APIs: 2, Strings: 30, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 032102E2

Strings

temI, xrefs: 032100F2
Virt, xrefs: 03210125
Free, xrefs: 032100A3
Virt, xrefs: 03210108
rote, xrefs: 0321014D
ualP, xrefs: 03210145
nfo, xrefs: 032100FD
Virt, xrefs: 0321013D
Heap, xrefs: 0321009B
ct, xrefs: 03210155
ary, xrefs: 03210171
lloc, xrefs: 03210118
ativ, xrefs: 032100DC
eSys, xrefs: 032100E7
ree, xrefs: 03210135
dPtr, xrefs: 03210189
Heap, xrefs: 03210084
ssHe, xrefs: 032100C0
ap, xrefs: 032100C8
Free, xrefs: 03210161
Libr, xrefs: 03210169
roce, xrefs: 032100B8
GetP, xrefs: 032100B0
dRea, xrefs: 03210181
ualA, xrefs: 03210110
c, xrefs: 03210094
GetN, xrefs: 032100D4
ualF, xrefs: 0321012D
IsBa, xrefs: 03210179
Allo, xrefs: 0321008C

Memory Dump Source

Source File: 00000000.00000002.2578628998.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_etopt.jbxd

Similarity

API ID: InfoNativeSystem
String ID: Allo$Free$Free$GetN$GetP$Heap$Heap$IsBa$Libr$Virt$Virt$Virt$ap$ary$ativ$c$ct$dPtr$dRea$eSys$lloc$nfo$ree$roce$rote$ssHe$temI$ualA$ualF$ualP
API String ID: 1721193555-1716667101
Opcode ID: dd74aee1031d23a3c70522fb67a4a393cf172720c5b0308b86c5ca73078ff7ce
Instruction ID: fc4d7730b30a9f4091e605021468e24d8c93155f9e373834dd66e6dfe1164214
Opcode Fuzzy Hash: dd74aee1031d23a3c70522fb67a4a393cf172720c5b0308b86c5ca73078ff7ce
Instruction Fuzzy Hash: 43C16BB16183419FD330CF65CA80B9BFBE4BF95310F14891DE9898B240EBB5D584CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03230070 Relevance: 56.3, APIs: 2, Strings: 30, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 032302E2

Strings

ativ, xrefs: 032300DC
Virt, xrefs: 03230108
ct, xrefs: 03230155
Allo, xrefs: 0323008C
Free, xrefs: 03230161
GetN, xrefs: 032300D4
roce, xrefs: 032300B8
ap, xrefs: 032300C8
Heap, xrefs: 03230084
temI, xrefs: 032300F2
dPtr, xrefs: 03230189
ssHe, xrefs: 032300C0
nfo, xrefs: 032300FD
GetP, xrefs: 032300B0
lloc, xrefs: 03230118
dRea, xrefs: 03230181
ary, xrefs: 03230171
rote, xrefs: 0323014D
Heap, xrefs: 0323009B
Free, xrefs: 032300A3
ualA, xrefs: 03230110
Virt, xrefs: 0323013D
Libr, xrefs: 03230169
c, xrefs: 03230094
ualP, xrefs: 03230145
IsBa, xrefs: 03230179
ualF, xrefs: 0323012D
Virt, xrefs: 03230125
eSys, xrefs: 032300E7
ree, xrefs: 03230135

Memory Dump Source

Source File: 00000000.00000002.2578668685.0000000003230000.00000040.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3230000_etopt.jbxd

Similarity

API ID: InfoNativeSystem
String ID: Allo$Free$Free$GetN$GetP$Heap$Heap$IsBa$Libr$Virt$Virt$Virt$ap$ary$ativ$c$ct$dPtr$dRea$eSys$lloc$nfo$ree$roce$rote$ssHe$temI$ualA$ualF$ualP
API String ID: 1721193555-1716667101
Opcode ID: dd74aee1031d23a3c70522fb67a4a393cf172720c5b0308b86c5ca73078ff7ce
Instruction ID: 7aee33d06ad2b34b17ec68dfc1679087940ddfd90c09bf13e2c8c33d2f927a68
Opcode Fuzzy Hash: dd74aee1031d23a3c70522fb67a4a393cf172720c5b0308b86c5ca73078ff7ce
Instruction Fuzzy Hash: 97C15CB16183419FD330CF65C980B9BBBE4BF85310F14891DEA8A8B240E7B5D584CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00403A40 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040665F: GetModuleHandleA.KERNEL32(?,00000000,?,004034C4,0000000C), ref: 00406671
Part of subcall function 0040665F: GetProcAddress.KERNEL32(00000000,?), ref: 0040668C

lstrcatA.KERNEL32(2052,00420920,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420920,00000000,00000002,76233410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\etopt.exe",0000000A,0000000C), ref: 00403ABB
lstrlenA.KERNEL32(ClocX see company, Inc.,?,?,?,ClocX see company, Inc.,00000000,C:\Program Files (x86)\ClocX,2052,00420920,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420920,00000000,00000002,76233410), ref: 00403B30
lstrcmpiA.KERNEL32(?,.exe), ref: 00403B43
GetFileAttributesA.KERNEL32(ClocX see company, Inc.,?,"C:\Users\user\Desktop\etopt.exe",0000000A,0000000C), ref: 00403B4E
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\ClocX), ref: 00403B97

Part of subcall function 00406195: wsprintfA.USER32 ref: 004061A2

RegisterClassA.USER32(00423AC0), ref: 00403BD4
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403BEC
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C21
ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\Desktop\etopt.exe",0000000A,0000000C), ref: 00403C57
GetClassInfoA.USER32(00000000,RichEdit20A,00423AC0), ref: 00403C83
GetClassInfoA.USER32(00000000,RichEdit,00423AC0), ref: 00403C90
RegisterClassA.USER32(00423AC0), ref: 00403C99
DialogBoxParamA.USER32(?,00000000,00403DDD,00000000), ref: 00403CB8

Strings

C:\Program Files (x86)\ClocX, xrefs: 00403ACA, 00403AD2, 00403B6A, 00403B70, 00403B80
RichEd32, xrefs: 00403C6B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403A45
_Nb, xrefs: 00403BB3, 00403C1B
B, xrefs: 00403A6C
Control Panel\Desktop\ResourceLocale, xrefs: 00403A74
RichEdit20A, xrefs: 00403C7B, 00403C81
.DEFAULT\Control Panel\International, xrefs: 00403AA6
.exe, xrefs: 00403B3D
"C:\Users\user\Desktop\etopt.exe", xrefs: 00403A43
RichEd20, xrefs: 00403C5D
2052, xrefs: 00403A60, 00403AB6
RichEdit, xrefs: 00403C8A
ClocX see company, Inc., xrefs: 00403AFE, 00403B06, 00403B13, 00403B5D, 00403B63

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: B$"C:\Users\user\Desktop\etopt.exe"$.DEFAULT\Control Panel\International$.exe$2052$C:\Program Files (x86)\ClocX$C:\Users\user\AppData\Local\Temp\$ClocX see company, Inc.$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-1590275931
Opcode ID: bac995f134209b0d3fcf826ecef8c4db5023559c6cbdd24e0521128ceec4f5fc
Instruction ID: 5edaad5ae05bff09ad76efdfad2e8b6c97f96ee3e1f2b90e582c8b17d9672d1d
Opcode Fuzzy Hash: bac995f134209b0d3fcf826ecef8c4db5023559c6cbdd24e0521128ceec4f5fc
Instruction Fuzzy Hash: 4861B8717442046EE620AF65AD46F273A7CEB8474AF40443FF941B52E3CB7D9D028A2D

Uniqueness

Uniqueness Score: -1.00%

Function 10002B0C Relevance: 44.3, APIs: 2, Strings: 23, Instructions: 558COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10002B16
std::_Xinvalid_argument.LIBCPMT ref: 10002DC3

Strings

ExcludeLang, xrefs: 10002E58
flag, xrefs: 10003205
Whitelist, xrefs: 10002BD3
size, xrefs: 10003261
Qihu360, xrefs: 10002BEF
dir_name, xrefs: 10002FF1
stub32, xrefs: 100030C3
tail_append, xrefs: 100032ED
stub64, xrefs: 1000310A
piece, xrefs: 1000328F
piece_append, xrefs: 1000331C
ExcludeRegion, xrefs: 10002D83
list<T> too long, xrefs: 10002DBE
sid, xrefs: 10002BA1
RandName, xrefs: 10002F23
mixer, xrefs: 100030A5
xor_length, xrefs: 100032BE
dll_name, xrefs: 10002F40
Pack, xrefs: 10002B20
mid, xrefs: 10002B72
Item, xrefs: 10002C11, 10002D5D
path, xrefs: 10002C33
file, xrefs: 10002C49

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: H_prolog3_Xinvalid_argumentstd::_
String ID: ExcludeLang$ExcludeRegion$Item$Pack$Qihu360$RandName$Whitelist$dir_name$dll_name$file$flag$list<T> too long$mid$mixer$path$piece$piece_append$sid$size$stub32$stub64$tail_append$xor_length
API String ID: 4049434844-1224270366
Opcode ID: bf942328d2636e130558d0d77cb692d0ea28b33dc02a03ddc8deceaf38069b74
Instruction ID: e80e819f9d1fe7af8d31bddcbcd13f70b08872e3c3bc26f88325c84224d7608a
Opcode Fuzzy Hash: bf942328d2636e130558d0d77cb692d0ea28b33dc02a03ddc8deceaf38069b74
Instruction Fuzzy Hash: 1B326BB59006998BEB61CA24CC807D9B7F8EF01385F4180E9D648AB15ADB70BFC9CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0325A082 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 257
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0325A08C

Part of subcall function 0325A75F: lstrcpyW.KERNEL32(?,00000066), ref: 0325A842
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?), ref: 0325A856
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?,0327D71C), ref: 0325A864
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?,00000066), ref: 0325A87E

_memset.LIBCMT ref: 0325A185
RegEnumKeyExW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00000066), ref: 0325A23E
__wcsicoll.LIBCMT ref: 0325A2E3

Strings

Tfff, xrefs: 0325A3CA
f.f, xrefs: 0325A162
f, xrefs: 0325A1A4
:f%f, xrefs: 0325A0EB
ff, xrefs: 0325A138
:f"f, xrefs: 0325A107
ff, xrefs: 0325A15B
1f'f, xrefs: 0325A0D7
4f#f, xrefs: 0325A0E1
:f%f, xrefs: 0325A146
5f)f, xrefs: 0325A0C3
f2f, xrefs: 0325A0CD
f, xrefs: 0325A3D3

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: lstrcat$EnumH_prolog3___wcsicoll_memsetlstrcpy
String ID: ff$ff$f.f$ f2f$1f'f$4f#f$5f)f$:f"f$:f%f$:f%f$Tfff$f$f
API String ID: 970344271-1019561771
Opcode ID: add86c44f6397f95cd18294e5e6886fff522e0f4b667056580aff696362c920a
Instruction ID: 430aec1fd05e9bf6d5f50dfee238a0ffef4614badcf010ad9b74f1920d0acddc
Opcode Fuzzy Hash: add86c44f6397f95cd18294e5e6886fff522e0f4b667056580aff696362c920a
Instruction Fuzzy Hash: 0EB149B5C2022D9ACF21DFA5DC467DEBBB8BF44304F1085A9EA08AB110DBB45BC58F54

Uniqueness

Uniqueness Score: -1.00%

Function 032597E4 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 274
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 032597EE

Part of subcall function 0325A75F: lstrcpyW.KERNEL32(?,00000066), ref: 0325A842
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?), ref: 0325A856
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?,0327D71C), ref: 0325A864
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?,00000066), ref: 0325A87E

_memset.LIBCMT ref: 0325998E
RegEnumKeyExW.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,?), ref: 03259A3F
__wcsicoll.LIBCMT ref: 03259AE5

Part of subcall function 032601BE: RegCloseKey.KERNEL32(?,032600AC,?,?,?,?,0325E3E8,80000001), ref: 032601C7

Strings

)f, xrefs: 03259BB7
f, xrefs: 03259968
:f+f, xrefs: 0325983E
ff, xrefs: 03259960
:f%f, xrefs: 03259898
ff, xrefs: 0325990C
:f5f, xrefs: 032598FE
f, xrefs: 03259BEA
4f#f, xrefs: 03259834
1f'f, xrefs: 0325982A
5f)f, xrefs: 03259816
f2f, xrefs: 03259820
:f1f, xrefs: 03259870

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: lstrcat$CloseEnumH_prolog3___wcsicoll_memsetlstrcpy
String ID: ff$ f2f$)f$1f'f$4f#f$5f)f$:f%f$:f+f$:f1f$:f5f$f$f$ff
API String ID: 21601689-698487356
Opcode ID: 490fca7e1afe892e3335e45abefd465dea610960758198d90a4c769335ba53f0
Instruction ID: 96de206c82e70485cf144ecac32b251bdaadcf6cb6ff7e8e4cb78fe8f5beed84
Opcode Fuzzy Hash: 490fca7e1afe892e3335e45abefd465dea610960758198d90a4c769335ba53f0
Instruction Fuzzy Hash: D4C116B1C213698ADB60DFA6CD81BDDBBB9BF44300F1041E9D608BB241DB749AC58F94

Uniqueness

Uniqueness Score: -1.00%

Function 032588C0 Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 156
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 032588CA
lstrcpyW.KERNEL32(?,00000066), ref: 032589AB
lstrcatW.KERNEL32(?), ref: 032589BF
lstrcatW.KERNEL32(?,0327D71C), ref: 032589CD
lstrcatW.KERNEL32(?,00000066), ref: 032589E7
lstrcpyW.KERNEL32(?,?), ref: 03258A8E
__wcsicoll.LIBCMT ref: 03258B49

Strings

f2f, xrefs: 032588FD
ff, xrefs: 03258AC5
*f5f, xrefs: 03258941
1f'f, xrefs: 03258907
:f%f, xrefs: 0325891B
UfTf, xrefs: 03258980
f, xrefs: 03258B08
f, xrefs: 0325898F
P, xrefs: 03258AEE
5f)f, xrefs: 032588F3
/f"f, xrefs: 03258948
ff, xrefs: 03258987
f, xrefs: 03258B33
4f#f, xrefs: 03258911
:fff, xrefs: 0325894F
f, xrefs: 032589D1
:f%f, xrefs: 0325893A

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: lstrcat$lstrcpy$H_prolog3___wcsicoll
String ID: f2f$*f5f$/f"f$1f'f$4f#f$5f)f$:f%f$:f%f$:fff$P$UfTf$f$f$f$f$ff$ff
API String ID: 510993073-207229738
Opcode ID: efef6e5493afddf5278bb6cbbcce95baa219bb8b862c4e46057f8b803e5c7263
Instruction ID: d9702edbc425eb49a959f9458ea9a91b268b7372abb5749bf66a7f65316f77c2
Opcode Fuzzy Hash: efef6e5493afddf5278bb6cbbcce95baa219bb8b862c4e46057f8b803e5c7263
Instruction Fuzzy Hash: 62711FB1D2166D8ACF20DFA6DD85BCEBBB8BB04309F5440A9E518AB200DB755AC1CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03259364 Relevance: 40.4, APIs: 2, Strings: 21, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0325A75F: lstrcpyW.KERNEL32(?,00000066), ref: 0325A842
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?), ref: 0325A856
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?,0327D71C), ref: 0325A864
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?,00000066), ref: 0325A87E

_memset.LIBCMT ref: 032594FE
__wcsicoll.LIBCMT ref: 03259533

Part of subcall function 032601BE: RegCloseKey.KERNEL32(?,032600AC,?,?,?,?,0325E3E8,80000001), ref: 032601C7

Part of subcall function 03260395: GetModuleHandleW.KERNEL32(ntdll,00000000,03253DBD), ref: 032603A5
Part of subcall function 03260395: LoadLibraryW.KERNEL32(ntdll), ref: 032603B0
Part of subcall function 03260395: GetProcAddress.KERNEL32(00000000,NtWow64DebuggerCall), ref: 032603C0

Strings

SfKf, xrefs: 03259428
TfUf, xrefs: 03259452
ff, xrefs: 032593E9
1f'f, xrefs: 032593AA
:f%f, xrefs: 032593B8
QfPf, xrefs: 03259436
_f_f, xrefs: 03259421
:f5f, xrefs: 032593DB
f2f, xrefs: 032593A0
WfSf, xrefs: 03259467
SfQf, xrefs: 03259405
RfSf, xrefs: 0325942F
_fPf, xrefs: 03259475
x, xrefs: 03259517
UfVf, xrefs: 03259460
RfPf, xrefs: 03259459
VfWf, xrefs: 03259444
4f#f, xrefs: 032593B1
:fLf, xrefs: 032593D4
f, xrefs: 03259497
5f)f, xrefs: 03259396

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: lstrcat$AddressCloseHandleLibraryLoadModuleProc__wcsicoll_memsetlstrcpy
String ID: ff$ f2f$1f'f$4f#f$5f)f$:f%f$:f5f$:fLf$QfPf$RfPf$RfSf$SfKf$SfQf$TfUf$UfVf$VfWf$WfSf$_fPf$_f_f$f$x
API String ID: 2896353583-1769253259
Opcode ID: d22d589c2c4d3279f4544bb413c64d781bdafdbf0e7e354bfbfc68829b5af749
Instruction ID: bd9b429e92b7930f64571bbca09e71cb7868d238e6f2c552b2f18a33e3d811fa
Opcode Fuzzy Hash: d22d589c2c4d3279f4544bb413c64d781bdafdbf0e7e354bfbfc68829b5af749
Instruction Fuzzy Hash: 615114B1D243299BDB21DFA6CD427DDBBB8AF04304F5081A8D419BB250EF708AD58F90

Uniqueness

Uniqueness Score: -1.00%

Function 03258163 Relevance: 40.4, APIs: 2, Strings: 21, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 032582E8
__wcsicoll.LIBCMT ref: 03258322

Strings

4f#f, xrefs: 032581A0
:f%f, xrefs: 032581A7
VfWf, xrefs: 03258233
1f'f, xrefs: 03258199
_f_f, xrefs: 03258210
RfSf, xrefs: 0325821E
f2f, xrefs: 0325818F
:f5f, xrefs: 032581CA
WfSf, xrefs: 03258256
SfQf, xrefs: 032581F4
TfUf, xrefs: 03258241
5f)f, xrefs: 03258185
QfPf, xrefs: 03258225
ff, xrefs: 032581D8
RfPf, xrefs: 03258248
x, xrefs: 03258301
:fLf, xrefs: 032581C3
f, xrefs: 0325828C
_fPf, xrefs: 03258264
SfKf, xrefs: 03258217
UfVf, xrefs: 0325824F

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: __wcsicoll_memset
String ID: ff$ f2f$1f'f$4f#f$5f)f$:f%f$:f5f$:fLf$QfPf$RfPf$RfSf$SfKf$SfQf$TfUf$UfVf$VfWf$WfSf$_fPf$_f_f$f$x
API String ID: 3893915231-1769253259
Opcode ID: 2ba8ab68c8d5aeb8787339c0b41d04b85b948141e9a7ad3f371d279653de5700
Instruction ID: 2a0c5a6a4fee3acff3b7920199d2853095127f76cf7f31992321bcf09c96b677
Opcode Fuzzy Hash: 2ba8ab68c8d5aeb8787339c0b41d04b85b948141e9a7ad3f371d279653de5700
Instruction Fuzzy Hash: 7951E1B0D1436D9BDB20DFA6DC967CDBBB4BB04304F9081A8D418BB240DB705A858F94

Uniqueness

Uniqueness Score: -1.00%

Function 0325C503 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 248
networkfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0325C56E
_memset.LIBCMT ref: 0325C58C
__wcsnicmp.LIBCMT ref: 0325C5D2
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 0325C62C
InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0325C659
_memset.LIBCMT ref: 0325C67A
HttpOpenRequestW.WININET(?,POST,?,00000000,00000000,0327D1EC,00000001,00000000), ref: 0325C6D5
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0325C70D
InternetSetOptionW.WININET(?,0000001F,00003100,00000004), ref: 0325C72D
lstrlenW.KERNEL32(00000001), ref: 0325C751
HttpSendRequestW.WININET(?,00000001,00000000,?,?), ref: 0325C770
HttpQueryInfoW.WININET(?,20000013,?,?,00000000), ref: 0325C7AD
HttpQueryInfoW.WININET(?,20000005,?,00000004,00000000), ref: 0325C7DB
InternetReadFile.WININET(?,?,00002000,00000004), ref: 0325C802
InternetCloseHandle.WININET(?), ref: 0325C831
InternetCloseHandle.WININET(?), ref: 0325C83D
InternetCloseHandle.WININET(?), ref: 0325C851

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 0325C627
POST, xrefs: 0325C6CA
https, xrefs: 0325C5CC

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Internet$Http$CloseHandleQuery_memset$InfoOpenOptionRequest$ConnectFileReadSend__wcsnicmplstrlen
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko$POST$https
API String ID: 4259084325-2617540327
Opcode ID: ef6befed1f5ad44fd4b8c0676afdd334580cd8349a2c42dcf230ad0bef205ca1
Instruction ID: 9bcd40a10951725afd0894b6f11589d5e66b77f1609b4953aadedcda40a509c6
Opcode Fuzzy Hash: ef6befed1f5ad44fd4b8c0676afdd334580cd8349a2c42dcf230ad0bef205ca1
Instruction Fuzzy Hash: F791FE71922239ABDB22DB65DC889EAB7BCFF08710F0445A5F509E6150E7749BC4CF90

Uniqueness

Uniqueness Score: -1.00%

Function 10003B63 Relevance: 33.7, APIs: 16, Strings: 3, Instructions: 433
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 10003B6D
PathFileExistsW.SHLWAPI(?,?), ref: 10003BE4
GetTickCount.KERNEL32 ref: 10003BF6
_rand.LIBCMT ref: 10003C29
lstrcpyW.KERNEL32(?,60/), ref: 10003CA8
PathAddBackslashW.SHLWAPI(00000000), ref: 10003D96
lstrcatW.KERNEL32(00000000,00000012), ref: 10003E16
_rand.LIBCMT ref: 10003E24
lstrlenW.KERNEL32(00000000,00000104,0000FDE9), ref: 10003E5E
PathAddBackslashW.SHLWAPI(00000000), ref: 10003EAF
_rand.LIBCMT ref: 10003EBD
lstrlenW.KERNEL32(00000000,00000104,0000FDE9), ref: 10003EFB
wsprintfA.USER32 ref: 10004159
RegSetValueExW.KERNEL32(?,?,00000000,00000004,?,00000004,?,00000000,00000001), ref: 100041A9
RegCloseKey.ADVAPI32(?), ref: 100041BD
RegCloseKey.ADVAPI32(00000000), ref: 100041DA

Strings

@%u@, xrefs: 10004153
60/, xrefs: 10003C9C
Software\JavaSoft\Prefs, xrefs: 10004115

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: Path_rand$BackslashCloselstrlen$CountExistsFileH_prolog3_TickValuelstrcatlstrcpywsprintf
String ID: 60/$@%u@$Software\JavaSoft\Prefs
API String ID: 1633314636-2765542657
Opcode ID: dca7bc4d773a6e8515ede37f0cc64ca4c43c43e09934ac00fe92e3808279ff9e
Instruction ID: 3e79adc4f45eaf1a3f1008305e64cf0eac54696a86c08cd63f6249e31cc765e8
Opcode Fuzzy Hash: dca7bc4d773a6e8515ede37f0cc64ca4c43c43e09934ac00fe92e3808279ff9e
Instruction Fuzzy Hash: F9126C759006289FEB61DF54CC84A9BBBB9FF44382F5081DAE409AB155DB31AEC5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00402F11 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402F22
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\etopt.exe,00000400,?,?,004036CC,?,?,00000008,0000000A,0000000C), ref: 00402F3E

Part of subcall function 00405DCA: GetFileAttributesA.KERNEL32(00000003,00402F51,C:\Users\user\Desktop\etopt.exe,80000000,00000003,?,?,004036CC,?,?,00000008,0000000A,0000000C), ref: 00405DCE
Part of subcall function 00405DCA: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,004036CC,?,?,00000008,0000000A,0000000C), ref: 00405DF0

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\etopt.exe,C:\Users\user\Desktop\etopt.exe,80000000,00000003,?,?,004036CC,?,?,00000008), ref: 00402F8A
GlobalAlloc.KERNEL32(00000040,00000008,?,?,004036CC,?,?,00000008,0000000A,0000000C), ref: 004030C0

Strings

Error launching installer, xrefs: 00402F61
Null, xrefs: 00403008
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F18
Inst, xrefs: 00402FF6
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004030E7
soft, xrefs: 00402FFF
"C:\Users\user\Desktop\etopt.exe", xrefs: 00402F17
C:\Users\user\Desktop\etopt.exe, xrefs: 00402F28, 00402F37, 00402F4B, 00402F6B
C:\Users\user\Desktop, xrefs: 00402F6C, 00402F71, 00402F77

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\etopt.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\etopt.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3768146980
Opcode ID: 081d1a3aa35225365c92f35197d1b482825dcf17d6e250848d5bf6d3b5cbdb28
Instruction ID: 0b9b52bb6b718f1774356dee72a061cac6175c7550ffdedce4251753d8c96ad9
Opcode Fuzzy Hash: 081d1a3aa35225365c92f35197d1b482825dcf17d6e250848d5bf6d3b5cbdb28
Instruction Fuzzy Hash: E051D571A01208AFDB20AF65DD85B9E7EACEB14756F10803BF900B62D1C77C9E418B9D

Uniqueness

Uniqueness Score: -1.00%

Function 1000399E Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 126registrystringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 10003A33
wsprintfW.USER32 ref: 10003A9E
lstrlenW.KERNEL32(?), ref: 10003AAA
RegSetValueExW.KERNEL32(?,log_id,00000000,00000001,?,?), ref: 10003AD1
__time64.LIBCMT ref: 10003AE1
RegSetValueExW.KERNEL32(?,inst_time,00000000,0000000B,?,00000008), ref: 10003B05
RegSetValueExW.KERNEL32(?,whitelist,00000000,00000004,?,00000004), ref: 10003B27
RegCloseKey.KERNEL32(?), ref: 10003B2E
RegCloseKey.ADVAPI32(?,-80000001,?), ref: 10003B48

Strings

whitelist, xrefs: 10003B21
log_id, xrefs: 10003ACB
inst_time, xrefs: 10003AF9
%u-%u-%u-%u, xrefs: 10003A98

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: Value$Closewsprintf$__time64lstrlen
String ID: %u-%u-%u-%u$inst_time$log_id$whitelist
API String ID: 4196172939-907521088
Opcode ID: bd57d663583ad725be1ebcd4565ce27e6347b317eb7ef91e5190439736748541
Instruction ID: f4ecfb2fefeb218b0075d81f0126d37cf26ec8a607a9ecb30de81acb86632dea
Opcode Fuzzy Hash: bd57d663583ad725be1ebcd4565ce27e6347b317eb7ef91e5190439736748541
Instruction Fuzzy Hash: 43413EB2A0122DABEB11DFA4CD81BDEBBBDFB08744F4140A9F509A7140D775AB808F50

Uniqueness

Uniqueness Score: -1.00%

Function 0325D5BD Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 124stringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0325D5C4
VariantInit.OLEAUT32(?), ref: 0325D5CF
SysStringLen.OLEAUT32(?), ref: 0325D5FB
lstrcpyW.KERNEL32(00000000,?), ref: 0325D622
VariantClear.OLEAUT32(?), ref: 0325D659
SysStringLen.OLEAUT32(?), ref: 0325D683
lstrcpyW.KERNEL32(00000000,?), ref: 0325D6A9
VariantClear.OLEAUT32(?), ref: 0325D6DA
VariantClear.OLEAUT32(?), ref: 0325D6F2

Strings

Caption, xrefs: 0325D673
Model, xrefs: 0325D5E5

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Variant$Clear$Stringlstrcpy$H_prolog3Init
String ID: Caption$Model
API String ID: 2453263429-3549279009
Opcode ID: 422c1ca6f0aa75e4b59e6b45b0bd9fcfe04358ed0c09f0fc7d142f3c06f00260
Instruction ID: 030463218ab5a998294b74bf65973e3fb60b8942052a97ee673ff321afe39161
Opcode Fuzzy Hash: 422c1ca6f0aa75e4b59e6b45b0bd9fcfe04358ed0c09f0fc7d142f3c06f00260
Instruction Fuzzy Hash: 4641B175611305AFDB05EF60E8499AE7BB8FF09750B104419F901EB2A0DB71EEC1CB60

Uniqueness

Uniqueness Score: -1.00%

Function 004062CA Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 208stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(ClocX see company, Inc.,00000400), ref: 004063FC
GetWindowsDirectoryA.KERNEL32(ClocX see company, Inc.,00000400,?,00420100,00000000,004053B3,00420100,00000000,00000000), ref: 00406412
SHGetPathFromIDListA.SHELL32(00000000,ClocX see company, Inc.,?,004053B3,00000007,?,00420100,00000000,004053B3,00420100,00000000), ref: 00406471
CoTaskMemFree.OLE32(00000000,?,004053B3,00000007,?,00420100,00000000,004053B3,00420100,00000000), ref: 0040647A
lstrcatA.KERNEL32(ClocX see company, Inc.,\Microsoft\Internet Explorer\Quick Launch,?,00420100,00000000,004053B3,00420100,00000000), ref: 0040649E
lstrlenA.KERNEL32(ClocX see company, Inc.,?,00420100,00000000,004053B3,00420100,00000000,00000000,0061CE90,00000000), ref: 004064F0

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406498
_JX, xrefs: 004062D7
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063CD
ClocX see company, Inc., xrefs: 004062F1, 004063CB, 004063E6, 004063FB, 00406411, 00406445, 0040646F, 0040649D, 004064A3, 004064BB, 004064CE, 004064E9, 004064EF, 004064FA, 00406524

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: ClocX see company, Inc.$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$_JX
API String ID: 4024019347-140956701
Opcode ID: e3ea83217e50d877ad61a226de1bd3f8652b4fd4a82ba8e62def624a621fd426
Instruction ID: c2620d4694fec9825f21badf733b1a0217c29b4dfb277ca131cfcdea64a62d9e
Opcode Fuzzy Hash: e3ea83217e50d877ad61a226de1bd3f8652b4fd4a82ba8e62def624a621fd426
Instruction Fuzzy Hash: 6A612471A00214AFDF209F24DC81B7E3BA4AB45724F62813FE907BA2C1D67D8D618B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040175E Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147stringtimeCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00000000,00000000,Publisher,C:\Program Files (x86)\ClocX,00000000,00000000,00000031), ref: 0040179D
CompareFileTime.KERNEL32(-00000014,?,Publisher,Publisher,00000000,00000000,Publisher,C:\Program Files (x86)\ClocX,00000000,00000000,00000031), ref: 004017C7

Part of subcall function 00406237: lstrcpynA.KERNEL32(0000000C,0000000C,00000400,00403525,00423B20,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406244

Part of subcall function 0040537B: lstrlenA.KERNEL32(00420100,00000000,0061CE90,00000000,?,?,?,?,?,?,?,?,?,00403278,00000000,?), ref: 004053B4
Part of subcall function 0040537B: lstrlenA.KERNEL32(x2@,00420100,00000000,0061CE90,00000000,?,?,?,?,?,?,?,?,?,00403278,00000000), ref: 004053C4
Part of subcall function 0040537B: lstrcatA.KERNEL32(00420100,0040A188,x2@,00420100,00000000,0061CE90,00000000), ref: 004053D7
Part of subcall function 0040537B: SetWindowTextA.USER32(00420100,00420100), ref: 004053E9
Part of subcall function 0040537B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040540F
Part of subcall function 0040537B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405429
Part of subcall function 0040537B: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405437

Strings

C:\Program Files (x86)\ClocX, xrefs: 0040178B
Software\Microsoft\Windows\CurrentVersion\Uninstall\ClocX, xrefs: 0040182B, 00401847
ClocX see company, Inc., xrefs: 004017A8, 00401817, 00401835
Publisher, xrefs: 0040177A, 00401783, 00401790, 004017A2, 004017B3, 004017E9, 004017FF, 0040181D, 0040185D, 004018DE, 004018E7, 004018F1, 004018FC

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Program Files (x86)\ClocX$ClocX see company, Inc.$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall\ClocX
API String ID: 1941528284-3284503632
Opcode ID: 4def18cb9ace67983dffe7e7a47c688e468ad4a1bdd505a269ed0a544eee3348
Instruction ID: 39dd0fe120a5207bee21d69b5493a35c6fc04a070aa2f9b93a6dcf12a939fbda
Opcode Fuzzy Hash: 4def18cb9ace67983dffe7e7a47c688e468ad4a1bdd505a269ed0a544eee3348
Instruction Fuzzy Hash: 2541E771900619BACF20BBB5CC45DAF3669DF05368B60823FF422F11E1D77C4A518A6E

Uniqueness

Uniqueness Score: -1.00%

Function 032603D8 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 71librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(IpHlpApi,?,?,?,?,?,032540B4,?), ref: 032603F6
LoadLibraryW.KERNEL32(IpHlpApi,?,?,?,?,?,032540B4,?), ref: 03260401
GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 03260411
GetAdaptersAddresses.IPHLPAPI(00000000,0000000F,00000000,00000000,?,?,?,?,?,?,032540B4,?), ref: 03260429
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,032540B4,?), ref: 03260436
GetAdaptersAddresses.IPHLPAPI(00000000,0000000F,00000000,00000000,?), ref: 03260447
GlobalFree.KERNEL32(00000000), ref: 0326046E

Strings

GetAdaptersAddresses, xrefs: 0326040B
IpHlpApi, xrefs: 032603F0, 032603F5, 03260400

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AdaptersAddressesGlobal$AddressAllocFreeHandleLibraryLoadModuleProc
String ID: GetAdaptersAddresses$IpHlpApi
API String ID: 3738731904-887461526
Opcode ID: cb6dac280cfde8683c35c49d5ba1d493745b25e1ae65d1508113a696a797df74
Instruction ID: ef60fe2af9f280cca1d5a7f6b225825b2b4741cd77693909946b39a1911a8c8c
Opcode Fuzzy Hash: cb6dac280cfde8683c35c49d5ba1d493745b25e1ae65d1508113a696a797df74
Instruction Fuzzy Hash: 94119071620205BFDB21EB65EC8CDAEBBBCFF85710B288458F505E6105E7709AC0E660

Uniqueness

Uniqueness Score: -1.00%

Function 1000E260 Relevance: 15.3, APIs: 10, Instructions: 264COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,1000E070,1000E090,1000E0B0,1000E0C0,1000E0E0,00000000,10003427,00000000,?,?,?,?,?,?), ref: 1000E271
SetLastError.KERNEL32(000000C1,?,1000E070,1000E090,1000E0B0,1000E0C0,1000E0E0,00000000,10003427,00000000,?,?,?,?,?,?), ref: 1000E291

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 59c00143b6b2d343200221ae135fe221ba95f50665129df5f7566593b047bd66
Instruction ID: 7c3ab89e934c869368ea09d25c3e2b7bd5aa5f4c6dc03bbcea645bed82928f24
Opcode Fuzzy Hash: 59c00143b6b2d343200221ae135fe221ba95f50665129df5f7566593b047bd66
Instruction Fuzzy Hash: 578110766042418FE354DFA8CC85B6BB7E4EF88790F008429FD4AD7246E7B1E944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E822833 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 180memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E82283D

Part of subcall function 6E822700: _memset.LIBCMT ref: 6E82274B

_memset.LIBCMT ref: 6E822889
_memset.LIBCMT ref: 6E8228A0

Part of subcall function 6E822251: __EH_prolog3.LIBCMT ref: 6E822258

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,?,?,?,?,?,?,?,?,?,?,000002FC,6E8226B0), ref: 6E822A5D

Strings

mixer, xrefs: 6E822930
config.xml, xrefs: 6E822844
root, xrefs: 6E82290E
play, xrefs: 6E82299A

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: _memset$AllocH_prolog3H_prolog3_Virtual
String ID: config.xml$mixer$play$root
API String ID: 30380983-1392574448
Opcode ID: fa575c965a80f7f31d6370e8a314679eb7c567e203131be8a9a9762c0c028c19
Instruction ID: 61bfde2e4645304b3d0a109005106dcabba8a3af8c0946fbff4f5d2a3cfdb8b5
Opcode Fuzzy Hash: fa575c965a80f7f31d6370e8a314679eb7c567e203131be8a9a9762c0c028c19
Instruction Fuzzy Hash: 43616A72D901AA9FDF60EAE8CC98ADCB778AB04304F104DFAD159A7251D7344AC58FC4

Uniqueness

Uniqueness Score: -1.00%

Function 03254678 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 79filetimeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032546AB
GetLocalTime.KERNEL32(?), ref: 032546BA
_sprintf.LIBCMT ref: 032546E1
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 03254724
CloseHandle.KERNEL32(00000000), ref: 03254730
IsDebuggerPresent.KERNEL32 ref: 0325473A

Strings

Wsgczyjbr(%XhuX%huX%hu), xrefs: 032546DB
C:\X, xrefs: 0325468D

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: CloseCreateDebuggerFileHandleLocalPresentTime_memset_sprintf
String ID: C:\X$Wsgczyjbr(%XhuX%huX%hu)
API String ID: 290198045-3591066603
Opcode ID: fd96931c9081a11632c6123bd670e6793517d60cfc0d87439fb0138a2cf27950
Instruction ID: 1f1c9844a6ccd05fa3693add4e790dd8c08da56a1f113da28d87966b3d3a709c
Opcode Fuzzy Hash: fd96931c9081a11632c6123bd670e6793517d60cfc0d87439fb0138a2cf27950
Instruction Fuzzy Hash: 56215671D20229ABCB20EBB1AC4DBDFB7BCAF09610F504595B519E6040DB749BC4CB50

Uniqueness

Uniqueness Score: -1.00%

Function 032511AD Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 032511CD
LoadLibraryW.KERNEL32(kernel32), ref: 032511D8
GetProcAddress.KERNEL32(00000000,GetSystemFirmwareTable), ref: 032511E8
GetSystemFirmwareTable.KERNEL32(52534D42,00000000,00000000,00000000), ref: 03251200
GetSystemFirmwareTable.KERNEL32(52534D42,00000000,00000000,00000040), ref: 03251218

Strings

kernel32, xrefs: 032511C7, 032511CC, 032511D7
GetSystemFirmwareTable, xrefs: 032511E2
BMSR, xrefs: 032511FA

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: FirmwareSystemTable$AddressHandleLibraryLoadModuleProc
String ID: BMSR$GetSystemFirmwareTable$kernel32
API String ID: 3967410829-3485498159
Opcode ID: a0184870a6626557f004ed3b1f1d3a8e2d7dbe9de84660ec36c69abc1b8a056f
Instruction ID: 5486f528c88d77a59e6dfdddb8decca11134c1e3f399c29898ba86f4155f10ff
Opcode Fuzzy Hash: a0184870a6626557f004ed3b1f1d3a8e2d7dbe9de84660ec36c69abc1b8a056f
Instruction Fuzzy Hash: B4118872625215BF8F11EFB4ACC8DAE77ADFE096443658878F901DB100C770AED58764

Uniqueness

Uniqueness Score: -1.00%

Function 6E843ADD Relevance: 13.7, APIs: 9, Instructions: 196COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32(?,6E8418DC), ref: 6E843AEA
__calloc_crt.LIBCMT ref: 6E843AF6

Part of subcall function 6E84377D: Sleep.KERNEL32(00000000,?,6E8418DC,00000001,?,00000000), ref: 6E8437A5

__calloc_crt.LIBCMT ref: 6E843B96
GetFileType.KERNEL32(?,00000001,6E8418DC), ref: 6E843C1D

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: __calloc_crt$FileInfoSleepStartupType
String ID:
API String ID: 591920814-0
Opcode ID: b52b4f17ac8518d79d137f7e32441100180fa25f7098f3886bc7b6f2df2dc712
Instruction ID: 35acbe1cf7cc64cf51f6155b2a272d2f681b21fcbf6ab2725373a983bf159cfb
Opcode Fuzzy Hash: b52b4f17ac8518d79d137f7e32441100180fa25f7098f3886bc7b6f2df2dc712
Instruction Fuzzy Hash: 8961037290574ACFE7109FA8C88CB5A7BA0EF06324F244A68D5A5DB2E1E734DC05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 032540D5 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68filetimeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03254108
GetLocalTime.KERNEL32(?), ref: 03254117
_sprintf.LIBCMT ref: 0325413E
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 03254181
CloseHandle.KERNEL32(00000000), ref: 0325418F

Strings

Wsgczyjbr(%XhuX%huX%hu), xrefs: 03254138
C:\X, xrefs: 032540EA

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: CloseCreateFileHandleLocalTime_memset_sprintf
String ID: C:\X$Wsgczyjbr(%XhuX%huX%hu)
API String ID: 1675768148-3591066603
Opcode ID: 8092a05f0ff9acafe185dd60595b9615d5d992d54eed78c6ac89e429b3246b2e
Instruction ID: ff40232791dcb0f15d317404366a97257da9d21bf64d06270775b6c45fc09658
Opcode Fuzzy Hash: 8092a05f0ff9acafe185dd60595b9615d5d992d54eed78c6ac89e429b3246b2e
Instruction Fuzzy Hash: 2A116A72D10218AADB61EBB5DC4DFDFB7BCEF09610F0045A5B519E6040EA749BC4CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E822516 Relevance: 10.7, APIs: 7, Instructions: 162fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 6E822560
GetFileSizeEx.KERNEL32(?,?), ref: 6E822587
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 6E8225DA
__aullrem.LIBCMT ref: 6E82262E
_memset.LIBCMT ref: 6E82265D
SHCreateMemStream.SHLWAPI(?,?), ref: 6E822688
FindCloseChangeNotification.KERNEL32(?), ref: 6E8226DF

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: File$Create$ChangeCloseFindNotificationReadSizeStream__aullrem_memset
String ID:
API String ID: 4143227105-0
Opcode ID: df58e1671b9d8708f5e27fad928d0420f4189cae548005429a9cefd9ff28bb4b
Instruction ID: 25195b0cf9f2a9e570b6df6057bd71413b8a45673ee878355acfec486ed218d5
Opcode Fuzzy Hash: df58e1671b9d8708f5e27fad928d0420f4189cae548005429a9cefd9ff28bb4b
Instruction Fuzzy Hash: ED5191725183469FD711CFA8C89096BBBE9BF88214F000E3DF994972A0D774D994DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0325D42C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0325D433
CoCreateInstance.OLE32(032793AC,00000000,00000017,0327D8B8,?,00000014,0325D829,0000000C,0325409A), ref: 0325D464
SysAllocString.OLEAUT32(ROOT\CIMV2), ref: 0325D489
SysFreeString.OLEAUT32(?), ref: 0325D4D6
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0325D4FE

Strings

ROOT\CIMV2, xrefs: 0325D480

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: String$AllocBlanketCreateFreeH_prolog3InstanceProxy
String ID: ROOT\CIMV2
API String ID: 2740001561-2786109267
Opcode ID: 3e868b97ac425fc30ad86868a18d61e631c069ecdd76aa568d20fec6f738cda4
Instruction ID: d5bba3fec94a83a616892a06ff7a9462156fc78d331dccc847b11aed628569ff
Opcode Fuzzy Hash: 3e868b97ac425fc30ad86868a18d61e631c069ecdd76aa568d20fec6f738cda4
Instruction Fuzzy Hash: BA414F71A1124ADFDB20DFE4C888AADFBB9BF04305F684468F545EB281C7719E85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 032522D6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 032522E0

Part of subcall function 03251E88: __EH_prolog3.LIBCMT ref: 03251E8F

_rand.LIBCMT ref: 03252367

Part of subcall function 03262AFD: __getptd.LIBCMT ref: 03262AFD

_rand.LIBCMT ref: 03252383
RegSetValueExW.KERNEL32(?,locInfos,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,Software\Chromium,00000154), ref: 0325244C

Strings

locInfos, xrefs: 03252441
Software\Chromium, xrefs: 032522FB

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _rand$H_prolog3H_prolog3_Value__getptd
String ID: Software\Chromium$locInfos
API String ID: 553859095-993488116
Opcode ID: b316034ccf176e6e3e9acbdd63abdb9be242732222617f242ed5f69d66117e3a
Instruction ID: a1d5f536e26728e6d03bb36ca82cd520bd424a4e8e3768f1b088f550d834bdac
Opcode Fuzzy Hash: b316034ccf176e6e3e9acbdd63abdb9be242732222617f242ed5f69d66117e3a
Instruction Fuzzy Hash: 1B414A75920729EBDF21DBA8CC44BDEB7B8FF48304F040495E908EB251D7B56AC98B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000270C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(shell32,00000000,?,10003E87,00000000), ref: 1000271F
LoadLibraryW.KERNEL32(shell32,?,10003E87,00000000), ref: 1000272A
GetProcAddress.KERNEL32(00000000,SHCreateDirectoryExW), ref: 1000273A
SHCreateDirectoryExW.SHELL32(00000000,10003E87,00000000,?,10003E87,00000000), ref: 10002756

Strings

shell32, xrefs: 10002719, 1000271E, 10002729
SHCreateDirectoryExW, xrefs: 10002734

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: AddressCreateDirectoryHandleLibraryLoadModuleProc
String ID: SHCreateDirectoryExW$shell32
API String ID: 3298338691-2043954311
Opcode ID: 641460de40bceb227389c15ea5a1fb2ca863975e2ad1171e262d9c64f5ed2f97
Instruction ID: 1eee5a521f4262f7e8716bb6570d958e198bc5a1e4979601e5f85269e3e8dbbb
Opcode Fuzzy Hash: 641460de40bceb227389c15ea5a1fb2ca863975e2ad1171e262d9c64f5ed2f97
Instruction Fuzzy Hash: E2F0E230359B29ABF741EB70ACCCF5A37ECEB056C5F208425F90CD9064D778C8849666

Uniqueness

Uniqueness Score: -1.00%

Function 004065F1 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406608
wsprintfA.USER32 ref: 00406641
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00406655

Strings

\, xrefs: 00406619
UXTHEME, xrefs: 004065FA
%s%s.dll, xrefs: 0040663B

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
Instruction ID: 8c01c21c0a7f1f5dc2dd6e25fe52b42a6f95ac52fcd507e529efe0f0fc04b728
Opcode Fuzzy Hash: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
Instruction Fuzzy Hash: 39F0FC7050060A67DF149BA4DD0DFFB3A5CAB08308F14047AA547E10D1EAB9D4258B59

Uniqueness

Uniqueness Score: -1.00%

Function 100026B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(shell32,?,?,10003D85,00000000,0000001C), ref: 100026C6
LoadLibraryW.KERNEL32(shell32,?,10003D85,00000000,0000001C), ref: 100026D1
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 100026E1
SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,?,10003D85,00000000,0000001C), ref: 10002700

Strings

shell32, xrefs: 100026C0, 100026C5, 100026D0
SHGetSpecialFolderPathW, xrefs: 100026DB

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: AddressFolderHandleLibraryLoadModulePathProcSpecial
String ID: SHGetSpecialFolderPathW$shell32
API String ID: 3300259121-2838573189
Opcode ID: 5a7d0dcdd20eae69472aa074c1017cb3aadfa95b5fae4c42e1cda3afb674d9bf
Instruction ID: c2911c8ded657c3290298a28dc4c6ac999e78036784f0241cc9a6000a567ae26
Opcode Fuzzy Hash: 5a7d0dcdd20eae69472aa074c1017cb3aadfa95b5fae4c42e1cda3afb674d9bf
Instruction Fuzzy Hash: 78F0A030242628ABFB019F608E88B9A3BECFF09796F018065F60CE4060C7B9C4849B95

Uniqueness

Uniqueness Score: -1.00%

Function 004027ED Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040284E
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040286A
GlobalFree.KERNEL32(?), ref: 004028A9
GlobalFree.KERNELBASE(00000000), ref: 004028BC
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D8
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028EB

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 401e7fcc9e785d052f9d96b8add348e8218570e047f6f2203c9898179291de76
Instruction ID: c6607d0c468e52bc6f7584cdfc9404409ec1a844128278b606da0b763112cdee
Opcode Fuzzy Hash: 401e7fcc9e785d052f9d96b8add348e8218570e047f6f2203c9898179291de76
Instruction Fuzzy Hash: 96318D32C00128BBDF216FA5CE48D9E7B79EF54364F10823AF450B62E0CB7949419F68

Uniqueness

Uniqueness Score: -1.00%

Function 00403148 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004031A6
GetTickCount.KERNEL32 ref: 00403227
MulDiv.KERNEL32(7FFFFFFF,00000064,00000008), ref: 00403254
wsprintfA.USER32 ref: 00403264

Strings

... %d%%, xrefs: 0040325E

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: c4bd234f56281b57ca71a02f012e69e932c9e7491eaeba74f37c88dd6edfedc1
Instruction ID: 4907b2816c1b1973c116dae1254cb898263b9bcbe09f85d02796f99425bb7c93
Opcode Fuzzy Hash: c4bd234f56281b57ca71a02f012e69e932c9e7491eaeba74f37c88dd6edfedc1
Instruction Fuzzy Hash: B9515D31900219ABCB10DF66D944A9E7BACEF45766F14817FEC04B72D0C7789E41CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0325D702 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0325D709
SysAllocString.OLEAUT32(SELECT * FROM Win32_DiskDrive), ref: 0325D731
SysFreeString.OLEAUT32(?), ref: 0325D76B

Part of subcall function 0325D594: __CxxThrowException@8.LIBCMT ref: 0325D5A6
Part of subcall function 0325D594: SysFreeString.OLEAUT32(00000000), ref: 0325D5AE

Part of subcall function 0325D5BD: __EH_prolog3.LIBCMT ref: 0325D5C4
Part of subcall function 0325D5BD: VariantInit.OLEAUT32(?), ref: 0325D5CF
Part of subcall function 0325D5BD: SysStringLen.OLEAUT32(?), ref: 0325D5FB
Part of subcall function 0325D5BD: lstrcpyW.KERNEL32(00000000,?), ref: 0325D622
Part of subcall function 0325D5BD: VariantClear.OLEAUT32(?), ref: 0325D659
Part of subcall function 0325D5BD: SysStringLen.OLEAUT32(?), ref: 0325D683
Part of subcall function 0325D5BD: lstrcpyW.KERNEL32(00000000,?), ref: 0325D6A9

Strings

WQL, xrefs: 0325D752
SELECT * FROM Win32_DiskDrive, xrefs: 0325D729

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: String$FreeH_prolog3Variantlstrcpy$AllocClearException@8InitThrow
String ID: SELECT * FROM Win32_DiskDrive$WQL
API String ID: 1137036005-316128858
Opcode ID: f7585abde8927465a0a1f6ce96638a636bd846b9b62b16b69fbde800395846b5
Instruction ID: de39990f814b397fd35718ade9a9347e5a79ed64ebec8022f5e7863f91afee2c
Opcode Fuzzy Hash: f7585abde8927465a0a1f6ce96638a636bd846b9b62b16b69fbde800395846b5
Instruction Fuzzy Hash: AF318D75A1024AEFDF10DFA4C8889ADBBB4FF45214B188568F926DF290C770DB81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E8417D1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E8418D7

Part of subcall function 6E843250: __FF_MSGBANNER.LIBCMT ref: 6E843269
Part of subcall function 6E843250: __NMSG_WRITE.LIBCMT ref: 6E843270
Part of subcall function 6E843250: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,-00001000,00000000,?,6E8418DC,00000001,?,00000000), ref: 6E843295

std::exception::exception.LIBCMT ref: 6E84190C
std::exception::exception.LIBCMT ref: 6E841926
__CxxThrowException@8.LIBCMT ref: 6E841937

Strings

bad allocation, xrefs: 6E841905

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 615853336-2104205924
Opcode ID: 63baf71078ac91a4bb80040999e29a78beca3f704488f7a0a09a81884504f17f
Instruction ID: 052862db99b8fa2e5dbe4b0782a0ae0780d8d351d5f2332730fb1c70835c3450
Opcode Fuzzy Hash: 63baf71078ac91a4bb80040999e29a78beca3f704488f7a0a09a81884504f17f
Instruction Fuzzy Hash: 8401D63280021DEBDB44ABD9D805EDD7BACEB42318F400CA9E814AA5D0EF719E18C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 6E841599 Relevance: 7.6, APIs: 5, Instructions: 88stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6E8415E5
lstrcpyA.KERNEL32(?,?), ref: 6E84160A
GlobalFree.KERNEL32(?), ref: 6E84161B
lstrcpyA.KERNEL32(?,?), ref: 6E841656
lstrlenA.KERNEL32(?), ref: 6E841663

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: lstrcpy$FreeGlobal_memsetlstrlen
String ID:
API String ID: 2220718183-0
Opcode ID: 32efe1afe7cb8fbd8854d49e939271494a21f5076198ae9631ac0021f451be34
Instruction ID: 98ddf58d283238ec11f1516ace9334f985a9017abe38287b6a26898c85d5e359
Opcode Fuzzy Hash: 32efe1afe7cb8fbd8854d49e939271494a21f5076198ae9631ac0021f451be34
Instruction Fuzzy Hash: 02310AF690021DDBCB11EFA8DD84AD9B7FCEB45204F0048AAD719A3201E7349A99CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0325DCC6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(WS2_32), ref: 0325DCEE
LoadLibraryW.KERNEL32(WS2_32), ref: 0325DCFB
GetProcAddress.KERNEL32(00000000,0327D30C), ref: 0325E003

Strings

WS2_32, xrefs: 0325DCE8, 0325DCED, 0325DCFA

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: WS2_32
API String ID: 310444273-3733209568
Opcode ID: 985fcfeb1af071cbba2c8318a7e6fc4b3b00578249dc968624915bbaaa756070
Instruction ID: 605d9ecb04e17cdf285050604a1acaab39d383cf12a0f15128856d23d2bbcbad
Opcode Fuzzy Hash: 985fcfeb1af071cbba2c8318a7e6fc4b3b00578249dc968624915bbaaa756070
Instruction Fuzzy Hash: 3E8136B0822369DACB65EF91D9586DEBEF0BF4630DF508988D4197B291C7301AC9CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0325CCDE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(WinInet,00000001,00000000), ref: 0325CD06
LoadLibraryW.KERNEL32(WinInet), ref: 0325CD13
GetProcAddress.KERNEL32(00000000,0327CFE0), ref: 0325CE3B

Strings

WinInet, xrefs: 0325CD00, 0325CD05, 0325CD12

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: WinInet
API String ID: 310444273-2572174499
Opcode ID: 2a9a22c498fb26d006dc766388e81a6449d1b89f1afd2a844307b631b638fdf6
Instruction ID: a837ca7276dc80a6e4e1a97004255d0a630db923e6c857ae7e8a09a73a64b63a
Opcode Fuzzy Hash: 2a9a22c498fb26d006dc766388e81a6449d1b89f1afd2a844307b631b638fdf6
Instruction Fuzzy Hash: E241B5B0822368DBCB11EF95D8486ADBFB0FF45718F615958D8187B244C7325ACACF94

Uniqueness

Uniqueness Score: -1.00%

Function 032107B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,00004000,?), ref: 03210839

Strings

, xrefs: 032107E7
@, xrefs: 032107EF

Memory Dump Source

Source File: 00000000.00000002.2578628998.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_etopt.jbxd

Similarity

API ID: FreeVirtual
String ID: $@
API String ID: 1263568516-1077428164
Opcode ID: 1538b35250ad69a1367bba51381f3fb50e275b0270662e50a1f1d0305ed736d1
Instruction ID: 168bc9585bd21cef679c6ee98a0b022020028a376808661048d6fc733a13517e
Opcode Fuzzy Hash: 1538b35250ad69a1367bba51381f3fb50e275b0270662e50a1f1d0305ed736d1
Instruction Fuzzy Hash: D2218CB06083128BE314CE59D8C4B8777E5BB88318F58C55CE5888B281D3B6E9D5CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 032307B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,00004000,?), ref: 03230839

Strings

, xrefs: 032307E7
@, xrefs: 032307EF

Memory Dump Source

Source File: 00000000.00000002.2578668685.0000000003230000.00000040.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3230000_etopt.jbxd

Similarity

API ID: FreeVirtual
String ID: $@
API String ID: 1263568516-1077428164
Opcode ID: 1538b35250ad69a1367bba51381f3fb50e275b0270662e50a1f1d0305ed736d1
Instruction ID: 4cd2bd90e225164ca74e7d0e446a7481019d3f90380f54de1b88c338448aae3f
Opcode Fuzzy Hash: 1538b35250ad69a1367bba51381f3fb50e275b0270662e50a1f1d0305ed736d1
Instruction Fuzzy Hash: C6219DB06143129BE314CE59D8C4B8777E9FF88318F58C55CE5898B281D376E985CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00402483 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(ClocX see company, Inc.,00000023,00000011,00000002), ref: 004024CE
RegSetValueExA.KERNEL32(?,?,?,?,ClocX see company, Inc.,00000000,00000011,00000002), ref: 0040250E
RegCloseKey.ADVAPI32(?,?,?,ClocX see company, Inc.,00000000,00000011,00000002), ref: 004025F2

Strings

ClocX see company, Inc., xrefs: 004024BF, 004024E1, 004024F8, 00402503

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: ClocX see company, Inc.
API String ID: 2655323295-1072228731
Opcode ID: f25e879b3b79e74fae353baec5f096cb43f7d53cccb6227b1fb0415afbb78fca
Instruction ID: a97729ee4a16c1d56943da7249f011fe152986cd41bf55b20ee8639e3933e8e4
Opcode Fuzzy Hash: f25e879b3b79e74fae353baec5f096cb43f7d53cccb6227b1fb0415afbb78fca
Instruction Fuzzy Hash: EB119071E04208BFEB10AFA5CE89AAE7A74EB50714F21443FF505F71D1C6B94D819B28

Uniqueness

Uniqueness Score: -1.00%

Function 00405CB7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406237: lstrcpynA.KERNEL32(0000000C,0000000C,00000400,00403525,00423B20,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406244

Part of subcall function 00405C62: CharNextA.USER32(?,?,C:\,0000000C,00405CCE,C:\,C:\,76233410,?,C:\Users\user\AppData\Local\Temp\,00405A19,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe"), ref: 00405C70
Part of subcall function 00405C62: CharNextA.USER32(00000000), ref: 00405C75
Part of subcall function 00405C62: CharNextA.USER32(00000000), ref: 00405C89

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,76233410,?,C:\Users\user\AppData\Local\Temp\,00405A19,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe"), ref: 00405D0A
GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,76233410,?,C:\Users\user\AppData\Local\Temp\,00405A19,?,76233410,C:\Users\user\AppData\Local\Temp\), ref: 00405D1A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CB7
C:\, xrefs: 00405CBD, 00405CC2, 00405CC8, 00405D03, 00405D09, 00405D11, 00405D19

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-615423462
Opcode ID: 2a969093c675307beb61016a7d711a3cc48518ddeb68e40ae6e7fa30b2cf6e1d
Instruction ID: 8c953325f40539ac80e30edd2b71836dc1536c6f0222066fa4963a5f85afe8ac
Opcode Fuzzy Hash: 2a969093c675307beb61016a7d711a3cc48518ddeb68e40ae6e7fa30b2cf6e1d
Instruction Fuzzy Hash: 0BF02D35108F6016E62632391C4969F2A44CE9372471A057FFD52B12D2DF3C8942AA7E

Uniqueness

Uniqueness Score: -1.00%

Function 00405DF9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E0D
GetTempFileNameA.KERNEL32(0000000C,?,00000000,?,?,00403380,2052,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365F,?,00000008), ref: 00405E27

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DFC
nsa, xrefs: 00405E04

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1857211195
Opcode ID: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
Instruction ID: eb4bcb3a797d67bf37749adfe8e6602af59c17a838a4e289290f4bb9b58536cb
Opcode Fuzzy Hash: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
Instruction Fuzzy Hash: 1EF0A7363082047BDB108F55ED04B9B7B9CDF91750F10C03BFA88DB180D6B0D9558798

Uniqueness

Uniqueness Score: -1.00%

Function 10003601 Relevance: 6.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 10002775: GetModuleHandleW.KERNEL32(ntdll,00000000,10003F28), ref: 10002785
Part of subcall function 10002775: LoadLibraryW.KERNEL32(ntdll), ref: 10002790
Part of subcall function 10002775: GetProcAddress.KERNEL32(00000000,NtWow64DebuggerCall), ref: 100027A0

Part of subcall function 100026B3: GetModuleHandleW.KERNEL32(shell32,?,?,10003D85,00000000,0000001C), ref: 100026C6
Part of subcall function 100026B3: LoadLibraryW.KERNEL32(shell32,?,10003D85,00000000,0000001C), ref: 100026D1
Part of subcall function 100026B3: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 100026E1
Part of subcall function 100026B3: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,?,10003D85,00000000,0000001C), ref: 10002700

Part of subcall function 10002434: GetModuleHandleW.KERNEL32(ShlWapi,00000000,?), ref: 1000245C
Part of subcall function 10002434: LoadLibraryW.KERNEL32(ShlWapi), ref: 10002469
Part of subcall function 10002434: GetProcAddress.KERNEL32(00000000,10013AA0), ref: 10002681

PathAddBackslashW.SHLWAPI(?,?,?), ref: 100036CA
lstrcatW.KERNEL32(?,00000012), ref: 100036EE
PathAddBackslashW.SHLWAPI(?), ref: 10003704
lstrcatW.KERNEL32(?,00000012), ref: 10003722

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModulePathProc$Backslashlstrcat$FolderSpecial
String ID:
API String ID: 1533630509-0
Opcode ID: 17706d07f68e50ac90ffd3ac98a317bb08b3523982d28183b7dee32b40a61618
Instruction ID: 79f9dde3cfd5618a4af10f9fb56691c5aa2df5beb53f5faf110a8696ebeadef1
Opcode Fuzzy Hash: 17706d07f68e50ac90ffd3ac98a317bb08b3523982d28183b7dee32b40a61618
Instruction Fuzzy Hash: AD314CB2D0521C9ADF15CFE0EE889DFBFB8EF08240FA08499E406EB154E73596448F54

Uniqueness

Uniqueness Score: -1.00%

Function 004020AA Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020D5

Part of subcall function 0040537B: lstrlenA.KERNEL32(00420100,00000000,0061CE90,00000000,?,?,?,?,?,?,?,?,?,00403278,00000000,?), ref: 004053B4
Part of subcall function 0040537B: lstrlenA.KERNEL32(x2@,00420100,00000000,0061CE90,00000000,?,?,?,?,?,?,?,?,?,00403278,00000000), ref: 004053C4
Part of subcall function 0040537B: lstrcatA.KERNEL32(00420100,0040A188,x2@,00420100,00000000,0061CE90,00000000), ref: 004053D7
Part of subcall function 0040537B: SetWindowTextA.USER32(00420100,00420100), ref: 004053E9
Part of subcall function 0040537B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040540F
Part of subcall function 0040537B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405429
Part of subcall function 0040537B: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405437

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020E5
GetProcAddress.KERNEL32(00000000,?), ref: 004020F5
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215F

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 749b855a64891c496e082518e03c06212c430b5046a290d8f98b3b0e22560504
Instruction ID: 50402eebda1ace8b36f41d764fdc0c499b1308dfbf698e50307e13e343713b79
Opcode Fuzzy Hash: 749b855a64891c496e082518e03c06212c430b5046a290d8f98b3b0e22560504
Instruction Fuzzy Hash: 4421D831A00218ABCF20AFA58F49B7F7570AF40354F30413BF611B61E1DBBD49829A6E

Uniqueness

Uniqueness Score: -1.00%

Function 6E822437 Relevance: 6.1, APIs: 4, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 6E821000: lstrcpyA.KERNEL32(?,?,?,6E822478), ref: 6E821020
Part of subcall function 6E821000: GlobalFree.KERNEL32 ref: 6E821030

UnzipAndInstall.ZIP(?,?,?), ref: 6E82249D

Part of subcall function 6E822516: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 6E822560
Part of subcall function 6E822516: GetFileSizeEx.KERNEL32(?,?), ref: 6E822587
Part of subcall function 6E822516: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 6E8225DA
Part of subcall function 6E822516: __aullrem.LIBCMT ref: 6E82262E

wsprintfA.USER32 ref: 6E8224C3
GlobalAlloc.KERNEL32(00000040,000003F8), ref: 6E8224E2
lstrcpynA.KERNEL32(00000004,00000000), ref: 6E8224F8

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: File$Global$AllocCreateFreeInstallReadSizeUnzip__aullremlstrcpylstrcpynwsprintf
String ID:
API String ID: 968413532-0
Opcode ID: bc5511898ae9a5e55c59ecf4303b0a13aa1ef78353df64400d5d57259f5524f2
Instruction ID: 76b331bc33c3624068e78d1d5afc67e6045107184d7d4e3cedab1532ae31a465
Opcode Fuzzy Hash: bc5511898ae9a5e55c59ecf4303b0a13aa1ef78353df64400d5d57259f5524f2
Instruction Fuzzy Hash: 2B21ED75900608AFDB54CFE8C855ADEB7F8AB09305F104869E909E7240DB349989DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 6E826592 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E8265AC

Part of subcall function 6E826A0C: __FF_MSGBANNER.LIBCMT ref: 6E826A25
Part of subcall function 6E826A0C: __NMSG_WRITE.LIBCMT ref: 6E826A2C
Part of subcall function 6E826A0C: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6E8265B1,?,?), ref: 6E826A51

std::exception::exception.LIBCMT ref: 6E8265E1
std::exception::exception.LIBCMT ref: 6E8265FB
__CxxThrowException@8.LIBCMT ref: 6E82660C

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: 0a63202ef754d45afc216907807346bb9f05d8a0e9b280f7b9804ba4e675a1bd
Instruction ID: 633fdbbcdddc4fbe526645dce3ce0aec8e818c3a6dbcfa8c89c51a1a8af1c704
Opcode Fuzzy Hash: 0a63202ef754d45afc216907807346bb9f05d8a0e9b280f7b9804ba4e675a1bd
Instruction Fuzzy Hash: E9F0DC3141062AAFDF04DEE8C810ADE7BACAB41708F500C39E800A72D4DB758AC4EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 10008E2D Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 10008E47

Part of subcall function 10008865: __FF_MSGBANNER.LIBCMT ref: 1000887E
Part of subcall function 10008865: __NMSG_WRITE.LIBCMT ref: 10008885
Part of subcall function 10008865: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000000,00000000,?,10008E4C,?,?), ref: 100088AA

std::exception::exception.LIBCMT ref: 10008E7C
std::exception::exception.LIBCMT ref: 10008E96
__CxxThrowException@8.LIBCMT ref: 10008EA7

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: 2392891d82218468df591a333fb6b1514483c070e188ab06ceaeddda4b347c32
Instruction ID: 18aa0185ec6b6cb4edbfdb9f63af4c15d080f6fba5e554b8986e3e6c595fda4c
Opcode Fuzzy Hash: 2392891d82218468df591a333fb6b1514483c070e188ab06ceaeddda4b347c32
Instruction Fuzzy Hash: 39F02834500289BBFB09DB55CC16AAE37E8FB413C8F014019F9C09609ACF70DB409791

Uniqueness

Uniqueness Score: -1.00%

Function 100041FF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(?,?,3385105F), ref: 10004250

Part of subcall function 1000861A: __EH_prolog3.LIBCMT ref: 10008621

Part of subcall function 100029B2: __EH_prolog3.LIBCMT ref: 100029B9

Part of subcall function 1000288A: _memset.LIBCMT ref: 100028CF

Part of subcall function 10002254: __EH_prolog3.LIBCMT ref: 1000225B

Part of subcall function 10002B0C: __EH_prolog3_GS.LIBCMT ref: 10002B16

Strings

config.xml, xrefs: 10004296
root, xrefs: 10004308

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: H_prolog3$CreateH_prolog3_Stream_memset
String ID: config.xml$root
API String ID: 3011095730-3592495491
Opcode ID: 5bb6a20bdd353a4b114cc90994e7c9b7b05df8629e9752ee1c2ed0c100b9d4f3
Instruction ID: 9e9064938b3fa89a1356f55a90024f1f832001dda5f5f866cc8430b8efe16fb2
Opcode Fuzzy Hash: 5bb6a20bdd353a4b114cc90994e7c9b7b05df8629e9752ee1c2ed0c100b9d4f3
Instruction Fuzzy Hash: 0D51A0715083429FE310DF64C881A5FBBE4FF88394F01592DF58897225DB30EA44CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03255AC7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 032602C0: GetModuleHandleW.KERNEL32(ntdll,?,?,?,?,?,?,?,?,?,00000230,03254058,?), ref: 032602D6
Part of subcall function 032602C0: LoadLibraryW.KERNEL32(ntdll,?,?,?,?,?,00000230,03254058,?), ref: 032602E1
Part of subcall function 032602C0: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 032602F1

Part of subcall function 03260395: GetModuleHandleW.KERNEL32(ntdll,00000000,03253DBD), ref: 032603A5
Part of subcall function 03260395: LoadLibraryW.KERNEL32(ntdll), ref: 032603B0
Part of subcall function 03260395: GetProcAddress.KERNEL32(00000000,NtWow64DebuggerCall), ref: 032603C0

_sprintf.LIBCMT ref: 03255B9B

Part of subcall function 03270EF0: _memset.LIBCMT ref: 03270EFC

Part of subcall function 0325C870: _memmove.LIBCMT ref: 0325C948

Strings

{"ident_":"%s","channel_":"%s","os_plat_":%u,"os_ver_":"%hu","app_ver_":"","old_ver_":"","mac_":"%s","ip_":"","reboot_":0,"act_":%u}, xrefs: 03255B95
XDG6nayb7IIacXsx, xrefs: 03255BB5

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc$_memmove_memset_sprintf
String ID: XDG6nayb7IIacXsx${"ident_":"%s","channel_":"%s","os_plat_":%u,"os_ver_":"%hu","app_ver_":"","old_ver_":"","mac_":"%s","ip_":"","reboot_":0,"act_":%u}
API String ID: 1534788510-2706134042
Opcode ID: 838157b293e4aa5d7502bd9e518e429f119a8f32490bb0a2e4346acc080d4a8b
Instruction ID: d85096f2341845d4d17649d12abacf7f621f1fbb846ba7f5286b59e2ba297e20
Opcode Fuzzy Hash: 838157b293e4aa5d7502bd9e518e429f119a8f32490bb0a2e4346acc080d4a8b
Instruction Fuzzy Hash: 784147B6518308ABC721EF54D881DDFB7DCEF89704F44492AF589C7141EA74E78887A2

Uniqueness

Uniqueness Score: -1.00%

Function 004015C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405C62: CharNextA.USER32(?,?,C:\,0000000C,00405CCE,C:\,C:\,76233410,?,C:\Users\user\AppData\Local\Temp\,00405A19,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe"), ref: 00405C70
Part of subcall function 00405C62: CharNextA.USER32(00000000), ref: 00405C75
Part of subcall function 00405C62: CharNextA.USER32(00000000), ref: 00405C89

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 00405841: CreateDirectoryA.KERNEL32(00426400,?), ref: 00405883

SetCurrentDirectoryA.KERNEL32(00000000,C:\Program Files (x86)\ClocX,00000000,00000000,000000F0), ref: 00401641

Strings

C:\Program Files (x86)\ClocX, xrefs: 00401636

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Program Files (x86)\ClocX
API String ID: 1892508949-1769362010
Opcode ID: 14f67ca8e0c29e206b3dcb9b188b28f81c0f34cf51c11e73715c97a61f3fd356
Instruction ID: c534a7339b2a394ebaa2443626685450ff5d36f89492a899d329025244df60ea
Opcode Fuzzy Hash: 14f67ca8e0c29e206b3dcb9b188b28f81c0f34cf51c11e73715c97a61f3fd356
Instruction Fuzzy Hash: 6B110431508154ABDF317F650C4067F36B09A92765B2C497FE891B22E2CA3D49429A2E

Uniqueness

Uniqueness Score: -1.00%

Function 03253DA3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 03260395: GetModuleHandleW.KERNEL32(ntdll,00000000,03253DBD), ref: 032603A5
Part of subcall function 03260395: LoadLibraryW.KERNEL32(ntdll), ref: 032603B0
Part of subcall function 03260395: GetProcAddress.KERNEL32(00000000,NtWow64DebuggerCall), ref: 032603C0

RegSetValueExW.KERNEL32(?,cur_version,00000000,00000004,?,00000004,-80000001,Software\Baidu\BDLOG), ref: 03253E02

Strings

cur_version, xrefs: 03253DFA
Software\Baidu\BDLOG, xrefs: 03253DD0

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProcValue
String ID: Software\Baidu\BDLOG$cur_version
API String ID: 836833209-3408083060
Opcode ID: 7516186c070c144d25aa6d751425c8bbd10031a9b8279c43e0888803d51c73fd
Instruction ID: 2dcb0b8dfd49f0ff27069aea10b7ff58059ecaf2df7c6dc26cff80049334adb0
Opcode Fuzzy Hash: 7516186c070c144d25aa6d751425c8bbd10031a9b8279c43e0888803d51c73fd
Instruction Fuzzy Hash: 79014F76A60319BADB10EF65DC41ADE7FB8EF40B40F1081A6BA15EA140E7B497C49BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0040611E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(?,?,00000000,?,?,00000400,ClocX see company, Inc.,00420100,?,?,?,00000000,?,?,004063DC,80000002), ref: 00406164
RegCloseKey.KERNEL32(?,?,004063DC,80000002,Software\Microsoft\Windows\CurrentVersion,?,ClocX see company, Inc.,?,?,00420100), ref: 0040616F

Strings

ClocX see company, Inc., xrefs: 00406155

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CloseQueryValue
String ID: ClocX see company, Inc.
API String ID: 3356406503-1072228731
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: 234a7790911f41680efae40c19e92282bbd05b075ecf5bd5780e2e0f9c200ffb
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: A7015E72500209BFDF228F61CC05FDB3BA8EF55365F01403AF959A6191D274D964DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406D88 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746edd85731b57cf3b83eab4d46c6ffe846714ac2de3c6d7f32ede9ad86d97b3
Instruction ID: 563b001c7c21537736a46ba6dcfae31f29042dd049110a2702d2cedc179ff4de
Opcode Fuzzy Hash: 746edd85731b57cf3b83eab4d46c6ffe846714ac2de3c6d7f32ede9ad86d97b3
Instruction Fuzzy Hash: 8AA14471E04229CBDF28CFA8C8447ADBBB1FF44305F14816AD856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F89 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 514b551d593553ef6eb35925373102f80a65b4a506cf9c97eb14a79c6b5c9033
Instruction ID: 3b52b9ac1d564d111b2e83a9cf7d991fe93aea36dc180f3714403aeb7247712d
Opcode Fuzzy Hash: 514b551d593553ef6eb35925373102f80a65b4a506cf9c97eb14a79c6b5c9033
Instruction Fuzzy Hash: 81913371D04228CBDF28CF98C8447ADBBB1FF44305F14812AD852BB291C778AA86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406C9F Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f3183dfc8d617743b09e10c91d9716f43336b110b5d784984891a8e16e6fe2
Instruction ID: c294b1806063813c67911164d4736656f1aea70b14f2bbbee4f44adfb39faac4
Opcode Fuzzy Hash: c8f3183dfc8d617743b09e10c91d9716f43336b110b5d784984891a8e16e6fe2
Instruction Fuzzy Hash: 34815571D04228DFDF28CFA8C844BADBBB1FB44305F25816AD456BB281C7789A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004067A4 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88364152a40110ebeb5bdea854d29768943ce371e55df298019506e9f1661bf3
Instruction ID: fd96046610c4e6138eb27a2a35463d1c943e3269e132cc0b05d4de0a017c49a0
Opcode Fuzzy Hash: 88364152a40110ebeb5bdea854d29768943ce371e55df298019506e9f1661bf3
Instruction Fuzzy Hash: 18816871D04229DBDF28CFA9C8447ADBBB1FB44305F20816AD856BB2C1C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406BF2 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138f746307d7a7201d35d7ccc0060c354a879ee681c840f29089ac68bf8abfc6
Instruction ID: 527d4cb5f1739fc0fb2cdf2f9bc36bb3b1550b8c7e7080735c92d038f1f95009
Opcode Fuzzy Hash: 138f746307d7a7201d35d7ccc0060c354a879ee681c840f29089ac68bf8abfc6
Instruction Fuzzy Hash: E4713471D04228CFDF28CFA8C8447ADBBB1FB44305F25806AD456BB280C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406D10 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1dcdb279c49f667fb6c0fa303d0cbee229d538f5a1370e2ea3a071190b81758
Instruction ID: 3e76f83bfc4e6672a0828d309bd7b37fff07c04e2d145d4cc38ae5fcc60d9b91
Opcode Fuzzy Hash: d1dcdb279c49f667fb6c0fa303d0cbee229d538f5a1370e2ea3a071190b81758
Instruction Fuzzy Hash: B5713471D04228DBDF28CF98C844BADBBB1FB44305F25816AD856BB280C7789A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406C5C Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849db49b47f03bad99b5b7f46a34cfd3aa9debb3011fd687bc5efd5786eb61e0
Instruction ID: 70b8bdcd8d03af07e842054a5d5e245901551a1439b6cbc63634ef8bcb0b31b7
Opcode Fuzzy Hash: 849db49b47f03bad99b5b7f46a34cfd3aa9debb3011fd687bc5efd5786eb61e0
Instruction Fuzzy Hash: A0714671D04229DFEF28CF98C844BADBBB1FB44305F11806AD456BB281C778AA96DF45

Uniqueness

Uniqueness Score: -1.00%

Function 6E8257A6 Relevance: 4.6, APIs: 3, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ce65d39b6fb242e06f6d56b8d5d99bbb8abaa1e1a986e10a64cb02e61fd901
Instruction ID: 0208d7ecfe30d6358c4c5520b473a88d439df8737b6000f315d259da3a85a316
Opcode Fuzzy Hash: 51ce65d39b6fb242e06f6d56b8d5d99bbb8abaa1e1a986e10a64cb02e61fd901
Instruction Fuzzy Hash: EB41FDB1984752EFCB45CFA9E490699BBF8BF08314B100A7AD815EB789D770E490CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 10007A2D Relevance: 4.6, APIs: 3, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b96b7be34690b893dc07bbc81e5c0b583aa4c003d9bbb180e3efec404beb6f
Instruction ID: 19a1e4a16eef131b3eed4e48219eaedc15e78bfb1dc35e474ddb6c44f39bb45c
Opcode Fuzzy Hash: 68b96b7be34690b893dc07bbc81e5c0b583aa4c003d9bbb180e3efec404beb6f
Instruction Fuzzy Hash: F241E1B5E04652AFDB05CF69D490298BBF4FF49390B10416AE848DB78AD778F950CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00401B8C Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BFB
GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401C0D

Strings

Publisher, xrefs: 00401BB3, 00401BB9, 00401BD3

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Global$AllocFree
String ID: Publisher
API String ID: 3394109436-504977381
Opcode ID: 6d20b2b13b20091192b08d316ceb67ceea9198729bf84211b64d641f605e2603
Instruction ID: 5761affe63e0c2d9c431db38a58fbdcd3ce3ca8b2a02108ab6707c208c68d119
Opcode Fuzzy Hash: 6d20b2b13b20091192b08d316ceb67ceea9198729bf84211b64d641f605e2603
Instruction Fuzzy Hash: A92196B2600114ABD720FF94CE8496F73E8EB44318725453FF602B72D1DB7898128B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0326266E Relevance: 4.5, APIs: 3, Instructions: 43COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 03262688

Part of subcall function 03262B1E: __FF_MSGBANNER.LIBCMT ref: 03262B37
Part of subcall function 03262B1E: __NMSG_WRITE.LIBCMT ref: 03262B3E
Part of subcall function 03262B1E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0326B6E0,00000000,00000001,00000000,?,0326D017,00000018,0327E2F0,0000000C,0326D0A7), ref: 03262B63

std::exception::exception.LIBCMT ref: 032626D7
__CxxThrowException@8.LIBCMT ref: 032626E8

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::exception::exception
String ID:
API String ID: 1264268182-0
Opcode ID: 95268309ff96e12d957fe21e1e54b74986fffcad56cdf17cadc4bf6abff9bf7e
Instruction ID: 2bfe3603cc96d683522ab43e298e23fc893573896ff53cf94d5e95ff140b7f4d
Opcode Fuzzy Hash: 95268309ff96e12d957fe21e1e54b74986fffcad56cdf17cadc4bf6abff9bf7e
Instruction Fuzzy Hash: 4DF0F93892034ADACB14FB55D819A9E7BA8BF40244F144809D4149A4D0DFF095D1CB92

Uniqueness

Uniqueness Score: -1.00%

Function 10002824 Relevance: 4.5, APIs: 3, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,10003FCE,?,?), ref: 10002850
WriteFile.KERNEL32(00000000,?,10003FCE,?,00000000,?,10003FCE,?,?), ref: 1000286C
FindCloseChangeNotification.KERNEL32(00000000,?,10003FCE,?,?), ref: 10002873

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID:
API String ID: 3805958096-0
Opcode ID: ba28864e2f4e9621ed4def32bf62f5e6dccf20f37ce491c980c0712f6b6c1d6a
Instruction ID: f03b1590b95c36e251adf1c9f09301d2fbc93db8768dffa2789afb6e23a33b02
Opcode Fuzzy Hash: ba28864e2f4e9621ed4def32bf62f5e6dccf20f37ce491c980c0712f6b6c1d6a
Instruction Fuzzy Hash: B6F0C279602128BBEB61CB90CC48FAF3A78EB45BE0F20C151F944A2098CA70CE40D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 004059B1 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405DA5: GetFileAttributesA.KERNEL32(?,?,004059BD,?,?,00000000,00405BA0,?,?,?,?), ref: 00405DAA
Part of subcall function 00405DA5: SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DBE

RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405BA0), ref: 004059CC
DeleteFileA.KERNEL32(?,?,?,00000000,00405BA0), ref: 004059D4
SetFileAttributesA.KERNEL32(?,00000000), ref: 004059EC

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 043921b8c917d9d62ea668da32ed729a983a4b9cb196bdfb72cf9d57704c1844
Instruction ID: 748c1894d5f7bb927cbb266f0b6a5959ce6b0e186b290a0f311dc0abef280d91
Opcode Fuzzy Hash: 043921b8c917d9d62ea668da32ed729a983a4b9cb196bdfb72cf9d57704c1844
Instruction Fuzzy Hash: 97E0E572105A5196CA1057309E0CB6F3A94DFC6334F054A3BF491F10C0CB78484A8B7D

Uniqueness

Uniqueness Score: -1.00%

Function 032547C3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 032547CA

Part of subcall function 0325A9C3: std::exception::exception.LIBCMT ref: 0325A9DF
Part of subcall function 0325A9C3: __CxxThrowException@8.LIBCMT ref: 0325A9F4

Part of subcall function 0325FC09: NtQuerySystemInformation.NTDLL(00000005,00000000,00000000,?), ref: 0325FC39
Part of subcall function 0325FC09: NtQuerySystemInformation.NTDLL(00000005,00000000,?,?), ref: 0325FC5B

Part of subcall function 03254640: __wcsicoll.LIBCMT ref: 0325465E

Strings

, xrefs: 03254938

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: InformationQuerySystem$Exception@8H_prolog3Throw__wcsicollstd::exception::exception
String ID:
API String ID: 1231316348-3916222277
Opcode ID: 483c3a15c3b440f8591fb9418a299acceb8ca3dce47061ca34dad0d4704c66d3
Instruction ID: 04ff2770d3616c2c8c6e9097ec56cc3de922e552f9d1485a58ad7ab7cf69f8c7
Opcode Fuzzy Hash: 483c3a15c3b440f8591fb9418a299acceb8ca3dce47061ca34dad0d4704c66d3
Instruction Fuzzy Hash: BE41E771C3126A8ACF00EF96E9495EEFBB4BF08208F514559ED117B210D7B05BC68BD5

Uniqueness

Uniqueness Score: -1.00%

Function 10003384 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 100033B6

Strings

DllGetClassObject, xrefs: 1000342D

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: _memset
String ID: DllGetClassObject
API String ID: 2102423945-1075368562
Opcode ID: b8b4cc25ca5998455ccb1adb17270082b8b3c5b222b8cb717bb844048e1174be
Instruction ID: eb5b587aade3bfee20b6c57bca3ae71b00074563759df851f19f3cb839917607
Opcode Fuzzy Hash: b8b4cc25ca5998455ccb1adb17270082b8b3c5b222b8cb717bb844048e1174be
Instruction Fuzzy Hash: 4831A7729042195BEB26DF649CC8A9B73F9EB04390F0144FEE509AB141DBB4AFC48B10

Uniqueness

Uniqueness Score: -1.00%

Function 1000288A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 100028CF

Strings

config.xml, xrefs: 1000290A

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: _memset
String ID: config.xml
API String ID: 2102423945-4248206997
Opcode ID: f6d7755b0c5f51f0d02027d4325640d4bc2465f6a6932a503c89ffa4e6664798
Instruction ID: 9640eb08cb6f3e1e8e3b2f1df64a973ee1b7b56aaaba98092097d414a2a25eea
Opcode Fuzzy Hash: f6d7755b0c5f51f0d02027d4325640d4bc2465f6a6932a503c89ffa4e6664798
Instruction Fuzzy Hash: 5331B375900229DBEB61DF64CC8979EB7F8FB04394F1145A9E54CE7249EB30AE84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 100051FC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 10005206

Part of subcall function 10008785: std::exception::exception.LIBCMT ref: 1000879A
Part of subcall function 10008785: __CxxThrowException@8.LIBCMT ref: 100087AF
Part of subcall function 10008785: std::exception::exception.LIBCMT ref: 100087C0

Strings

string too long, xrefs: 10005201

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: string too long
API String ID: 1823113695-2556327735
Opcode ID: 97f4c526e96433aaafed9d275708d171cefda4ed66a9f005e217431697d3501b
Instruction ID: c4a7e5db0c3df3d933938aa2dd6a308d89482a947ff0722436fe4a79e4445fa7
Opcode Fuzzy Hash: 97f4c526e96433aaafed9d275708d171cefda4ed66a9f005e217431697d3501b
Instruction Fuzzy Hash: 49E08638D556216FE716DA349D49D1F36A2EF176D2F120A94E8639F1EACB21C8408291

Uniqueness

Uniqueness Score: -1.00%

Function 0325AAB1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 0325AA5C: __EH_prolog3_catch.LIBCMT ref: 0325AA63

std::_Xinvalid_argument.LIBCPMT ref: 0325AAD7

Part of subcall function 0326238D: std::exception::exception.LIBCMT ref: 032623A2
Part of subcall function 0326238D: __CxxThrowException@8.LIBCMT ref: 032623B7
Part of subcall function 0326238D: std::exception::exception.LIBCMT ref: 032623C8

Strings

list<T> too long, xrefs: 0325AAD2

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: std::exception::exception$Exception@8H_prolog3_catchThrowXinvalid_argumentstd::_
String ID: list<T> too long
API String ID: 1877048013-4027344264
Opcode ID: b3a5a6e2f0d63da958e16970d8e61d669013f70898ea6faf4010dcb687968cbe
Instruction ID: 6a28c4997efcc451f5bbe47def0d4e0195105fbb5890f7bc2f0a868286296774
Opcode Fuzzy Hash: b3a5a6e2f0d63da958e16970d8e61d669013f70898ea6faf4010dcb687968cbe
Instruction Fuzzy Hash: FFE0DF75101700AF8705EF68C60084ABFE9FF89720310C61AF82D47B00D731A8A0CB88

Uniqueness

Uniqueness Score: -1.00%

Function 10004646 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 10004771: __EH_prolog3_catch.LIBCMT ref: 10004778

std::_Xinvalid_argument.LIBCPMT ref: 1000466C

Part of subcall function 10008785: std::exception::exception.LIBCMT ref: 1000879A
Part of subcall function 10008785: __CxxThrowException@8.LIBCMT ref: 100087AF
Part of subcall function 10008785: std::exception::exception.LIBCMT ref: 100087C0

Strings

list<T> too long, xrefs: 10004667

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: std::exception::exception$Exception@8H_prolog3_catchThrowXinvalid_argumentstd::_
String ID: list<T> too long
API String ID: 1877048013-4027344264
Opcode ID: cd2f13581fcd77c66a53abb33945a79b8400e61c0ecb1ed384014f1dee3bcdd7
Instruction ID: e2e0f62bed51e5cd93d376c27e0c08e76ff34993e971f8df67d6359dbd6d18f9
Opcode Fuzzy Hash: cd2f13581fcd77c66a53abb33945a79b8400e61c0ecb1ed384014f1dee3bcdd7
Instruction Fuzzy Hash: 47E0D8B9108100AF8704CF64C500846BFA5FF46350310C01DF40D43B09DB31F410CB88

Uniqueness

Uniqueness Score: -1.00%

Function 10008486 Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,1000291C,000000FF,?,00000104,00000000,00000000,?), ref: 100084BE
_memset.LIBCMT ref: 100084EA

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: ByteCharMultiWide_memset
String ID:
API String ID: 2800726579-0
Opcode ID: 95043ac9fa7fbe7323bcbb8401c3416a26e19b455587c94fb4cbf23e29910451
Instruction ID: bff5b458e50e9573e6c72103bb4c75d0952e354f82fb34ad632e04324d8050ec
Opcode Fuzzy Hash: 95043ac9fa7fbe7323bcbb8401c3416a26e19b455587c94fb4cbf23e29910451
Instruction Fuzzy Hash: AF1187746007069BF724DF68CC86B6673E4FB087A0F11476DA6A5972D9EB70EE008B50

Uniqueness

Uniqueness Score: -1.00%

Function 10004EEC Relevance: 3.1, APIs: 2, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32(-80000001,10003A7D,00000000,00000000,00000000,00000000,00000000,?,10003A7D,769373E0,00000000,-80000001,?,10003A7D,-80000001,?), ref: 10004F2D
RegCloseKey.ADVAPI32(?,?,10003A7D,-80000001,?), ref: 10004F40

Part of subcall function 10004E81: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,10004F16,-80000001,10003A7D,00000000,?,10003A7D,769373E0,00000000,-80000001,?,10003A7D,-80000001,?), ref: 10004E90
Part of subcall function 10004E81: GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 10004EA0

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: AddressCloseCreateHandleModuleProc
String ID:
API String ID: 1765684683-0
Opcode ID: 5f0a97714cd41f9952f85af427a472c5411521c898a5f8c4afa3399ea128bb87
Instruction ID: 32e26642a1b9b8bfd552f10a06273c5e99dd3dc447dab925f50f06ab5c5d016c
Opcode Fuzzy Hash: 5f0a97714cd41f9952f85af427a472c5411521c898a5f8c4afa3399ea128bb87
Instruction Fuzzy Hash: 080140B6100109BFEB16CF55CC84D6BBBFDEB98290B21842DF55986114DA709E00DB24

Uniqueness

Uniqueness Score: -1.00%

Function 10007DB1 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5106428158fde385c7194dd768253ba3fa1323a188d20d73d1477ff61195e251
Instruction ID: 3d74783ccd95ed67bed6364718a7e1ae7d7fff2f7dc23f37c51a7d36c9ab24fd
Opcode Fuzzy Hash: 5106428158fde385c7194dd768253ba3fa1323a188d20d73d1477ff61195e251
Instruction Fuzzy Hash: 6E017C31900791DFD722CF1CDC4185ABBF9FF842E43300A9AE09AD7189C774AC409B50

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c84be941dc6a1d7a96362bea620c540ea161ebf3f36d68bcfe60af822e705706
Instruction ID: 96616b7a1d8761cd4e25acfd582333427895197751797c173d65a169d5ce1978
Opcode Fuzzy Hash: c84be941dc6a1d7a96362bea620c540ea161ebf3f36d68bcfe60af822e705706
Instruction Fuzzy Hash: AE01D1317242109BE7295B389D05B2A3AA8E710355F10823AB855F65F1D678DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00405841 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00426400,?), ref: 00405883
GetLastError.KERNEL32 ref: 00405891

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 3953c50c5734a5342b3d9bd696b660d903f899823d07f085df3ad9df62cd1170
Instruction ID: 7b03f1518e6b5023fdc9c6f8ed3c86d41a9a6143f13bb7bacee318a5d0ef92e9
Opcode Fuzzy Hash: 3953c50c5734a5342b3d9bd696b660d903f899823d07f085df3ad9df62cd1170
Instruction Fuzzy Hash: 30F0F971C1020EEBDB00DFA4D5087DEBBB4AF04305F04812AD881B6280D7B882588B99

Uniqueness

Uniqueness Score: -1.00%

Function 100050D9 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 10005104
__CxxThrowException@8.LIBCMT ref: 10005119

Part of subcall function 10008E2D: _malloc.LIBCMT ref: 10008E47

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 0166d83a4ea95c51d226f9edd91924c9bcab49cf557381749a6ad7419742cdf3
Instruction ID: 8cb154bf45305363a3a5292c77a8485af1267a373381068da939ca905d82d15e
Opcode Fuzzy Hash: 0166d83a4ea95c51d226f9edd91924c9bcab49cf557381749a6ad7419742cdf3
Instruction Fuzzy Hash: 82E06D7991054DBAEB00DFA4C841ACE7BACEB103D6F10C266BE1499095EB30D684CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0040665F Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,004034C4,0000000C), ref: 00406671
GetProcAddress.KERNEL32(00000000,?), ref: 0040668C

Part of subcall function 004065F1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406608
Part of subcall function 004065F1: wsprintfA.USER32 ref: 00406641
Part of subcall function 004065F1: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00406655

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: feebe6f5d4c52ed46379b7537604748e5e600fd26c001a323f5fa8d8aecbfb44
Instruction ID: 461613ffcc1e889ab22b6c60bfe416168310970280606bc727e976cb21be4528
Opcode Fuzzy Hash: feebe6f5d4c52ed46379b7537604748e5e600fd26c001a323f5fa8d8aecbfb44
Instruction Fuzzy Hash: 6DE08633504610AAD7106B709E0883B63EC9E897143030C3EF947F2240DB399C32967E

Uniqueness

Uniqueness Score: -1.00%

Function 0325A9C3 Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 0326266E: _malloc.LIBCMT ref: 03262688

std::exception::exception.LIBCMT ref: 0325A9DF

Part of subcall function 0326256A: std::exception::_Copy_str.LIBCMT ref: 03262585

__CxxThrowException@8.LIBCMT ref: 0325A9F4

Part of subcall function 03264288: RaiseException.KERNEL32(?,?,032626ED,?,?,?,?,?,032626ED,?,0327E50C,03281C50), ref: 032642CA

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrow_mallocstd::exception::_std::exception::exception
String ID:
API String ID: 2299493649-0
Opcode ID: 913fd14fb2b7e0bdfae2159c371d96a6e50347bce9c0542905e0a4dae69b33d8
Instruction ID: 4312e8b3a9af6a4d7d5b9996bf7c8428fab17abbd5f7e4287cd4974ad375cec9
Opcode Fuzzy Hash: 913fd14fb2b7e0bdfae2159c371d96a6e50347bce9c0542905e0a4dae69b33d8
Instruction Fuzzy Hash: 3DE0EC7992031AAADB11F7A4CD51EAE73BC7F00545F100A55E511A6081FBB096C48691

Uniqueness

Uniqueness Score: -1.00%

Function 0325AF23 Relevance: 3.0, APIs: 2, Instructions: 20registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,0325A927,?,00000000), ref: 0325AF34
RegSetValueExW.KERNEL32(?,-80000001,00000000,00000001,00000000,?,?,0325A927,?,00000000), ref: 0325AF4E

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Valuelstrlen
String ID:
API String ID: 799288031-0
Opcode ID: 18fdd0f57e80f8523e5d2b22f3a9b216b34c25a64d64a21362248a8d8bcf7d6c
Instruction ID: aa64c6a9984f7bbe4dce7f0349e8857ad0475683705aa2105c28e109106eabe7
Opcode Fuzzy Hash: 18fdd0f57e80f8523e5d2b22f3a9b216b34c25a64d64a21362248a8d8bcf7d6c
Instruction Fuzzy Hash: 88E0B67516434AFFDF119F40EC4AFEA3BA9FB08715F008411FE19991A0C7B696A89B50

Uniqueness

Uniqueness Score: -1.00%

Function 100047D6 Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 10008E2D: _malloc.LIBCMT ref: 10008E47

std::exception::exception.LIBCMT ref: 100047F2

Part of subcall function 10008D29: std::exception::_Copy_str.LIBCMT ref: 10008D44

__CxxThrowException@8.LIBCMT ref: 10004807

Part of subcall function 1000955A: RaiseException.KERNEL32(?,?,10008EAC,?,?,?,?,?,10008EAC,?,10014730,10016C40,?), ref: 1000959C

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrow_mallocstd::exception::_std::exception::exception
String ID:
API String ID: 2299493649-0
Opcode ID: 5a2fabf9ae883561be20cd077c3ceb3140a2b6256eab9e6915345f35609feb3c
Instruction ID: 1c33672adc32871e4acc4e065e52351399d91cbff3a1008f1750f24864da8916
Opcode Fuzzy Hash: 5a2fabf9ae883561be20cd077c3ceb3140a2b6256eab9e6915345f35609feb3c
Instruction Fuzzy Hash: 3FE0C2BA91018EBAE700EBE8CC02DEF73BCFB04380F010656A611B60C6EF70A7044790

Uniqueness

Uniqueness Score: -1.00%

Function 00405DCA Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000003,00402F51,C:\Users\user\Desktop\etopt.exe,80000000,00000003,?,?,004036CC,?,?,00000008,0000000A,0000000C), ref: 00405DCE
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,004036CC,?,?,00000008,0000000A,0000000C), ref: 00405DF0

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 4c035aff046b4d43788645f88f630755698ea216f1f6cd5eefec511dda558379
Instruction ID: 0febe3887fb1e567d40345103610fd6f3e8d71b3c6328ccb34cdb50f288ecb70
Opcode Fuzzy Hash: 4c035aff046b4d43788645f88f630755698ea216f1f6cd5eefec511dda558379
Instruction Fuzzy Hash: 23D09E31254301AFEF099F20DE16F2E7AA2EB84B00F11952CB682A41E0DA7158299B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA5 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,004059BD,?,?,00000000,00405BA0,?,?,?,?), ref: 00405DAA
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DBE

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 96c7ec262ab61fe6fea47152b5241fdb13327e4bfef36903235a76d16f55e530
Instruction ID: 925c3488fb9077aec40f028b3dd0f3fa9f3a969d3993950b85ad0e0998c5efa0
Opcode Fuzzy Hash: 96c7ec262ab61fe6fea47152b5241fdb13327e4bfef36903235a76d16f55e530
Instruction Fuzzy Hash: 53D012725146216FC6113728EF0C89BBF65DB543717028F35F9A9A22F0CB304C568B98

Uniqueness

Uniqueness Score: -1.00%

Function 00403966 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403769,?,?,00000008,0000000A,0000000C), ref: 00403971

Strings

C:\Users\user\AppData\Local\Temp\nszFC.tmp\, xrefs: 00403985

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nszFC.tmp\
API String ID: 2962429428-1799824252
Opcode ID: d625c911d66616238713db447086905caaa27ef346c10ee09824669ed3d8b5eb
Instruction ID: 84b30ca9656dbac66f08251a3a033140ae3660d08771983560dc423d63f61bb3
Opcode Fuzzy Hash: d625c911d66616238713db447086905caaa27ef346c10ee09824669ed3d8b5eb
Instruction Fuzzy Hash: 9CC01270900B0896C5206F799E4EA453A189740735BA48735F0B8B00F1C77C469D559E

Uniqueness

Uniqueness Score: -1.00%

Function 0040589B Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,00000000,00403375,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365F,?,00000008,0000000A,0000000C), ref: 004058A1
GetLastError.KERNEL32(?,00000008,0000000A,0000000C), ref: 004058AF

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 69c10b653dd158b78fedd416dc1848021220c938bcb028ae315e05aba8fe1da9
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: ECC04C71205916DAE6506B219F087177A54AF50741F258439AA87F40A0DA748465D92D

Uniqueness

Uniqueness Score: -1.00%

Function 0325C870 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0325C948

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d3b63b7402b36f8fc23cc800c1f1972ec7d0668b42dfba258255d3895a2a29d6
Instruction ID: eee2c379dbd9431f8df5ef9d3a96c5382516219ca94f2221b0982f73a91bd7fe
Opcode Fuzzy Hash: d3b63b7402b36f8fc23cc800c1f1972ec7d0668b42dfba258255d3895a2a29d6
Instruction Fuzzy Hash: A03157B65183429FC710DF28D480A6AFBE4FF88614F50492EF99897340E731EA84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E822700 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6E82274B

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 4c963b4a84062abd32b97a2b537e42c6f08b20f2c530fc5bca0ff8406e40893c
Instruction ID: a3191caa9bc0c670c284683b9b8445adb69aeda9cfdbc8c2e29d4561149eed96
Opcode Fuzzy Hash: 4c963b4a84062abd32b97a2b537e42c6f08b20f2c530fc5bca0ff8406e40893c
Instruction Fuzzy Hash: 50316971D246299FCF218B99CC847EAB7B8EB45314F1048BAE81CA7290D7749AC4CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 1000DC20 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee71dd3cc321f2e3bb1fe010041642a022722fbae8645dc34806be2244586ef
Instruction ID: fa09ff2649abe30817adfd985747d51783c6ba2a4443d360bf876a326ed9a0ef
Opcode Fuzzy Hash: 8ee71dd3cc321f2e3bb1fe010041642a022722fbae8645dc34806be2244586ef
Instruction Fuzzy Hash: A411E6727016035BF304DA29D880F9AB3ABFBC43A0F65825AE105C7699D7B1FD52C690

Uniqueness

Uniqueness Score: -1.00%

Function 6E82615F Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6E8261B3

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: c236bad149dcf0e63ba72495f58eee48dd0493849765e4e3387fdf6ccb6b5480
Instruction ID: 641ef9bede772aa6b54d74746bc5f8689e9cfc86815fa30695df6a343ef44878
Opcode Fuzzy Hash: c236bad149dcf0e63ba72495f58eee48dd0493849765e4e3387fdf6ccb6b5480
Instruction Fuzzy Hash: 7C11D33461070A8FDB148FBC8991A9677A9AF09724F100E7C89A5872C6DB30E985EA81

Uniqueness

Uniqueness Score: -1.00%

Function 6E822251 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E822258

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: b7bc5a45251e32fff4119aa25b8d853bac704afd89803afdc762d71923ab62a7
Instruction ID: db76414f52556258dcaa06668f36870d2e14e9360a0e502e4353918d7eb61680
Opcode Fuzzy Hash: b7bc5a45251e32fff4119aa25b8d853bac704afd89803afdc762d71923ab62a7
Instruction Fuzzy Hash: F121C7B490420ADFCF00CF98D5909DEBBB5FF09354F20496AE904AB351D7759A91CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 10005122 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10005129

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: b17a4e4b803f0a4a0824ff9eb7738fbe3b7456eaf85101dd37d28649331f8495
Instruction ID: e166e89c796704a82c2d8ebf3bb600756cc9b311450c4b628bac8b5c2eaa73fa
Opcode Fuzzy Hash: b17a4e4b803f0a4a0824ff9eb7738fbe3b7456eaf85101dd37d28649331f8495
Instruction Fuzzy Hash: A3118134A04305EBFB14DF64C880B9FB7B1FB44391F208519E9565B285C772AA40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10002254 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1000225B

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: f1ef299fefce971b387dc9c69a36a40a330ea5c0df21435f86ca2055655225b6
Instruction ID: 94768823b7a520617f7d8edb4d6675452a67d7e644d18eb4daab3e7297809f1a
Opcode Fuzzy Hash: f1ef299fefce971b387dc9c69a36a40a330ea5c0df21435f86ca2055655225b6
Instruction Fuzzy Hash: 5A21E5B990425ADFEF00CF94D8819DEBBB0FF08390F20406AE804AB355D731AA51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0325401A Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03254046

Part of subcall function 03252484: __EH_prolog3_GS.LIBCMT ref: 0325248E

Part of subcall function 03251A4D: __EH_prolog3_GS.LIBCMT ref: 03251A57
Part of subcall function 03251A4D: IsUserAnAdmin.SHELL32 ref: 03251A72
Part of subcall function 03251A4D: GetSystemPowerStatus.KERNEL32(?), ref: 03251A93
Part of subcall function 03251A4D: GetUserDefaultLocaleName.KERNEL32(?,00000055), ref: 03251AC8
Part of subcall function 03251A4D: CoInitialize.OLE32(00000000), ref: 03251B40

Part of subcall function 032522D6: __EH_prolog3_GS.LIBCMT ref: 032522E0
Part of subcall function 032522D6: _rand.LIBCMT ref: 03252367
Part of subcall function 032522D6: _rand.LIBCMT ref: 03252383

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: H_prolog3_$User_rand$AdminDefaultInitializeLocaleNamePowerStatusSystem_memset
String ID:
API String ID: 2749519694-0
Opcode ID: f81d2551451f9ed82c7dc9a792f26adcf4a8d7c08dbd31e78c538665403e0293
Instruction ID: 3b6f4a00630b6ef448f200fd1f04aa3fdfac5e10b12eb67b23b43d74a55bfdb8
Opcode Fuzzy Hash: f81d2551451f9ed82c7dc9a792f26adcf4a8d7c08dbd31e78c538665403e0293
Instruction Fuzzy Hash: 22112B755283469FC714FF25D8405AFB7D8AF84254F508D2EB8A586181FBB096C88B47

Uniqueness

Uniqueness Score: -1.00%

Function 6E845652 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6E843793,6E8418DC,?,00000000,00000000,00000000,?,6E842A93,00000001,00000214,?,6E8418DC), ref: 6E845695

Part of subcall function 6E842FEF: __getptd_noexit.LIBCMT ref: 6E842FEF

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: a32196516cdf19635bff249d093cc35c3f3452ff77dd29ae3a11aa976a6247b6
Instruction ID: 3bd062f499e2e46a82228aa561bb607f0cb8c80f9de02139b345cbf7ac7741ff
Opcode Fuzzy Hash: a32196516cdf19635bff249d093cc35c3f3452ff77dd29ae3a11aa976a6247b6
Instruction Fuzzy Hash: 0401B13121531EDBEB559FB5CC24B5F33A5EB82765F114D29E829CB1D8EB74C800CA90

Uniqueness

Uniqueness Score: -1.00%

Function 6E828D9F Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6E828AF7,6E8265B1,?,00000000,00000000,00000000,?,6E827C5D,00000001,00000214,?,6E8265B1), ref: 6E828DE2

Part of subcall function 6E8281B9: __getptd_noexit.LIBCMT ref: 6E8281B9

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: e6b9ebc168f921aaacd07efd7d3f1561092f61d6299f1910f68ef675840cf319
Instruction ID: f8ce42fe3e0ac14a9de7603d69281570d61262deadd7d8b4f3038ec69dd9f183
Opcode Fuzzy Hash: e6b9ebc168f921aaacd07efd7d3f1561092f61d6299f1910f68ef675840cf319
Instruction Fuzzy Hash: A401B135215A169FEFA59EE5CC14B5B37A8AB82760F004E39E829DB1D0D7749890C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 0326FAC2 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0326B72A,00000000,00000001,00000000,00000000,00000000,?,03264E13,00000001,00000214,?,0326B6E0), ref: 0326FB05

Part of subcall function 0326491D: __getptd_noexit.LIBCMT ref: 0326491D

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 562de2e60300ad2fab308e4e921ed662991e05df25c64da82e6c44345bd49b67
Instruction ID: 4a5130d2b20b94a188cb2ca07f78c570954686bad847ac7444c37c2a948d604a
Opcode Fuzzy Hash: 562de2e60300ad2fab308e4e921ed662991e05df25c64da82e6c44345bd49b67
Instruction Fuzzy Hash: F801F532222312ABEF25DE25FE24B677358BF45760F08851CA815CB184D77098D0C680

Uniqueness

Uniqueness Score: -1.00%

Function 1000B4C8 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,10009F93,10008E4C,?,00000000,00000000,00000000,?,1000ADBE,00000001,00000214,?,10008E4C), ref: 1000B50B

Part of subcall function 10009BF4: __getptd_noexit.LIBCMT ref: 10009BF4

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 9e7caa25efd125f79c6ff021455b449b7e7b0eb97496169a6406fd9e56fd8b2d
Instruction ID: 0401687f1b0e3dc8dafe9facba4e3349bb31260c8bdb627ea63377f2aeee1fdd
Opcode Fuzzy Hash: 9e7caa25efd125f79c6ff021455b449b7e7b0eb97496169a6406fd9e56fd8b2d
Instruction Fuzzy Hash: 2601BC31300E629BFB24CF25DC54F5A33D9EB817E6F028669E81ACB198DB70DD40C640

Uniqueness

Uniqueness Score: -1.00%

Function 0326015A Relevance: 1.5, APIs: 1, Instructions: 46registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNEL32(80000001,0325E19C,00000000,00000000,00000000,00020006,00000000,?,0325E19C,00000000,00000002,00000000,?,?,0325E19C,80000001), ref: 0326019A

Part of subcall function 032600EF: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,03260185,80000001,0325E19C,00020006,?,0325E19C,00000000,00000002,00000000,?,?,0325E19C,80000001), ref: 032600FE
Part of subcall function 032600EF: GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0326010E

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressCreateHandleModuleProc
String ID:
API String ID: 1964897782-0
Opcode ID: f7586a9227118fcf93376505d7625afd3b755ad6d89dd362e66ef223c77b1074
Instruction ID: 9ceb07b53cc95822fa7533950d1a938064d92c45d263e442c01c826b09e634ab
Opcode Fuzzy Hash: f7586a9227118fcf93376505d7625afd3b755ad6d89dd362e66ef223c77b1074
Instruction Fuzzy Hash: BC01FBB6124208BFEB05DF95DC80CBEB7ADEF14650B00C06AB955D6110E770AE809B70

Uniqueness

Uniqueness Score: -1.00%

Function 0325B490 Relevance: 1.5, APIs: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,?,00000000,?,?,?,?,?,03256527,?,ServiceName,?,?), ref: 0325B4B1

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 94fcca446e2a24ce059f1d401ae576a197874cc89cc746bb874dbcb86880fe52
Instruction ID: b6bde6cbfcb9e8630ac99960c7f10e653f279bbcbc52df79503ca3cdf3deb058
Opcode Fuzzy Hash: 94fcca446e2a24ce059f1d401ae576a197874cc89cc746bb874dbcb86880fe52
Instruction Fuzzy Hash: A5014F75220206EBCB35CF59D815BAAB7F8AF04716F148119FD49C6190E770D790CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E82641D Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E826468

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5eb34bc5dec4452d79ad8cc472cd26abc3ea347fc08bf8caee44fb7574043275
Instruction ID: 7b05dac5837dc6ccc6a02460b32459cc0b6933798f6ba637be628e8d007ead9a
Opcode Fuzzy Hash: 5eb34bc5dec4452d79ad8cc472cd26abc3ea347fc08bf8caee44fb7574043275
Instruction Fuzzy Hash: B001D171920602CFD7508FD8C598758B3A8EF06326F208E39E0A8871D0CB3598D2EFD1

Uniqueness

Uniqueness Score: -1.00%

Function 100086F4 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1000873F

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: afc40b5e98b7c240ab4b601d1e2d73f2c97539d8bc804b8a391b636d7eb0c03c
Instruction ID: 29c216c59cfeeae33fb472c30fa5e9bb08b2b18a4d07e99acc7d2564e5c65351
Opcode Fuzzy Hash: afc40b5e98b7c240ab4b601d1e2d73f2c97539d8bc804b8a391b636d7eb0c03c
Instruction Fuzzy Hash: 1401A935905602DBF310CB54C481B5473A4FF043A6F314229E59D8A2AECB39E985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0326006E Relevance: 1.5, APIs: 1, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,0325E3E8,00000000,00020019,00000000,?,?,?,?,0325E3E8,80000001), ref: 0326009B

Part of subcall function 0326000F: GetModuleHandleW.KERNEL32(Advapi32.dll,00020019,?,03260091,80000001,0325E3E8,00020019,00000000,?,?,?,?,0325E3E8,80000001), ref: 0326001E
Part of subcall function 0326000F: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0326002E

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleModuleOpenProc
String ID:
API String ID: 1337834000-0
Opcode ID: 2936c7116303fd4f62c90f9fef384a0c1ad546f6408c4df2945fd3cc23f3ea44
Instruction ID: 73dfca60ca6667801ea273225ac2ef5af26984074d3a0a497cb648b2d2eadd4c
Opcode Fuzzy Hash: 2936c7116303fd4f62c90f9fef384a0c1ad546f6408c4df2945fd3cc23f3ea44
Instruction Fuzzy Hash: C2F09A36524204BBCF219F44CC00B9EBBADEF80710F14C0A5E909AB204D7719A80ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 0325D80D Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0325D814

Part of subcall function 0325D42C: __EH_prolog3.LIBCMT ref: 0325D433
Part of subcall function 0325D42C: CoCreateInstance.OLE32(032793AC,00000000,00000017,0327D8B8,?,00000014,0325D829,0000000C,0325409A), ref: 0325D464
Part of subcall function 0325D42C: SysAllocString.OLEAUT32(ROOT\CIMV2), ref: 0325D489
Part of subcall function 0325D42C: SysFreeString.OLEAUT32(?), ref: 0325D4D6
Part of subcall function 0325D42C: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0325D4FE

Part of subcall function 0325D702: __EH_prolog3.LIBCMT ref: 0325D709
Part of subcall function 0325D702: SysAllocString.OLEAUT32(SELECT * FROM Win32_DiskDrive), ref: 0325D731
Part of subcall function 0325D702: SysFreeString.OLEAUT32(?), ref: 0325D76B

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: String$H_prolog3$AllocFree$BlanketCreateInstanceProxy
String ID:
API String ID: 1448601310-0
Opcode ID: ef39182082e63cb801b5becf9d278524cdfbb4fa6944204035ce791cf08867a3
Instruction ID: f22ec7fbf507bae31519643e482fa0aaf8331e3f415be6b25be0b81c682b22cc
Opcode Fuzzy Hash: ef39182082e63cb801b5becf9d278524cdfbb4fa6944204035ce791cf08867a3
Instruction Fuzzy Hash: E6F0DABAD2021A9BDB00EBE4C845BFEB3B8BF04311F540559A511EB180DB74AB45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10004771 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10004778

Part of subcall function 100047D6: std::exception::exception.LIBCMT ref: 100047F2
Part of subcall function 100047D6: __CxxThrowException@8.LIBCMT ref: 10004807

Part of subcall function 10005238: std::_Xinvalid_argument.LIBCPMT ref: 1000524E

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: Exception@8H_prolog3_catchThrowXinvalid_argumentstd::_std::exception::exception
String ID:
API String ID: 1905828624-0
Opcode ID: 7967cf18eefaeb1addf8928b07f1b3d0ab992d527bf3b50b333aa72c4de00079
Instruction ID: d91f0f76e09058b0984a0008e1bd8cb9390dd656f90bb26bccce90870c9f595f
Opcode Fuzzy Hash: 7967cf18eefaeb1addf8928b07f1b3d0ab992d527bf3b50b333aa72c4de00079
Instruction Fuzzy Hash: 17F05EB5605246DFDB50DF68C40065DBBF1FF05390F11851EE8A8AB785DB70AA50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03255C4C Relevance: 1.5, APIs: 1, Instructions: 25networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0325DCC6: GetModuleHandleW.KERNEL32(WS2_32), ref: 0325DCEE
Part of subcall function 0325DCC6: LoadLibraryW.KERNEL32(WS2_32), ref: 0325DCFB

WSAStartup.WS2_32(00000202,?), ref: 03255C8A

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: HandleLibraryLoadModuleStartup
String ID:
API String ID: 2906285890-0
Opcode ID: 3fce436e37f97072ea3132bd1e6794d19232640b8a7a1eceb133df32f273ee86
Instruction ID: 5fdbc9f0aa7113c7a647895471beb13b7063749f686f08237c2510230938809c
Opcode Fuzzy Hash: 3fce436e37f97072ea3132bd1e6794d19232640b8a7a1eceb133df32f273ee86
Instruction Fuzzy Hash: 94F03775625308DBC310FF6CE44AA9AB7E8EB4D710F00C91AAD98C7294D770A5448BD3

Uniqueness

Uniqueness Score: -1.00%

Function 004060EB Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEF,00000000,?,?), ref: 00406114

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: a3429a7671921507d055f7367229b0bbcbf358db24014b63cc2ffd17fe5f66ec
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: 36E0E672110109BEEF199F50DD0AD7B371DEB04311F01452EF907E4192F6B5E9305A34

Uniqueness

Uniqueness Score: -1.00%

Function 00405E42 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403337,00000000,00000000,00403194,000000FF,00000004,00000000,00000000,00000000), ref: 00405E56

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 62c77d97b5b576e4a72063145ecbe95ee4dab9ee0079c0f8f42f41321a19b9da
Instruction ID: 89aff19189f0d018488bc7889057eca9e960c9bd75824335f80bce9da8befa1a
Opcode Fuzzy Hash: 62c77d97b5b576e4a72063145ecbe95ee4dab9ee0079c0f8f42f41321a19b9da
Instruction Fuzzy Hash: 33E08C3260025AEBCF209F61DC00EEB3B6CEB007E0F040432F994F2040D230E9208BE8

Uniqueness

Uniqueness Score: -1.00%

Function 00405E71 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,00000008,?,00403305,00000000,004138D8,00000008,004138D8,00000008,000000FF,00000004,00000000), ref: 00405E85

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 11d7c7005d0d3054af3b9be2f3a82004ed33d4240877e49ff836af06555e7eff
Instruction ID: 2b0e1db607dfbf6c23c1cb42e3362008c8f79199795d06c7845c6f428c908e2e
Opcode Fuzzy Hash: 11d7c7005d0d3054af3b9be2f3a82004ed33d4240877e49ff836af06555e7eff
Instruction Fuzzy Hash: DEE08C3221021AABCF209F50DC00AEB3B6CEB00360F00483AF954E2040D234EA218BE8

Uniqueness

Uniqueness Score: -1.00%

Function 0325AA5C Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0325AA63

Part of subcall function 0325A9C3: std::exception::exception.LIBCMT ref: 0325A9DF
Part of subcall function 0325A9C3: __CxxThrowException@8.LIBCMT ref: 0325A9F4

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Exception@8H_prolog3_catchThrowstd::exception::exception
String ID:
API String ID: 62628988-0
Opcode ID: 6f9db475daa4e10b3e236461c17a0d0aa0e4cc7782e7f017584e8fb4cfe4c296
Instruction ID: 98dce052ad2026712189efa02f36d3882e5c30aab789c7cca453dae5a8df8535
Opcode Fuzzy Hash: 6f9db475daa4e10b3e236461c17a0d0aa0e4cc7782e7f017584e8fb4cfe4c296
Instruction Fuzzy Hash: DEE0ED79521755CFD712EF68C54178EB7E0BF15210F008519E9959B340D7B09B848B91

Uniqueness

Uniqueness Score: -1.00%

Function 0325494D Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 03254954

Part of subcall function 0325AE98: __EH_prolog3.LIBCMT ref: 0325AE9F

Part of subcall function 0325AAB1: std::_Xinvalid_argument.LIBCPMT ref: 0325AAD7

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: H_prolog3$Xinvalid_argumentstd::_
String ID:
API String ID: 3694106296-0
Opcode ID: be2c85112f881bb2c37b8471f0ae827ae8ef4b202d9793925326d3301f970670
Instruction ID: 766266f4cf7fdba43200db97b5eb994f23852efe6f56435fd9483e5b9d4a7b84
Opcode Fuzzy Hash: be2c85112f881bb2c37b8471f0ae827ae8ef4b202d9793925326d3301f970670
Instruction Fuzzy Hash: FEE04F7F4203089BC751FFA0C801AC937A8BF04251F018132AA15DF110CBB0EB8487D0

Uniqueness

Uniqueness Score: -1.00%

Function 0325FFDD Relevance: 1.5, APIs: 1, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(80000001,?,00000000,?,?,?,?,0325E423,?,000000A8,?,00001000), ref: 0325FFF4

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 90d8339e4dc77a31adc37e7f77c2e5d252977d1f83a1efca73a399a0eebdeac4
Instruction ID: 4cc4cda1595822fbd6518da23f8127ce72c482ae1910a62a540d8f29ca4d3e49
Opcode Fuzzy Hash: 90d8339e4dc77a31adc37e7f77c2e5d252977d1f83a1efca73a399a0eebdeac4
Instruction Fuzzy Hash: BCE0EC3225014FAFCF01CEA8ED45F9A3BA9FB04700F008410F915D6150D736D860EB51

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(00000000,?,00000000,?,?,00420100,?,?,0040614B,00420100,?,?,?,00000000,?), ref: 004060E1

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: de7f01b9b1a33560357ebc714a1b33a1267f8522137d75375bea5d1a2440e40f
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: DBD0123204020DBBDF119E909D05FAB371DAB08350F014426FE06E4091D776D530A714

Uniqueness

Uniqueness Score: -1.00%

Function 00406010 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040601A

Part of subcall function 00405EA0: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406031,?,?), ref: 00405ED1
Part of subcall function 00405EA0: GetShortPathNameA.KERNEL32(?,004226B0,00000400), ref: 00405EDA
Part of subcall function 00405EA0: GetShortPathNameA.KERNEL32(?,00422AB0,00000400), ref: 00405EF7
Part of subcall function 00405EA0: wsprintfA.USER32 ref: 00405F15
Part of subcall function 00405EA0: GetFileSize.KERNEL32(00000000,00000000,00422AB0,C0000000,00000004,00422AB0,?,?,?,?,?), ref: 00405F50
Part of subcall function 00405EA0: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F5F
Part of subcall function 00405EA0: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F97
Part of subcall function 00405EA0: SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,004222B0,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00405FED
Part of subcall function 00405EA0: GlobalFree.KERNEL32(00000000), ref: 00405FFE

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: File$GlobalNamePathShort$AllocCloseFreeHandleMovePointerSizelstrcpywsprintf
String ID:
API String ID: 299535525-0
Opcode ID: 3a81b4cf330613b684f06c4c3a9e54450ddaacc68c7e23013f9f414f1f1f2ac9
Instruction ID: 6fe02511fb4ee370dd2481451e75f1a2cefdb319f183c3e0a4be5d16dbe7c48a
Opcode Fuzzy Hash: 3a81b4cf330613b684f06c4c3a9e54450ddaacc68c7e23013f9f414f1f1f2ac9
Instruction Fuzzy Hash: BCD0C731248241BEDB155F50ED05B1B7BB5FF94355F51843EF585540B0D7358461DF09

Uniqueness

Uniqueness Score: -1.00%

Function 6E824BF8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 6E824C01

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: 0d3c79fa7b865af8679d2c8f6ac183be78f006498ed8e2b257f141ed99f37c31
Instruction ID: 842f3920c900d06f4a40dc3d32091d91aad2dab2a48bdcce05c60a1f16c354ee
Opcode Fuzzy Hash: 0d3c79fa7b865af8679d2c8f6ac183be78f006498ed8e2b257f141ed99f37c31
Instruction Fuzzy Hash: C8B0923200C30CBF9F051E85FC028993B9DFA01238B20482AF91C084606A33B4606688

Uniqueness

Uniqueness Score: -1.00%

Function 032601BE Relevance: 1.5, APIs: 1, Instructions: 9registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,032600AC,?,?,?,?,0325E3E8,80000001), ref: 032601C7

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 4c4211e3f345f33096a9cdebee5c338cc59c85ff521322bb06ed11c135678907
Instruction ID: b22d2d56b56d61fb538d27b64ab5c4252f8f9acd5f95e8cbbef8ebb691b7620e
Opcode Fuzzy Hash: 4c4211e3f345f33096a9cdebee5c338cc59c85ff521322bb06ed11c135678907
Instruction Fuzzy Hash: D8C04C751327028BEB399F20D418726B3F0BF54713F558C5C94D291480D778D080DA04

Uniqueness

Uniqueness Score: -1.00%

Function 10006E7F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 10006E88

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: e1202fd1e4f5d8977c7b7a96617414b67cfca290f0f94c71d706ac0662c049fe
Instruction ID: f110cbd16c1bb37751f753d1a647617c831200ee5c78622edcfe42b0c36fdea9
Opcode Fuzzy Hash: e1202fd1e4f5d8977c7b7a96617414b67cfca290f0f94c71d706ac0662c049fe
Instruction Fuzzy Hash: 79B0923200C34C7BAF055E81BC028593B99EB00170B20401AF928040A16A33B4206A88

Uniqueness

Uniqueness Score: -1.00%

Function 6E824C0A Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E824C10

Part of subcall function 6E826981: RtlFreeHeap.NTDLL(00000000,00000000,?,6E827C9C,00000000), ref: 6E826997
Part of subcall function 6E826981: GetLastError.KERNEL32(00000000,?,6E827C9C,00000000), ref: 6E8269A9

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 6178d3f22588398d36f4611e460fd4a3d0a30c12387d4397e93b341663617945
Instruction ID: 65bff599fd36da404e2f4b364746498dcccaf4382d16f2a3ecc468add81ac002
Opcode Fuzzy Hash: 6178d3f22588398d36f4611e460fd4a3d0a30c12387d4397e93b341663617945
Instruction Fuzzy Hash: 70A0243101C30C3F4F0015C5FC01444774CC5000347104531F40C040101F33745114C5

Uniqueness

Uniqueness Score: -1.00%

Function 10006E91 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 10006E97

Part of subcall function 100088F9: RtlFreeHeap.NTDLL(00000000,00000000,?,1000ADFD,00000000), ref: 1000890F
Part of subcall function 100088F9: GetLastError.KERNEL32(00000000,?,1000ADFD,00000000), ref: 10008921

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 8957e412f1be88f9b7b7fdc751040b42602ba3dbcf7027b379398cf4fbb9189a
Instruction ID: e99da2718dab606a67c4f806f6da4517047304058caf26c6ac33294c73e42691
Opcode Fuzzy Hash: 8957e412f1be88f9b7b7fdc751040b42602ba3dbcf7027b379398cf4fbb9189a
Instruction Fuzzy Hash: 1EA0123104830C2A5A001545BC024043B4CDA000706508031F50C040135D2375100248

Uniqueness

Uniqueness Score: -1.00%

Function 0040333A Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,004030D6,?,?,?,004036CC,?,?,00000008,0000000A,0000000C), ref: 00403348

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: bee48198ef0a4de3628cda0e050061df99a752697c0ad5ddba35b49727997b0c
Instruction ID: 699dda5fb03a211c19396a68767747e6c986426da1756d7c47186a7ffa8d2f84
Opcode Fuzzy Hash: bee48198ef0a4de3628cda0e050061df99a752697c0ad5ddba35b49727997b0c
Instruction Fuzzy Hash: EBB01231140300BFDA214F00DF09F057B21AB94710F10C034B384780F086711075EB0E

Uniqueness

Uniqueness Score: -1.00%

Function 1000E0B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 1000E0B5

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e4a82bfa24234aec9ce7610012d58310f1b9210eb5af31eff4f57043b3563f54
Instruction ID: 44b7f8cf60f1855f1d938e38f7dabad455a0234941b70a439785ff0052f0d212
Opcode Fuzzy Hash: e4a82bfa24234aec9ce7610012d58310f1b9210eb5af31eff4f57043b3563f54
Instruction Fuzzy Hash: FAA002B5B04210ABDE01DBA5CB8C90A77A8AB88701F018844F38DC2410CA78D800DB15

Uniqueness

Uniqueness Score: -1.00%

Function 032106C0 Relevance: 1.3, APIs: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000000,00000000,?,00000000,?,03210439,?), ref: 0321074E

Memory Dump Source

Source File: 00000000.00000002.2578628998.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_etopt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 354d32a33b1036121a6ec3994a98cc7e92644cde6bec3ff27caf648b5712935b
Instruction ID: 02b64003dc85b943ce5f09e5c60b6facc6bba459550cb82dddacbf9b1c6cb34e
Opcode Fuzzy Hash: 354d32a33b1036121a6ec3994a98cc7e92644cde6bec3ff27caf648b5712935b
Instruction Fuzzy Hash: 4B318C7A2143469FE724CF19DA80A6AB3E5EF98754F14882DF9858B341D7B0E9D2CB10

Uniqueness

Uniqueness Score: -1.00%

Function 032306C0 Relevance: 1.3, APIs: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000000,00000000,?,00000000,?,03230439,?), ref: 0323074E

Memory Dump Source

Source File: 00000000.00000002.2578668685.0000000003230000.00000040.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3230000_etopt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 354d32a33b1036121a6ec3994a98cc7e92644cde6bec3ff27caf648b5712935b
Instruction ID: 4a648121559523f37d34c9859d68d74cd03b2cdb9c9604ac09422ef595d34795
Opcode Fuzzy Hash: 354d32a33b1036121a6ec3994a98cc7e92644cde6bec3ff27caf648b5712935b
Instruction Fuzzy Hash: D6318EB92443069FE714CF19D880A6AB3E5EF89754F14882DE9868B341D770E982CF20

Uniqueness

Uniqueness Score: -1.00%

Function 1000E070 Relevance: 1.3, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 1000E084

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 12bb0428abb35722422abd9f2a62ac5936d04f3bb7f9051dc3485a759e1a614c
Instruction ID: 7c95582e85578660f787182726213066d8538165685b2ed9267cebfc7d34d343
Opcode Fuzzy Hash: 12bb0428abb35722422abd9f2a62ac5936d04f3bb7f9051dc3485a759e1a614c
Instruction Fuzzy Hash: FAC002B9608301BFDA04CB54C888D6BB7E9EBC8340F00C90CF59983210C770E840CB22

Uniqueness

Uniqueness Score: -1.00%

Function 1000E090 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 1000E09F

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 0eb0b9e602eb096f6596135d5e03df9fe46522cf96b97847fd9ff5c86a979dbd
Instruction ID: 173ee8f69f091161fa44a18f3368d043bc664f47deb670baffa5b4996e6ad81e
Opcode Fuzzy Hash: 0eb0b9e602eb096f6596135d5e03df9fe46522cf96b97847fd9ff5c86a979dbd
Instruction Fuzzy Hash: 95C048B8208200BFEA04CB10C988D2BB7A9EBC8610F00C90CB88982210C670EC40DB22

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004054B9 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405518
GetDlgItem.USER32(?,000003EE), ref: 00405527
GetClientRect.USER32(?,?), ref: 00405564
GetSystemMetrics.USER32(00000002), ref: 0040556B
SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040558C
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040559D
SendMessageA.USER32(?,00001001,00000000,?), ref: 004055B0
SendMessageA.USER32(?,00001026,00000000,?), ref: 004055BE
SendMessageA.USER32(?,00001024,00000000,?), ref: 004055D1
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004055F3
ShowWindow.USER32(?,00000008), ref: 00405607
GetDlgItem.USER32(?,000003EC), ref: 00405628
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405638
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405651
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040565D
GetDlgItem.USER32(?,000003F8), ref: 00405536

Part of subcall function 0040430C: SendMessageA.USER32(00000028,?,00000001,0040413C), ref: 0040431A

GetDlgItem.USER32(?,000003EC), ref: 00405679
CreateThread.KERNEL32(00000000,00000000,Function_0000544D,00000000), ref: 00405687
CloseHandle.KERNEL32(00000000), ref: 0040568E
ShowWindow.USER32(00000000), ref: 004056B1
ShowWindow.USER32(?,00000008), ref: 004056B8
ShowWindow.USER32(00000008), ref: 004056FE
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405732
CreatePopupMenu.USER32 ref: 00405743
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405758
GetWindowRect.USER32(?,000000FF), ref: 00405778
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405791
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004057CD
OpenClipboard.USER32(00000000), ref: 004057DD
EmptyClipboard.USER32 ref: 004057E3
GlobalAlloc.KERNEL32(00000042,?), ref: 004057EC
GlobalLock.KERNEL32(00000000), ref: 004057F6
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040580A
GlobalUnlock.KERNEL32(00000000), ref: 00405823
SetClipboardData.USER32(00000001,00000000), ref: 0040582E
CloseClipboard.USER32 ref: 00405834

Strings

B, xrefs: 004057A9

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: B
API String ID: 590372296-2384200711
Opcode ID: 854332278393657ac071d345c3eff53b333baed1548b57205b5f5ffb46331816
Instruction ID: fa09904ae4805c37f66cb6f6fbf4e508ae68bd431495edbe7075e0ae52e64c5b
Opcode Fuzzy Hash: 854332278393657ac071d345c3eff53b333baed1548b57205b5f5ffb46331816
Instruction Fuzzy Hash: 3DA16A71A00209FFDB11AFA0DE85AAE7FB9EB04355F00403AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404769 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004047B8
SetWindowTextA.USER32(00000000,?), ref: 004047E2
SHBrowseForFolderA.SHELL32(?,0041FCF8,?), ref: 00404893
CoTaskMemFree.OLE32(00000000), ref: 0040489E
lstrcmpiA.KERNEL32(ClocX see company, Inc.,00420920), ref: 004048D0
lstrcatA.KERNEL32(?,ClocX see company, Inc.), ref: 004048DC
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004048EE

Part of subcall function 00405931: GetDlgItemTextA.USER32(?,?,00000400,00404925), ref: 00405944

Part of subcall function 00406531: CharNextA.USER32(0000000C,*?|<>/":,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe",0040335D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365F,?,00000008,0000000A,0000000C), ref: 00406589
Part of subcall function 00406531: CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe",0040335D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365F,?,00000008,0000000A,0000000C), ref: 00406596
Part of subcall function 00406531: CharNextA.USER32(0000000C,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe",0040335D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365F,?,00000008,0000000A,0000000C), ref: 0040659B
Part of subcall function 00406531: CharPrevA.USER32(0000000C,0000000C,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe",0040335D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365F,?,00000008,0000000A,0000000C), ref: 004065AB

GetDiskFreeSpaceA.KERNEL32(0041F8F0,?,?,0000040F,?,0041F8F0,0041F8F0,?,00000001,0041F8F0,?,?,000003FB,?), ref: 004049AC
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049C7

Part of subcall function 00404B20: lstrlenA.KERNEL32(00420920,00420920,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A3B,000000DF,00000000,00000400,?), ref: 00404BBE
Part of subcall function 00404B20: wsprintfA.USER32 ref: 00404BC6
Part of subcall function 00404B20: SetDlgItemTextA.USER32(?,00420920), ref: 00404BD9

Strings

C:\Program Files (x86)\ClocX, xrefs: 004048B9
A, xrefs: 0040488C
_JX, xrefs: 00404A23
B, xrefs: 00404866
ClocX see company, Inc., xrefs: 004048CA, 004048CF, 004048DA

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: B$A$C:\Program Files (x86)\ClocX$ClocX see company, Inc.$_JX
API String ID: 2624150263-1107375781
Opcode ID: 4be04bcd603dc8ad665a3753792f3cc8c197c564620c39eb84ccd163043e8e9e
Instruction ID: b43511b86d8b62367545dd98d3186607546bd1c40842ef0ecb9fddf10259a0cf
Opcode Fuzzy Hash: 4be04bcd603dc8ad665a3753792f3cc8c197c564620c39eb84ccd163043e8e9e
Instruction Fuzzy Hash: 84A171F1A00219ABDB11AFA5CD45AAF77B8AF84314F10843BF611B62D1D77C8A418F6D

Uniqueness

Uniqueness Score: -1.00%

Function 032612E6 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 339synchronizationsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0326138E
CreateMutexW.KERNEL32(00000000,00000001,?), ref: 032613A1
GetLastError.KERNEL32 ref: 032613AD
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 032613BD
_memset.LIBCMT ref: 032613F4
wsprintfW.USER32 ref: 032614C5
_memmove.LIBCMT ref: 032615F3

Part of subcall function 032601BE: RegCloseKey.KERNEL32(?,032600AC,?,?,?,?,0325E3E8,80000001), ref: 032601C7

Part of subcall function 03255676: _memset.LIBCMT ref: 032557B6
Part of subcall function 03255676: socket.WS2_32(00000002,00000002,00000011), ref: 03255816
Part of subcall function 03255676: WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 0325584E

Sleep.KERNEL32(-0000000F), ref: 03261731

Strings

Software\Baidu\BDLOG\%u, xrefs: 032614B3
753c5975-112c-4e18-94bf-f89342ed7c3f, xrefs: 03261373
activeSent, xrefs: 032614F6

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memset$CloseCreateErrorIoctlLastMutexObjectSingleSleepWait_memmovesocketwsprintf
String ID: 753c5975-112c-4e18-94bf-f89342ed7c3f$Software\Baidu\BDLOG\%u$activeSent
API String ID: 349120424-2099686365
Opcode ID: c5971b24bfcf1d4409ee3616b6969a34a8f421d8136bde0009a26b97afdb1b52
Instruction ID: 2f6295be3a4fba58677451ff5278898f9baf06c9993bde2c589409a8dbcd4bdd
Opcode Fuzzy Hash: c5971b24bfcf1d4409ee3616b6969a34a8f421d8136bde0009a26b97afdb1b52
Instruction Fuzzy Hash: 28C16B755283429FD714EF24D88099BB7E8FF88250F048C2EE5959B250D770E9D98B92

Uniqueness

Uniqueness Score: -1.00%

Function 10007F0F Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 389timeCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 100080DB
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 10008271
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 1000829D

Strings

/../, xrefs: 1000812E
\..\, xrefs: 1000810C
/..\, xrefs: 1000813F
\../, xrefs: 1000811D

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: Time$File$ByteCharDateLocalMultiWide
String ID: /../$/..\$\../$\..\
API String ID: 97438588-3885502717
Opcode ID: d1db9ce2fa2519d8275d487034fd7b806b9caf8af8487061ce30571305c33da8
Instruction ID: cb95881ecf86776e70bcd4ea41c7382a7ddafe64d74d45ba2ed43ad4be6177e8
Opcode Fuzzy Hash: d1db9ce2fa2519d8275d487034fd7b806b9caf8af8487061ce30571305c33da8
Instruction Fuzzy Hash: CCF1CF719042658FEB26CF24C8807D9BBF8FF49390F1441E9E8899B286D735AB85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03251000 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 03251066
_strcpy_s.LIBCMT ref: 0325107A
_memset.LIBCMT ref: 0325108B
_strcpy_s.LIBCMT ref: 032510FE
_memset.LIBCMT ref: 0325113B
_strcpy_s.LIBCMT ref: 03251196

Strings

%08X%08X, xrefs: 03251176

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _strcpy_s$_memset$_memcpy_s
String ID: %08X%08X
API String ID: 3340561983-1563805794
Opcode ID: c42e0a0fb2f09b1aec9ddd23c6f223072da703c3768439ae24d8e6b31cf9231b
Instruction ID: 3096fbd4ebda502e890abc006ddfa7af6d003909703d1b9eeb52524ce32ed267
Opcode Fuzzy Hash: c42e0a0fb2f09b1aec9ddd23c6f223072da703c3768439ae24d8e6b31cf9231b
Instruction Fuzzy Hash: 56516D75910718AFEB25CF68CC41BDAB7F9AF0C300F0088E9E689E7150D6B0AAD48F50

Uniqueness

Uniqueness Score: -1.00%

Function 6E825C02 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 386timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 6E825F4C
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 6E825F78

Strings

\../, xrefs: 6E825DFC
/..\, xrefs: 6E825E1E
\..\, xrefs: 6E825DEB
/../, xrefs: 6E825E0D

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: Time$File$DateLocal
String ID: /../$/..\$\../$\..\
API String ID: 2071732420-3885502717
Opcode ID: 16c14fc32532ba7ae93e35db8ffcbc98ab56ab5f60833413b6a045eecf7d9d78
Instruction ID: e5986c9b4c78df71cece16383bfed86ad9f3101f4946cf1ff59bb6397179b320
Opcode Fuzzy Hash: 16c14fc32532ba7ae93e35db8ffcbc98ab56ab5f60833413b6a045eecf7d9d78
Instruction Fuzzy Hash: 90F1E1709042698FCB65CF68C8987D9BBF0AF49300F1449F9D8999B286D735AAC1CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 0325D878 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(00000103,?), ref: 0325D8C4
QueryDosDeviceW.KERNEL32(?,?,00000104,?,?,?), ref: 0325D8FF
__wcsnicmp.LIBCMT ref: 0325D931
lstrcpyW.KERNEL32(?,?), ref: 0325D971

Strings

%s%s, xrefs: 0325D956

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: DeviceDriveLogicalQueryStrings__wcsnicmplstrcpy
String ID: %s%s
API String ID: 3867970626-3252725368
Opcode ID: f5ce823ad3f07ed0ece3a56d9fa6e633264cda9e021c8a61218b8ac173e53b07
Instruction ID: 13539e399109836c94eb511308207f06ebaa823976de7f72db54551dcff5302b
Opcode Fuzzy Hash: f5ce823ad3f07ed0ece3a56d9fa6e633264cda9e021c8a61218b8ac173e53b07
Instruction Fuzzy Hash: 5231607692022A9BDF20EB64DC44AEAB3B9EF48750F0481E5EC05E7150EB709F85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0325D9B1 Relevance: 7.6, APIs: 5, Instructions: 89nativestringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 0325DA04
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 0325DA48
NtQueryInformationProcess.NTDLL(?,0000001B,?,00000208,?), ref: 0325DA81
lstrcpyW.KERNEL32(?,?), ref: 0325DAC2
CloseHandle.KERNEL32(?), ref: 0325DACE

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Process$InformationQuery$CloseHandleOpenlstrcpy
String ID:
API String ID: 857859905-0
Opcode ID: 1d8dbfd869a56ccd390d5f79294811637662ea5cf565bd23e95f1bfcdf9d20f5
Instruction ID: e05f2b7bfce048602b153f3466dbc553c4efd47e6d82ac6f82e5bc899d8a0f56
Opcode Fuzzy Hash: 1d8dbfd869a56ccd390d5f79294811637662ea5cf565bd23e95f1bfcdf9d20f5
Instruction Fuzzy Hash: 6831DC7191521AEFDF20EFA4EC886AAB7B4FB08310F1849EAE905A6150D7709BC4CF11

Uniqueness

Uniqueness Score: -1.00%

Function 6E8417C2 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6E841EC9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E841EDE
UnhandledExceptionFilter.KERNEL32(6E847160), ref: 6E841EE9
GetCurrentProcess.KERNEL32(C0000409), ref: 6E841F05
TerminateProcess.KERNEL32(00000000), ref: 6E841F0C

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: e3d83a98dac9f71eb9e92c339068b747f1b48a2fdea0ef890c60d7bd74a77b62
Instruction ID: 2fdcb823a51af44ecd21364ed5354781c410aeda3608865505e4d5b0e0701fab
Opcode Fuzzy Hash: e3d83a98dac9f71eb9e92c339068b747f1b48a2fdea0ef890c60d7bd74a77b62
Instruction Fuzzy Hash: A221C2B8401A44DFDB52FF68C5447487BB4FB4A706B1008BAE50C8B250F7795588CF85

Uniqueness

Uniqueness Score: -1.00%

Function 6E8264A2 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6E827093
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E8270A8
UnhandledExceptionFilter.KERNEL32(6E82D180), ref: 6E8270B3
GetCurrentProcess.KERNEL32(C0000409), ref: 6E8270CF
TerminateProcess.KERNEL32(00000000), ref: 6E8270D6

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: e119cac171bfae7a22e92c269bdd30c1f1751c3f8e893c4fce8e5f84b83fc07c
Instruction ID: e824271456e6890d49bf7542c42a08d3374bb570a1607bad16b4d22bd4ee50f1
Opcode Fuzzy Hash: e119cac171bfae7a22e92c269bdd30c1f1751c3f8e893c4fce8e5f84b83fc07c
Instruction Fuzzy Hash: 2821D474404A08DFCF24CFA9E5446447BA4BB0A311F108D1AF90C87394DBB85986CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 03262453 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0326438F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 032643A4
UnhandledExceptionFilter.KERNEL32(032794F8), ref: 032643AF
GetCurrentProcess.KERNEL32(C0000409), ref: 032643CB
TerminateProcess.KERNEL32(00000000), ref: 032643D2

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: eb6ebdd9f6bfd00956ccd44f3d3a2e90a1bef248afb04415f8c12b0fba87104e
Instruction ID: 5b93b401e4f488318795f2fd715f57688a30965a555e730a6452485b3b8b6327
Opcode Fuzzy Hash: eb6ebdd9f6bfd00956ccd44f3d3a2e90a1bef248afb04415f8c12b0fba87104e
Instruction Fuzzy Hash: A821CDB8912304DFD700FF69F48E7843BB4BF48B18F10D41AE40986299E7B069A2CF45

Uniqueness

Uniqueness Score: -1.00%

Function 10008856 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 10009661
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10009676
UnhandledExceptionFilter.KERNEL32(10010214), ref: 10009681
GetCurrentProcess.KERNEL32(C0000409), ref: 1000969D
TerminateProcess.KERNEL32(00000000), ref: 100096A4

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: c985866c57eb1f418d8b6f084b612ff84d779bdb250b6eb7438e1a3973854f4d
Instruction ID: 2e0cf1e81a5f86c1abfe2cbb9f74f1f9d6e99e8901a8c91a17f5823351036a5f
Opcode Fuzzy Hash: c985866c57eb1f418d8b6f084b612ff84d779bdb250b6eb7438e1a3973854f4d
Instruction Fuzzy Hash: 7E2198B8A022249FF701DF29ECC96547BB4FB4C344F11C12AE58987660EBB1D985CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03258B80 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32(?,?,00000030), ref: 03258C0F
StringFromGUID2.OLE32(?,?,00000030), ref: 03258C5E
StringFromGUID2.OLE32(?,?,00000030), ref: 03258CAD
StringFromGUID2.OLE32(?,?,00000030), ref: 03258CFC

Part of subcall function 032591EF: __EH_prolog3_GS.LIBCMT ref: 032591F9
Part of subcall function 032591EF: _memset.LIBCMT ref: 032592BD
Part of subcall function 032591EF: lstrcpyW.KERNEL32(?,00000066), ref: 032592DD

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: FromString$H_prolog3__memsetlstrcpy
String ID:
API String ID: 633414315-0
Opcode ID: 447ca90cbecf2733db4c9ec884a96f6e4ec65d28377dbb83149d8dd6cc283b8f
Instruction ID: f8ff04944cd9c3edc30202fc58ee5223789c20c2e59f72f3945c050907a53d82
Opcode Fuzzy Hash: 447ca90cbecf2733db4c9ec884a96f6e4ec65d28377dbb83149d8dd6cc283b8f
Instruction Fuzzy Hash: 9E51B6326243459BD716DF24C840BABB7E9FFC5300F044D29B8919B190DBB4E786CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0325AAED Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,0325AED3,00000000,?,0325AC11,00000000,00000000,?,?,0325AED3,?), ref: 0325AAF9
LockResource.KERNEL32(00000000,00000000,?,0325AC11,00000000,00000000,?,?,0325AED3,?), ref: 0325AB05
SizeofResource.KERNEL32(?,0325AED3,?,0325AC11,00000000,00000000,?,?,0325AED3,?), ref: 0325AB17

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 29f3b0958091d775b965ead8afc978fe4718849974ad6f975695d9eb8b3f7029
Instruction ID: b900c029f10781206e883ce12a325aa04796a44d0738700f59cde037a2025ed9
Opcode Fuzzy Hash: 29f3b0958091d775b965ead8afc978fe4718849974ad6f975695d9eb8b3f7029
Instruction Fuzzy Hash: 78F0BB33630116A78F235F29EC069BABBABFBA069530D8232FD05C6110E735C6E096D0

Uniqueness

Uniqueness Score: -1.00%

Function 03271D90 Relevance: 3.2, APIs: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03271DC2
_memset.LIBCMT ref: 03271DE0

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: a812d03c30fc781d0e28fa8efc954203c2809476a255da12f383e8f84d05e01b
Instruction ID: 406cb8b24f07f5f38f07b71efed4df8fe962d202002b6621d41d57edabc08fdf
Opcode Fuzzy Hash: a812d03c30fc781d0e28fa8efc954203c2809476a255da12f383e8f84d05e01b
Instruction Fuzzy Hash: 9951616910D7D08EC33ACB3A48909A6BFE15EB700170DCACDD8D64BB97D164E649CB72

Uniqueness

Uniqueness Score: -1.00%

Function 004027AF Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027BE

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 7dc7aefde22297a4bf68967d875df35d5105c079c979e2d7c1a4a5bcaaa4c8d9
Instruction ID: 737ac8146ade5f595adbd5730fa00ddb6f2ef6f5a59bf34d7a8fc53b42ba95ca
Opcode Fuzzy Hash: 7dc7aefde22297a4bf68967d875df35d5105c079c979e2d7c1a4a5bcaaa4c8d9
Instruction Fuzzy Hash: 02F0E572605118EFD711DBA49A49AFEB768DF61324F2004BFE142F60C2C7B849419B3E

Uniqueness

Uniqueness Score: -1.00%

Function 03277324 Relevance: 1.4, Strings: 1, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

Strings

N@, xrefs: 03277334

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID:
String ID: N@
API String ID: 0-1509896676
Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction ID: 8dbbfd56e9d73ba34581632316b2e48c478bdb1787ac0c7ae37b7ca488a27cb1
Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction Fuzzy Hash: 246138729003168FCB18CF4DC4946AABBF6FF84314F1AC5AED8095B365C7B19995CB84

Uniqueness

Uniqueness Score: -1.00%

Function 03272580 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

@, xrefs: 03272670

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3046b3594c1e47efc45773d4a054b351b2b05c1cac24a5dc60c16884f43d90b3
Instruction ID: da25824b0a133f1ad22ea36fdf0619540a87d1cce49a49b11aaa1cba743bd1e1
Opcode Fuzzy Hash: 3046b3594c1e47efc45773d4a054b351b2b05c1cac24a5dc60c16884f43d90b3
Instruction Fuzzy Hash: BB41043011D3D18BC716DF38889417AFFE1BF9A208F0D49DDE8D09B312D662A558C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 03210C67 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

Heap, xrefs: 03210D00

Memory Dump Source

Source File: 00000000.00000002.2578628998.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_etopt.jbxd

Similarity

API ID:
String ID: Heap
API String ID: 0-488345055
Opcode ID: 080f7baf2362a8755dfa17f0b8cf837672587a2fc0e03a928c88a944b937714f
Instruction ID: 5526900a384dd5d54a5cc8c3cbb538d58f8ccabe6b071e46bbd3481f637ae05e
Opcode Fuzzy Hash: 080f7baf2362a8755dfa17f0b8cf837672587a2fc0e03a928c88a944b937714f
Instruction Fuzzy Hash: 3F316936A1161ADFCB10CF88C580AAEF7F6FF94315F2981A9C80167212D370BA95DF80

Uniqueness

Uniqueness Score: -1.00%

Function 03230C67 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

Heap, xrefs: 03230D00

Memory Dump Source

Source File: 00000000.00000002.2578668685.0000000003230000.00000040.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3230000_etopt.jbxd

Similarity

API ID:
String ID: Heap
API String ID: 0-488345055
Opcode ID: 080f7baf2362a8755dfa17f0b8cf837672587a2fc0e03a928c88a944b937714f
Instruction ID: 264ad1dda33d0cc77235e18b1b8a93823c0631e3f8bfb5335a500111c555dd08
Opcode Fuzzy Hash: 080f7baf2362a8755dfa17f0b8cf837672587a2fc0e03a928c88a944b937714f
Instruction Fuzzy Hash: 76318E7691161ADFCB10CF88C480AAEF7F6FF85315F298599C80267312D370BA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0327807F Relevance: 1.3, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0327807F

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 53a9373fad6e664e8e3b269cc52bed6cbd5b26212f8c01a2eabbbb119bf5fdb0
Instruction ID: 221abce9dea57b806466eebad88ba6f4d3a3a655d7948f08f8eab10ad15cb53e
Opcode Fuzzy Hash: 53a9373fad6e664e8e3b269cc52bed6cbd5b26212f8c01a2eabbbb119bf5fdb0
Instruction Fuzzy Hash: 3FC08C7806A3448EC340FB69B04F3093FB0B310601F28C009D00149A88EFB010F1CF0B

Uniqueness

Uniqueness Score: -1.00%

Function 032710A0 Relevance: .9, Instructions: 939COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31590cc3b8800b113e01c771703e70b0ee848efcd2e8dd84160f0f5998983fac
Instruction ID: abe7a37ec50834a8d45d886b9366cf19de2b9051942cdd48503f96572f27544b
Opcode Fuzzy Hash: 31590cc3b8800b113e01c771703e70b0ee848efcd2e8dd84160f0f5998983fac
Instruction Fuzzy Hash: 7E727172A083548FC368DF9AD8D45DBF7E2BFC8314F49853DD99C83302DA74A9158A86

Uniqueness

Uniqueness Score: -1.00%

Function 6E823814 Relevance: .7, Instructions: 662COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e280399371e9f418afa7a43feb38ffde9966abd060f384b598785dac1410f97f
Instruction ID: d1538f8558c20d02252a6871ca93a2b68a60ef42b5c116e3e044bd770c7ee0c2
Opcode Fuzzy Hash: e280399371e9f418afa7a43feb38ffde9966abd060f384b598785dac1410f97f
Instruction Fuzzy Hash: D0521875D1461AEFCB04CF99C5A46ADBBF1FF09310F2085AAD859AB685D3309E90CF90

Uniqueness

Uniqueness Score: -1.00%

Function 10005A9B Relevance: .7, Instructions: 662COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efbceab6c7f233ed574b2a5ddd965e232971f5dff4a806fd1bf89f8b51417a9
Instruction ID: 93efb3ddecd82a45c6df8ec0d43faa231fb963580f63ec1a60894aa623fcca12
Opcode Fuzzy Hash: 1efbceab6c7f233ed574b2a5ddd965e232971f5dff4a806fd1bf89f8b51417a9
Instruction Fuzzy Hash: 5F522A71D0021AEFDF14CF98C584AAEBBF1FF08351F2581AAD855AB249D731AA50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03257144 Relevance: .6, Instructions: 642COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca46d5658f20917e92665e9e49515c3633f744e590e61baf2777213d3a999fbe
Instruction ID: 4eef09b348594b6bbd5425f3e3f617272a4623aa27752bce7d60ef510dc40726
Opcode Fuzzy Hash: ca46d5658f20917e92665e9e49515c3633f744e590e61baf2777213d3a999fbe
Instruction Fuzzy Hash: 32428F71D65246AFDB26CF5CD494AACBBB5EF06314F2880CAFC455B261C375AAC0CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E824014 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f02f95db8e31bbc34dc3dbb3bddfd22c28655e98120b2d6229fa3d559033131
Instruction ID: 8111e8cc35c89f7e200a9113686c9dc5db8c3f87c8f4c9bab9bfab6830d93e99
Opcode Fuzzy Hash: 6f02f95db8e31bbc34dc3dbb3bddfd22c28655e98120b2d6229fa3d559033131
Instruction Fuzzy Hash: 4DF10771E042298FDB64CF69C89079DB7B2BF89314F1185EAC84DA7245D7306E86CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000629B Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64bc58e457230d8ac40aaf32b8b1bfaccff9c7db401af52fa1f575e37dfae646
Instruction ID: 0559fff7edd57ede9ad97cb6408e28ef0d4348a0e53728e6e1ed0eb401de0cdb
Opcode Fuzzy Hash: 64bc58e457230d8ac40aaf32b8b1bfaccff9c7db401af52fa1f575e37dfae646
Instruction Fuzzy Hash: CFF1D475E042298FEB64CF28C89079DB7B2FB49354F2581EAC84DA7245DB306E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03272000 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ae1b3fe0f502dee63a86ae6ffa2c3d4148f5283d19107bd7ec829b2584ca87
Instruction ID: 12c224cd7c5e6da577192600da30c59b9051e4db9064e95aa7fbbf2a3bbbedd9
Opcode Fuzzy Hash: 96ae1b3fe0f502dee63a86ae6ffa2c3d4148f5283d19107bd7ec829b2584ca87
Instruction Fuzzy Hash: 3F910BB1A146108FD78CCF1AD194C52B7E2FF9C324757D2AED40A8B676D630E946CE88

Uniqueness

Uniqueness Score: -1.00%

Function 6E8249C3 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb4dfa860a3eaa4f5c136e1ff57a7183e1523c300478f89ca77f9beba99662b
Instruction ID: 86118bd13d49f412f279ab5f11cbe7226f8177749000d31910d58bac56a9cabb
Opcode Fuzzy Hash: 1cb4dfa860a3eaa4f5c136e1ff57a7183e1523c300478f89ca77f9beba99662b
Instruction Fuzzy Hash: C7210B256B4EE20A8B558AF8E8D011227D0CBCF11E79D8BB5CE94C9051D06DD773C5E0

Uniqueness

Uniqueness Score: -1.00%

Function 10006C4A Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a613fbe12da46bbc3bb1f2e643eac4accf32e1b2a2b3feb4ddf10ccc0a5b094c
Instruction ID: 4f574b5194f90509bb5b0851de04b9ae9286ab7b99d4e967b6c4f36d3a3b8a4b
Opcode Fuzzy Hash: a613fbe12da46bbc3bb1f2e643eac4accf32e1b2a2b3feb4ddf10ccc0a5b094c
Instruction Fuzzy Hash: A721EB29AB0AF207F3498BFCFCD05122BD1CBCD15676DC2AADA94C9051D07DE6628570

Uniqueness

Uniqueness Score: -1.00%

Function 03210BF7 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578628998.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7803670f869195933bc174c76bcf570c7903543dcd5eaefd9c83307d4a1175ec
Instruction ID: 1b8851c424c75bfcff0d821eb3f6fe8d2a18759bf6cb74647e086356236207bb
Opcode Fuzzy Hash: 7803670f869195933bc174c76bcf570c7903543dcd5eaefd9c83307d4a1175ec
Instruction Fuzzy Hash: 2A01F73AB20610CFC754CF5DC6C08A9F3FAFBA8714754C4A5C4065B306D671A8D2CE50

Uniqueness

Uniqueness Score: -1.00%

Function 03230BF7 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578668685.0000000003230000.00000040.00001000.00020000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3230000_etopt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7803670f869195933bc174c76bcf570c7903543dcd5eaefd9c83307d4a1175ec
Instruction ID: 3eca5bd2ac57e8884d925e672b2fc57c9d7bf46a318ca538b27665875d680625
Opcode Fuzzy Hash: 7803670f869195933bc174c76bcf570c7903543dcd5eaefd9c83307d4a1175ec
Instruction Fuzzy Hash: 3501F77AB20610CFC755CF5EC4C09A9F3BAFB89714758C8A5C4071B202D675E882CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00404CDC Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404CF3
GetDlgItem.USER32(?,00000408), ref: 00404D00
GlobalAlloc.KERNEL32(00000040,?), ref: 00404D4F
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404D66
SetWindowLongA.USER32(?,000000FC,004052EF), ref: 00404D80
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D92
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DA6
SendMessageA.USER32(?,00001109,00000002), ref: 00404DBC
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404DC8
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404DD8
DeleteObject.GDI32(00000110), ref: 00404DDD
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404E08
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404E14
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404EAE
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404EDE

Part of subcall function 0040430C: SendMessageA.USER32(00000028,?,00000001,0040413C), ref: 0040431A

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404EF2
GetWindowLongA.USER32(?,000000F0), ref: 00404F20
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404F2E
ShowWindow.USER32(?,00000005), ref: 00404F3E
SendMessageA.USER32(?,00000419,00000000,?), ref: 00405039
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040509E
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004050B3
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 004050D7
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 004050F7
ImageList_Destroy.COMCTL32(?), ref: 0040510C
GlobalFree.KERNEL32(?), ref: 0040511C
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405195
SendMessageA.USER32(?,00001102,?,?), ref: 0040523E
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040524D
InvalidateRect.USER32(?,00000000,00000001), ref: 00405278
ShowWindow.USER32(?,00000000), ref: 004052C6
GetDlgItem.USER32(?,000003FE), ref: 004052D1
ShowWindow.USER32(00000000), ref: 004052D8

Strings

M, xrefs: 00404E96
N, xrefs: 00404F77
_JX, xrefs: 0040527E
, xrefs: 004052B0

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N$_JX
API String ID: 2564846305-1617977533
Opcode ID: 35273d0a53c9492904665cffe558d27e96a6298a0d39fd84a0e2010bf116a6ea
Instruction ID: b8536462d7ad043019947a41e0c3bff44b8a42b3ab007f67e0f00d777fd7ef5a
Opcode Fuzzy Hash: 35273d0a53c9492904665cffe558d27e96a6298a0d39fd84a0e2010bf116a6ea
Instruction Fuzzy Hash: 52024EB0A00209AFEB20DF94DD45AAE7BB5FB44314F10417AF611BA2E1C7799D42DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403DDD Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E19
ShowWindow.USER32(?), ref: 00403E39
GetWindowLongA.USER32(?,000000F0), ref: 00403E4B
ShowWindow.USER32(?,00000004), ref: 00403E64
DestroyWindow.USER32 ref: 00403E78
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403E91
GetDlgItem.USER32(?,?), ref: 00403EB0
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403EC4
IsWindowEnabled.USER32(00000000), ref: 00403ECB
GetDlgItem.USER32(?,00000001), ref: 00403F76
GetDlgItem.USER32(?,00000002), ref: 00403F80
SetClassLongA.USER32(?,000000F2,?), ref: 00403F9A
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403FEB
GetDlgItem.USER32(?,00000003), ref: 00404091
ShowWindow.USER32(00000000,?), ref: 004040B2
EnableWindow.USER32(?,?), ref: 004040C4
EnableWindow.USER32(?,?), ref: 004040DF
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040F5
EnableMenuItem.USER32(00000000), ref: 004040FC
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404114
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404127
lstrlenA.KERNEL32(00420920,?,00420920,00000000), ref: 00404151
SetWindowTextA.USER32(?,00420920), ref: 00404160
ShowWindow.USER32(?,0000000A), ref: 00404294

Strings

B, xrefs: 00404141

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: B
API String ID: 1860320154-2384200711
Opcode ID: 4edc06f3de6150c2b67eeadd219133ca47170a920016fcd6dff27a4d421c7eec
Instruction ID: 9e5fc69495a441c79a548aa589c0b9841582ade0de07eae0a5a4d3e4d824febc
Opcode Fuzzy Hash: 4edc06f3de6150c2b67eeadd219133ca47170a920016fcd6dff27a4d421c7eec
Instruction Fuzzy Hash: BAC105B1600205ABDB206F61ED45E3B3A7CEB85746F50013EFA81B11F1CB7D98529B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0325AF58 Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 264registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0325AF62

Part of subcall function 0325A75F: lstrcpyW.KERNEL32(?,00000066), ref: 0325A842
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?), ref: 0325A856
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?,0327D71C), ref: 0325A864
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?,00000066), ref: 0325A87E

_memset.LIBCMT ref: 0325B0A1
RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,?,?,00000066), ref: 0325B15C
__wcsicoll.LIBCMT ref: 0325B201

Strings

5f)f, xrefs: 0325AF99
Tfff, xrefs: 0325B2E8
%ff, xrefs: 0325B05B
:f$f, xrefs: 0325B015
:f%f, xrefs: 0325AFC1
1f'f, xrefs: 0325AFAD
:f"f, xrefs: 0325AFE9
4f#f, xrefs: 0325AFB7
f, xrefs: 0325B0C0
f2f, xrefs: 0325AFA3
f, xrefs: 0325B2F1

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: lstrcat$EnumH_prolog3___wcsicoll_memsetlstrcpy
String ID: f2f$%ff$1f'f$4f#f$5f)f$:f"f$:f$f$:f%f$Tfff$f$f
API String ID: 970344271-265498559
Opcode ID: 3fc73e7393eed78fca2fc75712c41d910a17af4ba7f5422cb03724754682dd32
Instruction ID: 1bb48eaa39731b4e127fa83c10641302e0eeba99a37737d2d0ec192912501882
Opcode Fuzzy Hash: 3fc73e7393eed78fca2fc75712c41d910a17af4ba7f5422cb03724754682dd32
Instruction Fuzzy Hash: 0BB118B1D203299EDB20DF65CC45BDEBBB8BF41300F1080A9E648BB111DBB49AC58F95

Uniqueness

Uniqueness Score: -1.00%

Function 00404442 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004044CD
GetDlgItem.USER32(00000000,000003E8), ref: 004044E1
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004044FF
GetSysColor.USER32(?), ref: 00404510
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040451F
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040452E
lstrlenA.KERNEL32(?), ref: 00404531
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404540
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404555
GetDlgItem.USER32(?,0000040A), ref: 004045B7
SendMessageA.USER32(00000000), ref: 004045BA
GetDlgItem.USER32(?,000003E8), ref: 004045E5
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404625
LoadCursorA.USER32(00000000,00007F02), ref: 00404634
SetCursor.USER32(00000000), ref: 0040463D
LoadCursorA.USER32(00000000,00007F00), ref: 00404653
SetCursor.USER32(00000000), ref: 00404656
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404682
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404696

Strings

D@, xrefs: 00404641
N, xrefs: 004045D3
_JX, xrefs: 00404462
ClocX see company, Inc., xrefs: 00404610

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: D@$ClocX see company, Inc.$N$_JX
API String ID: 3103080414-2116975861
Opcode ID: ef3a11a860b8778ca4caabcb63db2f284b03ff91bbcd71dd1ef8619eb17325d1
Instruction ID: 4262831758e79eadeee89dc0d46885cfd5308b8b64789285217352c219a127bc
Opcode Fuzzy Hash: ef3a11a860b8778ca4caabcb63db2f284b03ff91bbcd71dd1ef8619eb17325d1
Instruction Fuzzy Hash: FF61B1B1A40209BFDB109F61DD45F6A3BA9EB84714F00843AFB04BA1D1D7BDA951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 032595C7 Relevance: 40.4, APIs: 2, Strings: 21, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 0325B3BB: __EH_prolog3_GS.LIBCMT ref: 0325B3C2

_memset.LIBCMT ref: 03259756
__wcsicoll.LIBCMT ref: 0325978E

Part of subcall function 032601BE: RegCloseKey.KERNEL32(?,032600AC,?,?,?,?,0325E3E8,80000001), ref: 032601C7

Strings

_f_f, xrefs: 0325967F
WfSf, xrefs: 032596C5
5f)f, xrefs: 032595EE
VfWf, xrefs: 032596A2
QfPf, xrefs: 03259694
RfPf, xrefs: 032596B7
ff, xrefs: 03259647
:f%f, xrefs: 03259616
TfUf, xrefs: 032596B0
SfKf, xrefs: 03259686
_fPf, xrefs: 032596D3
x, xrefs: 03259772
SfQf, xrefs: 03259663
UfVf, xrefs: 032596BE
RfSf, xrefs: 0325968D
f2f, xrefs: 032595F8
f, xrefs: 032596F5
:fLf, xrefs: 03259632
:f5f, xrefs: 03259639
1f'f, xrefs: 03259602
4f#f, xrefs: 0325960C

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: CloseH_prolog3___wcsicoll_memset
String ID: ff$ f2f$1f'f$4f#f$5f)f$:f%f$:f5f$:fLf$QfPf$RfPf$RfSf$SfKf$SfQf$TfUf$UfVf$VfWf$WfSf$_fPf$_f_f$f$x
API String ID: 107070161-1769253259
Opcode ID: 39498f65b7759053a4832abe142dce4c9c7241e30e40ada3e991c2d593e0d245
Instruction ID: 5b6171bd5adb7b9f5f43cb54829a0e2d11dc356c7a0dcfaf6c50beef861b877c
Opcode Fuzzy Hash: 39498f65b7759053a4832abe142dce4c9c7241e30e40ada3e991c2d593e0d245
Instruction Fuzzy Hash: 845115B1D2036D9BDB20DFA6DC827DDBBB8BF04304F1080A9D519BB240EB704A858F94

Uniqueness

Uniqueness Score: -1.00%

Function 6E842C98 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6E841B80,6E849378,00000008,6E841D14,?,?,?,6E849398,0000000C,6E841DCF,?), ref: 6E842CA0
__mtterm.LIBCMT ref: 6E842CAC

Part of subcall function 6E842977: DecodePointer.KERNEL32(00000006,6E841C43,6E841C29,6E849378,00000008,6E841D14,?,?,?,6E849398,0000000C,6E841DCF,?), ref: 6E842988
Part of subcall function 6E842977: TlsFree.KERNEL32(0000001B,6E841C43,6E841C29,6E849378,00000008,6E841D14,?,?,?,6E849398,0000000C,6E841DCF,?), ref: 6E8429A2
Part of subcall function 6E842977: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6E841C43,6E841C29,6E849378,00000008,6E841D14,?,?,?,6E849398,0000000C,6E841DCF,?), ref: 6E8447C8
Part of subcall function 6E842977: _free.LIBCMT ref: 6E8447CB
Part of subcall function 6E842977: DeleteCriticalSection.KERNEL32(0000001B,?,?,6E841C43,6E841C29,6E849378,00000008,6E841D14,?,?,?,6E849398,0000000C,6E841DCF,?), ref: 6E8447F2

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6E842CC2
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6E842CCF
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6E842CDC
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6E842CE9
TlsAlloc.KERNEL32(?,?,6E841B80,6E849378,00000008,6E841D14,?,?,?,6E849398,0000000C,6E841DCF,?), ref: 6E842D39
TlsSetValue.KERNEL32(00000000,?,?,6E841B80,6E849378,00000008,6E841D14,?,?,?,6E849398,0000000C,6E841DCF,?), ref: 6E842D54
__init_pointers.LIBCMT ref: 6E842D5E
EncodePointer.KERNEL32(?,?,6E841B80,6E849378,00000008,6E841D14,?,?,?,6E849398,0000000C,6E841DCF,?), ref: 6E842D6F
EncodePointer.KERNEL32(?,?,6E841B80,6E849378,00000008,6E841D14,?,?,?,6E849398,0000000C,6E841DCF,?), ref: 6E842D7C
EncodePointer.KERNEL32(?,?,6E841B80,6E849378,00000008,6E841D14,?,?,?,6E849398,0000000C,6E841DCF,?), ref: 6E842D89
EncodePointer.KERNEL32(?,?,6E841B80,6E849378,00000008,6E841D14,?,?,?,6E849398,0000000C,6E841DCF,?), ref: 6E842D96
DecodePointer.KERNEL32(Function_00002AFB,?,?,6E841B80,6E849378,00000008,6E841D14,?,?,?,6E849398,0000000C,6E841DCF,?), ref: 6E842DB7
__calloc_crt.LIBCMT ref: 6E842DCC
DecodePointer.KERNEL32(00000000,?,?,6E841B80,6E849378,00000008,6E841D14,?,?,?,6E849398,0000000C,6E841DCF,?), ref: 6E842DE6
GetCurrentThreadId.KERNEL32 ref: 6E842DF8

Strings

FlsSetValue, xrefs: 6E842CD1
KERNEL32.DLL, xrefs: 6E842C9B
FlsFree, xrefs: 6E842CDE
FlsGetValue, xrefs: 6E842CC4
FlsAlloc, xrefs: 6E842CBC

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 24c783b60f75e9daa44b93616189d2c1e4b21e3e6ab7c45426656a8a2e0fd4fa
Instruction ID: 47ca38c844ce252f7882318ba6cfb5c2643de4f7664e3d798679061505957fc0
Opcode Fuzzy Hash: 24c783b60f75e9daa44b93616189d2c1e4b21e3e6ab7c45426656a8a2e0fd4fa
Instruction Fuzzy Hash: F13132B2805A19DFDF12BFB59804A153FA9E7463A47100EBAE51CDB2D4F7398441DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E827E62 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6E826D84,6E830F40,00000008,6E826F18,?,?,?,6E830F60,0000000C,6E826FD3,?), ref: 6E827E6A
__mtterm.LIBCMT ref: 6E827E76

Part of subcall function 6E827B41: DecodePointer.KERNEL32(00000007,6E826E47,6E826E2D,6E830F40,00000008,6E826F18,?,?,?,6E830F60,0000000C,6E826FD3,?), ref: 6E827B52
Part of subcall function 6E827B41: TlsFree.KERNEL32(0000001C,6E826E47,6E826E2D,6E830F40,00000008,6E826F18,?,?,?,6E830F60,0000000C,6E826FD3,?), ref: 6E827B6C
Part of subcall function 6E827B41: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6E826E47,6E826E2D,6E830F40,00000008,6E826F18,?,?,?,6E830F60,0000000C,6E826FD3,?), ref: 6E829ECE
Part of subcall function 6E827B41: _free.LIBCMT ref: 6E829ED1
Part of subcall function 6E827B41: DeleteCriticalSection.KERNEL32(0000001C,?,?,6E826E47,6E826E2D,6E830F40,00000008,6E826F18,?,?,?,6E830F60,0000000C,6E826FD3,?), ref: 6E829EF8

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6E827E8C
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6E827E99
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6E827EA6
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6E827EB3
TlsAlloc.KERNEL32(?,?,6E826D84,6E830F40,00000008,6E826F18,?,?,?,6E830F60,0000000C,6E826FD3,?), ref: 6E827F03
TlsSetValue.KERNEL32(00000000,?,?,6E826D84,6E830F40,00000008,6E826F18,?,?,?,6E830F60,0000000C,6E826FD3,?), ref: 6E827F1E
__init_pointers.LIBCMT ref: 6E827F28
EncodePointer.KERNEL32(?,?,6E826D84,6E830F40,00000008,6E826F18,?,?,?,6E830F60,0000000C,6E826FD3,?), ref: 6E827F39
EncodePointer.KERNEL32(?,?,6E826D84,6E830F40,00000008,6E826F18,?,?,?,6E830F60,0000000C,6E826FD3,?), ref: 6E827F46
EncodePointer.KERNEL32(?,?,6E826D84,6E830F40,00000008,6E826F18,?,?,?,6E830F60,0000000C,6E826FD3,?), ref: 6E827F53
EncodePointer.KERNEL32(?,?,6E826D84,6E830F40,00000008,6E826F18,?,?,?,6E830F60,0000000C,6E826FD3,?), ref: 6E827F60
DecodePointer.KERNEL32(Function_00007CC5,?,?,6E826D84,6E830F40,00000008,6E826F18,?,?,?,6E830F60,0000000C,6E826FD3,?), ref: 6E827F81
__calloc_crt.LIBCMT ref: 6E827F96
DecodePointer.KERNEL32(00000000,?,?,6E826D84,6E830F40,00000008,6E826F18,?,?,?,6E830F60,0000000C,6E826FD3,?), ref: 6E827FB0
GetCurrentThreadId.KERNEL32 ref: 6E827FC2

Strings

FlsSetValue, xrefs: 6E827E9B
KERNEL32.DLL, xrefs: 6E827E65
FlsGetValue, xrefs: 6E827E8E
FlsFree, xrefs: 6E827EA8
FlsAlloc, xrefs: 6E827E86

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: a7ed0a34ae897098608f1633adf8c4df9d79f1aedd2b65620f2210496f7d0a92
Instruction ID: e36776440e7aa4e64d9eb192cfba26eb72856c2e489f8838746471ee18515d5e
Opcode Fuzzy Hash: a7ed0a34ae897098608f1633adf8c4df9d79f1aedd2b65620f2210496f7d0a92
Instruction Fuzzy Hash: DA313E39814B119FDF319BF6A904A0A3EA5EF4B7247104D3AE51C972D0DB3A8481CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 6E84124C Relevance: 35.1, APIs: 6, Strings: 14, Instructions: 93libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(advapi32,00000000,00000000), ref: 6E841267
LoadLibraryA.KERNEL32(advapi32), ref: 6E841275
GetProcAddress.KERNEL32(?,6E84904C), ref: 6E841327
GetModuleHandleA.KERNEL32(ntdll), ref: 6E84133F
LoadLibraryA.KERNEL32(ntdll), ref: 6E84134C
GetProcAddress.KERNEL32(00000000,6E8490B8), ref: 6E841389

Strings

MD4Update, xrefs: 6E8412C6
RtlComputeCrc32, xrefs: 6E84137B
MD5Init, xrefs: 6E8412E2
MD5Update, xrefs: 6E8412F0
A_SHAFinal, xrefs: 6E8412A0
RtlRandom, xrefs: 6E84135F
MD4Init, xrefs: 6E8412B8
MD5Final, xrefs: 6E8412FE
A_SHAUpdate, xrefs: 6E841296
ntdll, xrefs: 6E841339, 6E84133E, 6E84134B
RtlRandomEx, xrefs: 6E84136D
MD4Final, xrefs: 6E8412D4
A_SHAInit, xrefs: 6E841291
advapi32, xrefs: 6E841261, 6E841266, 6E841274

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: A_SHAFinal$A_SHAInit$A_SHAUpdate$MD4Final$MD4Init$MD4Update$MD5Final$MD5Init$MD5Update$RtlComputeCrc32$RtlRandom$RtlRandomEx$advapi32$ntdll
API String ID: 310444273-1476569228
Opcode ID: a06bf3272dd43b240f0057ec3f647d94de5cbafb327ff0bf2dd775e63240245e
Instruction ID: a17f652565cffa1e982d72cd2fb84993ca6670067a6447a4674c3030ce989dff
Opcode Fuzzy Hash: a06bf3272dd43b240f0057ec3f647d94de5cbafb327ff0bf2dd775e63240245e
Instruction Fuzzy Hash: AF41F2B0C0162DDB8B22DFE9C9852DDBFB4FB49310F904829D655AB354EB324A09CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0325CF94 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 244networkfilestringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0325CFFF
_memset.LIBCMT ref: 0325D01D
__wcsnicmp.LIBCMT ref: 0325D063
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 0325D0BD
InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0325D0EA
_memset.LIBCMT ref: 0325D10B
HttpOpenRequestW.WININET(?,00000000,?,00000000,00000000,0327D1EC,00000001,00000000), ref: 0325D162
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0325D19A
InternetSetOptionW.WININET(?,0000001F,00003100,00000004), ref: 0325D1BA
lstrlenW.KERNEL32(00000001), ref: 0325D1CC
HttpSendRequestW.WININET(?,00000001,00000000,00000000,00000000), ref: 0325D1E1
HttpQueryInfoW.WININET(?,20000013,?,?,00000000), ref: 0325D21E
HttpQueryInfoW.WININET(?,20000005,?,00000004,00000000), ref: 0325D24C
InternetReadFile.WININET(?,?,00002000,00000004), ref: 0325D273
InternetCloseHandle.WININET(?), ref: 0325D2A2
InternetCloseHandle.WININET(?), ref: 0325D2AE
InternetCloseHandle.WININET(?), ref: 0325D2C2

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 0325D0B8
https, xrefs: 0325D05D

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Internet$Http$CloseHandleQuery_memset$InfoOpenOptionRequest$ConnectFileReadSend__wcsnicmplstrlen
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko$https
API String ID: 4259084325-1186044973
Opcode ID: 9ad5e3493a24ba21524b21c058e0b175768719a9aa5450bfcd4e61fb8a4cd9c0
Instruction ID: 0561c6cb88906d66479e5b4d647b83f178245eba9430821336bd0788f25db588
Opcode Fuzzy Hash: 9ad5e3493a24ba21524b21c058e0b175768719a9aa5450bfcd4e61fb8a4cd9c0
Instruction Fuzzy Hash: 6C913E71912229ABDB22DB65DC889EEBBBCEF08B10F0445D6F909E6150D774DBC48F60

Uniqueness

Uniqueness Score: -1.00%

Function 03254B9F Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 315networkstringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03254C51

Part of subcall function 0325FA58: __time64.LIBCMT ref: 0325FA8E

socket.WS2_32(00000002,00000002,00000011), ref: 03254CEC
WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 03254D1F
setsockopt.WS2_32 ref: 03254D3F
_memset.LIBCMT ref: 03254DCB
_memset.LIBCMT ref: 03254DE1
GetTickCount.KERNEL32 ref: 03254DE9
_rand.LIBCMT ref: 03254DF6
sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 03254E87
recvfrom.WS2_32(?,?,00001000,00000000,?,?), ref: 03254ED6
_memset.LIBCMT ref: 03254EF3
_memset.LIBCMT ref: 03254F63
lstrcpyW.KERNEL32(?,?), ref: 03254FAB
closesocket.WS2_32(?), ref: 03255015

Part of subcall function 03254AED: _swscanf.LIBCMT ref: 03254B30
Part of subcall function 03254AED: gethostbyname.WS2_32(?), ref: 03254B61

Strings

{}, xrefs: 03254D81
query, xrefs: 03254D7B
ust, xrefs: 03254C6D

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memset$CountIoctlTick__time64_rand_swscanfclosesocketgethostbynamelstrcpyrecvfromsendtosetsockoptsocket
String ID: query$ust${}
API String ID: 2820226745-4139922480
Opcode ID: 40751c3300b88727417a7d3dbb94b557b01b737069f631590920b1206df8b150
Instruction ID: 52266c1b66ad3e4a552f7eb227959ab04fee41817a69b06f79f0c4bf37080d4c
Opcode Fuzzy Hash: 40751c3300b88727417a7d3dbb94b557b01b737069f631590920b1206df8b150
Instruction Fuzzy Hash: 62C19F76518381AFE331EB25D884BEBB7E8FF88710F10492EF998C7191D77096848B52

Uniqueness

Uniqueness Score: -1.00%

Function 03265018 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,03263F49,0327E180,00000008,032640DD,?,?,?,0327E1A0,0000000C,03264198,?), ref: 03265020
__mtterm.LIBCMT ref: 0326502C

Part of subcall function 03264CF7: TlsFree.KERNEL32(0000001F,0326400C,03263FF2,0327E180,00000008,032640DD,?,?,?,0327E1A0,0000000C,03264198,?), ref: 03264D22
Part of subcall function 03264CF7: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,0326400C,03263FF2,0327E180,00000008,032640DD,?,?,?,0327E1A0,0000000C,03264198,?), ref: 0326CF79
Part of subcall function 03264CF7: _free.LIBCMT ref: 0326CF7C
Part of subcall function 03264CF7: DeleteCriticalSection.KERNEL32(0000001F,?,?,0326400C,03263FF2,0327E180,00000008,032640DD,?,?,?,0327E1A0,0000000C,03264198,?), ref: 0326CFA3

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 03265042
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0326504F
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0326505C
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 03265069
TlsAlloc.KERNEL32(?,?,03263F49,0327E180,00000008,032640DD,?,?,?,0327E1A0,0000000C,03264198,?), ref: 032650B9
TlsSetValue.KERNEL32(00000000,?,?,03263F49,0327E180,00000008,032640DD,?,?,?,0327E1A0,0000000C,03264198,?), ref: 032650D4
__init_pointers.LIBCMT ref: 032650DE
__calloc_crt.LIBCMT ref: 0326514C
GetCurrentThreadId.KERNEL32 ref: 03265178

Strings

FlsGetValue, xrefs: 03265044
KERNEL32.DLL, xrefs: 0326501B
FlsAlloc, xrefs: 0326503C
FlsSetValue, xrefs: 03265051
FlsFree, xrefs: 0326505E

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 4163708885-3819984048
Opcode ID: 43cbb391264a037f362b8825e5f847eac8e95809326ad05b9b3f137fe594d1a0
Instruction ID: 64894cab4436c02d1bf71b21a3b75ca4ace621d89304f7d61f950b62255ab120
Opcode Fuzzy Hash: 43cbb391264a037f362b8825e5f847eac8e95809326ad05b9b3f137fe594d1a0
Instruction Fuzzy Hash: 52316335926311AECB21FB75B80C919BFB4FF65760B14861AE410962DDD774A0E2CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000AFC6 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,10009306,10014520,00000008,1000949A,?,?,?,10014540,0000000C,10009555,?), ref: 1000AFCE
__mtterm.LIBCMT ref: 1000AFDA

Part of subcall function 1000ACA2: TlsFree.KERNEL32(0000001D,100093C9,100093AF,10014520,00000008,1000949A,?,?,?,10014540,0000000C,10009555,?), ref: 1000ACCD
Part of subcall function 1000ACA2: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,100093C9,100093AF,10014520,00000008,1000949A,?,?,?,10014540,0000000C,10009555,?), ref: 1000BE6A
Part of subcall function 1000ACA2: _free.LIBCMT ref: 1000BE6D
Part of subcall function 1000ACA2: DeleteCriticalSection.KERNEL32(0000001D,?,?,100093C9,100093AF,10014520,00000008,1000949A,?,?,?,10014540,0000000C,10009555,?), ref: 1000BE94

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1000AFF0
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 1000AFFD
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 1000B00A
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 1000B017
TlsAlloc.KERNEL32(?,?,10009306,10014520,00000008,1000949A,?,?,?,10014540,0000000C,10009555,?), ref: 1000B067
TlsSetValue.KERNEL32(00000000,?,?,10009306,10014520,00000008,1000949A,?,?,?,10014540,0000000C,10009555,?), ref: 1000B082
__init_pointers.LIBCMT ref: 1000B08C
__calloc_crt.LIBCMT ref: 1000B0FA
GetCurrentThreadId.KERNEL32 ref: 1000B126

Strings

FlsGetValue, xrefs: 1000AFF2
FlsSetValue, xrefs: 1000AFFF
KERNEL32.DLL, xrefs: 1000AFC9
FlsAlloc, xrefs: 1000AFEA
FlsFree, xrefs: 1000B00C

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 4163708885-3819984048
Opcode ID: cacdfea0d1b94f9217cfd9077508da2f3d6d71e93fdcd2ea25b4371cb079a790
Instruction ID: f8c786e06c6d4f75704c9d72a73d86a195292f38002d1ca85ddd674ba0f5faf1
Opcode Fuzzy Hash: cacdfea0d1b94f9217cfd9077508da2f3d6d71e93fdcd2ea25b4371cb079a790
Instruction Fuzzy Hash: A2317C71900A319BF791DFB9CC88A5A3EF5FB882A0F01862AF458931B5EB74D841CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03255143 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 334networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032551D1
_memset.LIBCMT ref: 03255271
socket.WS2_32(00000002,00000002,00000011), ref: 032552D1
WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 03255304
setsockopt.WS2_32 ref: 03255324
_memset.LIBCMT ref: 03255390
_memset.LIBCMT ref: 032553A6
GetTickCount.KERNEL32 ref: 032553AE
_rand.LIBCMT ref: 032553BB
sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 0325544C
recvfrom.WS2_32(?,?,00001000,00000000,?,?), ref: 0325549B
_memset.LIBCMT ref: 032554B8

Part of subcall function 03253AF5: _memmove.LIBCMT ref: 03253BE3

closesocket.WS2_32(?), ref: 03255618

Part of subcall function 0325A9C3: std::exception::exception.LIBCMT ref: 0325A9DF
Part of subcall function 0325A9C3: __CxxThrowException@8.LIBCMT ref: 0325A9F4

Part of subcall function 03253317: __EH_prolog3_GS.LIBCMT ref: 03253321
Part of subcall function 03253317: _memset.LIBCMT ref: 03253365
Part of subcall function 03253317: _memset.LIBCMT ref: 0325337D

closesocket.WS2_32(?), ref: 0325558C

Part of subcall function 0325603E: __EH_prolog3_catch.LIBCMT ref: 03256045

Part of subcall function 03253412: __EH_prolog3.LIBCMT ref: 03253419

Strings

ust, xrefs: 032551ED

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memset$closesocket$CountException@8H_prolog3H_prolog3_H_prolog3_catchIoctlThrowTick_memmove_randrecvfromsendtosetsockoptsocketstd::exception::exception
String ID: ust
API String ID: 2621635266-4261539001
Opcode ID: f7f4e3164cc089568b0fdd9cd86681f9ab401a1a917494670fd3afb22955d5a3
Instruction ID: 11c97bc9d9bfaa1d7c3c23cdc1696b52f323404dc2c973187d0f10a76877e5e5
Opcode Fuzzy Hash: f7f4e3164cc089568b0fdd9cd86681f9ab401a1a917494670fd3afb22955d5a3
Instruction Fuzzy Hash: F6D17F764183859FD731EF64D885BDBB7E8EF85710F10092EFA8987190DBB096848B52

Uniqueness

Uniqueness Score: -1.00%

Function 03259CB3 Relevance: 26.5, APIs: 4, Strings: 11, Instructions: 205registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 03259CBD

Part of subcall function 0325B3BB: __EH_prolog3_GS.LIBCMT ref: 0325B3C2

_memset.LIBCMT ref: 03259E36
RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,?,?,00000066), ref: 03259EE7
__wcsicoll.LIBCMT ref: 03259F93

Part of subcall function 032601BE: RegCloseKey.KERNEL32(?,032600AC,?,?,?,?,0325E3E8,80000001), ref: 032601C7

Part of subcall function 03260395: GetModuleHandleW.KERNEL32(ntdll,00000000,03253DBD), ref: 032603A5
Part of subcall function 03260395: LoadLibraryW.KERNEL32(ntdll), ref: 032603B0
Part of subcall function 03260395: GetProcAddress.KERNEL32(00000000,NtWow64DebuggerCall), ref: 032603C0

Part of subcall function 0325B4F8: GetModuleHandleW.KERNEL32(ShlWapi,?,00000000), ref: 0325B51D
Part of subcall function 0325B4F8: LoadLibraryW.KERNEL32(ShlWapi,?,00000000), ref: 0325B52A
Part of subcall function 0325B4F8: GetProcAddress.KERNEL32(00000000,0327CF04), ref: 0325B5CD

Strings

ff, xrefs: 03259DB4
:f+f, xrefs: 03259CFB
:f%f, xrefs: 03259D52
f, xrefs: 03259E10
:f5f, xrefs: 03259DA6
5f)f, xrefs: 03259CD3
f2f, xrefs: 03259CDD
1f'f, xrefs: 03259CE7
4f#f, xrefs: 03259CF1
ff, xrefs: 03259E08
:f1f, xrefs: 03259D2D

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressH_prolog3_HandleLibraryLoadModuleProc$CloseEnum__wcsicoll_memset
String ID: ff$ f2f$1f'f$4f#f$5f)f$:f%f$:f+f$:f1f$:f5f$f$ff
API String ID: 29765745-2445663763
Opcode ID: 9ce0de2f70dcfccb13ec299cbfc924224f0d401f9067f893e279144544c34c61
Instruction ID: f31af2116df89162c510615ecbd2f2f64bfed33ba43723807327498381a4f65d
Opcode Fuzzy Hash: 9ce0de2f70dcfccb13ec299cbfc924224f0d401f9067f893e279144544c34c61
Instruction Fuzzy Hash: 90A1E4B5D253698ADB21DFA5CC867DDBBB9BF04300F6041E9D408BB210DB705AC59F51

Uniqueness

Uniqueness Score: -1.00%

Function 0325A49D Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 162registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0325A4A7

Part of subcall function 0325B3BB: __EH_prolog3_GS.LIBCMT ref: 0325B3C2

_memset.LIBCMT ref: 0325A58B
RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,?,?,00000066), ref: 0325A62A
__wcsicoll.LIBCMT ref: 0325A699

Strings

5f)f, xrefs: 0325A4D5
:f%f, xrefs: 0325A54C
:f%f, xrefs: 0325A4F1
ff, xrefs: 0325A561
:f"f, xrefs: 0325A50D
1f'f, xrefs: 0325A4E3
4f#f, xrefs: 0325A4EA
f, xrefs: 0325A5AA
f.f, xrefs: 0325A568
ff, xrefs: 0325A53E
f2f, xrefs: 0325A4DC

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: H_prolog3_$Enum__wcsicoll_memset
String ID: ff$ff$f.f$ f2f$1f'f$4f#f$5f)f$:f"f$:f%f$:f%f$f
API String ID: 4150764323-1315752963
Opcode ID: f8d3d0c12be11f6576e0e23d1c077b3ed64638112720b5f16c275b58bde5f4e9
Instruction ID: 426d6be2f290956af99be33d47f7f4c68321464c90404113362c83678f2347c0
Opcode Fuzzy Hash: f8d3d0c12be11f6576e0e23d1c077b3ed64638112720b5f16c275b58bde5f4e9
Instruction Fuzzy Hash: 516119B5C243698ADF61EFA6CC897DDBBB8AF40300F5042A9D908BB120DB754AC5DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423B20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: d61691d462883fe5d04acf452d55bcaff09ca60d36777b0a3b69fe5fd5749037
Instruction ID: ce0e1775dc57e2611eec9810580e82c7ccfea9863ca17ce6bffee9922d4e458c
Opcode Fuzzy Hash: d61691d462883fe5d04acf452d55bcaff09ca60d36777b0a3b69fe5fd5749037
Instruction Fuzzy Hash: DB419C71800209AFCB058F95DE459AFBFB9FF44314F00842EF991AA1A0CB389A54DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 03259031 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 108stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0325A75F: lstrcpyW.KERNEL32(?,00000066), ref: 0325A842
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?), ref: 0325A856
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?,0327D71C), ref: 0325A864
Part of subcall function 0325A75F: lstrcatW.KERNEL32(?,00000066), ref: 0325A87E

_memset.LIBCMT ref: 03259127
lstrcpyW.KERNEL32(?,00000066), ref: 03259147
lstrcatW.KERNEL32(?,\Hash Me), ref: 03259159

Part of subcall function 032601BE: RegCloseKey.KERNEL32(?,032600AC,?,?,?,?,0325E3E8,80000001), ref: 032601C7

Strings

ff, xrefs: 03259121
1f'f, xrefs: 0325908E
\Hash Me, xrefs: 0325914D
:f%f, xrefs: 0325909C
4f#f, xrefs: 03259095
f, xrefs: 03259131
5f)f, xrefs: 03259080
:fLf, xrefs: 032590B8
ff, xrefs: 032590CD
{017BEFE6-75D6-4129-8475-356B0774B0DE}, xrefs: 0325904C, 032591AC
:f%f, xrefs: 032590DB
f2f, xrefs: 03259087

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: lstrcat$lstrcpy$Close_memset
String ID: ff$ f2f$1f'f$4f#f$5f)f$:f%f$:f%f$:fLf$\Hash Me$f$ff${017BEFE6-75D6-4129-8475-356B0774B0DE}
API String ID: 4247296309-411516897
Opcode ID: f728e587091ffb1a78b7716fd0262442c9fadb1e3d00cd3204fe8813b8247fb5
Instruction ID: 6a9639d9f3025e73ae877e86ff8457cd3d82c574f6f853d130d246afc35d689e
Opcode Fuzzy Hash: f728e587091ffb1a78b7716fd0262442c9fadb1e3d00cd3204fe8813b8247fb5
Instruction Fuzzy Hash: 0E4124B1D2036D9BCB20DFA6DC867DEBBB8AF44704F1085A9D415BB240DB748A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03251E88 Relevance: 24.8, APIs: 3, Strings: 11, Instructions: 304COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 03251E8F

Part of subcall function 032601DA: GetModuleHandleW.KERNEL32(Kernel32,?,03252219,?,00000000,?,00000000,?,00000000,?,00000000,?,?,?,?,?), ref: 032601FD
Part of subcall function 032601DA: LoadLibraryW.KERNEL32(Kernel32,?,80000001,Software\Chromium,00000154,0325406F), ref: 03260208
Part of subcall function 032601DA: GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 03260218

_free.LIBCMT ref: 03252289

Part of subcall function 03262AB1: RtlFreeHeap.NTDLL(00000000,00000000,?,03264E52,00000000,?,0326B6E0,00000000,00000001,00000000,?,0326D017,00000018,0327E2F0,0000000C,0326D0A7), ref: 03262AC7
Part of subcall function 03262AB1: GetLastError.KERNEL32(00000000,?,03264E52,00000000,?,0326B6E0,00000000,00000001,00000000,?,0326D017,00000018,0327E2F0,0000000C,0326D0A7,00000000), ref: 03262AD9

_free.LIBCMT ref: 0325229B

Strings

x64, xrefs: 0325217C
board, xrefs: 03251F8E
mac1, xrefs: 03251F43
name, xrefs: 03252060
coreNum, xrefs: 032520B6
notepad, xrefs: 0325219F
mac2, xrefs: 03251F6C
cpu, xrefs: 03252038
sys, xrefs: 032520E5
product, xrefs: 03252008
manu, xrefs: 03251FB0

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _free$AddressErrorFreeH_prolog3HandleHeapLastLibraryLoadModuleProc
String ID: board$coreNum$cpu$mac1$mac2$manu$name$notepad$product$sys$x64
API String ID: 4060042898-2700394627
Opcode ID: f403334fb7a1033fd5fefdfdfa27c17652b3d198531c48529e14de01c04a8e39
Instruction ID: a3dcc1eea2d6cb7f9930a8a72fd9410543fc221a7a351a6f150fe9819849e318
Opcode Fuzzy Hash: f403334fb7a1033fd5fefdfdfa27c17652b3d198531c48529e14de01c04a8e39
Instruction Fuzzy Hash: 1BC1EFB592035DDBCB11EFE0C9449EEB7B9BF45314F64441AE815BB200D7B0AB898FA1

Uniqueness

Uniqueness Score: -1.00%

Function 03258361 Relevance: 24.7, APIs: 3, Strings: 11, Instructions: 161registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032584DE
RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,?,-80000001,00000066,?,00000001,?), ref: 03258568
__wcsicoll.LIBCMT ref: 032585D7

Part of subcall function 032601BE: RegCloseKey.KERNEL32(?,032600AC,?,?,?,?,0325E3E8,80000001), ref: 032601C7

Strings

4f#f, xrefs: 032583A2
5f)f, xrefs: 03258384
f2f, xrefs: 0325838E
ff, xrefs: 0325845C
f, xrefs: 032584B8
1f'f, xrefs: 03258398
:f1f, xrefs: 032583DE
:f+f, xrefs: 032583AC
ff, xrefs: 032584B0
:f%f, xrefs: 032583FA
:f5f, xrefs: 0325844E

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: CloseEnum__wcsicoll_memset
String ID: ff$ f2f$1f'f$4f#f$5f)f$:f%f$:f+f$:f1f$:f5f$f$ff
API String ID: 1002839776-2445663763
Opcode ID: 19a074950272f64853439785b1e7de321f1385b5797451ecdb12a79684b5eecc
Instruction ID: 0180c11e3295a13db8169b724c765cf80d69f792b30a35fc09e1d976f590cb8a
Opcode Fuzzy Hash: 19a074950272f64853439785b1e7de321f1385b5797451ecdb12a79684b5eecc
Instruction Fuzzy Hash: 5271F3B5D2136D9BDB20DF96DC867DDBBB9AF41304F5081A9D908BB210DBB04AC58F50

Uniqueness

Uniqueness Score: -1.00%

Function 03257F0B Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 145registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03257FFA
RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,?,-80000001,00000066,00000001,?,00000000), ref: 0325808C
__wcsicoll.LIBCMT ref: 032580FB

Part of subcall function 032601BE: RegCloseKey.KERNEL32(?,032600AC,?,?,?,?,0325E3E8,80000001), ref: 032601C7

Strings

:f%f, xrefs: 03257F60
:f"f, xrefs: 03257F7C
ff, xrefs: 03257FD0
5f)f, xrefs: 03257F44
:f%f, xrefs: 03257FBB
f.f, xrefs: 03257FD7
1f'f, xrefs: 03257F52
4f#f, xrefs: 03257F59
ff, xrefs: 03257FAD
f, xrefs: 03258016
f2f, xrefs: 03257F4B

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: CloseEnum__wcsicoll_memset
String ID: ff$ff$f.f$ f2f$1f'f$4f#f$5f)f$:f"f$:f%f$:f%f$f
API String ID: 1002839776-1315752963
Opcode ID: 03c2263a0fa48522e1eae4dfc0a2c26cf9741885bfe136bdb9936eb9d102ad26
Instruction ID: 0f54db3a4530475cc88b2b41a14bf4e9f8b591e9001b8abf2b6646145d2eb240
Opcode Fuzzy Hash: 03c2263a0fa48522e1eae4dfc0a2c26cf9741885bfe136bdb9936eb9d102ad26
Instruction Fuzzy Hash: A05117B5D2436D9ADB20DFA6DC857DEFBB8AF40704F1081A9D818BB210D7B44A85DF90

Uniqueness

Uniqueness Score: -1.00%

Function 032591EF Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 78stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 032591F9
_memset.LIBCMT ref: 032592BD
lstrcpyW.KERNEL32(?,00000066), ref: 032592DD

Strings

ff, xrefs: 03259263
5f)f, xrefs: 03259216
Hash Me, xrefs: 0325933B
ff, xrefs: 032592B7
:f%f, xrefs: 03259271
:fLf, xrefs: 0325924E
f2f, xrefs: 0325921D
1f'f, xrefs: 03259224
:f%f, xrefs: 03259232
f, xrefs: 032592C7
4f#f, xrefs: 0325922B

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: H_prolog3__memsetlstrcpy
String ID: ff$ f2f$1f'f$4f#f$5f)f$:f%f$:f%f$:fLf$Hash Me$f$ff
API String ID: 3934880001-1273432146
Opcode ID: 3c4b730010f516aa7235b644a3519213931d02dabc7083f1c2a51eca3239c8d1
Instruction ID: b831513baaed2664b65369eac3a6d204266895b1c5601f06ad6ae90e3a2d444d
Opcode Fuzzy Hash: 3c4b730010f516aa7235b644a3519213931d02dabc7083f1c2a51eca3239c8d1
Instruction Fuzzy Hash: A931DDB4C2436D9ACB21DFA6DC827DEBBB8BF04704F5485A9D415BB240DB754A82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03260D12 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 268stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 03260D1C
_memset.LIBCMT ref: 03260D63
lstrlenW.KERNEL32(?,?sid=%u&d=,?,?,?), ref: 03260DB9
wsprintfW.USER32 ref: 03260DC7
_sprintf.LIBCMT ref: 03260E36
lstrcatW.KERNEL32(?,?), ref: 03260E88

Strings

x32, xrefs: 03260F91, 03261002
x64, xrefs: 03260FD2, 03261054
http://pz.qishia.com/mm2/up/, xrefs: 03260D85
?sid=%u&d=, xrefs: 03260DB3
http://pz.hnlyzqjlb.com/mm2/up/, xrefs: 03260D7C
pid=%u&mid=%u&sid=%u&x64=%u&ver=%u, xrefs: 03260E30
ver, xrefs: 03260F57, 032610A7

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: H_prolog3__memset_sprintflstrcatlstrlenwsprintf
String ID: ?sid=%u&d=$http://pz.hnlyzqjlb.com/mm2/up/$http://pz.qishia.com/mm2/up/$pid=%u&mid=%u&sid=%u&x64=%u&ver=%u$ver$x32$x64
API String ID: 1060426268-2707866487
Opcode ID: cb36d62bb9ee70d4404230ed5eb852ed43a1df7f4f9d87c5dbe44464891a391a
Instruction ID: d3a9956f6fbc89149c9e4ea46672044ac9eaf4007e46bbedfb32d3eb10ab8a4f
Opcode Fuzzy Hash: cb36d62bb9ee70d4404230ed5eb852ed43a1df7f4f9d87c5dbe44464891a391a
Instruction Fuzzy Hash: 81B18C769212599BEF21DF68CC84BEAB7B4BF85300F1845D5D808BB252DB71AAC5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0325B5FC Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 169registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0325B606

Part of subcall function 0325B3BB: __EH_prolog3_GS.LIBCMT ref: 0325B3C2

_memset.LIBCMT ref: 0325B72D
RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,?,?,00000066), ref: 0325B7D4
__wcsicoll.LIBCMT ref: 0325B843

Strings

:f$f, xrefs: 0325B6A1
%ff, xrefs: 0325B6E7
:f"f, xrefs: 0325B67E
f, xrefs: 0325B74C
1f'f, xrefs: 0325B648
4f#f, xrefs: 0325B652
5f)f, xrefs: 0325B634
f2f, xrefs: 0325B63E
:f%f, xrefs: 0325B65C

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: H_prolog3_$Enum__wcsicoll_memset
String ID: f2f$%ff$1f'f$4f#f$5f)f$:f"f$:f$f$:f%f$f
API String ID: 4150764323-3794202601
Opcode ID: 7d4b8edb705059ac20d9b9da8ec74d8047d90513c8c32bfdb545c9d4b610b93f
Instruction ID: f76cd54959df4b62881153951ea2d0d685b37e40a06f1eb8dd52b35006637475
Opcode Fuzzy Hash: 7d4b8edb705059ac20d9b9da8ec74d8047d90513c8c32bfdb545c9d4b610b93f
Instruction Fuzzy Hash: C371E5B5D213699ADB60EF66DC897DDBBB8AF00304F5081E9D508BB220DBB04AC5DF50

Uniqueness

Uniqueness Score: -1.00%

Function 03251240 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 194comCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0325125B
CoCreateInstance.OLE32(032793AC,00000000,00000001,032792DC,?), ref: 0325128D
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 032512E3
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0325131E
VariantInit.OLEAUT32(?), ref: 03251381
VariantClear.OLEAUT32(?), ref: 032513A7
_memmove.LIBCMT ref: 032513DA
VariantClear.OLEAUT32(?), ref: 032513E6

Strings

ROOT\CIMV2, xrefs: 032512B0
MSSMBios_RawSMBiosTables, xrefs: 03251333
ROOT\WMI, xrefs: 032512FC
SMBiosData, xrefs: 03251396

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Variant$BlanketClearProxy$CreateInitInitializeInstanceSecurity_memmove
String ID: MSSMBios_RawSMBiosTables$ROOT\CIMV2$ROOT\WMI$SMBiosData
API String ID: 3114937917-1648487413
Opcode ID: 724e277bd886cd9dd70b52eca1c7abb71a5b6946462aae3d184e7056e8df45e9
Instruction ID: 3e8bf81fb53190749b9a25d91f1160a3037acbb229215e60a28d108bfc4670b5
Opcode Fuzzy Hash: 724e277bd886cd9dd70b52eca1c7abb71a5b6946462aae3d184e7056e8df45e9
Instruction Fuzzy Hash: 6D515974A11229BFCF10DBA5C888EAFBB7CFF45B55B144455F915E7240C730AA81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00405EA0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406031,?,?), ref: 00405ED1
GetShortPathNameA.KERNEL32(?,004226B0,00000400), ref: 00405EDA

Part of subcall function 00405D2F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D3F
Part of subcall function 00405D2F: lstrlenA.KERNEL32(00000000,?,00000000,00405F8A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D71

GetShortPathNameA.KERNEL32(?,00422AB0,00000400), ref: 00405EF7
wsprintfA.USER32 ref: 00405F15
GetFileSize.KERNEL32(00000000,00000000,00422AB0,C0000000,00000004,00422AB0,?,?,?,?,?), ref: 00405F50
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F5F
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F97
SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,004222B0,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00405FED
GlobalFree.KERNEL32(00000000), ref: 00405FFE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406005

Part of subcall function 00405DCA: GetFileAttributesA.KERNEL32(00000003,00402F51,C:\Users\user\Desktop\etopt.exe,80000000,00000003,?,?,004036CC,?,?,00000008,0000000A,0000000C), ref: 00405DCE
Part of subcall function 00405DCA: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,004036CC,?,?,00000008,0000000A,0000000C), ref: 00405DF0

Strings

%s=%s, xrefs: 00405F0B
[Rename], xrefs: 00405F7F, 00405F91

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 255301d452020da7e95fbf41ca8b28a4200129436cea3cded063fc6883a810ba
Instruction ID: 2a6fe1f2f438491df2a6fca622c89684d26ac700b3e0fd579b62a2bd19172a30
Opcode Fuzzy Hash: 255301d452020da7e95fbf41ca8b28a4200129436cea3cded063fc6883a810ba
Instruction Fuzzy Hash: AB314831200B16BBD220AB61AD49F6B3A5CDF41718F15043BFA06F62C2DB7DD8018ABD

Uniqueness

Uniqueness Score: -1.00%

Function 03258D2A Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 93libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(advapi32,?,00000000,?), ref: 03258D46
LoadLibraryW.KERNEL32(advapi32), ref: 03258D57
GetProcAddress.KERNEL32(?,0327CB90), ref: 03258E0D
GetModuleHandleW.KERNEL32(ntdll), ref: 03258E25
LoadLibraryW.KERNEL32(ntdll), ref: 03258E32
GetProcAddress.KERNEL32(00000000,0327CBF4), ref: 03258E6F

Strings

ntdll, xrefs: 03258E1F, 03258E24, 03258E31
advapi32, xrefs: 03258D40, 03258D45, 03258D56
A_SHAUpdate, xrefs: 03258D7A
A_SHAInit, xrefs: 03258D75
A_SHAFinal, xrefs: 03258D84

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: A_SHAFinal$A_SHAInit$A_SHAUpdate$advapi32$ntdll
API String ID: 310444273-173408535
Opcode ID: 2b0220eb8e15ce14b214b4ca43b9c92a4bc6331f01ef3d18a4c1f865de026f9d
Instruction ID: 72bfcfd591af7463e6c265222c0279d4d9cef1dfd0421eba4c1c7b33c6ac798d
Opcode Fuzzy Hash: 2b0220eb8e15ce14b214b4ca43b9c92a4bc6331f01ef3d18a4c1f865de026f9d
Instruction Fuzzy Hash: 7E41F7B5D22329DFCB15EFA9984869DFBB5FF49214F11885DE805AB340CB704A85CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0325B3BB Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0325B3C2

Strings

/f"f, xrefs: 0325B40F
4f#f, xrefs: 0325B3DE
5f)f, xrefs: 0325B3C9
1f'f, xrefs: 0325B3D7
:f%f, xrefs: 0325B3E5
:fff, xrefs: 0325B416
f, xrefs: 0325B42B
:f%f, xrefs: 0325B401
f2f, xrefs: 0325B3D0
*f5f, xrefs: 0325B408

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: H_prolog3_
String ID: f2f$*f5f$/f"f$1f'f$4f#f$5f)f$:f%f$:f%f$:fff$f
API String ID: 2427045233-952141964
Opcode ID: 439ea9f165160dceb3ac4484248e49539604ec324302e028537d866e5d2dd2ae
Instruction ID: d5c4d75f7df5beee8476af8118f42219578c51c8296a09494576e00930256b8c
Opcode Fuzzy Hash: 439ea9f165160dceb3ac4484248e49539604ec324302e028537d866e5d2dd2ae
Instruction Fuzzy Hash: 3C1103B5C2022E9BCF10EFE6DC9179DFB78BF00304F558019E811BB250CBB84A829B90

Uniqueness

Uniqueness Score: -1.00%

Function 03257A4E Relevance: 18.1, APIs: 12, Instructions: 147COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03257ABA
_memset.LIBCMT ref: 03257ADF
_memset.LIBCMT ref: 03257B09
MD4Init.NTDLL(?), ref: 03257B24
MD4Update.NTDLL(?,?,?), ref: 03257B36
MD4Final.NTDLL(?), ref: 03257B41
MD5Init.NTDLL(?), ref: 03257B64
MD5Update.NTDLL(?,?,?), ref: 03257B79
MD5Final.NTDLL(?), ref: 03257B87
A_SHAInit.NTDLL(?), ref: 03257BAB
A_SHAUpdate.NTDLL(?,00000000,?), ref: 03257BC0
A_SHAFinal.NTDLL(?,00000000), ref: 03257BE5

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: FinalInitUpdate_memset
String ID:
API String ID: 1630851942-0
Opcode ID: 1b7b981623e594070d0c688c751b1d36bab83675ba61781e94bf9e690f9323b0
Instruction ID: b4e94d070bdcd71b78440aaa6db0f7b4a4f66a35460f0f2992dc53098b958169
Opcode Fuzzy Hash: 1b7b981623e594070d0c688c751b1d36bab83675ba61781e94bf9e690f9323b0
Instruction Fuzzy Hash: 55519472919745AFD721DFA8D848BCBB7E9AF89700F044C29FA84D7150D7B0D6488B93

Uniqueness

Uniqueness Score: -1.00%

Function 032611AD Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 96filetimeCOMMON

Download Yara Rule

APIs

Part of subcall function 03254678: _memset.LIBCMT ref: 032546AB
Part of subcall function 03254678: GetLocalTime.KERNEL32(?), ref: 032546BA
Part of subcall function 03254678: _sprintf.LIBCMT ref: 032546E1
Part of subcall function 03254678: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 03254724
Part of subcall function 03254678: CloseHandle.KERNEL32(00000000), ref: 03254730

GetTempPathW.KERNEL32(00000104,?,?,00000000), ref: 032611DD
wsprintfW.USER32 ref: 03261217
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 03261237
GetLocalTime.KERNEL32(?), ref: 0326124F
_sprintf.LIBCMT ref: 0326129A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 032612AD
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 032612CA
CloseHandle.KERNEL32(00000000), ref: 032612D1

Strings

Nvidia_Geforce_%u.log, xrefs: 03261211
%hu-%02hu-%02hu %02hu:%02hu:%02hu%u-%u-%u Loaded., xrefs: 03261294

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: File$CloseCreateHandleLocalTime_sprintf$PathPointerTempWrite_memsetwsprintf
String ID: %hu-%02hu-%02hu %02hu:%02hu:%02hu%u-%u-%u Loaded.$Nvidia_Geforce_%u.log
API String ID: 2875734321-3077253291
Opcode ID: 511791d041ecb45962a6d808857ddbcc104bb0665144e1d27e28941013bc65b7
Instruction ID: 7184492dd4464ae7ef854fbaae577036e24e7950efaa4575e7a0e8a28470c359
Opcode Fuzzy Hash: 511791d041ecb45962a6d808857ddbcc104bb0665144e1d27e28941013bc65b7
Instruction Fuzzy Hash: 733180B1910328AACB20DB69AC48FAAB7FCFF48714F008599F616E1080D77599D4CB24

Uniqueness

Uniqueness Score: -1.00%

Function 03253317 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 03253321

Part of subcall function 0325FF62: __EH_prolog3.LIBCMT ref: 0325FF69

_memset.LIBCMT ref: 03253365
_memset.LIBCMT ref: 0325337D

Strings

location, xrefs: 032532D1
inst, xrefs: 032533CA
query, xrefs: 032533B0
denyApps, xrefs: 0325323C
denyAppKey, xrefs: 032531F5
list<T> too long, xrefs: 0325330C
can, xrefs: 03253193

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memset$H_prolog3H_prolog3_
String ID: can$denyAppKey$denyApps$inst$list<T> too long$location$query
API String ID: 2557959752-4255518197
Opcode ID: 890997dadc35cbeb801d7aa802e3b5b6025ed763e1b661315135610562adcaba
Instruction ID: c6d4b3e5501113ea1243abb69c33c2f91b7954d4bb7ec4f270d0e7bccd0eda43
Opcode Fuzzy Hash: 890997dadc35cbeb801d7aa802e3b5b6025ed763e1b661315135610562adcaba
Instruction Fuzzy Hash: 0621AB36920259AFDB20DEB4CD40FDEB778AF14310F4445A6A619EB181EA749BC88B51

Uniqueness

Uniqueness Score: -1.00%

Function 6E8413D5 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,00000000,6E84146A,00000000,?,?,?,6E8416AB,?,00000000,?,00000000), ref: 6E8413E4
GetProcAddress.KERNEL32(00000000,ZwQuerySystemInformation), ref: 6E8413FD
GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 6E84140A
GetProcAddress.KERNEL32(00000000,NtQueryInformationThread), ref: 6E841417
GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 6E841424

Strings

NtQueryInformationProcess, xrefs: 6E8413FF
ntdll, xrefs: 6E8413DF
NtCreateThreadEx, xrefs: 6E841419
ZwQuerySystemInformation, xrefs: 6E8413F7
NtQueryInformationThread, xrefs: 6E84140C

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: NtCreateThreadEx$NtQueryInformationProcess$NtQueryInformationThread$ZwQuerySystemInformation$ntdll
API String ID: 667068680-3201133385
Opcode ID: 85b963390a8f73973072c5422996665efb3e1dec1179d305ea749f9310800f85
Instruction ID: 69eb6f14d813032fa7227fbc4f3c30645bf7f18beb3672cd47f8cd0216678eb6
Opcode Fuzzy Hash: 85b963390a8f73973072c5422996665efb3e1dec1179d305ea749f9310800f85
Instruction Fuzzy Hash: 26F01271812A1DE6CF617BF98988B5A7EB9E79A761F00582BA00892388E7744844CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 0325FB8E Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll,?,0325D9F5,?,?), ref: 0325FB9D
GetProcAddress.KERNEL32(00000000,ZwQuerySystemInformation), ref: 0325FBB6
GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 0325FBC3
GetProcAddress.KERNEL32(00000000,NtQueryInformationThread), ref: 0325FBD0
GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 0325FBDD

Strings

NtCreateThreadEx, xrefs: 0325FBD2
ntdll, xrefs: 0325FB98
NtQueryInformationThread, xrefs: 0325FBC5
NtQueryInformationProcess, xrefs: 0325FBB8
ZwQuerySystemInformation, xrefs: 0325FBB0

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: NtCreateThreadEx$NtQueryInformationProcess$NtQueryInformationThread$ZwQuerySystemInformation$ntdll
API String ID: 667068680-3201133385
Opcode ID: 8b49ec2790aac5bd34e994dee8075c2d1491d2cf74e14a9b4ea09c9ca68ace7b
Instruction ID: 96b58f45dd48948bfed4b4fbad727955a71e89d554eb9f72c1b229258141e76e
Opcode Fuzzy Hash: 8b49ec2790aac5bd34e994dee8075c2d1491d2cf74e14a9b4ea09c9ca68ace7b
Instruction Fuzzy Hash: 77F04F70962321EED710EF3AF90CB2A7AE8B741A11F06C82AB810D2548DBB540C1DF50

Uniqueness

Uniqueness Score: -1.00%

Function 03272E40 Relevance: 16.8, APIs: 11, Instructions: 264COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,?,?,?,?,03254A37,?,?,?,?), ref: 03272E51
SetLastError.KERNEL32(000000C1,?,?,?,?,?,03254A37,?,?,?,?), ref: 03272E71

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 6efab07242b5ca7fea8889460f031cb587dbe7062bc62b928d953b14f48a3776
Instruction ID: b758b71920bd4eef512fd5571894e60f06e5a1ab8c0a8a17b59aa08aab4c3e39
Opcode Fuzzy Hash: 6efab07242b5ca7fea8889460f031cb587dbe7062bc62b928d953b14f48a3776
Instruction Fuzzy Hash: 818113766243018FD724DF69EC88B6BB7E4FF88710F084829EA4AC7641E771E584CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03260836 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 152COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 032608FB
_memset.LIBCMT ref: 03260973
_swscanf.LIBCMT ref: 032609F5

Part of subcall function 03261FEE: GetModuleHandleW.KERNEL32(ntdll,00000000,03260BE6), ref: 03261FFE
Part of subcall function 03261FEE: LoadLibraryW.KERNEL32(ntdll), ref: 03262009
Part of subcall function 03261FEE: GetProcAddress.KERNEL32(00000000,NtWow64DebuggerCall), ref: 03262019

Part of subcall function 0325E236: RegQueryValueExW.ADVAPI32(80000001,000000A8,00000000,?,?,?,?,?,0325E4B0,?,000000A8,00000000,?,000000A8,?,00001000), ref: 0325E256

Strings

log_id, xrefs: 0326097B
Software\Baidu\BDLOG\%u, xrefs: 032608F5
cur_version, xrefs: 032608CF
%u-%u-%u-%u, xrefs: 032609D7
Software\Baidu\BDLOG, xrefs: 032608B3

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProcQueryValue_memset_swscanfwsprintf
String ID: %u-%u-%u-%u$Software\Baidu\BDLOG$Software\Baidu\BDLOG\%u$cur_version$log_id
API String ID: 416128342-318670487
Opcode ID: 59027af28485cda5d7b16805919f098131da12141575dcd060915efbc7ce3e3d
Instruction ID: fbad6a53484d99b549558663221c2a27564735e950bca9f8a97256c05b5b71cc
Opcode Fuzzy Hash: 59027af28485cda5d7b16805919f098131da12141575dcd060915efbc7ce3e3d
Instruction Fuzzy Hash: 28511DB5A2132D9BCB21DF54DC806DDB7B8AF48704F4485EAA618E7201D7B05FC98F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040537B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420100,00000000,0061CE90,00000000,?,?,?,?,?,?,?,?,?,00403278,00000000,?), ref: 004053B4
lstrlenA.KERNEL32(x2@,00420100,00000000,0061CE90,00000000,?,?,?,?,?,?,?,?,?,00403278,00000000), ref: 004053C4
lstrcatA.KERNEL32(00420100,0040A188,x2@,00420100,00000000,0061CE90,00000000), ref: 004053D7
SetWindowTextA.USER32(00420100,00420100), ref: 004053E9
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040540F
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405429
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405437

Strings

x2@, xrefs: 004053C1, 004053D3

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: x2@
API String ID: 2531174081-1041233179
Opcode ID: 732e91c08cd52420067877160c4b0cbc137f43ed40200d61547a8e6a48252c09
Instruction ID: 193261f56c6a094394ae9e4e1c0271684ed3008236e33968a4fc6aac2b1449fe
Opcode Fuzzy Hash: 732e91c08cd52420067877160c4b0cbc137f43ed40200d61547a8e6a48252c09
Instruction Fuzzy Hash: 3C218E71A00118BBDB11AF95DD80ADFBFB9EF05354F14807AF944A6291C7794E908F98

Uniqueness

Uniqueness Score: -1.00%

Function 0325BD0E Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 209COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0325BD18
_memset.LIBCMT ref: 0325BD41

Strings

client, xrefs: 0325BE2D
https://apis.juhe.cn/ip/Example/query.php, xrefs: 0325BDAB
Content-Type: application/x-www-form-urlencoded; charset=UTF-8, xrefs: 0325BD8F
result, xrefs: 0325BEAC
IP=, xrefs: 0325BD58

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: H_prolog3__memset
String ID: Content-Type: application/x-www-form-urlencoded; charset=UTF-8$IP=$client$https://apis.juhe.cn/ip/Example/query.php$result
API String ID: 3055368530-2142713558
Opcode ID: bbfe8abd52d4c5352a7cfdcbd55727e32a0b6cc35ed43e7f33cccc12b57760c2
Instruction ID: fcc384c38892a63390f80d926f1267b44820529db0fc91860ec9ebfcbc725b81
Opcode Fuzzy Hash: bbfe8abd52d4c5352a7cfdcbd55727e32a0b6cc35ed43e7f33cccc12b57760c2
Instruction Fuzzy Hash: 3C71B23292012A8FDF25DBA4C890BA9B7B5BB45300F4D81E9F949AB251DB705FC9CF50

Uniqueness

Uniqueness Score: -1.00%

Function 032534F9 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 142COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 03253503
_memset.LIBCMT ref: 03253549
_free.LIBCMT ref: 032536AD
_free.LIBCMT ref: 032536C5

Part of subcall function 03260726: _memmove.LIBCMT ref: 0326073F

Strings

inst, xrefs: 032536F0
app, xrefs: 03253706
uninst, xrefs: 032536E6, 03253705

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _free$H_prolog3__memmove_memset
String ID: app$inst$uninst
API String ID: 2499224747-1933297612
Opcode ID: a1a073be99bc16ff19f8dff149f1f862bf025f297d06463ab4798f70db8c0c0e
Instruction ID: 24b7e7b66c218b4ec2e3e3b88cbf2ea90a0c6f19d7f9c39b2686a66004f3a81c
Opcode Fuzzy Hash: a1a073be99bc16ff19f8dff149f1f862bf025f297d06463ab4798f70db8c0c0e
Instruction Fuzzy Hash: 6451F975D212589ACF20EF69DC88ADDBBB4BF48300F5045EAE909AB250DBB45BC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00406531 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(0000000C,*?|<>/":,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe",0040335D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365F,?,00000008,0000000A,0000000C), ref: 00406589
CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe",0040335D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365F,?,00000008,0000000A,0000000C), ref: 00406596
CharNextA.USER32(0000000C,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe",0040335D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365F,?,00000008,0000000A,0000000C), ref: 0040659B
CharPrevA.USER32(0000000C,0000000C,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe",0040335D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365F,?,00000008,0000000A,0000000C), ref: 004065AB

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406532
*?|<>/":, xrefs: 00406579
"C:\Users\user\Desktop\etopt.exe", xrefs: 00406531

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\etopt.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-833620832
Opcode ID: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
Instruction ID: de1a1bd6985ba7cac93a683545dd3366f3df86e074a0f8c4e154e93e0f99b948
Opcode Fuzzy Hash: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
Instruction Fuzzy Hash: D611B2618047913DEB3217286C44B777FD98F567A0F1A007BE4C6722CAC67C5D62936D

Uniqueness

Uniqueness Score: -1.00%

Function 0325BBC1 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0325BBF3
__wcsnicmp.LIBCMT ref: 0325BC0F
__wcsnicmp.LIBCMT ref: 0325BC2B
_memmove.LIBCMT ref: 0325BC50

Strings

Vmware, xrefs: 0325BBEB
Loopback, xrefs: 0325BC23
Bluetooth, xrefs: 0325BC07

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: __wcsnicmp$_memmove
String ID: Bluetooth$Loopback$Vmware
API String ID: 1417415642-2046804252
Opcode ID: 36a66be975361d87111981ff069fbfa437e4d7580433ff742150151d24cef090
Instruction ID: 4feec502de405ecb42a2252c40b5847b52359ae8db1ff07377d73a69f6b8ac33
Opcode Fuzzy Hash: 36a66be975361d87111981ff069fbfa437e4d7580433ff742150151d24cef090
Instruction Fuzzy Hash: A5112737A207067ED720CA29CD41F46FBA9BF50652F0C8025FC4A959A1EBB0E6E0C684

Uniqueness

Uniqueness Score: -1.00%

Function 03258EB4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 03258ED6
__wcsnicmp.LIBCMT ref: 03258EEC
__wcsnicmp.LIBCMT ref: 03258F02

Part of subcall function 0326325B: __wcsnicmp_l.LIBCMT ref: 032632EE

_memmove.LIBCMT ref: 03258F25

Strings

Vmware, xrefs: 03258ECE
Loopback, xrefs: 03258EFA
Bluetooth, xrefs: 03258EE4

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: __wcsnicmp$__wcsnicmp_l_memmove
String ID: Bluetooth$Loopback$Vmware
API String ID: 3256463596-2046804252
Opcode ID: ec0976488b7d0279db9c5fffecc69692a6070520709598f07c6025343bf4a16c
Instruction ID: 0afa8f8f72a7c760ae442a4e922bcb683cdf9cc7637f4b9bedd8e8d2a0e99976
Opcode Fuzzy Hash: ec0976488b7d0279db9c5fffecc69692a6070520709598f07c6025343bf4a16c
Instruction Fuzzy Hash: 0C010437730B02AAD220D612DD41B13F3AAFF64694F884020FD05D5851EBF1EAE185A0

Uniqueness

Uniqueness Score: -1.00%

Function 03261A89 Relevance: 12.2, APIs: 8, Instructions: 166networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0325DCC6: GetModuleHandleW.KERNEL32(WS2_32), ref: 0325DCEE
Part of subcall function 0325DCC6: LoadLibraryW.KERNEL32(WS2_32), ref: 0325DCFB

gethostbyname.WS2_32(00000099), ref: 03261AFE
socket.WS2_32(00000002,00000002,00000011), ref: 03261B4E
sendto.WS2_32(?,?,00000005,00000000,?), ref: 03261B9F
_memset.LIBCMT ref: 03261BD5
select.WS2_32(00000000,?,00000000,00000000,?), ref: 03261BFA
recvfrom.WS2_32(?,?,00001063,00000000,?,?), ref: 03261C2F
_memmove.LIBCMT ref: 03261C8F
closesocket.WS2_32(?), ref: 03261CAB

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: HandleLibraryLoadModule_memmove_memsetclosesocketgethostbynamerecvfromselectsendtosocket
String ID:
API String ID: 2536953502-0
Opcode ID: 3366a5baf737004c705b68584594f981468329d3214246d77942c24ae3ab3ede
Instruction ID: 70070b84e1f7785cc3c42488cf349b31e5c4ac5fb027f6a1b77ff41a1855e502
Opcode Fuzzy Hash: 3366a5baf737004c705b68584594f981468329d3214246d77942c24ae3ab3ede
Instruction Fuzzy Hash: 4551D575D112689EEB24CF64DC859EEBBB8EF09300F4445EAE689E7141D3B0AEC48F51

Uniqueness

Uniqueness Score: -1.00%

Function 0040433E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 0040435B
GetSysColor.USER32(00000000), ref: 00404399
SetTextColor.GDI32(?,00000000), ref: 004043A5
SetBkMode.GDI32(?,?), ref: 004043B1
GetSysColor.USER32(?), ref: 004043C4
SetBkColor.GDI32(?,?), ref: 004043D4
DeleteObject.GDI32(?), ref: 004043EE
CreateBrushIndirect.GDI32(?), ref: 004043F8

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
Instruction ID: f3d2caa253efee0c6ff3f86a8ce28c187c830c83fbdbf526c21f43bf9a6a529c
Opcode Fuzzy Hash: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
Instruction Fuzzy Hash: 662177B15007049FC730DF78DA08B57BBF8AF41714B05893DE996A26E1D734E954CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0325372B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 03253735
_memset.LIBCMT ref: 0325377B
_free.LIBCMT ref: 032538B7
_free.LIBCMT ref: 032538CF

Part of subcall function 03260726: _memmove.LIBCMT ref: 0326073F

Strings

app, xrefs: 03253905
active, xrefs: 03253900

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _free$H_prolog3__memmove_memset
String ID: active$app
API String ID: 2499224747-463711056
Opcode ID: ddbb1648585c1a0cb31a1ad5e8a16f51a6ee402d20136cf122df665ec923da6e
Instruction ID: d7f9180799d48317401466ae51d4053a1220e1426bd7e61b196fa15269aaebd5
Opcode Fuzzy Hash: ddbb1648585c1a0cb31a1ad5e8a16f51a6ee402d20136cf122df665ec923da6e
Instruction Fuzzy Hash: 9A51D675D252289ADF21EF69DC88ADDBBB4BF08300F5041AAE409BB250D7B55BC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03252F9B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 03252FA5
_memset.LIBCMT ref: 03252FEB
_free.LIBCMT ref: 032530FF
_free.LIBCMT ref: 03253117

Strings

inst, xrefs: 03253148
query, xrefs: 0325314D

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _free$H_prolog3__memset
String ID: inst$query
API String ID: 2225430737-511933031
Opcode ID: c309f7b390fbb366b9821be5631bee47523eeb4490069ae09fbbcc19f79f04dc
Instruction ID: 2de36630872538387362ed331e0d9fd39905b4b675c9eca936ad6955d249859a
Opcode Fuzzy Hash: c309f7b390fbb366b9821be5631bee47523eeb4490069ae09fbbcc19f79f04dc
Instruction Fuzzy Hash: 8D51D276C152589ADF20EFA9DC88ADDBBB4AF08300F5041EAE508BB250DAB15AC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03263A49 Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 03263A6E
__calloc_crt.LIBCMT ref: 03263A7A
__getptd.LIBCMT ref: 03263A87
CreateThread.KERNEL32(?,?,032639E4,00000000,?,?), ref: 03263ABE
GetLastError.KERNEL32(?,?,?,?,0325636B,00000000,00000000,03256793,032818A4,00000000,032818A8,03254AE5), ref: 03263AC8
_free.LIBCMT ref: 03263AD1
__dosmaperr.LIBCMT ref: 03263ADC

Part of subcall function 0326491D: __getptd_noexit.LIBCMT ref: 0326491D

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: 87e63677d3d013d31b6262ec963945e728aad29a06f625f28ead3fc51d1e1465
Instruction ID: 47979ab007e9da0d9e2786d68cecea744521aad18e294da1f0ba6f0c4355c2b8
Opcode Fuzzy Hash: 87e63677d3d013d31b6262ec963945e728aad29a06f625f28ead3fc51d1e1465
Instruction Fuzzy Hash: 5911E53A225706AFDB11FFA6EC4499F77D8EF44364B100015FA548B150DBB1D8C19AA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E8410D7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6E8410FC

Part of subcall function 6E841000: lstrcpynA.KERNEL32(00000000,00000004,00000000,00000000,?,6E8411A3,00000000), ref: 6E841023
Part of subcall function 6E841000: GlobalFree.KERNEL32(00000000), ref: 6E841033

lstrcmpiA.KERNEL32(00000000,true), ref: 6E841130

Strings

true, xrefs: 6E841124
false, xrefs: 6E84113A

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: FreeGlobal_memsetlstrcmpilstrcpyn
String ID: false$true
API String ID: 1330358205-2658103896
Opcode ID: e0e54a732efee6dd6e88a6890345956b18c766b94a71515032d112b326afcb11
Instruction ID: bf75dbb55a4384f6d8868ecf46a5f1f25c14c4b23d2cf142a887cd5f67d82d58
Opcode Fuzzy Hash: e0e54a732efee6dd6e88a6890345956b18c766b94a71515032d112b326afcb11
Instruction Fuzzy Hash: ED01D87090421EEBDF11DBF58E01FCA77ECEF05648F004CA2AA48D7181EA35DA1D8B61

Uniqueness

Uniqueness Score: -1.00%

Function 00404C2A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404C45
GetMessagePos.USER32 ref: 00404C4D
ScreenToClient.USER32(?,?), ref: 00404C67
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404C79
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404C9F

Strings

f, xrefs: 00404C7B

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fbe7a9a9d251da3c9c448e6b1369ef84c2200939816a620fb3ee489aa4668e2c
Instruction ID: 02d38ff014d9bca29b63da83eca387977c8340b2ea73bb7955faa23d0bd024be
Opcode Fuzzy Hash: fbe7a9a9d251da3c9c448e6b1369ef84c2200939816a620fb3ee489aa4668e2c
Instruction Fuzzy Hash: A5015E71900219BAEB00DBA4DD85FFFBBBCAF55721F10012BBA40B61D0C7B899458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402E2A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E45
MulDiv.KERNEL32(004556F8,00000064,004556FC), ref: 00402E70
wsprintfA.USER32 ref: 00402E80
SetWindowTextA.USER32(?,?), ref: 00402E90
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402EA2

Strings

verifying installer: %d%%, xrefs: 00402E7A

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 28c4548f622da75b34f4b00d5fa0069a4700956d7e1aa93142aee228208de263
Instruction ID: 89356783a841f8c11df1cea2370ec9b2ce3557e18fed09aa54f77677c3c625b5
Opcode Fuzzy Hash: 28c4548f622da75b34f4b00d5fa0069a4700956d7e1aa93142aee228208de263
Instruction Fuzzy Hash: 20016270640208FBEF10AF60DD09EEE37A9AB00745F008039FA02B51E0DBB89956CF99

Uniqueness

Uniqueness Score: -1.00%

Function 6E8429B4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6E849418,00000008,6E842ABC,00000000,00000000,?,6E8418DC,00000001,?,00000000), ref: 6E8429C5
__lock.LIBCMT ref: 6E8429F9

Part of subcall function 6E8448DB: __mtinitlocknum.LIBCMT ref: 6E8448F1
Part of subcall function 6E8448DB: __amsg_exit.LIBCMT ref: 6E8448FD
Part of subcall function 6E8448DB: EnterCriticalSection.KERNEL32(6E8418DC,6E8418DC,?,6E8429FE,0000000D,?,6E8418DC,00000001,?,00000000), ref: 6E844905

InterlockedIncrement.KERNEL32(74C08508), ref: 6E842A06
__lock.LIBCMT ref: 6E842A1A
___addlocaleref.LIBCMT ref: 6E842A38

Strings

KERNEL32.DLL, xrefs: 6E8429C0

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: bc43b4d381296f02cfe521740c72856eda1533f568c39304820a502bc11c044f
Instruction ID: c2151dd72853f3ded79de4aa8d0fd0f693c122e29a14240bb6310199f38fd493
Opcode Fuzzy Hash: bc43b4d381296f02cfe521740c72856eda1533f568c39304820a502bc11c044f
Instruction Fuzzy Hash: C7018B71445B08DBD720DFA9C804389FBE4EF80324F108D0AD5A9977E0DB74A645CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E827B7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6E830FE0,00000008,6E827C86,00000000,00000000,?,6E8265B1,?,?), ref: 6E827B8F
__lock.LIBCMT ref: 6E827BC3

Part of subcall function 6E829FE1: __mtinitlocknum.LIBCMT ref: 6E829FF7
Part of subcall function 6E829FE1: __amsg_exit.LIBCMT ref: 6E82A003
Part of subcall function 6E829FE1: EnterCriticalSection.KERNEL32(6E8265B1,6E8265B1,?,6E827BC8,0000000D,?,6E8265B1,?,?), ref: 6E82A00B

InterlockedIncrement.KERNEL32(CCCCCCCC), ref: 6E827BD0
__lock.LIBCMT ref: 6E827BE4
___addlocaleref.LIBCMT ref: 6E827C02

Strings

KERNEL32.DLL, xrefs: 6E827B8A

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 6eebe368def4b6f80c8e5226231fafc4c2be82c68ec2d563743b480b8bfc9ad9
Instruction ID: 2308becf53a7b5f472ac530ae352221423ec9e1542ebc30409545ea37495d3b8
Opcode Fuzzy Hash: 6eebe368def4b6f80c8e5226231fafc4c2be82c68ec2d563743b480b8bfc9ad9
Instruction Fuzzy Hash: 81015BB1804B009FDB208FBAC504789BBE4AF10724F108D5ED4995A3E0CB75A585CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03264D34 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0327E1E0,00000008,03264E3C,00000000,00000000,?,0326B6E0,00000000,00000001,00000000,?,0326D017,00000018,0327E2F0,0000000C), ref: 03264D45
__lock.LIBCMT ref: 03264D79

Part of subcall function 0326D08C: __mtinitlocknum.LIBCMT ref: 0326D0A2
Part of subcall function 0326D08C: __amsg_exit.LIBCMT ref: 0326D0AE
Part of subcall function 0326D08C: EnterCriticalSection.KERNEL32(00000000,00000000,?,03264F0C,0000000D,0327E208,00000008,03265003,00000000,?,03264078,00000000,0327E180,00000008,032640DD,?), ref: 0326D0B6

InterlockedIncrement.KERNEL32(?), ref: 03264D86
__lock.LIBCMT ref: 03264D9A
___addlocaleref.LIBCMT ref: 03264DB8

Strings

KERNEL32.DLL, xrefs: 03264D40

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 39f9f9a122bd7a0f800f5649b3da859d1e6a94d39bd9a194f0fe58d004b6e437
Instruction ID: 0d9ca963f572629c636b24a7ac60132b63ed451b35a184c7be99186f144076f6
Opcode Fuzzy Hash: 39f9f9a122bd7a0f800f5649b3da859d1e6a94d39bd9a194f0fe58d004b6e437
Instruction Fuzzy Hash: B7015B75951B00EFD720EF66D40974ABBF0BF00325F10890ED4D59A7A0CBB0AAC4CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1000ACDF Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,10014600,00000008,1000ADE7,00000000,00000000,?,10008E4C,?,?), ref: 1000ACF0
__lock.LIBCMT ref: 1000AD24

Part of subcall function 1000BF7D: __mtinitlocknum.LIBCMT ref: 1000BF93
Part of subcall function 1000BF7D: __amsg_exit.LIBCMT ref: 1000BF9F
Part of subcall function 1000BF7D: EnterCriticalSection.KERNEL32(10008E4C,10008E4C,?,1000AD29,0000000D,?,10008E4C,?,?), ref: 1000BFA7

InterlockedIncrement.KERNEL32(A4358B56), ref: 1000AD31
__lock.LIBCMT ref: 1000AD45
___addlocaleref.LIBCMT ref: 1000AD63

Strings

KERNEL32.DLL, xrefs: 1000ACEB

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: c2ea0553ca30b8ee392e4d74dff17151f42a26a334473b8f81abdd431c3b5b93
Instruction ID: 7c32f7c713b2df0d6431340e09d0f7eb236c956cea4b01d75017c7c8216770fe
Opcode Fuzzy Hash: c2ea0553ca30b8ee392e4d74dff17151f42a26a334473b8f81abdd431c3b5b93
Instruction Fuzzy Hash: F8018B79804B40AEE321CF65CC0574ABBE0EF05361F10860EE4965B6A0CBB4B684CF11

Uniqueness

Uniqueness Score: -1.00%

Function 032639E4 Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 032639EA

Part of subcall function 03264CA6: TlsGetValue.KERNEL32(00000000,03264DFF,?,0326B6E0,00000000,00000001,00000000,?,0326D017,00000018,0327E2F0,0000000C,0326D0A7,00000000,00000000), ref: 03264CAF
Part of subcall function 03264CA6: TlsSetValue.KERNEL32(00000000,?,0326B6E0,00000000,00000001,00000000,?,0326D017,00000018,0327E2F0,0000000C,0326D0A7,00000000,00000000,?,03264F0C), ref: 03264CD0

___fls_getvalue@4.LIBCMT ref: 032639F5

Part of subcall function 03264C86: TlsGetValue.KERNEL32(?,?,032639FA,00000000), ref: 03264C94

___fls_setvalue@8.LIBCMT ref: 03263A08
GetLastError.KERNEL32(00000000,?,00000000), ref: 03263A11
ExitThread.KERNEL32 ref: 03263A18
GetCurrentThreadId.KERNEL32 ref: 03263A1E
__freefls@4.LIBCMT ref: 03263A3E

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 259663610-0
Opcode ID: 5be626a70919cb151731128e32786818966ca7b025928b739a39fec1ebc85293
Instruction ID: 7ac2318333c4733d97ae619da3b85e50e693dea9147e962576d090490b70e62c
Opcode Fuzzy Hash: 5be626a70919cb151731128e32786818966ca7b025928b739a39fec1ebc85293
Instruction Fuzzy Hash: 38F0677C520700AFCB04FFB2D948C0E7BA9AF892503248458EA85DB321DB75D8C2CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E82BFD6 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E82BFF7

Part of subcall function 6E827CAB: __getptd_noexit.LIBCMT ref: 6E827CAE
Part of subcall function 6E827CAB: __amsg_exit.LIBCMT ref: 6E827CBB

__getptd.LIBCMT ref: 6E82C008
__getptd.LIBCMT ref: 6E82C016

Strings

MOC, xrefs: 6E82BFE9
RCC, xrefs: 6E82BFE2
csm, xrefs: 6E82BFF0

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 6a2129aa055bec7a9ad979a1b8d3e62ac3636eb4cd8746133f974c0e2a5b7d6c
Instruction ID: 6ec6b41499234b21b3564f55e52ae544ddd0fa090dd45fa3384874d20d7a707f
Opcode Fuzzy Hash: 6a2129aa055bec7a9ad979a1b8d3e62ac3636eb4cd8746133f974c0e2a5b7d6c
Instruction Fuzzy Hash: C4E01A305142088FC7109FE9C145BA832E8BF48319F160DB2D40DCF2A3C729E8D489C7

Uniqueness

Uniqueness Score: -1.00%

Function 03273801 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 03273822

Part of subcall function 03264E61: __getptd_noexit.LIBCMT ref: 03264E64
Part of subcall function 03264E61: __amsg_exit.LIBCMT ref: 03264E71

__getptd.LIBCMT ref: 03273833
__getptd.LIBCMT ref: 03273841

Strings

MOC, xrefs: 03273814
csm, xrefs: 0327381B
RCC, xrefs: 0327380D

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 032fda426a85116dfb61e8fd30bfad0229bd04db95874c6453da34c5aa0d14d8
Instruction ID: 45d993b5c5a36fad64e4b526ed170972600050a25083dea9f4908fafc1ac1743
Opcode Fuzzy Hash: 032fda426a85116dfb61e8fd30bfad0229bd04db95874c6453da34c5aa0d14d8
Instruction Fuzzy Hash: 85E012381302048EC720EBA9D04A76C76A8FFC4214F1944A1D58DCB622C7B4E4D099C2

Uniqueness

Uniqueness Score: -1.00%

Function 1000EA7B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 1000EA9C

Part of subcall function 1000AE0C: __getptd_noexit.LIBCMT ref: 1000AE0F
Part of subcall function 1000AE0C: __amsg_exit.LIBCMT ref: 1000AE1C

__getptd.LIBCMT ref: 1000EAAD
__getptd.LIBCMT ref: 1000EABB

Strings

MOC, xrefs: 1000EA8E
csm, xrefs: 1000EA95
RCC, xrefs: 1000EA87

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 0ed365206a313fce9d43dd6e83f32896edfac7a21f7c29c61925c1b1f00026d2
Instruction ID: 9b2c66d07e88ef9ab9507a3ad682c1f493f29ffbe3f3741c90d77626f8a893eb
Opcode Fuzzy Hash: 0ed365206a313fce9d43dd6e83f32896edfac7a21f7c29c61925c1b1f00026d2
Instruction Fuzzy Hash: C5E0ED346002888FE710DB64C046B5833D5FF8A794F2A42A1E80D8762AC764BC908A83

Uniqueness

Uniqueness Score: -1.00%

Function 6E8414DF Relevance: 9.1, APIs: 6, Instructions: 65stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000004), ref: 6E841526
GlobalAlloc.KERNEL32(00000040,00000001), ref: 6E841534
lstrcpyA.KERNEL32(00000000,00000004), ref: 6E84153F
GlobalFree.KERNEL32(00000000), ref: 6E841550
RtlComputeCrc32.NTDLL(?,00000000,00000000), ref: 6E84157F
GlobalFree.KERNEL32(00000000), ref: 6E841588

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: Global$Free$AllocComputeCrc32lstrcpylstrlen
String ID:
API String ID: 3368281215-0
Opcode ID: 4c7d1af5333538aeb3f065dc3f405b4da9dc859d8a56ad07f18d734aba7915d9
Instruction ID: f9578be0e22c92b63529b54dfa17bf61fc945b7c8d39afb80ca6c469687e473c
Opcode Fuzzy Hash: 4c7d1af5333538aeb3f065dc3f405b4da9dc859d8a56ad07f18d734aba7915d9
Instruction Fuzzy Hash: D4214776501B19DFCB02EFEAC8849AE77E8FB4A7607014816FA29E7244D7309814CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E82C283 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6E82C2AB

Part of subcall function 6E82BD09: __getptd.LIBCMT ref: 6E82BD17
Part of subcall function 6E82BD09: __getptd.LIBCMT ref: 6E82BD25

__getptd.LIBCMT ref: 6E82C2B5

Part of subcall function 6E827CAB: __getptd_noexit.LIBCMT ref: 6E827CAE
Part of subcall function 6E827CAB: __amsg_exit.LIBCMT ref: 6E827CBB

__getptd.LIBCMT ref: 6E82C2C3
__getptd.LIBCMT ref: 6E82C2D1
__getptd.LIBCMT ref: 6E82C2DC
_CallCatchBlock2.LIBCMT ref: 6E82C302

Part of subcall function 6E82BDAE: __CallSettingFrame@12.LIBCMT ref: 6E82BDFA

Part of subcall function 6E82C3A9: __getptd.LIBCMT ref: 6E82C3B8
Part of subcall function 6E82C3A9: __getptd.LIBCMT ref: 6E82C3C6

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 987376a59d0cb136a25b2197a11dcc18091cbb636e2c9a49ffd8fe75f5ccc733
Instruction ID: a6da3947a8cb4409c2a440c5749f0bbc36303a89bac1ef1dad41ae5a3ccd5bc5
Opcode Fuzzy Hash: 987376a59d0cb136a25b2197a11dcc18091cbb636e2c9a49ffd8fe75f5ccc733
Instruction Fuzzy Hash: 7011C6B1C10209DFDF00DFE9D484AED7BB4FF08319F108869E855AB250DB399A559B94

Uniqueness

Uniqueness Score: -1.00%

Function 03273AAE Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 03273AD6

Part of subcall function 032734B9: __getptd.LIBCMT ref: 032734C7
Part of subcall function 032734B9: __getptd.LIBCMT ref: 032734D5

__getptd.LIBCMT ref: 03273AE0

Part of subcall function 03264E61: __getptd_noexit.LIBCMT ref: 03264E64
Part of subcall function 03264E61: __amsg_exit.LIBCMT ref: 03264E71

__getptd.LIBCMT ref: 03273AEE
__getptd.LIBCMT ref: 03273AFC
__getptd.LIBCMT ref: 03273B07
_CallCatchBlock2.LIBCMT ref: 03273B2D

Part of subcall function 0327355E: __CallSettingFrame@12.LIBCMT ref: 032735AA

Part of subcall function 03273BD4: __getptd.LIBCMT ref: 03273BE3
Part of subcall function 03273BD4: __getptd.LIBCMT ref: 03273BF1

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: cbc4cacc85c4e528284d85a08b2057412cc17f1470ace59498cfa6980ff96f24
Instruction ID: 6c98584b6043226827b59b7d65aa014e3f071c66c03bb6c361b4b0e9a6aa8865
Opcode Fuzzy Hash: cbc4cacc85c4e528284d85a08b2057412cc17f1470ace59498cfa6980ff96f24
Instruction Fuzzy Hash: AD112B79C20309DFDF01EFA5C444AEDBBB0FF08310F108069E954AB251DBB89A919F90

Uniqueness

Uniqueness Score: -1.00%

Function 1000ED28 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 1000ED50

Part of subcall function 1000E823: __getptd.LIBCMT ref: 1000E831
Part of subcall function 1000E823: __getptd.LIBCMT ref: 1000E83F

__getptd.LIBCMT ref: 1000ED5A

Part of subcall function 1000AE0C: __getptd_noexit.LIBCMT ref: 1000AE0F
Part of subcall function 1000AE0C: __amsg_exit.LIBCMT ref: 1000AE1C

__getptd.LIBCMT ref: 1000ED68
__getptd.LIBCMT ref: 1000ED76
__getptd.LIBCMT ref: 1000ED81
_CallCatchBlock2.LIBCMT ref: 1000EDA7

Part of subcall function 1000E8C8: __CallSettingFrame@12.LIBCMT ref: 1000E914

Part of subcall function 1000EE4E: __getptd.LIBCMT ref: 1000EE5D
Part of subcall function 1000EE4E: __getptd.LIBCMT ref: 1000EE6B

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 265c515ab8fdafb5923c3bcc5ee8db72f8085dacb976cd359d9e54b5da2689fb
Instruction ID: 0bd586ea62b9dce6247b48ef45cd0f97089bcccd1e3252310bcb2903d2df7163
Opcode Fuzzy Hash: 265c515ab8fdafb5923c3bcc5ee8db72f8085dacb976cd359d9e54b5da2689fb
Instruction Fuzzy Hash: DA1119B5C00249DFEF00DFA4C845ADE7BB0FF44354F108169F814AB255DB78AA909F94

Uniqueness

Uniqueness Score: -1.00%

Function 6E842137 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E842143

Part of subcall function 6E842AE1: __getptd_noexit.LIBCMT ref: 6E842AE4
Part of subcall function 6E842AE1: __amsg_exit.LIBCMT ref: 6E842AF1

__amsg_exit.LIBCMT ref: 6E842163
__lock.LIBCMT ref: 6E842173
InterlockedDecrement.KERNEL32(?), ref: 6E842190
_free.LIBCMT ref: 6E8421A3
InterlockedIncrement.KERNEL32(03041680), ref: 6E8421BB

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 3e97985bcd4d9733375c899ac8dc632d81657f0486cd0be2a008b72832960f67
Instruction ID: ee8a8779c0e84040736e289fda0d3d5c82ccb7c3422f424ccdb65fb874a07ec1
Opcode Fuzzy Hash: 3e97985bcd4d9733375c899ac8dc632d81657f0486cd0be2a008b72832960f67
Instruction Fuzzy Hash: AD01AD75949B2EDBEB41ABE8840478EB3A4FB41714F000D59DD14EB2C0D728A881CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 6E827301 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E82730D

Part of subcall function 6E827CAB: __getptd_noexit.LIBCMT ref: 6E827CAE
Part of subcall function 6E827CAB: __amsg_exit.LIBCMT ref: 6E827CBB

__amsg_exit.LIBCMT ref: 6E82732D
__lock.LIBCMT ref: 6E82733D
InterlockedDecrement.KERNEL32(?), ref: 6E82735A
_free.LIBCMT ref: 6E82736D
InterlockedIncrement.KERNEL32(03301680), ref: 6E827385

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: de74cf8ecb6c7c32c3315dcb86012ee8886668a93d614d215b2ae3b3c706acd5
Instruction ID: 866d4b2d3a83d67275ae1b03ac933d78bd9aff0aa9ea5c3d82e2463ccb3e1762
Opcode Fuzzy Hash: de74cf8ecb6c7c32c3315dcb86012ee8886668a93d614d215b2ae3b3c706acd5
Instruction Fuzzy Hash: 8C01C031900A22EFDB509FEAD44878D7760BF01714F808D29EC14AB2D0CB3A99D2CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 03266629 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 03266635

Part of subcall function 03264E61: __getptd_noexit.LIBCMT ref: 03264E64
Part of subcall function 03264E61: __amsg_exit.LIBCMT ref: 03264E71

__amsg_exit.LIBCMT ref: 03266655
__lock.LIBCMT ref: 03266665
InterlockedDecrement.KERNEL32(?), ref: 03266682
_free.LIBCMT ref: 03266695
InterlockedIncrement.KERNEL32(032B1680), ref: 032666AD

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 16f3a5e685f5bf155e3a74cac45e5e859881ecc126cd0ad2612acb4dd34562d8
Instruction ID: b807612a402feba9cbc44c80f2d7f8e96f8cbce7fb5cb82df48ef6cabceffd2b
Opcode Fuzzy Hash: 16f3a5e685f5bf155e3a74cac45e5e859881ecc126cd0ad2612acb4dd34562d8
Instruction Fuzzy Hash: 2C019635922722ABD721FF65B54875EB760BF44B10F188145E800AB294C7B869C1CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 1000A462 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 1000A46E

Part of subcall function 1000AE0C: __getptd_noexit.LIBCMT ref: 1000AE0F
Part of subcall function 1000AE0C: __amsg_exit.LIBCMT ref: 1000AE1C

__amsg_exit.LIBCMT ref: 1000A48E
__lock.LIBCMT ref: 1000A49E
InterlockedDecrement.KERNEL32(?), ref: 1000A4BB
_free.LIBCMT ref: 1000A4CE
InterlockedIncrement.KERNEL32(036F1680), ref: 1000A4E6

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: b11bee68bda0f5b5b240daebbc916aa2f67129327d76d6a7378f8176986a6d25
Instruction ID: 79af99b7cf1421b3431eced2637b86ee132113610dbaef1a4b5e230efaf47888
Opcode Fuzzy Hash: b11bee68bda0f5b5b240daebbc916aa2f67129327d76d6a7378f8176986a6d25
Instruction Fuzzy Hash: E6016139D017219BF742DB248C8974E77A0FF867D0F128259E8006729ACBB8A9C1DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0325C999 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0325C9F6
_wcschr.LIBCMT ref: 0325CA79
_wcsrchr.LIBCMT ref: 0325CAB7

Strings

://, xrefs: 0325CA51
mailto:, xrefs: 0325C9F0

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: __wcsnicmp_wcschr_wcsrchr
String ID: ://$mailto:
API String ID: 1469043303-2229934588
Opcode ID: 7401166e53365c57062572c64f1e4dc7fe441495fa7d977fbb3d1906ecebc302
Instruction ID: 1d6c0c9bc8dc8d9a82bf32029cbe2d449feff457ddd8f2a885dab149fe91cb12
Opcode Fuzzy Hash: 7401166e53365c57062572c64f1e4dc7fe441495fa7d977fbb3d1906ecebc302
Instruction Fuzzy Hash: D451B1B5A607238ADF34DE38889523AB7A8EF40651B58456EFD839B5C0FBB0D6C18650

Uniqueness

Uniqueness Score: -1.00%

Function 0325E035 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 123registryCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 0325E165
RegSetValueExW.ADVAPI32(?,000000A8,00000000,00000003,00000002,A8CDA8C5,80000001,?), ref: 0325E1C2
__time64.LIBCMT ref: 0325E1C9
RegSetValueExW.ADVAPI32(?,000000A8,00000000,00000004,?,00000004), ref: 0325E1FE

Part of subcall function 032601BE: RegCloseKey.KERNEL32(?,032600AC,?,?,?,?,0325E3E8,80000001), ref: 032601C7

Strings

%s\%u, xrefs: 0325E15F

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Value$Close__time64wsprintf
String ID: %s\%u
API String ID: 2916993801-464771739
Opcode ID: 883a7a9d7582b0f5dbc8688486fc4938c17fe6b634a57dc7f72c6d7c3e1e8e7e
Instruction ID: 00bcb913b73b970ac5e9ffe3846625bac9500b5525372d058799754113ee5e80
Opcode Fuzzy Hash: 883a7a9d7582b0f5dbc8688486fc4938c17fe6b634a57dc7f72c6d7c3e1e8e7e
Instruction Fuzzy Hash: 475159B1C20319AAEF20DFADE8485EDBB75BF00710F208599E854BB608D7704A97CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0325CB92 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0325CBE4
_memmove.LIBCMT ref: 0325CC14
_memmove.LIBCMT ref: 0325CC49
_swscanf.LIBCMT ref: 0325CC7A

Strings

%hu, xrefs: 0325CC74

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memmove$_swscanf
String ID: %hu
API String ID: 340315987-1284258053
Opcode ID: 27b54ea3c739159551989ab0b541d9968f8ef22cfeaca5abae6bccfff81a822e
Instruction ID: 7bea9c9fbfb441d5aa065b4012c3bbedbfb46e0c1cae8089325fe105a1c24783
Opcode Fuzzy Hash: 27b54ea3c739159551989ab0b541d9968f8ef22cfeaca5abae6bccfff81a822e
Instruction Fuzzy Hash: B8312D353203169BDB25DF69D880A6BB3E8BF44B45B44442DFC4ACB260FB70EA95CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00404B20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420920,00420920,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A3B,000000DF,00000000,00000400,?), ref: 00404BBE
wsprintfA.USER32 ref: 00404BC6
SetDlgItemTextA.USER32(?,00420920), ref: 00404BD9

Strings

B, xrefs: 00404BB0
%u.%u%s%s, xrefs: 00404BA8

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: B$%u.%u%s%s
API String ID: 3540041739-3700600037
Opcode ID: f5c0fb7cd2ccb68c948dc1e6a7dc71071cb200291adab78a08e3f59663db4ef1
Instruction ID: 2097dda61dbfb34d62a788ce0216486465dff842daca956433ca403a3f4dd3e0
Opcode Fuzzy Hash: f5c0fb7cd2ccb68c948dc1e6a7dc71071cb200291adab78a08e3f59663db4ef1
Instruction Fuzzy Hash: 3611B773A041286BDB00656D9C46FAE3298DB85374F25023BFA26F71D1E978DC5242E8

Uniqueness

Uniqueness Score: -1.00%

Function 032602C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll,?,?,?,?,?,?,?,?,?,00000230,03254058,?), ref: 032602D6
LoadLibraryW.KERNEL32(ntdll,?,?,?,?,?,00000230,03254058,?), ref: 032602E1
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 032602F1

Strings

RtlGetNtVersionNumbers, xrefs: 032602EB
ntdll, xrefs: 032602D0, 032602D5, 032602E0

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: RtlGetNtVersionNumbers$ntdll
API String ID: 310444273-3725187768
Opcode ID: 1161bf186e3d31c831e0a2841a400667d9cea55c5d5726b7e8cbe66e2bedb061
Instruction ID: b4ebb42eac41d1d3361747fc9b2533d7483802c1e300d2ae09444d4a5ed651d7
Opcode Fuzzy Hash: 1161bf186e3d31c831e0a2841a400667d9cea55c5d5726b7e8cbe66e2bedb061
Instruction Fuzzy Hash: E0114C75A25346EFDB05DFA5D898BAE77B8FF44206F0484ACE802D7244EB30D684DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0325CE6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0325CE83

Part of subcall function 032623DA: std::exception::exception.LIBCMT ref: 032623EF
Part of subcall function 032623DA: __CxxThrowException@8.LIBCMT ref: 03262404
Part of subcall function 032623DA: std::exception::exception.LIBCMT ref: 03262415

std::_Xinvalid_argument.LIBCPMT ref: 0325CEA2
_memmove.LIBCMT ref: 0325CEDC

Strings

invalid string position, xrefs: 0325CE7E
string too long, xrefs: 0325CE9D

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: 335631d5725fce63e2155d5d9a544f742c2bc65bce7cdd81abfc39522b5f27c4
Instruction ID: 9a2602c5bcda8e48292e3b02567fe863ec8d549b47c8bf678c89d532f2f90e33
Opcode Fuzzy Hash: 335631d5725fce63e2155d5d9a544f742c2bc65bce7cdd81abfc39522b5f27c4
Instruction Fuzzy Hash: BF117032760315AFD704DF6CD880959B3A9FF41210B540924FC16DBA41E7B0EAD08BD1

Uniqueness

Uniqueness Score: -1.00%

Function 032600EF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,03260185,80000001,0325E19C,00020006,?,0325E19C,00000000,00000002,00000000,?,?,0325E19C,80000001), ref: 032600FE
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0326010E
RegCreateKeyExW.ADVAPI32(80000001,0325E19C,00000000,00000000,00000000,?,00000000,?,00000000,?,?,03260185,80000001,0325E19C,00020006,?), ref: 0326014A

Strings

RegCreateKeyTransactedW, xrefs: 03260108
Advapi32.dll, xrefs: 032600F9

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1964897782-2994018265
Opcode ID: a6c9ae0f01b557c4bd5a90601f27fc89183208237c3e26ed78fac84b2455eb7c
Instruction ID: 12d173116b912510ef8fcd05bf06caf9cbaf9c1c6656d7a93c61f51099d033e3
Opcode Fuzzy Hash: a6c9ae0f01b557c4bd5a90601f27fc89183208237c3e26ed78fac84b2455eb7c
Instruction Fuzzy Hash: 6B016F7216612ABF8F229F919C08CDFBF2AFF16B91744C455F61994115C33288E1EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 10004E81 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,10004F16,-80000001,10003A7D,00000000,?,10003A7D,769373E0,00000000,-80000001,?,10003A7D,-80000001,?), ref: 10004E90
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 10004EA0
RegCreateKeyExW.ADVAPI32(-80000001,10003A7D,00000000,00000000,00000000,?,00000000,-80000001,00000000,?,?,10004F16,-80000001,10003A7D,00000000,?), ref: 10004EDC

Strings

RegCreateKeyTransactedW, xrefs: 10004E9A
Advapi32.dll, xrefs: 10004E8B

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: AddressCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1964897782-2994018265
Opcode ID: ebb15a3a10b9a7e96acae1b5f38c94a0b89bc6176d20ad0c9b1437816c4d59d6
Instruction ID: 32b8aff5ee0ad75f78d76b723ae53d38952a8d60f022d6ad591f8c2beecf12ff
Opcode Fuzzy Hash: ebb15a3a10b9a7e96acae1b5f38c94a0b89bc6176d20ad0c9b1437816c4d59d6
Instruction Fuzzy Hash: 1901BB75102169BBDF52DF92CC48DDF7F6AFF096E5B018411FA5994024C7318861EBE4

Uniqueness

Uniqueness Score: -1.00%

Function 6E82C630 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6E82C643

Part of subcall function 6E82C59E: ___BuildCatchObjectHelper.LIBCMT ref: 6E82C5D4

_UnwindNestedFrames.LIBCMT ref: 6E82C65A
___FrameUnwindToState.LIBCMT ref: 6E82C668

Strings

csm, xrefs: 6E82C632
csm, xrefs: 6E82C63F, 6E82C654, 6E82C667, 6E82C685, 6E82C695

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 8c960ef3ac8cdc2786603648fdbda3dea58b70cba2e8a4ee3bf69547044adc1f
Instruction ID: 7f966e5b718fe1d3a180392e481d63b7006732da5f933f5d10ececdeb28ac230
Opcode Fuzzy Hash: 8c960ef3ac8cdc2786603648fdbda3dea58b70cba2e8a4ee3bf69547044adc1f
Instruction Fuzzy Hash: 8501247100110ABFDF529F95CD44EEA7F6AFF08344F008825BD1919161DB32D9A1DBE4

Uniqueness

Uniqueness Score: -1.00%

Function 03273E5B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 03273E6E

Part of subcall function 03273DC9: ___BuildCatchObjectHelper.LIBCMT ref: 03273DFF

_UnwindNestedFrames.LIBCMT ref: 03273E85
___FrameUnwindToState.LIBCMT ref: 03273E93

Strings

csm, xrefs: 03273E5D
csm, xrefs: 03273E6A, 03273E7F, 03273E92, 03273EB0, 03273EC0

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: a73722e5cee5a94c818f1fa13ffe976a09e816b63843316ea8682695edc1dc98
Instruction ID: 6d3641e223dd5193bd420cc90912de84e4c4ec9b69914b934244bbc03e8d3283
Opcode Fuzzy Hash: a73722e5cee5a94c818f1fa13ffe976a09e816b63843316ea8682695edc1dc98
Instruction Fuzzy Hash: 3101D27942120ABBDF12EE51CC45EAB7A6AFF08350F048014BE1819160D7B299A1EAE1

Uniqueness

Uniqueness Score: -1.00%

Function 1000F0D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 1000F0E8

Part of subcall function 1000F043: ___BuildCatchObjectHelper.LIBCMT ref: 1000F079

_UnwindNestedFrames.LIBCMT ref: 1000F0FF
___FrameUnwindToState.LIBCMT ref: 1000F10D

Strings

csm, xrefs: 1000F0E4, 1000F0F9, 1000F10C, 1000F12A, 1000F13A
csm, xrefs: 1000F0D7

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 92e1b5ee8c9c72a48e4071c42aaf60707b654d4371e3f37b0d3aa8cfed45f753
Instruction ID: ec66902be28b6a188cde97aad6a8086c73501c54f5c43849402a190dc819195f
Opcode Fuzzy Hash: 92e1b5ee8c9c72a48e4071c42aaf60707b654d4371e3f37b0d3aa8cfed45f753
Instruction Fuzzy Hash: 7701467500014ABBEF229F50CC41EEA3F6AEF08384F108018FD1824526DB32A9B1EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0326000F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00020019,?,03260091,80000001,0325E3E8,00020019,00000000,?,?,?,?,0325E3E8,80000001), ref: 0326001E
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0326002E
RegOpenKeyExW.ADVAPI32(80000001,0325E3E8,00000000,?,?,00020019,?,03260091,80000001,0325E3E8,00020019,00000000), ref: 0326005E

Strings

Advapi32.dll, xrefs: 03260019
RegOpenKeyTransactedW, xrefs: 03260028

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1337834000-3913318428
Opcode ID: 2bae8376d25b883eeb3a50b0ba43d0d355b85c50651fdf49e55b9348cf2019e2
Instruction ID: f980bdc1c20a620a7370143375f4e6567ca144e354a150fd4762c5d48bf6f3e6
Opcode Fuzzy Hash: 2bae8376d25b883eeb3a50b0ba43d0d355b85c50651fdf49e55b9348cf2019e2
Instruction Fuzzy Hash: 87F0E731524619FFCF22AFA5AC08C5BBB7AFF85B517288818F55590014D77285E0EB60

Uniqueness

Uniqueness Score: -1.00%

Function 03260395 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll,00000000,03253DBD), ref: 032603A5
LoadLibraryW.KERNEL32(ntdll), ref: 032603B0
GetProcAddress.KERNEL32(00000000,NtWow64DebuggerCall), ref: 032603C0

Strings

ntdll, xrefs: 0326039F, 032603A4, 032603AF
NtWow64DebuggerCall, xrefs: 032603BA

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: NtWow64DebuggerCall$ntdll
API String ID: 310444273-2362330086
Opcode ID: c3e0fbced8cd2bfc39f264d324fec840ec1c10f9ed5348c1a6a4e63db3bfc49f
Instruction ID: 211e2181e3765839718252e6a2498677da7becb6cd62d44a9043b7be784e54e8
Opcode Fuzzy Hash: c3e0fbced8cd2bfc39f264d324fec840ec1c10f9ed5348c1a6a4e63db3bfc49f
Instruction Fuzzy Hash: 4FE04F3067E7229FDB11FA35780C75B325CFF41247704C4A8F801E0188E774C8D19A94

Uniqueness

Uniqueness Score: -1.00%

Function 03261FEE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll,00000000,03260BE6), ref: 03261FFE
LoadLibraryW.KERNEL32(ntdll), ref: 03262009
GetProcAddress.KERNEL32(00000000,NtWow64DebuggerCall), ref: 03262019

Strings

ntdll, xrefs: 03261FF8, 03261FFD, 03262008
NtWow64DebuggerCall, xrefs: 03262013

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: NtWow64DebuggerCall$ntdll
API String ID: 310444273-2362330086
Opcode ID: d6e681e2d34351d289fd1926ed223600724d50ed8c510c1665f36962312e05dc
Instruction ID: bda62b397c96d1ab52c21ead5b3ed8c9d497a22fe90328ed90c59ecd5c26c3f3
Opcode Fuzzy Hash: d6e681e2d34351d289fd1926ed223600724d50ed8c510c1665f36962312e05dc
Instruction Fuzzy Hash: E1E04F30676B22DEDB22AB35780C7AA329CFF191857059865F400D0148E734D4C1CA98

Uniqueness

Uniqueness Score: -1.00%

Function 10002775 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll,00000000,10003F28), ref: 10002785
LoadLibraryW.KERNEL32(ntdll), ref: 10002790
GetProcAddress.KERNEL32(00000000,NtWow64DebuggerCall), ref: 100027A0

Strings

NtWow64DebuggerCall, xrefs: 1000279A
ntdll, xrefs: 1000277F, 10002784, 1000278F

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: NtWow64DebuggerCall$ntdll
API String ID: 310444273-2362330086
Opcode ID: 275f7315d0419a9f565d041a17faedadb1b70349428857ea0bffa79c3fa10f2f
Instruction ID: c1dbe77f9deb5212b0fb9020796fb69774f77fb9c6086b2bace7345d030ed22e
Opcode Fuzzy Hash: 275f7315d0419a9f565d041a17faedadb1b70349428857ea0bffa79c3fa10f2f
Instruction Fuzzy Hash: 92E086307496B25AF343DB31BC4878B37E8EB061D5B0284A0F44DD1118E778C8858E95

Uniqueness

Uniqueness Score: -1.00%

Function 032601DA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,?,03252219,?,00000000,?,00000000,?,00000000,?,00000000,?,?,?,?,?), ref: 032601FD
LoadLibraryW.KERNEL32(Kernel32,?,80000001,Software\Chromium,00000154,0325406F), ref: 03260208
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 03260218

Strings

Kernel32, xrefs: 032601ED, 032601F2, 03260207
GetTickCount64, xrefs: 03260212

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: GetTickCount64$Kernel32
API String ID: 310444273-3117871262
Opcode ID: d45a6415b7b109c041b7868854e8242808abbaa2902a103f963936b458255d91
Instruction ID: c9eab357778fe1013a315f9c07dad45ea2b9999f59a571bb75be6cfbc67400b1
Opcode Fuzzy Hash: d45a6415b7b109c041b7868854e8242808abbaa2902a103f963936b458255d91
Instruction Fuzzy Hash: A3F0323496B321CFE720BF28F41C75536A8FF09712F08E8A9E002A1288C3B445C5EAA4

Uniqueness

Uniqueness Score: -1.00%

Function 03257DD6 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03257E30

Part of subcall function 0325BC98: _memset.LIBCMT ref: 0325BCCB

_memset.LIBCMT ref: 03257E87
MD5Init.NTDLL(?), ref: 03257E94
MD5Update.NTDLL(?,?,?), ref: 03257EA4
MD5Final.NTDLL(?), ref: 03257EAF

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memset$FinalInitUpdate
String ID:
API String ID: 321375279-0
Opcode ID: 1bd3944088eeff854043d9f8290a3abe138a158e6158d6281ca2a034948a323d
Instruction ID: 6307553c44d75976450d179d4afb8ff17d4db77aa48312094006788bda704a30
Opcode Fuzzy Hash: 1bd3944088eeff854043d9f8290a3abe138a158e6158d6281ca2a034948a323d
Instruction Fuzzy Hash: 9D31A6729583059FD710DF68D844B9BB7E9BF88714F044D19FA88DB180DBB0EA498BD2

Uniqueness

Uniqueness Score: -1.00%

Function 03261835 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03261880

Part of subcall function 03261A12: _memset.LIBCMT ref: 03261A46

_memset.LIBCMT ref: 032618E1
MD5Init.NTDLL(00000000), ref: 032618F0
MD5Update.NTDLL(00000000,?,?), ref: 03261904
MD5Final.NTDLL(00000000), ref: 03261911

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memset$FinalInitUpdate
String ID:
API String ID: 321375279-0
Opcode ID: 250f309985aa6fbbd4994d259b4e4a80644d424c2873de9b22c2f8e684cb86bb
Instruction ID: ffa99b439de2bc4b3e6f46829848f8b708682ed47e31ef5da1b3097f5b744445
Opcode Fuzzy Hash: 250f309985aa6fbbd4994d259b4e4a80644d424c2873de9b22c2f8e684cb86bb
Instruction Fuzzy Hash: EC316D72E113199BEF14DFA4DC44BDAB7B9BF49300F004895E609BB180D7B0BAC98B91

Uniqueness

Uniqueness Score: -1.00%

Function 00402D40 Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D94
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DE0
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE9
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402E00
RegCloseKey.ADVAPI32(?,?,?), ref: 00402E0B

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 31db4fe3a83ab3222004bb99c88de970b8ea6707b57bc237e5c93fbc2d64a622
Instruction ID: a5e4f490f3213e056e2de4031cbf7e2f03171c809d79779608604f73e8d3eb7d
Opcode Fuzzy Hash: 31db4fe3a83ab3222004bb99c88de970b8ea6707b57bc237e5c93fbc2d64a622
Instruction Fuzzy Hash: DE215C72500108BBDF129F90CE89EEF7B6DEF44344F100076FA55B11E0D7B49E549AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401D6A Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D83
GetClientRect.USER32(?,?), ref: 00401DD1
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401E01
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E15
DeleteObject.GDI32(00000000), ref: 00401E25

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 3447c67b72d9b7ec60f9ea7938cff3c4f046c939b573ee149af5f304e006b58f
Instruction ID: 5f58bdc0f86da4ad8d0d53f000e7583207e05708e2ca94497a2adcf05e998a52
Opcode Fuzzy Hash: 3447c67b72d9b7ec60f9ea7938cff3c4f046c939b573ee149af5f304e006b58f
Instruction Fuzzy Hash: 1F212A72A00509AFCF15DF94DD45AAEBBB5FB88300F24407AF901F62A1CB389941DB58

Uniqueness

Uniqueness Score: -1.00%

Function 6E8456D4 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E8456E2

Part of subcall function 6E843250: __FF_MSGBANNER.LIBCMT ref: 6E843269
Part of subcall function 6E843250: __NMSG_WRITE.LIBCMT ref: 6E843270
Part of subcall function 6E843250: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,-00001000,00000000,?,6E8418DC,00000001,?,00000000), ref: 6E843295

_free.LIBCMT ref: 6E8456F5

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 20a98d1405a081b3bc42463f193a9a7e7f1d42f5b4e1373598d58929af3d5a5d
Instruction ID: 43ac91f13d58e9db84e98a9c5c2b6d681482da36bac5f12b12863aa1a20fd2dd
Opcode Fuzzy Hash: 20a98d1405a081b3bc42463f193a9a7e7f1d42f5b4e1373598d58929af3d5a5d
Instruction Fuzzy Hash: D611823254971DEBCB222BF9DC04A8E37A9FB423A5B104D35E559D6184EB788940C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 6E82B247 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E82B255

Part of subcall function 6E826A0C: __FF_MSGBANNER.LIBCMT ref: 6E826A25
Part of subcall function 6E826A0C: __NMSG_WRITE.LIBCMT ref: 6E826A2C
Part of subcall function 6E826A0C: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6E8265B1,?,?), ref: 6E826A51

_free.LIBCMT ref: 6E82B268

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 158b440cb8b7dcd5d98a0a72c94bef22c5889a6391b6c68c25091943e5935a04
Instruction ID: 3571e8ae2c24531ca92b8ce5e1d895514e301bfa5daf8a736ce90517f4f64543
Opcode Fuzzy Hash: 158b440cb8b7dcd5d98a0a72c94bef22c5889a6391b6c68c25091943e5935a04
Instruction Fuzzy Hash: 06117732545715AFCF211BF99804B8E3B9DEF463A5B104D35E8589B2D8EF3484C197D0

Uniqueness

Uniqueness Score: -1.00%

Function 03262EEC Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 03262EFA

Part of subcall function 03262B1E: __FF_MSGBANNER.LIBCMT ref: 03262B37
Part of subcall function 03262B1E: __NMSG_WRITE.LIBCMT ref: 03262B3E
Part of subcall function 03262B1E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0326B6E0,00000000,00000001,00000000,?,0326D017,00000018,0327E2F0,0000000C,0326D0A7), ref: 03262B63

_free.LIBCMT ref: 03262F0D

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: d530b6da9f6ec24f35de0b4282830afbfe29016c0139555f7208bd17ed2615da
Instruction ID: f7b5476324003096eb1317a1a6211b6da64864de0d1e4a6222780f6a5459ee32
Opcode Fuzzy Hash: d530b6da9f6ec24f35de0b4282830afbfe29016c0139555f7208bd17ed2615da
Instruction Fuzzy Hash: 2011A336935312EBCB21BF75F808A5E3A9CEF44261B244925E899DF290DBB098C08790

Uniqueness

Uniqueness Score: -1.00%

Function 1000C8A2 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1000C8B0

Part of subcall function 10008865: __FF_MSGBANNER.LIBCMT ref: 1000887E
Part of subcall function 10008865: __NMSG_WRITE.LIBCMT ref: 10008885
Part of subcall function 10008865: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000000,00000000,?,10008E4C,?,?), ref: 100088AA

_free.LIBCMT ref: 1000C8C3

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 668f0f6149e950c13bb4b6ea83aa9708929724d3a2af31e6bdc02ba5c7ab32da
Instruction ID: 64c2343e5f0c23cd4c45b3d725638f0a5137503058911c82b24e18bce770cc70
Opcode Fuzzy Hash: 668f0f6149e950c13bb4b6ea83aa9708929724d3a2af31e6bdc02ba5c7ab32da
Instruction Fuzzy Hash: 9E11913654071AABFB21DB78AC09F4A37A5EF443F0B218135FC4896299DF74D9808794

Uniqueness

Uniqueness Score: -1.00%

Function 00401E3A Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E3D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E57
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5F
ReleaseDC.USER32(?,00000000), ref: 00401E70
CreateFontIndirectA.GDI32(0040B800), ref: 00401EBF

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 22228c3693abc94b936fd2f16b8ba8b9056b3eb02351572d69dab0e0d9b57348
Instruction ID: 93cf2425c987cc267120fbe0add9028dd9a2d776d6f9c9f2b704a90d9ede6a52
Opcode Fuzzy Hash: 22228c3693abc94b936fd2f16b8ba8b9056b3eb02351572d69dab0e0d9b57348
Instruction Fuzzy Hash: E2018072545244AFE7007B60AE4AA993FA8E795301F14887AF141B62F2CB7801448BAD

Uniqueness

Uniqueness Score: -1.00%

Function 6E8428B8 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E8428C4

Part of subcall function 6E842AE1: __getptd_noexit.LIBCMT ref: 6E842AE4
Part of subcall function 6E842AE1: __amsg_exit.LIBCMT ref: 6E842AF1

__getptd.LIBCMT ref: 6E8428DB
__amsg_exit.LIBCMT ref: 6E8428E9
__lock.LIBCMT ref: 6E8428F9
__updatetlocinfoEx_nolock.LIBCMT ref: 6E84290D

Memory Dump Source

Source File: 00000000.00000002.2585195873.000000006E841000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E840000, based on PE: true

Associated: 00000000.00000002.2585171159.000000006E840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585218937.000000006E847000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585240458.000000006E84A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2585261476.000000006E84C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e840000_etopt.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: f820e4454141515c96929f2e4564dd7d692a428813a21c44affcfecdab164929
Instruction ID: e024b726b39b2aea2ddd866f3699e8411c49d4c3f682f304190193388687c947
Opcode Fuzzy Hash: f820e4454141515c96929f2e4564dd7d692a428813a21c44affcfecdab164929
Instruction Fuzzy Hash: 92F09032988B2CDBE761ABEC8805B8D77E4EF45B28F110D59D814FB2D0DB2C4942DA55

Uniqueness

Uniqueness Score: -1.00%

Function 6E827A82 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E827A8E

Part of subcall function 6E827CAB: __getptd_noexit.LIBCMT ref: 6E827CAE
Part of subcall function 6E827CAB: __amsg_exit.LIBCMT ref: 6E827CBB

__getptd.LIBCMT ref: 6E827AA5
__amsg_exit.LIBCMT ref: 6E827AB3
__lock.LIBCMT ref: 6E827AC3
__updatetlocinfoEx_nolock.LIBCMT ref: 6E827AD7

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 35919b619868f7086bb6d7b2cede7b85b7b4e73616782156e4c6dbfd43286743
Instruction ID: b52e281b44cd100e19e16cbe71cbdddaedba1456ac613fb24dc970599e274f46
Opcode Fuzzy Hash: 35919b619868f7086bb6d7b2cede7b85b7b4e73616782156e4c6dbfd43286743
Instruction Fuzzy Hash: 29F09672984A119FDB51ABFE840178D32A46F00738F104D79E456671C0CB2646C186D9

Uniqueness

Uniqueness Score: -1.00%

Function 03266DAA Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 03266DB6

Part of subcall function 03264E61: __getptd_noexit.LIBCMT ref: 03264E64
Part of subcall function 03264E61: __amsg_exit.LIBCMT ref: 03264E71

__getptd.LIBCMT ref: 03266DCD
__amsg_exit.LIBCMT ref: 03266DDB
__lock.LIBCMT ref: 03266DEB
__updatetlocinfoEx_nolock.LIBCMT ref: 03266DFF

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: c265281489070bc65fe098b876141c51593773b90c8675be8299c0540b133051
Instruction ID: d5b2492e73da712c5dcbe51629be318f239cc2d73ff9c6d8f4ff861e7fed1fec
Opcode Fuzzy Hash: c265281489070bc65fe098b876141c51593773b90c8675be8299c0540b133051
Instruction Fuzzy Hash: 25F0B43A9617149BDB21FBB5E405B4DB7A0AF00B24F158289D450BF5D2CBB454C18BD5

Uniqueness

Uniqueness Score: -1.00%

Function 1000ABE3 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 1000ABEF

Part of subcall function 1000AE0C: __getptd_noexit.LIBCMT ref: 1000AE0F
Part of subcall function 1000AE0C: __amsg_exit.LIBCMT ref: 1000AE1C

__getptd.LIBCMT ref: 1000AC06
__amsg_exit.LIBCMT ref: 1000AC14
__lock.LIBCMT ref: 1000AC24
__updatetlocinfoEx_nolock.LIBCMT ref: 1000AC38

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 2965e32a79f2a16c8b0be67d309ee2b53229f148a27ac7b44616c678460c2eb5
Instruction ID: b4651211849a4c38ad3941516d81055ff4f90f90d46b98ceffbf7462d0d1082b
Opcode Fuzzy Hash: 2965e32a79f2a16c8b0be67d309ee2b53229f148a27ac7b44616c678460c2eb5
Instruction Fuzzy Hash: E8F06D3A944A109BF752DB748C02F8E33D0EF027E0F124709F400AA1DACB74A9C09A55

Uniqueness

Uniqueness Score: -1.00%

Function 032639D8 Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 03265416: _doexit.LIBCMT ref: 03265422

___set_flsgetvalue.LIBCMT ref: 032639EA

Part of subcall function 03264CA6: TlsGetValue.KERNEL32(00000000,03264DFF,?,0326B6E0,00000000,00000001,00000000,?,0326D017,00000018,0327E2F0,0000000C,0326D0A7,00000000,00000000), ref: 03264CAF
Part of subcall function 03264CA6: TlsSetValue.KERNEL32(00000000,?,0326B6E0,00000000,00000001,00000000,?,0326D017,00000018,0327E2F0,0000000C,0326D0A7,00000000,00000000,?,03264F0C), ref: 03264CD0

___fls_getvalue@4.LIBCMT ref: 032639F5

Part of subcall function 03264C86: TlsGetValue.KERNEL32(?,?,032639FA,00000000), ref: 03264C94

___fls_setvalue@8.LIBCMT ref: 03263A08
GetLastError.KERNEL32(00000000,?,00000000), ref: 03263A11
ExitThread.KERNEL32 ref: 03263A18
GetCurrentThreadId.KERNEL32 ref: 03263A1E
__freefls@4.LIBCMT ref: 03263A3E

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 2403457894-0
Opcode ID: 5ac33f7946ed0559533ca28d79b8526961aa7c65f320c61164e48bc94eb4d2f6
Instruction ID: ab8024d960ce1360097e49ec2428f5501d6ebb7c0a176e79f9aaf5332d628489
Opcode Fuzzy Hash: 5ac33f7946ed0559533ca28d79b8526961aa7c65f320c61164e48bc94eb4d2f6
Instruction Fuzzy Hash: 12E08C799303057BCF00FBF3ED0CC9F3A2CAE42281B241450BA40EB600EBA5E8D187A5

Uniqueness

Uniqueness Score: -1.00%

Function 03258641 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ShlWapi,?,?), ref: 03258669
LoadLibraryW.KERNEL32(ShlWapi), ref: 03258676
GetProcAddress.KERNEL32(00000000,0327CCA8), ref: 0325888E

Strings

ShlWapi, xrefs: 03258663, 03258668, 03258675

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ShlWapi
API String ID: 310444273-866782505
Opcode ID: 21ac6e1da16b8531ad067f4397d298f33eb314fdb30c2d63d32baf876c28962f
Instruction ID: c03230e99764dfbb49947e5fee349ca9103f21497d81f4c747cd4afec639866f
Opcode Fuzzy Hash: 21ac6e1da16b8531ad067f4397d298f33eb314fdb30c2d63d32baf876c28962f
Instruction Fuzzy Hash: ED5161B0822369DFCB25EFA5D94C6ADBEB0FB05618F528998D4187B240C7310AC9CF94

Uniqueness

Uniqueness Score: -1.00%

Function 10002434 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ShlWapi,00000000,?), ref: 1000245C
LoadLibraryW.KERNEL32(ShlWapi), ref: 10002469
GetProcAddress.KERNEL32(00000000,10013AA0), ref: 10002681

Strings

ShlWapi, xrefs: 10002456, 1000245B, 10002468

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ShlWapi
API String ID: 310444273-866782505
Opcode ID: 4267742fe7e7355d15c1f60785ed86310ad0142a45a20abc05df35a0c175c416
Instruction ID: f4fcdc8ec7c7f6f01d16c9477f3771ef02e8c2d8eec4340c8f2a43e32f59b97c
Opcode Fuzzy Hash: 4267742fe7e7355d15c1f60785ed86310ad0142a45a20abc05df35a0c175c416
Instruction Fuzzy Hash: F951A9B08052E99ADB21CF95898079EBB70FB01250FD08188D19E3F310D7BA8AC9CF94

Uniqueness

Uniqueness Score: -1.00%

Function 03251943 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0325194A

Part of subcall function 03256112: std::_Xinvalid_argument.LIBCPMT ref: 0325613B

Strings

virtual, xrefs: 03251995
Virtual, xrefs: 0325197D
Bluetooth, xrefs: 032519AD

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: H_prolog3_Xinvalid_argumentstd::_
String ID: Bluetooth$Virtual$virtual
API String ID: 4049434844-1221282609
Opcode ID: b8729aff45ad0fa5fa767c1f7bc7f31789b06e6c287433d38af8fa538a1887a0
Instruction ID: 96a2f02775d3a5929e4fac07b61cf0a7ab4b1febf3d7f7690d8d33a048b86af9
Opcode Fuzzy Hash: b8729aff45ad0fa5fa767c1f7bc7f31789b06e6c287433d38af8fa538a1887a0
Instruction Fuzzy Hash: 2C315E7AA203159FCF20EB64DC85E6B73E9EF48610B04445AFD05AF641E6B1FAD1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00401C33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CA3
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CBB

Strings

!, xrefs: 00401C6F

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: a6dea4fc88f6149f91a63d7e2dd6a70fefe0934d05977c47e3f293ca48d04a1f
Instruction ID: 76c6edd09e85abed819265412271f083f69054edbe809756b368d67259cdbd0b
Opcode Fuzzy Hash: a6dea4fc88f6149f91a63d7e2dd6a70fefe0934d05977c47e3f293ca48d04a1f
Instruction Fuzzy Hash: 6B219471948208BEEF05DFA4DA86AAE7FB1EF84304F14447EF501F61D1C6788681DB18

Uniqueness

Uniqueness Score: -1.00%

Function 03260B8F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 03260B99
wsprintfW.USER32 ref: 03260BBB

Part of subcall function 03261FEE: GetModuleHandleW.KERNEL32(ntdll,00000000,03260BE6), ref: 03261FFE
Part of subcall function 03261FEE: LoadLibraryW.KERNEL32(ntdll), ref: 03262009
Part of subcall function 03261FEE: GetProcAddress.KERNEL32(00000000,NtWow64DebuggerCall), ref: 03262019

Part of subcall function 0325FFDD: RegQueryValueExW.KERNEL32(80000001,?,00000000,?,?,?,?,0325E423,?,000000A8,?,00001000), ref: 0325FFF4

Strings

cache32, xrefs: 03260C20, 03260C25, 03260C5A
Software\Tencent\bugReport\QQ\%u, xrefs: 03260BB3

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressH_prolog3_HandleLibraryLoadModuleProcQueryValuewsprintf
String ID: Software\Tencent\bugReport\QQ\%u$cache32
API String ID: 1318800310-1579977975
Opcode ID: aa81848d27ba3b8a27f8b99ab5a9a3bd106c01dd188e78c1a7cadb9e7dff7724
Instruction ID: 38b692dc19a564b002122c000132fd531b8ff8f4a8a4350bd2e53edf265f32f3
Opcode Fuzzy Hash: aa81848d27ba3b8a27f8b99ab5a9a3bd106c01dd188e78c1a7cadb9e7dff7724
Instruction Fuzzy Hash: D9212E75961329ABCB24DFA4DC88ADDB7B8AF08700F1085D5E409E6140D7B09FC49F98

Uniqueness

Uniqueness Score: -1.00%

Function 0325B4F8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ShlWapi,?,00000000), ref: 0325B51D
LoadLibraryW.KERNEL32(ShlWapi,?,00000000), ref: 0325B52A
GetProcAddress.KERNEL32(00000000,0327CF04), ref: 0325B5CD

Strings

ShlWapi, xrefs: 0325B517, 0325B51C, 0325B529

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ShlWapi
API String ID: 310444273-866782505
Opcode ID: 268095f8f11384961ee6ab90b32d74a495ea2f1497d393e8ad82e4203fd4bf1d
Instruction ID: 90cb8ab4811b8f0e12ef5b0be2df64c7a71d154a078348c38dd80cb235722152
Opcode Fuzzy Hash: 268095f8f11384961ee6ab90b32d74a495ea2f1497d393e8ad82e4203fd4bf1d
Instruction Fuzzy Hash: DC21E9B0822329DBCB15EFA5E5481AEBFF0FF45319F528819E8017B248C735468ACF85

Uniqueness

Uniqueness Score: -1.00%

Function 03260ACD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58registryCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 03260AF6

Part of subcall function 03261FEE: GetModuleHandleW.KERNEL32(ntdll,00000000,03260BE6), ref: 03261FFE
Part of subcall function 03261FEE: LoadLibraryW.KERNEL32(ntdll), ref: 03262009
Part of subcall function 03261FEE: GetProcAddress.KERNEL32(00000000,NtWow64DebuggerCall), ref: 03262019

RegSetValueExW.ADVAPI32(?,cache32,00000000,00000003,?,?,-80000001,?), ref: 03260B5C

Part of subcall function 032601BE: RegCloseKey.KERNEL32(?,032600AC,?,?,?,?,0325E3E8,80000001), ref: 032601C7

Strings

cache32, xrefs: 03260B51
Software\Tencent\bugReport\QQ\%u, xrefs: 03260AEE

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: AddressCloseHandleLibraryLoadModuleProcValuewsprintf
String ID: Software\Tencent\bugReport\QQ\%u$cache32
API String ID: 1538166155-1579977975
Opcode ID: 4bfe17b8954435f0978d243aa76833a1c722e65e365a6ea097b3be135a9b7c1b
Instruction ID: 0e94e4a6acc96ba2ba48507096e4b9513f16acc4cead1d7b98f14ea7896e2e8e
Opcode Fuzzy Hash: 4bfe17b8954435f0978d243aa76833a1c722e65e365a6ea097b3be135a9b7c1b
Instruction Fuzzy Hash: 4D11C47595031CABCB25EF28DC88ADDB7B9EF90700F0082999419A7150CF705EC58A90

Uniqueness

Uniqueness Score: -1.00%

Function 032610F9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53registryCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 0326113D
RegSetValueExW.ADVAPI32(?,activeSent,00000000,00000004,?,00000004,80000001,?), ref: 03261183

Strings

Software\Baidu\BDLOG\%u, xrefs: 0326111E
activeSent, xrefs: 03261172

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Valuewsprintf
String ID: Software\Baidu\BDLOG\%u$activeSent
API String ID: 1366739692-3170583200
Opcode ID: a2df54b33f017edaca70e6125882620d7b62ebe22f073837ee9c94513d35a345
Instruction ID: 85ec113fdabcf954d9ca5c3da3a30ae58406648cc21df8bd63e26c236c3c6729
Opcode Fuzzy Hash: a2df54b33f017edaca70e6125882620d7b62ebe22f073837ee9c94513d35a345
Instruction Fuzzy Hash: 78114CB594122C9BCB20EF19DC48BDABBB9FF94710F1041D5A919E7250DB705AC5CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03253FCF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 03253FE8
__wcsicoll.LIBCMT ref: 03253FFB

Strings

vmtoolsd.exe, xrefs: 03253FE0
wmacthlp.exe, xrefs: 03253FF3

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: __wcsicoll
String ID: vmtoolsd.exe$wmacthlp.exe
API String ID: 3832890014-2203709971
Opcode ID: 1eb4c4d0133f934e74e4faa6a20a261af3a4cddb6662ac21a8206df00021c9e1
Instruction ID: 3bc23d5870c50169f427a97a5ce676e21e2166d0d67f43329c41a4eb038e58d0
Opcode Fuzzy Hash: 1eb4c4d0133f934e74e4faa6a20a261af3a4cddb6662ac21a8206df00021c9e1
Instruction Fuzzy Hash: 42E06D376647026AD768F61AEC01A17F7E8EF41260B68543AE902D6C60EEF1F4D0A294

Uniqueness

Uniqueness Score: -1.00%

Function 00405BC9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040336F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365F,?,00000008,0000000A,0000000C), ref: 00405BCF
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040336F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040365F,?,00000008,0000000A,0000000C), ref: 00405BD8
lstrcatA.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C), ref: 00405BE9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC9

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 1585f28ce29590c56c09183d2983d03a0d8d28acc38857c1cbd7e9952efaabbf
Instruction ID: 8dd50479c6149f027b74e10dfc13b5f8d095aad435375af3d6d90cc381691839
Opcode Fuzzy Hash: 1585f28ce29590c56c09183d2983d03a0d8d28acc38857c1cbd7e9952efaabbf
Instruction Fuzzy Hash: 5CD0A762509A306BD15237154D09ECB294D8F42350B0500AAF141B2191C67C5C1147FD

Uniqueness

Uniqueness Score: -1.00%

Function 03272AD0 Relevance: 6.4, APIs: 5, Instructions: 137COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,00000000), ref: 03272B04
IsBadReadPtr.KERNEL32(?,00000014,?,?,?,?,?,?,03273069), ref: 03272BCA
SetLastError.KERNEL32(0000007F,00000000,?), ref: 03272BF8

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Read$ErrorLast
String ID:
API String ID: 2715074504-0
Opcode ID: 28f62906a782ee582ba075f0f2a309b3465b3dccb6bddf3f98b08d4ee81963c1
Instruction ID: 31cf68cc4aecd6e89fe2488fa33398dfc37165f90fd8528985ee5a542898ded4
Opcode Fuzzy Hash: 28f62906a782ee582ba075f0f2a309b3465b3dccb6bddf3f98b08d4ee81963c1
Instruction Fuzzy Hash: 29415971210302DBD710DF69EC88B6AB7E8FF88710F18882CE84987650E775F989CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000DEF0 Relevance: 6.4, APIs: 5, Instructions: 137COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,00000000), ref: 1000DF24
IsBadReadPtr.KERNEL32(?,00000014,?,?,?,?,?,?,1000E489), ref: 1000DFEA
SetLastError.KERNEL32(0000007F,00000000,?), ref: 1000E018

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: Read$ErrorLast
String ID:
API String ID: 2715074504-0
Opcode ID: d044b2a68499cc0ed7ca31d307926132b6f3a1fe1eec084c7c2661b397098fbf
Instruction ID: 545f4d29ee9b9389870fee978c59dd4d9f8e1c4c1e83cc99259d8048dfffa4c2
Opcode Fuzzy Hash: d044b2a68499cc0ed7ca31d307926132b6f3a1fe1eec084c7c2661b397098fbf
Instruction Fuzzy Hash: D9417A712043069FE310DF69DC84B2AB3E4FF88390F518829F84987654E775F945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0326EEC7 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0326EEFB
__isleadbyte_l.LIBCMT ref: 0326EF2E
MultiByteToWideChar.KERNEL32(00000080,00000009,03263BF2,?,00000000,00000000,?,?,?,?,03263BF2,00000000), ref: 0326EF5F
MultiByteToWideChar.KERNEL32(00000080,00000009,03263BF2,00000001,00000000,00000000,?,?,?,?,03263BF2,00000000), ref: 0326EFCD

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9462b40a9746018366c27ab234a02bfd6b0ea7d2c411e5d4d718efd690943acc
Instruction ID: 423cd676b75967ae566c40c45481a213088f6e43b6170868ad18d52f6f7c9117
Opcode Fuzzy Hash: 9462b40a9746018366c27ab234a02bfd6b0ea7d2c411e5d4d718efd690943acc
Instruction Fuzzy Hash: 6431D235A20356EFCB20DFA4C9809BD7BB9BF01360F1A85A9F4648B191D730D9C0CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0325420D Relevance: 6.1, APIs: 4, Instructions: 85stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03254B9F: socket.WS2_32(00000002,00000002,00000011), ref: 03254CEC
Part of subcall function 03254B9F: WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 03254D1F
Part of subcall function 03254B9F: setsockopt.WS2_32 ref: 03254D3F

_memset.LIBCMT ref: 0325424F
_memset.LIBCMT ref: 03254267
_memset.LIBCMT ref: 0325429A
lstrcpyW.KERNEL32(?,?), ref: 032542C4

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memset$Ioctllstrcpysetsockoptsocket
String ID:
API String ID: 3613419040-0
Opcode ID: ad859b71ae854b67b06d4f70a59d5e8d2e752305eaf8c2c6fa45c3b592ce4e25
Instruction ID: 2d252f33d91b39780f978fce08ada91e9f4e42e2f44c52c02ddc1611e1f59c21
Opcode Fuzzy Hash: ad859b71ae854b67b06d4f70a59d5e8d2e752305eaf8c2c6fa45c3b592ce4e25
Instruction Fuzzy Hash: A121B67692021D6FDB10FE659C85FAEB3BCEF44650F5001A6B919E7180EA70AFC58724

Uniqueness

Uniqueness Score: -1.00%

Function 03274EBE Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 03274EE4

Part of subcall function 03274D10: __fltout2.LIBCMT ref: 03274D3B

__cftog_l.LIBCMT ref: 03274F0A
__cftoe_l.LIBCMT ref: 03274F3C

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: a4645631c4bd178c8e2db423c22415f65ce08b7079f42eff3b2876aec032777d
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 2E11893642018EFBCF12AE8ADC45CEE3F62BB08254B598455FE1859430D773C5B2AB82

Uniqueness

Uniqueness Score: -1.00%

Function 00405C62 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,0000000C,00405CCE,C:\,C:\,76233410,?,C:\Users\user\AppData\Local\Temp\,00405A19,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\etopt.exe"), ref: 00405C70
CharNextA.USER32(00000000), ref: 00405C75
CharNextA.USER32(00000000), ref: 00405C89

Strings

C:\, xrefs: 00405C63

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 48ab597918d8e2ef306ddd6e117c28a3ba6feb84c3778f0c5ad980b6008cf2cb
Instruction ID: 1ebfcb2f4d1ed7b64dca08bbf865c5837eafd140423484c1274332e83ab39009
Opcode Fuzzy Hash: 48ab597918d8e2ef306ddd6e117c28a3ba6feb84c3778f0c5ad980b6008cf2cb
Instruction Fuzzy Hash: E8F0F06190CFA02FFB3296680C44B776F8CCB56354F08007BE681BA2C2C2BC48409F9A

Uniqueness

Uniqueness Score: -1.00%

Function 032620B8 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(03281C14,?,00000000,?,0325AB95,00000000,?,?,?,?,?,0325AED3,?,-00000010), ref: 032620C5
LeaveCriticalSection.KERNEL32(03281C14,?,0325AB95,00000000,?,?,?,?,?,0325AED3,?,-00000010), ref: 032620E1
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,0325AB95,00000000,?,?,?,?,?,0325AED3,?,-00000010), ref: 03262100
LeaveCriticalSection.KERNEL32(03281C14,?,0325AB95,00000000,?,?,?,?,?,0325AED3,?,-00000010), ref: 03262107

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExceptionRaise
String ID:
API String ID: 799838862-0
Opcode ID: 4836eac5d33f9008cb4c782d6e6f98c3eb20c5796f7ae7b57412f70b934e850e
Instruction ID: fe3c5f4cd95fb3ce53e24bbb45c849395eeeccc8b892b2b50b513b14b28e0c30
Opcode Fuzzy Hash: 4836eac5d33f9008cb4c782d6e6f98c3eb20c5796f7ae7b57412f70b934e850e
Instruction Fuzzy Hash: 07F09636234741DBD720DA55AC48B66B779BF85B51F018859FA02E7540CBA1F8C1C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00402EAD Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040308B,00000001,?,?,004036CC,?,?,00000008,0000000A,0000000C), ref: 00402EC0
GetTickCount.KERNEL32 ref: 00402EDE
CreateDialogParamA.USER32(0000006F,00000000,00402E2A,00000000), ref: 00402EFB
ShowWindow.USER32(00000000,00000005,?,?,004036CC,?,?,00000008,0000000A,0000000C), ref: 00402F09

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 4225155ee5447ffa37c68dd19a651ead4297babbcabdb1ad21195ca45245469b
Instruction ID: 1ea7ccf4f68ca2687d871ed4e8f0ab871c33d0ddda464bcb50247c8706c38170
Opcode Fuzzy Hash: 4225155ee5447ffa37c68dd19a651ead4297babbcabdb1ad21195ca45245469b
Instruction Fuzzy Hash: 54F08230551221EBC721EF50FF4CA9B7BA4FB44B02721443AF005B55E8CB7448868BEC

Uniqueness

Uniqueness Score: -1.00%

Function 0325E271 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 0325E3C3
_memmove.LIBCMT ref: 0325E46A

Strings

%s\%u, xrefs: 0325E3BD

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memmovewsprintf
String ID: %s\%u
API String ID: 3576396993-464771739
Opcode ID: b308cc59fefa4b1b90643612a7789aa692beaaa9d2fd908bfd58050e7b21f6dc
Instruction ID: 7821f765b0a1531d05176744585c9f696cb54ee7c54373e3d0e2d456cc7f2015
Opcode Fuzzy Hash: b308cc59fefa4b1b90643612a7789aa692beaaa9d2fd908bfd58050e7b21f6dc
Instruction Fuzzy Hash: 4E6159B1C2125D9FEB20DFA8D8845DDBBB8BF04310F1445A9E459FB204D7709AA6CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03261CC6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 03261CCD

Part of subcall function 0325FF62: __EH_prolog3.LIBCMT ref: 0325FF69

Part of subcall function 0325F8B0: __EH_prolog3.LIBCMT ref: 0325F8B7
Part of subcall function 0325F8B0: _free.LIBCMT ref: 0325F92B

Strings

up2, xrefs: 03261D67
urls, xrefs: 03261D25

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: H_prolog3$H_prolog3__free
String ID: up2$urls
API String ID: 3069150181-467228521
Opcode ID: 3fe588823d16f43d5beccfa5a4f729f7c08f1f6e7dea2edd1478d484f2780b54
Instruction ID: 8cfa054c01f63cbb012d0bee7d8eee67c2cc886756403d8d09c06df3909cb5f3
Opcode Fuzzy Hash: 3fe588823d16f43d5beccfa5a4f729f7c08f1f6e7dea2edd1478d484f2780b54
Instruction Fuzzy Hash: 5431E076D2071AEBCB20DBA8C840A9DF7B8BF05340F194555D860EB286E770FAD5CB80

Uniqueness

Uniqueness Score: -1.00%

Function 03271CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 03271D30
_memmove.LIBCMT ref: 03271D81

Strings

@, xrefs: 03271D65

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: _memmove
String ID: @
API String ID: 4104443479-2766056989
Opcode ID: acda460a18d57beb1f8be7f02fd523b013655c81e9d2569f00bf9287d2f44774
Instruction ID: 853229310a51a2ff6a64a95ddbb5f34fb30726faff4b75c312d985e1c0b637ff
Opcode Fuzzy Hash: acda460a18d57beb1f8be7f02fd523b013655c81e9d2569f00bf9287d2f44774
Instruction Fuzzy Hash: 5911C4B7A203076BD310EEA5D8C09A7B7ACFF94594B14052DF94586105E770F9A48AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0325CEFF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0325CF42
_memmove.LIBCMT ref: 0325CF70

Strings

string too long, xrefs: 0325CF3D

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 210c3e726c858c8817adfca2092f7a7fba92ae8dcc859a539147586168f60687
Instruction ID: 349ecefd4cf75fd91201f117faf825c3ecd3fd340c3e49192945d2402cb5800b
Opcode Fuzzy Hash: 210c3e726c858c8817adfca2092f7a7fba92ae8dcc859a539147586168f60687
Instruction Fuzzy Hash: 5F115175324311AB9714EE2CD880929B769EF81664718051AFC01CB659E7B0EAD0C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 03254AED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59networkCOMMON

Download Yara Rule

APIs

_swscanf.LIBCMT ref: 03254B30

Part of subcall function 0325DCC6: GetModuleHandleW.KERNEL32(WS2_32), ref: 0325DCEE
Part of subcall function 0325DCC6: LoadLibraryW.KERNEL32(WS2_32), ref: 0325DCFB

gethostbyname.WS2_32(?), ref: 03254B61

Strings

%[^:]:%hu, xrefs: 03254B24

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: HandleLibraryLoadModule_swscanfgethostbyname
String ID: %[^:]:%hu
API String ID: 2437039547-485521755
Opcode ID: 1f48fd43a532b692cf55059c50bf7897da131f052f94a6bc6dec00b384422eda
Instruction ID: 0aeaf43f72c4d959d512099519bb697169e8c2f419b9b32500f0a0daada163d6
Opcode Fuzzy Hash: 1f48fd43a532b692cf55059c50bf7897da131f052f94a6bc6dec00b384422eda
Instruction Fuzzy Hash: 13119476D202459FCF24EF65D8A1ADDF7F4AB09300F0888D9F61997211D6709BC4CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0326052D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 03260543

Part of subcall function 032623DA: std::exception::exception.LIBCMT ref: 032623EF
Part of subcall function 032623DA: __CxxThrowException@8.LIBCMT ref: 03262404
Part of subcall function 032623DA: std::exception::exception.LIBCMT ref: 03262415

Part of subcall function 03260761: std::_Xinvalid_argument.LIBCPMT ref: 0326076B

_memmove.LIBCMT ref: 03260595

Strings

invalid string position, xrefs: 0326053E

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: ad7ba63390f38d378d45e90ac78135518d853b5ebc428ef1b67fe1f760c10321
Instruction ID: 5df207e84b43a108e23010612ab8a13b56b0c368da4302bcb94062cc62a2ee14
Opcode Fuzzy Hash: ad7ba63390f38d378d45e90ac78135518d853b5ebc428ef1b67fe1f760c10321
Instruction Fuzzy Hash: 6011C4B67383109BCB14EE2CD8A0A69B7A9BF442217448555F8198F241D7B0E9D09BE5

Uniqueness

Uniqueness Score: -1.00%

Function 032604C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 032604D2

Part of subcall function 032623DA: std::exception::exception.LIBCMT ref: 032623EF
Part of subcall function 032623DA: __CxxThrowException@8.LIBCMT ref: 03262404
Part of subcall function 032623DA: std::exception::exception.LIBCMT ref: 03262415

_memmove.LIBCMT ref: 03260508

Strings

invalid string position, xrefs: 032604CD

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: ef40bbe9a043139e96a5cd0763b7f11f269f80ceadbbd67449e0dad2ab34c9d2
Instruction ID: f2014c1d7d3146347ce9b8c6034925a4d0d3bd41a7b5675021cf02b5eaf34033
Opcode Fuzzy Hash: ef40bbe9a043139e96a5cd0763b7f11f269f80ceadbbd67449e0dad2ab34c9d2
Instruction Fuzzy Hash: 460181727687518BD334CE6CD9D492AB2BAEFC45017248D3CD082CB685DBB0ECC6A390

Uniqueness

Uniqueness Score: -1.00%

Function 10005024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 10005033

Part of subcall function 100087D2: std::exception::exception.LIBCMT ref: 100087E7
Part of subcall function 100087D2: __CxxThrowException@8.LIBCMT ref: 100087FC
Part of subcall function 100087D2: std::exception::exception.LIBCMT ref: 1000880D

_memmove.LIBCMT ref: 10005069

Strings

invalid string position, xrefs: 1000502E

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 28e4900ac049f7e2454973e9f148ac343fb4c85794aa1984df6d29cb6c58fb98
Instruction ID: 8ff18ae12fdbc443a749de704e7b4f7d07be7fdb23849a37bba4d7ee73fb21cd
Opcode Fuzzy Hash: 28e4900ac049f7e2454973e9f148ac343fb4c85794aa1984df6d29cb6c58fb98
Instruction Fuzzy Hash: D3016231300A418BF724CD68888491F72A6EB80792721493CD5D5CB64DEBB7ED4687D0

Uniqueness

Uniqueness Score: -1.00%

Function 004052EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040531E
CallWindowProcA.USER32(?,?,?,?), ref: 0040536F

Part of subcall function 00404323: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404335

Strings

, xrefs: 004052FF

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1a3edb13fbb9d77a7e945387c8f49b4177271b2a1e893ed2b4ba779e46112139
Instruction ID: 437a69096ec9ba1d9f18478e55202537de4ebfa08eb254ddcd68563096c266c2
Opcode Fuzzy Hash: 1a3edb13fbb9d77a7e945387c8f49b4177271b2a1e893ed2b4ba779e46112139
Instruction Fuzzy Hash: 17015E7120060CABEF205F11DD80AAB3766EB84795F54803AFE01761D1C7BA8892DE29

Uniqueness

Uniqueness Score: -1.00%

Function 6E82C3A9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6E82BD5C: __getptd.LIBCMT ref: 6E82BD62
Part of subcall function 6E82BD5C: __getptd.LIBCMT ref: 6E82BD72

__getptd.LIBCMT ref: 6E82C3B8

Part of subcall function 6E827CAB: __getptd_noexit.LIBCMT ref: 6E827CAE
Part of subcall function 6E827CAB: __amsg_exit.LIBCMT ref: 6E827CBB

__getptd.LIBCMT ref: 6E82C3C6

Strings

csm, xrefs: 6E82C3D4

Memory Dump Source

Source File: 00000000.00000002.2585076729.000000006E821000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E820000, based on PE: true

Associated: 00000000.00000002.2585052709.000000006E820000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585099482.000000006E82D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585124924.000000006E832000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2585147387.000000006E834000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e820000_etopt.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: ef1c37c9ea808f0d6b47427f93e0234a7dfed2f2fc59f49d9643a9403cb4d735
Instruction ID: 0a79b706bf5a64045ed3c8d75074ac6117b19f2c1ad35b1951196603556fffbe
Opcode Fuzzy Hash: ef1c37c9ea808f0d6b47427f93e0234a7dfed2f2fc59f49d9643a9403cb4d735
Instruction Fuzzy Hash: 85016D38811206CFCB648FA5C5546FEB3B9BF04215F144C3DD0925AAE2CBB1C5C5EB91

Uniqueness

Uniqueness Score: -1.00%

Function 03273BD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0327350C: __getptd.LIBCMT ref: 03273512
Part of subcall function 0327350C: __getptd.LIBCMT ref: 03273522

__getptd.LIBCMT ref: 03273BE3

Part of subcall function 03264E61: __getptd_noexit.LIBCMT ref: 03264E64
Part of subcall function 03264E61: __amsg_exit.LIBCMT ref: 03264E71

__getptd.LIBCMT ref: 03273BF1

Strings

csm, xrefs: 03273BFF

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 00b9b1f6ce2072b835fdd00883fdef9133cedfbd51445f2d3faf3c50acbbf011
Instruction ID: 5e57165cc4ede2195c09b2e8493115975feb26352c352ba6285894ca95fd28b7
Opcode Fuzzy Hash: 00b9b1f6ce2072b835fdd00883fdef9133cedfbd51445f2d3faf3c50acbbf011
Instruction Fuzzy Hash: 71014F3C920316CACF39DF61C440A6EFBB5BF44621F28489DD5415A550CB72C5C1EBC1

Uniqueness

Uniqueness Score: -1.00%

Function 1000EE4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 1000E876: __getptd.LIBCMT ref: 1000E87C
Part of subcall function 1000E876: __getptd.LIBCMT ref: 1000E88C

__getptd.LIBCMT ref: 1000EE5D

Part of subcall function 1000AE0C: __getptd_noexit.LIBCMT ref: 1000AE0F
Part of subcall function 1000AE0C: __amsg_exit.LIBCMT ref: 1000AE1C

__getptd.LIBCMT ref: 1000EE6B

Strings

csm, xrefs: 1000EE79

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: be0acc4cedfe86ac2a6d2338c2af09507286dba6f5b673073edea3b15eda1417
Instruction ID: 92d01e3b6ee4dae8138fedfbbf28229bf8bb1ba7a48831e3409c6df4da3db182
Opcode Fuzzy Hash: be0acc4cedfe86ac2a6d2338c2af09507286dba6f5b673073edea3b15eda1417
Instruction Fuzzy Hash: 32014B388007C98EEB24CF20D440AADB7F5EF44391F6085ADE041A6295CB30AD82CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0325679F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 032567A6
std::_Xinvalid_argument.LIBCPMT ref: 032567E3

Strings

list<T> too long, xrefs: 032567DE

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: H_prolog3_catchXinvalid_argumentstd::_
String ID: list<T> too long
API String ID: 4202626062-4027344264
Opcode ID: 23eea3421f6963475b24fdf6fc450b4f1641b339857cfc014738fc0b9e7da21b
Instruction ID: dddddf48182e87c6149213500ff899f2012df0fed0c1af9a9df468e869177657
Opcode Fuzzy Hash: 23eea3421f6963475b24fdf6fc450b4f1641b339857cfc014738fc0b9e7da21b
Instruction Fuzzy Hash: 0A014FB9620306DFCB04DF68C940A597BE5FF89300B148909FD569B350C771EA95CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004039AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76233410,00000000,C:\Users\user\AppData\Local\Temp\,00403983,00403769,?,?,00000008,0000000A,0000000C), ref: 004039C5
GlobalFree.KERNEL32(00000000), ref: 004039CC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004039AB

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: ca298928d6acf9595f75de0ead6f6aa016ee95e771ecb86a17bb6358c8d46369
Instruction ID: 23ab7fd1d63e2fab3ac7dadfdf82902bd838ceaf316fcd07c58c8ed2a8b622e1
Opcode Fuzzy Hash: ca298928d6acf9595f75de0ead6f6aa016ee95e771ecb86a17bb6358c8d46369
Instruction Fuzzy Hash: 1BE0123390113097CA216F49FE057EA77AC6F84B22F09407BE9847B26187B45C875BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405C10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F7D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\etopt.exe,C:\Users\user\Desktop\etopt.exe,80000000,00000003,?,?,004036CC,?,?,00000008,0000000A), ref: 00405C16
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F7D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\etopt.exe,C:\Users\user\Desktop\etopt.exe,80000000,00000003,?,?,004036CC,?), ref: 00405C24

Strings

C:\Users\user\Desktop, xrefs: 00405C10

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3125694417
Opcode ID: 636972430895b8d26769eef308ecf034eeaaaa2c94ab7ae9d1342fa23427dc1b
Instruction ID: f5f1b7b44289610ce8c86bafd7a047c89c6d00d3be03dd2f0244dee5cd576e0a
Opcode Fuzzy Hash: 636972430895b8d26769eef308ecf034eeaaaa2c94ab7ae9d1342fa23427dc1b
Instruction Fuzzy Hash: 97D0A77240CE705EF30373109D04B9F6A88CF17300F0A04E6E181B2190C2780C414BAD

Uniqueness

Uniqueness Score: -1.00%

Function 03272CD0 Relevance: 5.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F,03260CCF,00000000,00000761,?,?,03254A37,?,?,?,?), ref: 03272CE8
SetLastError.KERNEL32(0000007F,?,?,?,00000000,03260CCF,00000000,00000761,?,?,03254A37,?,?,?,?), ref: 03272D83

Memory Dump Source

Source File: 00000000.00000002.2578728295.0000000003251000.00000020.00001000.00020000.00000000.sdmp, Offset: 03250000, based on PE: true

Associated: 00000000.00000002.2578709736.0000000003250000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578757643.0000000003279000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578780676.0000000003280000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2578802981.0000000003286000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3250000_etopt.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: f9c8ffb8e157081e273938739262bf195b2078834f58fbc62751c134e8853e5e
Instruction ID: d5b56f30b64bfbc834fa71a6ceebaec719951079281334056c1465609b466252
Opcode Fuzzy Hash: f9c8ffb8e157081e273938739262bf195b2078834f58fbc62751c134e8853e5e
Instruction Fuzzy Hash: 5F21B136654302DFD724CF28F884B66B3E5FF89611F198969E845C7254E730F885C751

Uniqueness

Uniqueness Score: -1.00%

Function 1000E0F0 Relevance: 5.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F,10003438,00000000,DllGetClassObject,?,?,?,?,?,00000000), ref: 1000E108
SetLastError.KERNEL32(0000007F,?,?,00000000,?,10003438,00000000,DllGetClassObject,?,?,?,?,?,00000000), ref: 1000E1A3

Memory Dump Source

Source File: 00000000.00000002.2584952783.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2584930200.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2584977481.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585001010.0000000010016000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2585026227.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_etopt.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 243499c269d941c01704e1758e6590da5d0887b3d815820213fa96d1f82bafe1
Instruction ID: d6cb14d2bc8f1afc2ed8b053cf196c3f3b6dfa632435da8668e27b99ce1f303c
Opcode Fuzzy Hash: 243499c269d941c01704e1758e6590da5d0887b3d815820213fa96d1f82bafe1
Instruction Fuzzy Hash: F121A0363442429FE720CF54EC84AA6B3E2EF88351F168969E585D7245D730FC01C661

Uniqueness

Uniqueness Score: -1.00%

Function 00405D2F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D3F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D57
CharNextA.USER32(00000000,?,00000000,00405F8A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D68
lstrlenA.KERNEL32(00000000,?,00000000,00405F8A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D71

Memory Dump Source

Source File: 00000000.00000002.2577713118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2577696561.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577730617.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577747925.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2577805819.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_etopt.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f1eaa0065bfc49b54b56e64601aea382fadfb9647de4ff4bb676f0ffe3a7a9e
Instruction ID: 4dc99498ecdd168c5d6df08f6d14e93a58a360c852809f2b3245c589054ce4f5
Opcode Fuzzy Hash: 4f1eaa0065bfc49b54b56e64601aea382fadfb9647de4ff4bb676f0ffe3a7a9e
Instruction Fuzzy Hash: 7CF0C235100818AFCB029FA5DD04D9FBBA8EF05250B2180AAE840FB211D674DE01ABA8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report etopt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg

C:\Program Files (x86)\ClocX\BackupAlarms.bat

C:\Program Files (x86)\ClocX\ClocX.exe

C:\Program Files (x86)\ClocX\Lang\Afrikaans.lng

C:\Program Files (x86)\ClocX\Lang\Arabic.lng

C:\Program Files (x86)\ClocX\Lang\Bosanski.lng

C:\Program Files (x86)\ClocX\Lang\Brazilian Portuguese.lng

C:\Program Files (x86)\ClocX\Lang\Bulgarian.lng

C:\Program Files (x86)\ClocX\Lang\Czech.lng

C:\Program Files (x86)\ClocX\Lang\Danish.lng

C:\Program Files (x86)\ClocX\Lang\Deutsch.lng

C:\Program Files (x86)\ClocX\Lang\English.lng

C:\Program Files (x86)\ClocX\Lang\Espanol.lng

C:\Program Files (x86)\ClocX\Lang\Estonian.lng

C:\Program Files (x86)\ClocX\Lang\French.lng

C:\Program Files (x86)\ClocX\Lang\Greek.lng

C:\Program Files (x86)\ClocX\Lang\Hebrew.lng

C:\Program Files (x86)\ClocX\Lang\Hungarian.lng

C:\Program Files (x86)\ClocX\Lang\Indonesian.lng

C:\Program Files (x86)\ClocX\Lang\Italiano.lng

Windows Analysis Report
etopt.exe

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre